The Zend Company reported today: A critical vulnerability in the PHP engine has just been identified. This exploit is significant because most PHP applications on impacted systems are remotely exploitable via a very simple denial-of-service attack. Zend has released a security hotfix to address this vulnerability (see below).
Due to the way the PHP runtime handles internal conversion of floating-point numbers, it is possible for a remote attacker to bring down a web application simply by adding a specific parameter to a query string in their web browser.
This vulnerability is present in all versions of PHP, including PHP 4.x and 5.x, on all Intel-based 32-bit PHP builds.
| Platform | Vulnerable |
| --- | --- |
| Windows | YES |
| Linux (using 32-bit PHP build) | YES |
| Linux (using 64-bit PHP build) | NO |
| Mac OS | NO |
| IBM i | NO |
Zend Server and Zend Server CE users should immediately apply the security hotfix.
- Linux users: run your package manager’s update command (see the Zend Server Installation Guide for more details).
- Windows users: download the hotfix.
Hotfixes for Zend Core and Zend Server CE tarball installer are currently being finalized and will be made available soon.