State threat-sharing center warns of multiple PHP vulnerabilities

MS-ISAC said the vulnerabilities were a high risk to government organizations and businesses of all sizes.

A popular programming language contains multiple vulnerabilities, the worst of which could allow attackers to execute commands of their choice, according to a new advisory from the Multi-State Information Sharing and Analysis Center. The center said the vulnerabilities were a high risk to government organizations and businesses of all sizes.

The vulnerabilities concern the Hypertext Preprocessor (PHP), an open-source scripting language for web development.

“Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights,” warned the MS-ISAC, a threat-sharing center for state, local, tribal and territorial government agencies.

The advisory urges users to upgrade to the newest PHP version immediately after testing, and to ensure that there haven’t been any unauthorized system changes before applying patches.


Tom Kellermann, chief cybersecurity officer at cloud-security firm Carbon Black, said the PHP revelations were evidence of slack attention to security from IT developers, many of whom “don’t actually practice what they preach” on security.

“Companies that choose to ignore these advisories do so at their own peril,” Kellermann told CyberScoop.

Security researchers have cautioned that sound software development can be undone by flaws in interpreters for programming languages like PHP. Drupal, the content management system that powers popular websites and uses PHP, announced a patch last month for a remote code execution vulnerability.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
