Attackers target unpatched PHP bug allowing malicious code execution
A huge number of websites around the world are endangered by an unpatched vulnerability in the PHP scripting language that attackers are already trying to exploit to remotely take control of underlying servers, security researchers warned.
The code-execution attacks threaten PHP websites only when they run in CGI, or common gateway interface, mode, Darien Anthony Patrick, a Web application security consultant with Criticode, told Ars. Nobody knows exactly how many websites are at risk, because sites also must meet several other criteria to be vulnerable, including not having a firewall that blocks certain ports. Nonetheless, sites running CGI-configured PHP on the Apache webserver are by default vulnerable to attacks that make it easy for hackers to run code that plants backdoors or downloads files containing sensitive user data.