Friday, April 19, 2024

PHP: updates prevent malicious code injection


IT security researcher Charles Fol found two bugs in PHP's database modules that he was able to use to run his own code. The vulnerabilities affect all currently maintained PHP version trees, up to and including 7.4.29, 8.0.19 and 8.1.6.

The first vulnerability (CVE-2022-31625) affects the connection to PostgreSQL databases. Because an array used to store the parameters of a database query is not properly initialized, attackers can corrupt the heap by cleverly combining certain parameter types and ultimately execute their own (malicious) code on the target system. To exploit the bug, however, they must already be able to run their own PHP code on the target system.

The second security bug sits in PHP's MySQL connection and has been assigned the CVE ID CVE-2022-31626. Here Fol exploits a buffer overflow in PHP's own implementation of the MySQL protocol (the mysqlnd driver) to execute injected code.

Here too, a precondition must be met before malicious code can be injected: the target server must be made to connect to a specially prepared MySQL server, and that connection must use an unusually long password of more than 4,000 characters. In practice this means the attacker has to control both the database host and the password the PHP application connects with.

Security service provider Tenable has assigned both bugs a CVSS score of 9.8 (critical) and considers them exploitable remotely without authentication. Even under a more cautious assessment that takes the preconditions above into account, the holes still reach a score of 7.8 and therefore represent a high risk.

In the new PHP versions 7.4.30, 8.0.20 and 8.1.7 the PHP group has fixed both problems. Administrators who operate hosting servers in particular need to update quickly to reduce the risk of a server takeover. At the time of writing, however, only Alpine Linux and Fedora had updated their PHP packages. Note that distributions which backport fixes keep the upstream version number, so the package changelog, not `php -v` alone, is the authoritative source for whether a given package carries the fix.
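As an added check (example code, not from the article or from the PHP project): a small Python script that reads the first line of `php -v` output, maps the version to its branch and compares it with the fixed releases named above. Branches the article gives no fixed release for (such as the end-of-life 7.3 tree) are reported as "unlisted" rather than guessed at. The sample `php -v` outputs are constructed for the example.

```python
import re

# Fixed releases named in the article: the first release of each maintained
# branch that contains the fixes for CVE-2022-31625 and CVE-2022-31626.
FIXED_IN = {
    (7, 4): (7, 4, 30),
    (8, 0): (8, 0, 20),
    (8, 1): (8, 1, 7),
}

# The first line of `php -v` looks like "PHP 8.1.6 (cli) (built: ...)".
# Only the leading numeric triple is matched, so distribution suffixes such
# as "7.4.30-1+deb" are tolerated.
_VERSION_LINE = re.compile(r"^PHP\s+(\d+)\.(\d+)\.(\d+)", re.MULTILINE)


def parse_php_version(php_v_output):
    """Return (major, minor, patch) from the output of `php -v`."""
    m = _VERSION_LINE.search(php_v_output)
    if m is None:
        raise ValueError("no 'PHP x.y.z' line found in input")
    return tuple(int(part) for part in m.groups())


def assess(version):
    """Classify a (major, minor, patch) tuple against the fixed releases.

    Returns one of:
      "fixed"      - same branch as a fixed release, at or above it
      "vulnerable" - maintained branch below its fixed release
      "unlisted"   - branch the article names no fixed release for
                     (treat as unpatched unless the distribution says otherwise)
    """
    fixed = FIXED_IN.get(version[:2])
    if fixed is None:
        return "unlisted"
    # Tuple comparison orders (major, minor, patch) lexicographically.
    return "fixed" if version >= fixed else "vulnerable"


def report(php_v_output):
    """Parse `php -v` output and return a one-line verdict string."""
    version = parse_php_version(php_v_output)
    status = assess(version)
    text = ".".join(str(p) for p in version)
    fixed = FIXED_IN.get(version[:2])
    if fixed is None:
        return f"PHP {text}: {status} (no fixed release for this branch in the advisory)"
    fixed_text = ".".join(str(p) for p in fixed)
    return f"PHP {text}: {status} (branch fix release {fixed_text})"


# Constructed sample outputs, modelled on the format of `php -v`.
SAMPLES = {
    "vulnerable_81": "PHP 8.1.6 (cli) (built: May 10 2022 10:00:00) (NTS)\nCopyright (c) The PHP Group",
    "fixed_81": "PHP 8.1.7 (cli) (built: Jun 7 2022 10:00:00) (NTS)",
    "distro_74": "PHP 7.4.30-1+deb (cli) (built: Jun 8 2022 10:00:00) (NTS)",
    "eol_73": "PHP 7.3.33 (cli) (built: Nov 16 2021 10:00:00) (NTS)",
}

if __name__ == "__main__":
    for name, output in SAMPLES.items():
        print(f"{name:14s} {report(output)}")
```

On a real host, pipe `php -v` into `report()`; on shared hosting with several PHP builds (CLI, FPM, per-site binaries) run it once per binary, since each can sit on a different branch. A "fixed" verdict only says the version string is at or above the upstream fix release; as noted above, a distribution that backports the patch keeps the older version number, so a "vulnerable" result for such a package must be confirmed against its changelog.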


(DMK)


Ebenezer Robbins
