Hackers in the libraries
SECURITY BOFFINS have found a critical vulnerability in two PHP libraries that are used to provide web services and content management systems.
PHP, is one of the most widely used scripting language on the web and the flaws are in the XML-RPC for PHP and PEAR XML-RPC libraries.
Similar flaws were discovered in July and prompted an audit of the libraries by the Hardened-PHP Project, a group that was founded to protect PHP users and servers against security holes.
According to the Projects advisory
here, the new flaw takes advantage of a technique similar to the earlier vulnerabilities, which involved eval() statements.
"To get rid of this and future eval() injection vulnerabilities, the Hardened-PHP Project has developed, together with the maintainers of both libraries, a fix that completely eliminates the use of eval() from the library", the report said.
Linux distributiors such as Red Hat and Gentoo have already issued patches, but perhaps the biggest problem will be for those who have used content management systems are built using PHP, such as PostNuke, Drupal, b2evolution and TikiWiki. The INQuirer