PHP contains two critical bugs that could allow someone to take over a server and use a browser to run dangerous code, German IT security firm E-matters has warned.

PHP is the most popular scripting module on Apache servers and is enabled on at least half of all Apache servers, according to figures from SecuritySpace. The browsers affected are Explorer and Safari - accounting for virtually the entire market.

The PHP Group issued a patch for the flaws on Wednesday, and Linux vendors have also begun releasing fixes tailored for their particular distributions, according to security firm Secunia, which maintains a vulnerabilities database.

On Wednesday, the PHP Group also released the final version of PHP 5.0, which fixes the flaws. The bugs were confirmed in PHP versions 4.3.7 and earlier, and PHP 5.0 release candidate 3 and earlier.

The first flaw, involving various errors in PHP's memory_limit request termination, could be exploited to allow an attacker to execute arbitrary code on a server with a vulnerable implementation of PHP enabled, researchers said. The exploit works on any platform, according to a report by E-matters researcher Stefan Esser, who said he discovered the problem during a re-audit of memory_limit following a related advisory late last month. Vendors were notified a week ago and the problem was made public on Wednesday, E-matters said.

The second problem could be used to launch unsafe code in Internet Explorer and Apple's Safari browser because of the way those browsers handle miscoded HTML. PHP's strip_tags() function is often used to block cross-site scripting attacks by removing unsafe HTML from user input. However, it is possible to slip unsafe script past strip_tags() by inserting characters such as \0 in the input - for example disguising a "script" tag as "\0script".

Such tags would have no effect on most browsers because they would be considered errors and ignored. However, a feature in IE and Safari strips out errors such as \0 and then renders the code, thus allowing potentially dangerous code to render in the browser. The server patch blocks the dangerous code from reaching the browsers.

Cross-site scripting attacks can run malicious tags and code in a browser as a result of clicking on a hyperlink or reading an email. Such attacks can result in hijacking a user session, changing user settings, stealing browser cookies and other exploits, according to security advisory service CERT.

Secunia researchers said IE and Safari had been rendered vulnerable by a feature whose security implications hadn't been considered clearly enough. "This is not a vulnerability in those browsers, but unfortunate and unnecessary functionality," the firm said in its advisory.