May 7, Ars Technica – (International) Attackers target unpatched PHP bug allowing malicious code execution. A huge number of Web sites are endangered by an unpatched vulnerability in the PHP scripting language that attackers are already trying to exploit to remotely take control of underlying servers, security researchers warned. The code-execution attacks threaten PHP Web sites only when they run in common gateway interface (CGI) mode, a Web application security consultant with Criticode told Ars Technica. Sites running PHP in FastCGI mode are not affected. It is unknown exactly how many Web sites are at risk, because sites also must meet several other criteria to be vulnerable, including not having a firewall that blocks certain ports. Nonetheless, sites running CGI-configured PHP on the Apache Web server are by default vulnerable to attacks that make it easy for hackers to run code that plants backdoors or downloads files containing sensitive user data. Full details of the bug became public the week of April 30, giving attackers the information they need to locate and exploit vulnerable Web sites. According to a security researcher, exploits are already being attempted against servers that are part of a honeypot set up by Trustwave’s Spider Labs to detect Web-based attacks. While some of the requests observed appear to be simple probes to see if sites are vulnerable, others contain remote – 19 – file inclusion parameters that attempt to execute code of the attacker’s choosing on vulnerable servers.