IT security researcher Charles Fol found two bugs in PHP database modules that he was able to use to run his own code. The vulnerabilities affect all PHP versions in the currently maintained version trees up to and including 7.4.29, 8.0.19 and 8.1.6.
The first vulnerability (CVE-2022-31625) affects the connection to PostgreSQL databases. Because an array used to store the parameters of a database query is improperly initialized, attackers could corrupt the heap and execute their own (malicious) code on the target system if certain types of data were cleverly combined. However, to exploit the vulnerability, they must also be able to run their own PHP code on the target system.
The second security bug is in PHP's connection to MySQL and has been assigned the CVE ID CVE-2022-31626. Here, Fol exploits a buffer overflow in PHP’s own implementation of the MySQL protocol to execute injected code.
However, a condition must also be met here in order to be able to inject malicious code: The target server must establish a connection to a specially prepared MySQL server, which also uses a particularly long password of more than 4,000 characters.
Security service provider Tenable has assigned both bugs a CVSS score of 9.8 (critical) and believes they can be exploited remotely without authentication. Even with a more cautious assessment, the vulnerabilities still reach a score of 7.8 points and therefore represent a high risk.
In the new PHP versions 7.4.30, 8.0.20 and 8.1.7, the PHP group fixed both problems. Above all, administrators who operate hosting servers need to update quickly to reduce the risk of a server takeover. However, at the time of this writing, only Alpine Linux and Fedora have updated their PHP packages.
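To find hosts that still need the update, the following added example (not from the article or the PHP project) classifies PHP version strings against the fixed releases named above. The host names, the sample inventory and the `+example1` package suffix are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): flag hosts whose PHP version predates
# the fixed releases the article names: 7.4.30, 8.0.20 and 8.1.7.
# Assumption: the upstream version number reflects the patch level. Distro
# packages that backport fixes keep an older number and must be checked
# against the distribution's own advisory instead.

# php_fix_status VERSION -> prints vulnerable | fixed | not-covered
php_fix_status() {
    # Numeric part, e.g. "7.4.29-1+example1" -> "7.4.29"
    ver=$(printf '%s\n' "$1" | sed -n 's/^\([0-9]\{1,\}\.[0-9]\{1,\}\.[0-9]\{1,\}\).*/\1/p')
    if [ -z "$ver" ]; then echo "not-covered"; return 0; fi
    rest=${1#"$ver"}
    # Pre-release builds (RC, alpha, beta, -dev) are not releases the article lists.
    case "$rest" in
        ""|[-+~][0-9]*) ;;
        *) echo "not-covered"; return 0 ;;
    esac
    branch=${ver%.*}
    patch=${ver##*.}
    # First fixed patch level per maintained branch, as given in the article.
    case "$branch" in
        7.4) fixed=30 ;;
        8.0) fixed=20 ;;
        8.1) fixed=7 ;;
        *)   echo "not-covered"; return 0 ;;   # branch not named in the article
    esac
    if [ "$patch" -lt "$fixed" ]; then echo "vulnerable"; else echo "fixed"; fi
}

# scan_inventory: reads "host version" lines on stdin, prints hosts to patch.
scan_inventory() {
    while read -r host version; do
        if [ -n "$host" ] && [ "$(php_fix_status "$version")" = "vulnerable" ]; then
            echo "$host"
        fi
    done
    return 0
}

# Constructed sample inventory (hypothetical host names).
SAMPLE_INVENTORY='web01 7.4.29
web02 8.0.20
web03 8.1.6-1+example1
web04 8.1.7RC1
web05 7.3.33'
```

Run it with `printf '%s\n' "$SAMPLE_INVENTORY" | scan_inventory`; on a live host, `php -r 'echo PHP_VERSION;'` supplies the version string to pass to `php_fix_status`.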