Security researchers at Check Point Software Technologies have discovered three new zero-day vulnerabilities in PHP 7, the most recent release of the web programming language that powers more than 80% of websites.
Check Point’s Yannay Livneh said he and his fellow researchers spent several months examining PHP 7, with a priority focus on the unserialize mechanism, a notoriously insecure function that was previously exploited in PHP 5, allowing hackers to compromise popular platforms such as Magento, vBulletin, Drupal, Joomla!, Pornhub’s website, and other web servers by sending malicious data in client cookies or to exposed API calls.
“Throughout our investigation, we discovered three fresh and previously unknown vulnerabilities (CVE-2016-7479, CVE-2016-7480, CVE-2016-7478) in the PHP 7 unserialize mechanism,” Livneh wrote.
The first two vulnerabilities let hackers take full control over servers, “allowing them to do anything they want with the website, from spreading malware to defacing it or stealing customer data,” says Livneh. The last vulnerability can be used for a Denial of Service (DoS) attack that shuts down the targeted website.
Check Point reported the three vulnerabilities to the PHP security team on the 6th of August and the 15th of September, according to the post.
The PHP security team issued fixes for two of the vulnerabilities on the 13th of October and 1st of December. Check Point recommends upgrading to the latest version of PHP to ensure your web server’s security.