Servers running PHP are vulnerable to a number of serious security exploits, including some which could allow an attacker to execute malicious code, and denial-of-service exploits, according to the PHP Group.

The project has issued updates fixing the bugs, available from the PHP website and directly from various operating system vendors. "All users of PHP are strongly encouraged to upgrade to this release," the PHP Group says in its advisory.

PHP, an open-source programming language used mainly for server-side applications, runs on server operating systems such as Linux, Unix, Mac OS X and Windows.

Several of the flaws were discovered in PHP's EXIF module, used to handle the Exchangeable Image file format (EXIF) specification used by digital cameras. A bug in the module's exif_process_IFD_TAG() function could be exploited by a specially crafted "Image File Directory" (IFD) tag to cause a buffer overflow and execute malicious code with the privileges of the PHP server, according to Linux vendor Mandriva, which issued its update on Monday.

A second EXIF module bug could lead to an infinite recursion, causing the executed program to crash.