"The Computer Emergency Response Team Coordination
Center (CERT/CC) Wednesday warned of multiple vulnerabilities in
the PHP scripting language which would allow a remote attacker to
execute arbitrary code with the privileges of the PHP process on a
The flaws were discovered and first reported by Stefan Esser of
e-matters, a member of the PHP developer team.
PHP is widely used in Web development and can be installed on a
variety of Web servers, including Apache, IIS, Caudium, Netscape
and iPlanet, OmniHTTPd and others. Esser said the vulnerabilities
lie in the php_mime_split function, allowing an attacker to either
execute arbitrary code with the privileges of the Web server or
interrupt normal operations of the Web server."