With this PHP bug even a school kid could take control of your servers

Web application security specialists have reported a security vulnerability in the PHP programming language. PHP is one of the most widely used technologies on the Internet, as it is the cornerstone of content management systems (such as WordPress and Drupal), as well as of some web applications, such as Facebook.

The latest iteration of this web development language, PHP 7, contains a serious remote code execution (RCE) vulnerability, as stated by Emil Lerner, a researcher based in Russia.

According to the web application security expert, if exploited, the CVE-2019-11043 vulnerability would allow a threat actor to force the execution of their own arbitrary code on a remote server simply by accessing a URL crafted for this purpose. “A hacker would only require adding the characters ‘?a’ to the targeted website address, in addition to the malicious payload,” the expert, also known as ‘Neex’, mentions.

Moreover, a report published on the specialized platform ZDNet mentions that this flaw makes it ridiculously easy to compromise the security of a website, since even a user with no hacking knowledge beyond some basic concepts could exploit it. However, it is not all bad news, as web application security experts mention that the vulnerability only seems to affect deployments that use the NGINX web server with the PHP-FPM extension, an updated version of FastCGI.

Although neither of these components is essential to using PHP 7, their use remains very common, especially in commercial environments. For example, productivity software vendor NextCloud uses PHP 7 with NGINX and PHP-FPM. The company’s customers have been alerted and were asked to install the latest PHP version update as soon as possible.

If website administrators are unable to update their PHP installations, web application security experts from the International Institute of Cyber Security (IICS) recommend setting a rule in their mod_security firewall.
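To decide which servers need the update or the firewall rule first, the following added example (not code from this article, PHP or NGINX; the sample configuration is constructed) flags NGINX `location` blocks that match the conditions the public advisory for CVE-2019-11043 lists for affected setups. Those conditions come from the advisory rather than from this page: the block forwards to PHP-FPM, splits the path with `fastcgi_split_path_info`, passes `PATH_INFO`, and has no file-existence check.

```python
import re

# Constructed sample configuration (not taken from any real server).
SAMPLE = r"""
server {
    location / { try_files $uri $uri/ /index.php?$args; }   # static, no FastCGI
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass unix:/run/php-fpm.sock;
    }
    location ~ ^/api/.+\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        if (!-f $document_root$fastcgi_script_name) { return 404; }
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass unix:/run/php-fpm.sock;
    }
}
"""

# Conditions for an affected location block, per the public advisory.
SPLIT = re.compile(r"fastcgi_split_path_info\s+\^\S*\$\s*;")
PATH_INFO = re.compile(r"fastcgi_param\s+PATH_INFO\s+\$fastcgi_path_info\s*;")
# A file-existence check (try_files, or if with -f / -e) before handing off to PHP-FPM.
GUARD = re.compile(r"\btry_files\s|\bif\s*\(\s*!?\s*-[fe]\s")

def location_blocks(conf):
    """Yield (header, body) for each location block, matching braces by depth."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments (naive: ignores quoted '#')
    for m in re.finditer(r"\blocation\b([^{;]*)\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1).strip(), conf[m.end():i - 1]

def audit(conf):
    """Return headers of PHP-FPM locations that split PATH_INFO with no guard."""
    findings = []
    for header, body in location_blocks(conf):
        if "fastcgi_pass" not in body:
            continue  # block is not forwarded to a FastCGI backend
        if SPLIT.search(body) and PATH_INFO.search(body) and not GUARD.search(body):
            findings.append(header)
    return findings

if __name__ == "__main__":
    for header in audit(SAMPLE):
        print("review and patch first: location", header)
```

Run it over the fully expanded configuration (the output of `nginx -T`), since these directives often live in included snippet files. A clean result is a heuristic for prioritizing, not a substitute for installing the PHP update.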

This vulnerability is highly serious, as multiple environments are at risk and exploiting it is not a complex process. Furthermore, while there are workarounds and security patches, this does not mean that the risk of exploitation is fully mitigated. A clear example of this is the OpenSSL Heartbleed vulnerability: although more than two years have passed since its detection, hundreds of thousands of servers remain vulnerable to exploitation.

As if that weren’t enough, the evidence collected so far suggests that threat actors have already exploited this vulnerability in the wild, targeting a specific group of organizations, so it is vital that website administrators implement all possible mitigation measures.