PHP Exploit Information and Hotfix

January 5, 2011 — A critical vulnerability in the PHP engine was identified two days ago, on January 3, 2011. This exploit is significant because most PHP applications on impacted systems can become remotely exploitable to a very simple denial of service attack. Zend has released a security hotfix to address this vulnerability (see below).

Due to the way the PHP runtime handles internal conversion of floating point numbers, it is possible for a remote attacker to bring down a web application simply by adding a specific parameter to a query string in their web browser. (See here for more information.)

This vulnerability is present on all versions of PHP including PHP 4.x and 5.x, on all Intel-based 32-bit PHP builds.

Platform Vulnerable
Windows YES
Linux (using 32-bit PHP build) YES
Linux (using 64-bit PHP build) NO
Mac OS NO
IBM i NO

Update (January 6, 2011) — PHP.net has now also released a fix for this problem.

Update (March 10, 2011) — The fix for this issue is included in Zend Server 5.1. All users currently on a vulnerable version of Zend Server are strongly encouraged to upgrade.

Download now »