The Center for Internet Security’s Multi-State Information Sharing and Analysis Center (MS-ISAC) on Friday issued a security advisory urging developers to upgrade to the latest version of PHP in order to patch an arbitrary code execution vulnerability that was found in the programming language.
“PHP is prone to a heap-based buffer overflow vulnerability because the application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer. Specifically, this issue exists in the ‘mb_eregi()’ function,” the advisory states. “Successfully exploiting this vulnerability could allow for arbitrary code execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploitation could result in a denial-of-service condition.”
Although there are no reports of this vulnerability being exploited in the wild, MS-ISAC assess the risk to government and business entities of all sizes to be high.
Including the aforementioned buffer overflow bug, the PHP development team’s Sept. 26 release of PHP version 7.3.10 repaired 10 bugs and delivered other improvements as well.