Immediate PHP Update Required Due to Multiple Vulnerabilities

Bar Refael

April 15, 2024

The PHP development team has urgently addressed multiple vulnerabilities impacting versions 8.1.28, 8.2.18, and 8.3.6 with newly released security patches. These updates are critical as they mitigate severe risks including command injection, session hijacking, and service disruptions.

Vulnerability Highlights:

  • CVE-2024-1874: A critical vulnerability due to improper command-line handling on Windows systems that allows attackers to inject arbitrary commands. This could lead to full system takeovers if PHP applications execute batch (.bat) or command (.cmd) files.
  • CVE-2024-2756: A medium severity vulnerability due to an incomplete fix to a previous patch that could allow attackers to set malicious cookies, potentially hijacking user sessions or launching cross-site attacks.
  • CVE-2024-3096: A low severity flaw that could allow attackers to bypass password authentication in systems using password_hash, specifically if a user’s password starts with a null byte.
  • CVE-2024-2757: A high severity vulnerability where certain inputs to the mb_encode_mimeheader function could trigger infinite loops, potentially causing denial-of-service attacks by disrupting email processing.

Action Steps:

  • Immediate Update: Administrators and users must update to the latest PHP versions without delay.
  • Secure Coding Practices: Developers should audit code, particularly around command-line interfaces, cookie management, and email functions.
  • Continuous Monitoring: Stay updated on security patches and potential vulnerabilities via reliable cybersecurity channels.

For detailed update procedures and more information on mitigations, visit the official PHP website or contact your service provider. This proactive approach is essential to safeguard systems against these identified risks and maintain operational security.

Stay Secure. Stay Informed.

OP Innovate Research Team.

Under Cyber Attack?

Fill out the form and we will contact you immediately.

Get OP Innovate CTI Alerts

Leave your email and get critical updates and alerts straight to your inbox