PHP Remote Exploit -- Information and Hotfix
A critical vulnerability in the PHP engine was identified on January 3, 2011. It is significant because most PHP applications running on affected systems become remotely exploitable to a very simple denial of service attack. Zend has released a security hotfix to address this vulnerability (see below).
Because of the way the PHP runtime handles internal conversion of floating point numbers, a remote attacker can bring down a web application simply by adding a specific parameter to a query string in their web browser. (See here for more information.)
The vulnerability is present in every version of PHP, including PHP 4.x and 5.x, on all Intel-based 32-bit PHP builds.
| Platform | Vulnerable |
|---|---|
| Windows | YES |
| Linux (using 32-bit PHP build) | YES |
| Linux (using 64-bit PHP build) | NO |
| Mac OS | NO |
| IBM i | NO |
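The following PHP self-check is an added example, not code from the Zend advisory: it reads the running interpreter's word size and OS and maps them onto the platform table above. It assumes that `PHP_INT_SIZE === 4` identifies a 32-bit build and that `PHP_OS` reports the standard `WINNT`, `Linux` and `Darwin` names; IBM i is not detected and falls into the "undetermined" branch.

```php
<?php
// Added self-check (not part of the Zend advisory): reports whether this
// PHP build falls into a "Vulnerable" row of the platform table above.
// Assumption: PHP_INT_SIZE === 4 marks a 32-bit build (8-byte ints => 64-bit).
function zend_float_hotfix_exposure()
{
    $is32bit = (PHP_INT_SIZE === 4);
    $os      = PHP_OS;

    if (!$is32bit) {
        // Table: 64-bit builds are not affected.
        $verdict = 'NOT affected (64-bit build)';
    } elseif ($os === 'WINNT' || $os === 'Linux') {
        // Table: Windows and 32-bit Linux builds are affected.
        $verdict = 'AFFECTED: 32-bit build, apply the security hotfix';
    } elseif ($os === 'Darwin') {
        // Table: Mac OS is listed as not affected.
        $verdict = 'NOT affected per the platform table (Mac OS)';
    } else {
        // Anything else (e.g. IBM i): consult the table manually.
        $verdict = 'Undetermined: check the platform table for ' . $os;
    }

    return array(
        'php_version' => PHP_VERSION,
        'os'          => $os,
        'machine'     => php_uname('m'),
        'build_bits'  => PHP_INT_SIZE * 8,
        'verdict'     => $verdict,
    );
}

foreach (zend_float_hotfix_exposure() as $key => $value) {
    printf("%-12s %s\n", $key . ':', $value);
}
```

Run it with the same PHP binary that serves the application (for example `php -f check.php` from the Zend Server bin directory), since a 64-bit CLI interpreter says nothing about a 32-bit web SAPI.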
Zend Server and Zend Server CE users should immediately apply the security hotfix.
- Linux users: run your package manager's update command (see the Zend Server Installation Guide for more details)
- Windows users: download the hotfix
Hotfixes for Zend Core and Zend Server CE tarball installer are currently being finalized and will be made available soon.
PHP user who isn't using Zend Server?
See PHP.net for more information, or switch to the free Zend Server CE with the hotfix mentioned above.