Vulnerabilities in PHP
History:
- 16/10/2018 --- v1.0 -- Initial publication
Summary
On 11th of October 2018, several vulnerabilities have been fixed in PHP, a programming language designed for web applications. According to the Center for Internet Security [1], these vulnerabilities allow an adversary to perform an arbitrary code execution and/or denial-of-service attack (DoS).
Technical Details
The vulnerabilities affect the system in accordance with the associated privileges of the application. The adversary successfully exploiting the vulnerabilities can install programs, view, change or delete data and modify/create users even with admin privileges. A failed exploitation can potentially lead to a state of denial of service [1].
Versions Affected
- PHP 7.2 prior to 7.2.11 [2]
- PHP 7.1 prior to 7.1.23 [3]
Recommendations
- Check if the system has unauthorized modifications -- in case these vulnerabilities have already been exploited.
- Upgrade to the latest version (either 7.1.23 or 7.2.11)
- Apply the Least Privilege principle to the system and services to limit the impact in case a PHP application is exploited.