Security researchers found three zero-day vulnerabilities in PHP 7, all of which could prove extremely dangerous to any site using the web programming language.
Yannay Livneh of Check Point's exploit research team, said he and his colleagues spent several months examining the unserialised mechanism in PHP 7, the language now running about 80 percent of websites. This is the same area that was also found to be vulnerable in PHP 5, which allowed Drupal, Joomla!, Magento, vBulletin and Pornhub to be successfully attacked in the past.
“Throughout our investigation we discovered three fresh and previously unknown vulnerabilities (CVE-2016-7479, CVE-2016-7480, CVE-2016-7478) in the PHP 7 unserialised mechanism,” Livneh wrote.
Livneh told SC Media on Wednesday that there is no indication any of these vulnerabilities have been exploited and he noted that while the same mechanism for compromise was found, the vulnerability in PHP 7 is different from what was found in PHP 5.
“And we were not surprised,” he said. "This mechanism parses a 'complicated' format. There is no formal definition of this format. Therefore we expected to find bugs in this mechanism."
The first two CVEs, if exploited, would allow an attacker to take full control of the target server enabling the bad actor to spread malware for stealing data. The third flaw generates a denial of service attack shutting down the target system.
Check Point notified the PHP security team of the issues and patches have been issued. Notification took place in mid-September and the fixes were issued by PHP on 23 October and December 1.