[link|http://news.com.com/2100-1001-850752.html|Much ado about something]

Excerpt:

As previously reported by CNET News.com, the flaws occur in Web server modules using the Personal Homepage scripting language, more commonly known as PHP. The language is widely used among sites built on open-source software and allows such sites to create Web pages on the fly.

David Dittrich, senior security engineer at the University of Washington, stressed that while the technical nature of the flaws would make creating a worm more difficult, the Net is rife with groups that have the wherewithal and knowledge to pull off the job.

"It's just a matter of time before someone does a worm," Dittrich said, adding that systems administrators who have Web sites running a flawed version of PHP should patch their version as soon as possible.

Last Wednesday, a member of the PHP Group posted details of a handful of flaws that could be exploited to take over Web servers that use version 3.0.10 to version 4.1.1 of the PHP software. By gaining control of the Web server software, attackers could deface any sites hosted by that server or take advantage of their position to issue system commands to the server.