Pierluigi Paganini September 06, 2019

Maintainers at the PHP programming language have released new versions that address multiple flaws, including some code execution issues.

The development team behind the PHP programming language recently released new versions of PHP to address multiple high-severity vulnerabilities in its core and bundled libraries.

The most severe flaw could be exploited by a remote attacker to execute arbitrary code on targeted servers.

PHP is used by more than 79% of all the websites whose server-side programming language we know. So almost 8 out of every 10 websites that you visit on the Internet are using PHP in some way.

The latest releases include PHP version 7.3.9, 7.2.22 and 7.1.32, and address multiple security vulnerabilities.

Some of the issues could be exploited by an attacker to execute arbitrary code in the context of the affected application with associated privileges.

The exploitation of some issues could also trigger a denial of service (DoS) condition on the vulnerable systems. The flaws affect several components, including curl extension, Exif function, FastCGI Process Manager (FPM), Opcache feature, and more.

One of the vulnerabilities, tracked as CVE-2019-13224, is a ‘use-after-free’ code execution issue that affects the Oniguruma regular expression library. Oniguruma is a BSD licensed regular expression library that supports a variety of character encodings, it is bundled in several programming languages, including PHP.

A remote attacker can trigger this flaw by using a specially crafted regular expression, potentially leading to code execution or causing information disclosure.

“A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression.” reads the security advisory published by Red Hat. “The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe(). Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust.”

Users and admins are strongly recommended to upgrade their servers to the latest PHP version 7.3.9, 7.2.22, or 7.1.32.

According to the experts, none of the addressed issues have been exploited by threat actors in attacks in the wild.

Pierluigi Paganini

(SecurityAffairs – hacking, RCE)

[adrotate banner=”5″]

[adrotate banner=”13″]