
PHP flaw threatens photo uploads

Written by Munir Kotadia, Contributor

Photo hosting services that allow users to publish their digital pictures online are being threatened by a vulnerability in the PHP scripting language that could be exploited by a malicious image file.

The flaw -- first discovered in February and patched by the PHP Group on Thursday -- could allow an attacker to crash a hosting company's server by uploading a unique image file that would consume 100 percent of the machine's processing power.

Ian Latter, senior security consultant at Internet security specialist Pure Hacking, said if a server running a vulnerable version of PHP was attacked, it would crash. However, the weakness does not threaten users of the service.

"This is a vulnerability based around CPU exhaustion. It enables an attacker to create a specially-crafted image that would consume the CPU resources of the server that [the image] is being uploaded to. It would potentially hang or crash that service," said Latter.

Security Web site iDEFENSE, which posted an advisory about the problem yesterday, said the vulnerability exists "due to insufficient validation of JPEG image file headers in one of the language's functions".

According to the advisory, "the JPEG file header contains a file length field which may be manipulated to cause an infinite loop in the copying of file data to memory".
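A defensive JPEG segment walker, added here as an illustration and not code from PHP or from the iDEFENSE advisory, showing the check the advisory implies: every segment length field is validated against the remaining file before it is used, and every loop branch advances the cursor, so a manipulated length field cannot keep the copy loop running. The byte strings below are constructed samples.

```python
import struct

EOI = 0xD9  # end of image: standalone marker, no length field
SOS = 0xDA  # start of scan: entropy-coded data follows the segment

def parse_jpeg_segments(data: bytes) -> list:
    """Walk the marker segments of a JPEG header.

    Returns a list of (marker, declared_length) tuples. Raises ValueError
    for any length field that would read past the end of the data or
    that would not advance the cursor. Because every branch moves `pos`
    forward, the loop is bounded by len(data) no matter what the file says.
    """
    if len(data) < 2 or data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    segments = []
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker prefix at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte before a marker: skip it
            pos += 1
            continue
        if marker == EOI:
            return segments
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # TEM / RSTn: no length
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError(f"truncated segment header at offset {pos}")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2:
            # length counts its own two bytes; anything smaller would
            # leave a naive copy loop stuck at the same offset forever
            raise ValueError(f"segment 0x{marker:02X}: length {length} too small")
        if pos + 2 + length > len(data):
            # declared length runs past the end of the file: reject
            # rather than trust it to drive the copy
            raise ValueError(f"segment 0x{marker:02X}: length {length} exceeds data")
        segments.append((marker, length))
        if marker == SOS:
            return segments  # header walk ends where scan data begins
        pos += 2 + length
    raise ValueError("missing EOI marker")

def is_well_formed(data: bytes) -> bool:
    """True if the header parses cleanly, False on any validation failure."""
    try:
        parse_jpeg_segments(data)
        return True
    except ValueError:
        return False

# constructed samples: a minimal JFIF header, then two with bad length fields
GOOD_JPEG = bytes.fromhex("FFD8" "FFE0" "0010" "4A46494600" "0101" "00" "0001" "0001" "00" "00" "FFD9")
BAD_OVERSIZED = bytes.fromhex("FFD8" "FFE0" "FFFF" "4A464946" "FFD9")  # length 65535 on a 12-byte file
BAD_ZERO = bytes.fromhex("FFD8" "FFE0" "0000" "FFD9")  # length 0: cursor would never move
```

Run against an upload before handing it to an image library and the malformed files are rejected at the header instead of tying up the CPU.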

James Turner, security analyst at Frost & Sullivan, said that if the vulnerability were widely exploited, it would more likely be an inconvenience than a serious threat.

"There is going to be a huge annoyance factor if these [photo] services go down. I can't see how the attackers could make money out of it," said Turner.

According to Internet monitoring site Netcraft, PHP is used by more than 18 million domains.
