PHP remote format string vulnerabilities
By BHZ (unregistered) on Fri Oct 13, 2000 06:56 PM
PHP is a commonly used HTML-embedded scripting language. Format string vulnerabilities exist in the error logging routines of PHP versions 3 and 4, allowing remote users to execute arbitrary code under the web server's user id. A web server with PHP installed and one or more PHP scripts is vulnerable if error logging is enabled in php.ini. Any PHP script that uses PHP's "syslog" command may also be vulnerable, regardless of the error logging setting.
The problem was tested on a Red Hat Linux system with Apache and mod_php3 installed and error logging enabled in php.ini. With a test exploit program, shellcode could be run remotely under the web server user id, which is typically not the root user.
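The bug class described above, shown as an added C example that is not PHP's source code or part of the original post: a printf-style logging routine called with request-derived text as its format string, next to the corrected call. The names log_line, log_request_unsafe, log_request_safe and escape_percent are hypothetical, and the sample message is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a printf-style logging routine such as syslog(3). */
static void log_line(char *out, size_t n, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap);
    va_end(ap);
}

/* Vulnerable pattern: request-derived text is passed as the format itself,
   so every '%' directive in it is interpreted by the formatter. */
static void log_request_unsafe(char *out, size_t n, const char *msg) {
    log_line(out, n, msg);
}

/* Fixed pattern: constant format, untrusted text is only ever an argument. */
static void log_request_safe(char *out, size_t n, const char *msg) {
    log_line(out, n, "%s", msg);
}

/* Fallback for call sites that accept only a format string: double every '%'
   so it is emitted literally. Returns 0, or -1 if dst is too small. */
static int escape_percent(char *dst, size_t n, const char *src) {
    size_t j = 0;
    for (; *src; src++) {
        size_t need = (*src == '%') ? 2 : 1;
        if (j + need >= n) return -1;      /* keep room for the NUL */
        if (*src == '%') dst[j++] = '%';
        dst[j++] = *src;
    }
    dst[j] = '\0';
    return 0;
}

int main(void) {
    /* Constructed, benign input: "%%" consumes no argument, so the unsafe
       call is well defined here and only shows that the text is parsed. */
    const char *msg = "disk 100%% full";
    char a[64], b[64], e[64], c[64];
    log_request_unsafe(a, sizeof a, msg);
    log_request_safe(b, sizeof b, msg);
    if (escape_percent(e, sizeof e, msg) == 0) log_request_unsafe(c, sizeof c, e);
    printf("unsafe: %s\nsafe:   %s\nescaped then logged: %s\n", a, b, c);
    return 0;
}
```

Compiling call sites with `-Wformat -Wformat-security` in GCC or Clang flags a direct printf-family call whose format is not a string literal.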
More information can be found here. [Editor's note: we don't currently allow a href tags, so this link was probably autodeleted. We'll fix this shortly.]