
Recent discoveries reveal high-risk PHP vulnerabilities

Consider the impact of 78% of the internet jeopardized. For a visual aid, consider that 71% of the Earth is covered with water. That’s a lot. 

Before you read on, you should DROP WHAT YOU ARE DOING AND UPDATE YOUR PHP TO THE NEWEST VERSION! We don’t mean to shout, but there really is no time to lose.

One of the most popular server-side web programming languages, Hypertext Preprocessor (PHP) was discovered to be at high risk for attacks. Patches for high-severity vulnerabilities, critically located in the PHP Core and bundled libraries, were released by the PHP powers that be. Without a protective system like a smart WAF or a patch in place, those vulnerabilities could open the door for remote attacks that compromise servers through arbitrary code execution. 

Of the discovered PHP vulnerabilities, one in the Oniguruma regular-expression library, which comes bundled with PHP, is the most dangerous. According to Red Hat:

“A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe(). Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust.”

Red Hat

These code execution attacks that target PHP have far-reaching implications. Hundreds of millions of applications and major platforms such as Drupal, WordPress, and others are built using PHP.

“Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.”

New York State, Office of Information Technologies Services

Although these potential exploits have so far only been demonstrated synthetically, their discovery is troubling. These sorts of execution attacks are identified as high-risk for businesses of all sizes, across all sectors. The only people not directly at risk are home users.


Mitigating PHP execution flaws

If an attacker successfully exploits the vulnerability in PHP, the resulting arbitrary code execution runs with whatever privileges the affected application has.

At-risk systems:

  • PHP 7.1 prior to 7.1.32
  • PHP 7.2 prior to 7.2.22
  • PHP 7.3 prior to 7.3.9

If you have any of these systems, update immediately.
You can find a full list of bugs, by system, on the NY State site.

Things to do to protect against PHP execution flaws:

  1. Before applying the patch, check your system for any unauthorized modifications. Failed execution attacks may result in a denial of service (DoS).
  2. Perform all security testing and audit recent activity before upgrading to the latest PHP.
  3. Configure your systems and services to Least Privilege.
  4. Protect your web applications with a WAF, capable of parsing APIs.
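The first step in the checklist above is finding out which of your hosts are still on a release below the patched floor. The following POSIX shell script is an added example, not code from the original post or from Wallarm: it takes the three version floors listed above (7.1.32, 7.2.22, 7.3.9), compares them against the version string printed by `php -v`, and reports each host as vulnerable, patched, or unlisted (a minor line the post does not cover). The sample `php -v` output embedded in the script is constructed for the example; pass `--live` to check the PHP binary on the current host instead.

```shell
#!/bin/sh
# Added example (not from the original post): classify an installed PHP as
# vulnerable or patched using the version floors given in the post.

# First patched release for a major.minor line; prints nothing for lines
# the post does not list.
patched_floor() {
  case "$1" in
    7.1) echo 7.1.32 ;;
    7.2) echo 7.2.22 ;;
    7.3) echo 7.3.9 ;;
    *)   echo "" ;;
  esac
}

# version_lt A B: succeed (exit 0) if dotted version A is strictly lower
# than dotted version B, comparing up to three numeric components.
version_lt() {
  a="$1"; b="$2"; i=1
  while [ "$i" -le 3 ]; do
    x=$(echo "$a" | cut -d. -f"$i"); y=$(echo "$b" | cut -d. -f"$i")
    x=${x:-0}; y=${y:-0}
    if [ "$x" -lt "$y" ]; then return 0; fi
    if [ "$x" -gt "$y" ]; then return 1; fi
    i=$((i + 1))
  done
  return 1
}

# php_version_status VERSION: print "vulnerable", "patched" or "unlisted"
# for a bare version such as 7.2.19.
php_version_status() {
  v="$1"
  line=$(echo "$v" | cut -d. -f1,2)
  floor=$(patched_floor "$line")
  if [ -z "$floor" ]; then echo unlisted; return; fi
  if version_lt "$v" "$floor"; then echo vulnerable; else echo patched; fi
}

# version_from_php_v: read `php -v` output on stdin and print the bare
# version, dropping any distro suffix (e.g. "7.3.8-1+ubuntu18.04.1").
version_from_php_v() {
  head -n 1 | awk '{print $2}' | cut -d- -f1
}

# Constructed sample `php -v` output for the example; not captured from a
# real host.
SAMPLE='PHP 7.2.19-0ubuntu0.18.04.2 (cli) (built: Aug  8 2019 08:26:44) ( NTS )
Copyright (c) 1997-2018 The PHP Group'

if [ "${1:-}" = "--live" ]; then
  ver=$(php -v | version_from_php_v)
else
  ver=$(printf '%s\n' "$SAMPLE" | version_from_php_v)
fi
echo "PHP $ver: $(php_version_status "$ver")"
```

Run it on each host (or feed it saved `php -v` output) before and after the upgrade; a result of "unlisted" means the host is on a line the post does not mention, not that it is safe, so check the vendor release notes for that line separately.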

Because these execution attacks can provide access to user data, if you are compromised (or at risk of compromise), the law requires that affected users be informed about the possible data disclosure. You should also advise them to be wary of suspicious activity that appears to come from your organization: they shouldn’t open suspicious emails, hand over sensitive data, et cetera.

Bigger Problems with PHP Programming Language

PHP based websites and applications have a history of vulnerability and critique, but the PHP programming language is almost too pervasive to replace. It has a de facto authority. Many blame programmers for vulnerabilities, but the expectation of perfect code is an unreasonable security protocol.

“It’s worth noting that PHP has no official security manual or guide, its population of security books vary dramatically in both quality and scope (you’re honestly better off buying something non-specific to PHP than wasting your cash), and the documentation has related gaps and omitted assumptions.”

PHP Security: Default Vulnerabilities, Security Omissions and Framing Programmers?

Some experts believe that PHP is simply an insecure programming language. There are, after all, multiple problems for coders that are intrinsic to using PHP.

“If PHP is a secure programming language, why is it flawed with such insecure defaults and feature omissions? If these are security vulnerabilities in applications and libraries written in PHP, are they not also therefore vulnerabilities in the language itself? Depending on how those questions are answered, PHP appears to be both aware of yet continually ignoring serious shortcomings in its security.”

PHP Security: Default Vulnerabilities, Security Omissions and Framing Programmers?

This particular PHP execution flaw was discovered ahead of any known attacks, thanks to the efforts of whitehat hackers and other passionate cybersecurity specialists. What it really should demonstrate and reinforce is that the things we use every day—the code languages, applications, sites, and services we depend on—are not always as safe as they are comfortable.

If you have to use PHP-based applications, put in compensating security controls, such as WAFs. Enforce configuration best practices: isolate each application in its own container, run it under an unprivileged account, and grant only the minimally required data permissions. Pay attention to recommended security updates. And support proactive whitehat, bug bounty, and security research communities.

Learn the Deep Tech in Wallarm News: PHP Remote Code Execution 0Day Discovered in Real World CTF Exercise
