PHP update fixes arbitrary code execution flaw, 9 other bugs

News by Bradley Barth

Center for Internet Security's Multi-State Information Sharing and Analysis Center (MS-ISAC) urges developers to upgrade to the latest version of PHP

The Center for Internet Security’s Multi-State Information Sharing and Analysis Center (MS-ISAC) has issued a security advisory urging developers to upgrade to the latest version of PHP in order to patch an arbitrary code execution vulnerability that was found in the programming language.

"PHP is prone to a heap-based buffer overflow vulnerability because the application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer. Specifically, this issue exists in the ‘mb_eregi()’ function," the advisory states. "Successfully exploiting this vulnerability could allow for arbitrary code execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploitation could result in a denial-of-service condition."

Although there are no reports of this vulnerability being exploited in the wild, MS-ISAC assess the risk to government and business entities of all sizes to be high.

Including the aforementioned buffer overflow bug, the PHP development team’s 26 September release of PHP version 7.3.10 repaired 10 bugs and delivered other improvements as well.

This article was originally published on SC Media US.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews