A PHP bug initially dismissed as posing no security threat could potentially enable code execution outside the sandbox in shared-server environments, a new exploit has revealed.
Discovered in the popular website language nearly two years ago, the vulnerability can allow attackers to execute arbitrary code by bypassing restrictions implemented using PHP’s .
The initial bug report, posted on PHP’s public bug tracker in March 2018, had suggested that the flaw would simply cause the program to crash.
But in a post published on GitHub yesterday (January 30) a researcher (who did not give their real name) said their exploit could “trick [the function] into returning a reference to a variable that has been destroyed, causing a use-after-free vulnerability.”
Share and enjoy
Shared hosting, which allows multiple websites to share a single server, offers a cost-effective alternative to dedicated servers but is generally seen as less secure, and is falling out of fashion amid the rise of cloud services.
In response to the exploit, another PHP user said on the PHP bug report thread that “this bug needs to be fixed ASAP”, claiming that “people are already exploiting it in the wild.”
However, a PHP employee (‘Stas’) then downplayed the flaw’s ramifications: “I see that the specific code can trigger UAF, but there’s no security issue there, it’s just a regular crash.”
This view was apparently rejected by the PHP security team, since a patch landed the very next day (January 31).
Pending the patch’s public release, shared hosting vendors could “use to disable ”, according to PHP user Maarten de Boer (‘cursingcucumber’), writing on a Reddit thread discussing the exploit.
While the exploit is apparently effective against all versions of PHP between 7.0 and 7.4, vendors running versions older than 7.4 might need to first update to the current latest version, since, de Boer said, “it appears to be harder to blacklist the method of the Exception class for PHP < 7.4.”
The researcher (mm0r1) who developed the exploit said the proof of concept “was tested on various PHP builds for Debian/Ubuntu/CentOS/FreeBSD with cli/fpm/apache2 server APIs and found to work reliably.”
PHP’s was also bypassed in a similar way by a hack using an imap_open exploit in November 2018.
OWASP has issued recommendations, echoed in the PHP advice from many hosting providers, that such risky PHP functions should be disabled unless required.
The Daily Swig has invited the PHP security team and researcher who developed the exploit to comment further.