Critical Security Holes Found in PHP7


Two out of three holes have been patched.

IT security firm Check Point has found serious vulnerabilities in PHP 7. Check Point analyzed the PHP 7 code base for vulnerabilities, focusing on the unserialize mechanism, which was heavily exploited in PHP 5 to compromise platforms such as Magento, vBulletin, Drupal and Joomla.

What they found was not encouraging. Check Point wrote in a blog post: “Throughout our investigation we discovered 3 fresh and previously unknown vulnerabilities (CVE-2016-7479, CVE-2016-7480, CVE-2016-7478) in the PHP 7 unserialize mechanism. These vulnerabilities can be exploited using a technique we’ve discussed back in August.”

The first two vulnerabilities, according to Check Point, give attackers complete control over affected servers. The third enables a DoS (Denial of Service) attack that exhausts the target site's memory and shuts it down.
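Whatever the specific bugs, the practical lesson for PHP developers is the same one the PHP 5 exploits taught: never feed client-controlled data to a bare `unserialize()` call. The following is an added example, not code from Check Point's report or from the PHP project. It contrasts the risky pattern with two hardened forms using the `allowed_classes` option that PHP 7.0 introduced and a JSON-based alternative; the sample payload and the `restoreSession*` function names are constructed for illustration.

```php
<?php
// Added example (not from Check Point's report): hardening unserialize()
// against client-controlled input in PHP 7.

// Constructed sample of what a client might send in a cookie or POST field.
$untrusted = 'O:8:"stdClass":1:{s:4:"role";s:5:"admin";}';

// Recursively check whether a value contains any object, including the
// __PHP_Incomplete_Class placeholders that a restricted unserialize() yields.
function containsObject($value): bool {
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

// Risky pattern: any class loaded by the application may be instantiated
// from attacker-chosen bytes, and its magic methods (__wakeup, __destruct)
// run with attacker-chosen property values.
function restoreSessionUnsafe(string $blob) {
    return unserialize($blob);
}

// Hardened pattern 1 (PHP >= 7.0): forbid object instantiation entirely.
// With allowed_classes => false, object payloads are turned into
// __PHP_Incomplete_Class instances, so no real class's magic methods run.
// An array of class names can be passed instead to allow a strict allowlist.
function restoreSessionSafe(string $blob) {
    // A length cap limits how much memory a hostile payload can make the
    // parser allocate; 4096 bytes is a constructed limit, tune it per app.
    if (strlen($blob) > 4096) {
        return null;
    }
    $data = unserialize($blob, ['allowed_classes' => false]);
    if ($data === false || containsObject($data)) {
        return null; // anything that is not plain scalar/array data is invalid
    }
    return $data;
}

// Hardened pattern 2: do not use PHP serialization for client-held state at
// all. JSON cannot express objects or classes, so there is nothing to hijack.
function restoreSessionJson(string $json): ?array {
    if (strlen($json) > 4096) {
        return null;
    }
    $data = json_decode($json, true, 16); // assoc arrays only, depth-limited
    if (json_last_error() !== JSON_ERROR_NONE || !is_array($data)) {
        return null;
    }
    return $data;
}

// Demonstration on the constructed payload.
var_dump(restoreSessionUnsafe($untrusted)); // a live stdClass object
var_dump(restoreSessionSafe($untrusted));   // NULL: object payload rejected
var_dump(restoreSessionJson('{"role":"user"}')); // array(1) { ["role"]=> "user" }
```

The `allowed_classes` option blocks the gadget-chain style of attack that made PHP 5 unserialize bugs so damaging, but it does not by itself address memory-exhaustion or parser-level bugs in unserialize itself; that is why the example also caps the payload size and why keeping the PHP runtime patched, as the article advises, remains necessary.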

The PHP team was informed of the vulnerabilities in August and September. Fixes for two of the vulnerabilities were released on October 13 and December 1. Users are advised to ensure they are running the latest version of PHP.

Check Point has issued IPS signatures for these vulnerabilities to protect users from possible attacks.
