Techvia Alliance - Flaws Found In PHP Programming Language




The maintainers of the PHP programming language have released new versions under several maintained branches, 7.3.9, 7.2.22 and 7.1.32, to patch multiple high-severity vulnerabilities in its core and bundled libraries. The most severe of them could allow an attacker to execute arbitrary code and compromise targeted servers. PHP (a recursive acronym for "PHP: Hypertext Preprocessor") is the most popular server-side web programming language, powering roughly 78 percent of websites whose server-side language is known.

Depending on the type, occurrence and usage of the affected code in a PHP application, successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the affected application. Failed exploitation attempts would most likely result in a denial of service (DoS) condition. Because so much of the web runs on PHP, these vulnerabilities could leave thousands of web applications open to code execution attacks, including websites powered by popular content management systems such as WordPress, Drupal and TYPO3.

The most notable of the flaws, a use-after-free code execution vulnerability assigned CVE-2019-13224, resides in Oniguruma, a popular regular expression library that comes bundled with PHP (where it backs the mbstring extension's mb_ereg* functions) as well as with many other programming languages. A remote attacker can trigger the flaw by supplying a specially crafted regular expression to an affected web application, potentially leading to code execution or information disclosure. The practical exposure is therefore any code path that lets user input reach the regex engine as the pattern rather than as the subject string; the PCRE-based preg_* functions are not built on Oniguruma. The other fixes in these releases touch the curl extension, the Exif functions, the FastCGI Process Manager (FPM), OPcache and more.

At present there is no report of any of these vulnerabilities being exploited in the wild. The PHP security team strongly recommends that users and hosting providers upgrade their servers to the latest release of their branch: 7.3.9, 7.2.22 or 7.1.32. One caveat for administrators: if a PHP build is linked against the system's Oniguruma (libonig) package rather than the copy bundled with PHP, the fix for CVE-2019-13224 arrives through that package's update, so both the interpreter and the library should be checked.
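To make the exposure concrete, the following PHP snippet is an added illustration written for this article, not code from the PHP project, Oniguruma, or any of the CMSs named above. It shows the shape of an application sink that hands an attacker-controlled pattern to the Oniguruma-backed mb_ereg() function, beside a hardened form that only ever treats user input as a literal term and draws any real regular expression from a server-defined allow-list, plus a small check that reports whether the running interpreter is at or past the fixed release for its branch. The function names, the named-filter table and the sample records are assumptions for the example; it requires the mbstring extension and contains no exploit payload.

```php
<?php
// Added example for this article (not PHP project code). Requires ext/mbstring.
declare(strict_types=1);

mb_regex_encoding('UTF-8');

/**
 * Vulnerable shape: the request parameter becomes the regular expression itself,
 * so an untrusted pattern is parsed and compiled by Oniguruma. On a PHP build
 * older than the fixed releases this is exactly the sink CVE-2019-13224 needs.
 */
function searchVulnerable(string $userPattern, array $records): array
{
    $hits = [];
    foreach ($records as $record) {
        if (mb_ereg($userPattern, $record)) {   // attacker controls the pattern
            $hits[] = $record;
        }
    }
    return $hits;
}

/** Hypothetical server-defined patterns; users may select one by name only. */
const NAMED_FILTERS = [
    'email'  => '^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$',
    'digits' => '^[0-9]+$',
];

/**
 * Hardened shape: user text is matched as a literal with a non-regex function,
 * and the only pattern that reaches the engine comes from NAMED_FILTERS.
 */
function searchHardened(string $userTerm, ?string $filterName, array $records): array
{
    $pattern = null;
    if ($filterName !== null) {
        if (!array_key_exists($filterName, NAMED_FILTERS)) {
            throw new InvalidArgumentException('unknown filter');
        }
        $pattern = NAMED_FILTERS[$filterName];
    }

    $hits = [];
    foreach ($records as $record) {
        if ($userTerm !== '' && mb_stripos($record, $userTerm) === false) {
            continue;                       // literal, case-insensitive match
        }
        if ($pattern !== null && !mb_ereg($pattern, $record)) {
            continue;                       // pattern is ours, never the user's
        }
        $hits[] = $record;
    }
    return $hits;
}

/**
 * True when $version is at or past the fixed release for its branch as listed in
 * the article (7.1.32, 7.2.22, 7.3.9); null for branches the article does not cover.
 */
function runsFixedRelease(string $version = PHP_VERSION): ?bool
{
    $fixed  = ['7.1' => '7.1.32', '7.2' => '7.2.22', '7.3' => '7.3.9'];
    $branch = implode('.', array_slice(explode('.', $version), 0, 2));
    if (!isset($fixed[$branch])) {
        return null;
    }
    return version_compare($version, $fixed[$branch], '>=');
}

// Constructed sample data for a stand-alone run.
$records = ['alice@example.com', 'bob at example', '12345', 'Ünïcode user'];

print_r(searchHardened('example', null, $records));  // literal term: first two records
print_r(searchHardened('', 'email', $records));      // named filter: the address only
$state = runsFixedRelease();
printf("PHP %s: %s\n", PHP_VERSION,
    $state === null ? 'branch not covered by this table' : ($state ? 'fixed release' : 'UPGRADE'));
```

The design point is that the hardened version removes the attacker's ability to choose a pattern at all; that defends against this use-after-free and against future pattern-parsing bugs and ReDoS in any engine, whereas only upgrading leaves the sink in place for the next advisory. Upgrading remains mandatory because other code paths (and the other fixes in these releases) are not covered by input handling.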
