Originally released in 2015, PHP 7 provided programmers and developers with an array of features they still rely on today. There are also plenty of online resources covering PHP and common questions about it, so users can easily find the information they are looking for.
While PHP 7 is a great tool and provides services needed by both individuals and businesses, it isn’t completely free from problems. In particular, PHP 7 has been hit by several zero-day flaws that presented serious issues for users.
While any program or software is bound to have issues, knowing where a tool like this has had them makes them easier to find and address. It’s also helpful to know what some of the most common problems are. Keep reading to learn more.
Zero-Day Vulnerability Explained
Before diving into the specific issues a person may have using PHP 7, it’s important to understand what a zero-day vulnerability is. A zero-day vulnerability is a flaw in software that is unknown to the vendor (or has only just become known), sometimes resulting from incorrect configurations, programming errors, or an array of other issues.
It is referred to as “zero-day” because it was only recently discovered, and the vendor has had “zero days” to build and release a patch. What this means is that the software, and virtually everyone using it, is vulnerable. It also means that teams must work quickly to patch the zero-day flaws that are found. If they fail to do this, exploiters or hackers will try to take advantage of them.
3 Zero-Day Vulnerabilities in PHP 7
As mentioned above, any software is vulnerable to zero-day issues, including PHP 7. Three of the issues that have been discovered are described below.
1. CVE-2016-7479 – Use-After-Free Code Execution
In all versions of PHP 7, during the unserialization process, resizing the “properties” hash table of a serialized object may result in a use-after-free. Remote attackers may exploit this bug and achieve arbitrary code execution.
2. CVE-2016-7480 – Use of Uninitialized Value Code Execution
In ext/spl/spl_observer.c, the SplObjectStorage unserialize implementation in PHP prior to 7.0.12 does not verify that a key is an object. As a result, an attacker can execute arbitrary code or, in some cases, cause a denial of service by way of crafted serialized data.
3. CVE-2016-7478 – Remote Denial of Service
For PHP versions 5.x before 5.6.28 and 7.x before 7.0.13, Zend/zend_exceptions.c lets attackers cause a denial of service (an infinite loop) through serialized data containing a crafted Exception. This issue is related to CVE-2015-8876.
What are the Dangers if the Zero-Day Vulnerabilities Aren’t Patched?
If the vulnerabilities were not patched and a hacker exploited them, it could spell disaster for a user’s web page or website. Some of these exploits would have allowed a hacker to take full control of the server, and with that control comes the ability to do a great deal of damage.
One of the flaws may also have allowed the hacker to mount a DDoS attack on your website, which would have put you out of commission. In addition to the back-end damage, there are other dangers that may arise. You may lose users, face lawsuits, and even lose millions of dollars as a result of the data breach or hack.
Security Tips for PHP 7
There is good news. There are now an array of tips and tools available to help make your application or site safer and more secure against these types of exploits. One of the most important things you need to do is keep your software updated. Vendors regularly release fixes and patches in new versions, so make sure you update your software, your OS, and anything else right away.
Also, make sure that you use safe and secure coding practices. Anyone working within your code should know what they are working with. If they don’t, mistakes may occur, and the resulting vulnerability may only be discovered after a breach.
If possible, use tools that can analyze your code both dynamically and statically. This gives you more thorough checks of your sites and applications, confirming that no known vulnerabilities are present and, if any are, notifying you so you can take care of the issue.
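All three flaws above are reached through unserialize() on data an attacker controls, so a concrete secure-coding practice is to never hand untrusted input to the full unserializer. The following is an added example written for this post, not code from the original article or from the PHP project; the fixed version numbers (5.6.28 and 7.0.13) come from the text above, while the helper names and the sample inputs are constructed for illustration. It shows a version check against the patched releases, a wrapper that uses the allowed_classes option (available since PHP 7.0) so that no object-specific unserialize handler runs, and the simpler alternative of exchanging JSON instead of serialized PHP values.

```php
<?php
// Added example: defensive handling of serialized input in PHP 7.
// Not code from the original post. Version thresholds come from the post;
// function names and sample payloads are constructed for illustration.

declare(strict_types=1);

/**
 * True when the running PHP is at or above the release that shipped the
 * fixes for the unserialize flaws discussed in the post.
 */
function phpHasUnserializeFixes(string $version = PHP_VERSION): bool
{
    if (version_compare($version, '7.0.0', '>=')) {
        return version_compare($version, '7.0.13', '>=');
    }
    return version_compare($version, '5.6.28', '>=');
}

/**
 * Deserialize data that arrived from outside the application without letting
 * it instantiate arbitrary classes. With allowed_classes => false every object
 * in the payload becomes __PHP_Incomplete_Class, so __wakeup() and
 * Serializable::unserialize() handlers are never invoked. This limits the
 * attack surface; it is not a substitute for running a patched release.
 */
function unserializeUntrusted(string $data)
{
    if (!phpHasUnserializeFixes()) {
        // Assumption: refusing is preferable to exercising an unpatched code path.
        throw new RuntimeException('PHP ' . PHP_VERSION . ' lacks the unserialize fixes; upgrade first');
    }
    $value = @unserialize($data, ['allowed_classes' => false]);
    // unserialize() returns false both for malformed input and for a
    // serialized false, so distinguish the two before rejecting.
    if ($value === false && $data !== serialize(false)) {
        throw new InvalidArgumentException('malformed serialized data rejected');
    }
    return $value;
}

/**
 * Preferred for client-supplied data: JSON cannot carry objects with custom
 * unserialize handlers at all, so the vulnerable code paths are never reached.
 */
function decodeUntrustedJson(string $json, int $maxDepth = 32)
{
    $value = json_decode($json, true, $maxDepth);
    if (json_last_error() !== JSON_ERROR_NONE) {
        throw new InvalidArgumentException('invalid JSON: ' . json_last_error_msg());
    }
    return $value;
}

// Constructed sample inputs.
$plainArray = serialize(['user' => 'alice', 'roles' => ['editor']]);
var_dump(unserializeUntrusted($plainArray));       // scalars and arrays pass through

$withObject = 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}';
var_dump(unserializeUntrusted($withObject));       // object demoted to __PHP_Incomplete_Class

var_dump(decodeUntrustedJson('{"user":"alice","roles":["editor"]}'));
```

If the application genuinely needs objects back from serialized input, pass an explicit whitelist (for example ['allowed_classes' => ['App\\Dto\\Session']]) rather than true, and keep the version check so that deployments on releases older than 7.0.13 fail loudly instead of silently running the vulnerable unserializer.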