Monday, December 9, 2024

PHP: updates prevent malicious code injection

Date:

IT security researcher Charles Fol found two bugs in PHP database modules that he was able to use to run his own code. Vulnerabilities affect everyone PHP-Versions from currently maintained version trees up to and including 7.4.29, 8.0.19 Y 8.1.6.

The first vulnerability (CVE-2022-31625) affects the connection to postgreSQL databases. With an improperly initialized array to store parameters of a database query, attackers could corrupt the heap and execute their own (malicious) code on the target system if certain types of data were cleverly combined. However, to exploit the vulnerability, they should also be able to run their own PHP code on the target system.

The second security bug can be found in the PHP to MySQL connection and has been assigned CVE ID CVE-2022-31626. Here, Fol exploits a buffer overflow in PHP’s own implementation of the MySQL protocol to execute injected code.

However, a condition must also be met here in order to be able to inject malicious code: The target server must establish a connection to a specially prepared MySQL server, which also uses a particularly long password of more than 4,000 characters.

Security service provider Tenable has assigned both bugs a CVSS score of 9.8 (critical) and believes they can be exploited remotely without authentication. Even with a more cautious assessment, the security gaps still catch up with you score of 7.8 points and therefore represent a high risk.

in the new PHP versions 7.4.30, 8.0.20 and 8.1.7 the PHP group fixed both problems. Above all, administrators who operate hosting servers need to be up-to-date quickly to reduce the risk of a server takeover. However, at the time of this writing, only Alpine Linux and Fedora have updated their PHP packages.


(DMK)

to the home page

Ebenezer Robbins
Ebenezer Robbins
Introvert. Beer guru. Communicator. Travel fanatic. Web advocate. Certified alcohol geek. Tv buff. Subtly charming internet aficionado.

Share post:

Popular

More like this
Related

Practice Acrylic Nail Techniques Without Needing a Fake Hand

When you're starting your journey with acrylic nails, practice...

Inside the World of Common Snapping Turtles: Behavior and Habitat

The common snapping turtle (Chelydra serpentina) is one of...

How to Use Video Marketing to Promote B2C Products?

Video marketing has emerged as a powerful tool for...

Adapting to Change: The Future for Leopard Tortoise Environments

Leopard tortoises, known for their striking spotted shells and...