A flaw in the common open-source scripting language PHP could allow attackers to crash or compromise a hefty fraction of the nine million servers running the open-source Web software Apache, as well as other Web servers.
A member of the PHP engineering team warned Web developers of the software flaws in an advisory on Wednesday, but security experts believe that while some in the Internet underground have tools to exploit the flaw, few people have the resources.
"It is not really easy to execute," said Johannes Ullrich, chief technology officer for the SANS (System Administration, Networking, and Security) Internet Storm Center, who obtained a program file that illustrates the vulnerability.
A handful of holes appear in different versions of PHP, a scripting language that can be installed on many different Web servers--including Apache, Microsoft"s Internet Information Server and iPlanet--allowing them to create Web pages on the fly from a database of information.
PHP software originally stood for Personal Homepage, before the script evolved into a much more complex language. It"s best known for letting developers create more-easily modified Web sites based entirely on a collection of open-source software known as LAMP, which includes the Linux operating system, the Apache Web server, the MySQL database, and PHP or Python scripting languages. Survey firm Netcraft estimates that nearly nine million Web servers, about 64 percent, use Apache, and because of PHP"s popularity, a large fraction of those sites are likely to have the software installed.