Researchers Discover 3 Zero-Day Vulns in PHP 7, Exposing Millions of Websites to Attack

Security researchers at Check Point Software Technologies have discovered three new zero-day vulnerabilities in PHP 7, the most recent major release of the web programming language that powers more than 80% of websites.

Check Point’s Yannay Livneh said he and his fellow researchers spent several months examining PHP 7, focusing on the unserialize mechanism, a notoriously unsafe function that was previously exploited in PHP 5 to compromise popular platforms such as Magento, vBulletin, Drupal, Joomla!, and Pornhub’s website, among other web servers, by sending malicious serialized data in client cookies or to exposed API calls.
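The attack pattern described above, as an added illustration that is not part of the article or of Check Point’s research: a PHP application that hands cookie data straight to unserialize() lets the client choose which classes are instantiated and which magic methods run, while the two hardened variants either refuse to instantiate classes or stop accepting serialized PHP from clients at all. The CacheFile class, the cookie name, and the secret are hypothetical and exist only to make the example self-contained.

```php
<?php
// Added example (not from the article or Check Point's research).
// A cookie is attacker-controlled, so unserialize() on it is PHP object
// injection: the client picks the classes and the magic methods that run.

class CacheFile
{
    public $path;

    // Hypothetical "gadget": runs when the object is destroyed, so simply
    // instantiating CacheFile with an attacker-chosen $path deletes a file.
    public function __destruct()
    {
        if ($this->path !== null && file_exists($this->path)) {
            unlink($this->path);
        }
    }
}

// Vulnerable: whatever the client puts in the "session" cookie is unserialized
// as-is. A cookie such as O:9:"CacheFile":1:{s:4:"path";s:11:"/etc/passwd";}
// creates a CacheFile whose __destruct() runs with the attacker's path.
function loadSessionVulnerable(array $cookies)
{
    return unserialize($cookies['session'] ?? 'a:0:{}');
}

// Hardened, option 1 (PHP 7.0+): allowed_classes => false. Any object in the
// payload becomes __PHP_Incomplete_Class and no magic method runs. The
// unserialize() parser itself is still exposed to input, so this does not
// substitute for patching bugs inside the parser.
function loadSessionSafer(array $cookies)
{
    return unserialize($cookies['session'] ?? 'a:0:{}', ['allowed_classes' => false]);
}

// Hardened, option 2: never accept serialized PHP from clients. Carry session
// state as JSON and authenticate it with an HMAC so tampered cookies are
// rejected before any parsing happens. $secret is assumed to come from config.
function encodeSession(array $data, string $secret): string
{
    $json = json_encode($data);
    return $json . '.' . hash_hmac('sha256', $json, $secret);
}

function loadSessionJson(array $cookies, string $secret)
{
    $cookie = $cookies['session'] ?? '';
    $dot = strrpos($cookie, '.');
    if ($dot === false) {
        return null;
    }
    $json = substr($cookie, 0, $dot);
    $mac  = substr($cookie, $dot + 1);
    // Constant-time comparison; a forged or modified cookie fails here.
    if (!hash_equals(hash_hmac('sha256', $json, $secret), $mac)) {
        return null;
    }
    $data = json_decode($json, true);
    return is_array($data) ? $data : null;
}

// Constructed demo input: a cookie carrying an attacker-built CacheFile object.
$evil = ['session' => 'O:9:"CacheFile":1:{s:4:"path";s:11:"/etc/passwd";}'];

// With allowed_classes disabled the result is an incomplete-class stub, so the
// __destruct() gadget never executes.
$obj = loadSessionSafer($evil);
var_dump($obj instanceof __PHP_Incomplete_Class);

// The JSON+HMAC scheme accepts a cookie it minted and rejects the hostile one
// without ever reaching a deserializer.
$secret = 'example-secret-from-config';
$good = ['session' => encodeSession(['user' => 'alice'], $secret)];
var_dump(loadSessionJson($good, $secret));
var_dump(loadSessionJson($evil, $secret));
```

The allowed_classes option stops gadget chains but still feeds untrusted bytes to the serialization parser, which is exactly the component the Check Point findings concern; that is why the article’s advice to upgrade PHP stands on its own, independent of how the application uses unserialize().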

“Throughout our investigation, we discovered three fresh and previously unknown vulnerabilities (CVE-2016-7479, CVE-2016-7480, CVE-2016-7478) in the PHP 7 unserialize mechanism,” Livneh wrote.

The first two vulnerabilities let attackers take full control of affected servers, “allowing them to do anything they want with the website, from spreading malware to defacing it or stealing customer data,” says Livneh. The third lets an attacker mount a Denial of Service (DoS) attack that shuts down the targeted website.

Check Point reported the three vulnerabilities to the PHP security team on August 6 and September 15, according to the post.

The PHP security team issued fixes for two of the vulnerabilities on October 13 and December 1, and Check Point recommends upgrading to the latest version of PHP to keep your web server secure.

Jeff Edwards
Jeff Edwards is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in Journalism from the University of Massachusetts Amherst, and previously worked as a reporter covering Boston City Hall.