PHP

2019: The vulnerability giving an opportunity of remote cracking

On October 27, 2019 it became known that in a branch of PHP 7 dangerous vulnerability (CVE-2019-11043) giving to malefactors an opportunity to execute commands on the server is revealed, using specially created URL.

According to experts, the bug is already actively used in the attacks. Process of its operation quite simple, besides a problem is aggravated with the fact that earlier on the GitHub portal the PoC-code for determination of vulnerable servers was placed. How did specialists explain, having detected the vulnerable server, "attacking can send specially created requests, having added'? a=' in URL".

It is noted that the problem extends only to NGINX servers with the included PHP-FPM (the software package for processing of scripts in the PHP language). The nginx configurations where probros in PHP-FPM if is performed with separation of parts of URL by means of "fastcgi_split_path_info" and determination of a variable of an environment of PATH_INFO, but without preliminary check of existence of the file the directive "$fastcgi_script_name try_files" or construction "are vulnerable (! - $document_root$fastcgi_script_name f)". Example of a vulnerable configuration:

Using specially created URL attacking can achieve pointer path_info shift on the first byte of structure of _fcgi_data_seg. Record of zero in this byte will lead to movement of the pointer 'char * pos' on earlier following area of memory caused by FCGI_PUTENV rewrites some data (including other ast cgi variables), - it is specified in the description of vulnerability.

Using this equipment the malefactor can create the dummy PHP_VALUE fcgi variable and achieve accomplishment of the code.

Developers released a patch for this vulnerability on October 25, 2019. To all users it is strongly recommended to be updated to versions of PHP 7.3.11 and PHP 7.2.24^[1].

2018: 62% of all websites risk to be cracked because of the stopped updates of PHP

In October, 2018 it became known that a large number of the websites on the Internet are in a risk zone because of the forthcoming termination of release of updates for outdated versions of PHP.

According to the ZDNet edition with reference to data of W3Techs, to the middle of October, 2018 works for PHP in total 78.9% of web resources. On December 31 support of PHP 5.6.x therefore all branch of PHP 5.x will begin to disappear comes to the end.

By October 14 of 62% of the websites use versions of PHP 5.x which will cease to be updated at the beginning of 2019. Thus, hundreds of millions of resources can get under cracking threat if hackers find vulnerabilities in outdated versions of this scripting language. Such faults will not be eliminated, since January 1.

It is a huge problem for PHP ecosystem — the director of developments of Paragon Initiative Enterprise Scott Arciszewski says. — Though many consider that they cannot so just take and refuse here PHP 5 in 2019, such solution [to stop support of old versions of PHP] it is possible to call careless.

According to the expert, any large operated vulnerabilities in PHP 5.6 for certain will mention also newer versions. PHP 7.2 will regularly receive free patches from the PHP command, and in case of PHP 5.6 it will be possible to receive updating, only if the user pays for the continuing support to OS producer, Artsishevski noted.

It is curious that among the most popular content management systems (WordPress, Joomla and Drupal) only Drupal officially raised the minimum requirements for CMS to PHP 7. This rule will become effective in March, 2019. To the middle of October of the 2018th Joomla requires work of the website on the version PHP 5.3, and the minimum requirement of WordPress — PHP 5.2 is not more senior.^[2]

2016

Alpha testing of PHP 7.1

On June 10, 2016 the development team of PHP announced readiness for testing of the first alpha of a considerable branch of PHP programming language 7.1. The release is expected in November, 2016^[3].

Significant changes

• The type of a returned value void indicating that function did not return value is added;
• At the indication of shift in a line it is possible to specify now negative values, the position in line for which will be calculated concerning a line end. For example, for the line 'abcdef' of $str [-2] will return "e";
• The option of construction list () is added in which keys can be set. For example: "list (1 => $oneBit, 2 => $twoBit, 3 => $threeBit) = $powersOfTwo";
• Expression" [] =" which acts as a construction alternative "list () = is added". For example, instead of "list ($a, $b, $c) = array(1, 2, 3)" can be specified now" [by $a, $b, $c] = [1, 2, 3]";
• The system of error output and warnings in case of use in mathematical expressions of the lines which are not transformed to number is implemented. For example, "10 apples" + "5 pears" will lead to an error output "Notice: A non well formed numeric string encountered in example.php on line 3", and 5 * "orange" to "Warning: A non-numeric string encountered in example.php on line 3";
• Possibility of processing of several types of exceptions in one expression of catch;
• Support of determination of visibility for constants in a class. Constants can decide on flags of public, private and protected now;
• Possibility of use of a question mark for a mark of types which can accept null value.

The adjusting release of PHP 7.0.2

On January 7, 2016^[4] adjusting releases of PHP programming language 7.0.2, 5.6.17 and 5.5.31^[4] became available].

About 30 changes were a part of releases, six vulnerabilities are eliminated:

• buffer overflow in the escapeshell functions,
• incorrect processing of types in XMLRPC,
• two problems with change of streamlining of packets in the WDDX expansion,
• possibility of reading from areas outside the buffer in gdImageRotateInterpolated,
• buffer overflow in FPM.

At the same time it is eliminated several errors leading to falling of the interpreter and the problem with incorrect cleaning of outdated sessions in the Session expansion is solved.

2015

Release of PHP 7.0.0

On December 3, 2015 the official release of PHP PHP 7.0.0 is released. The changes prepared within^[5] went to it].

This branch differs in considerable processing of a number of subsystems, portion of additional opportunities and existence of the changes breaking compatibility. The jump in version number emphasizes relevancy of release and contacts transition to change in an order of numbering of releases where developers left from excess digit in the main releases (7.0 instead of 5.7.0).

Changes in PHP 7:

• Significant performance improvement, thanks to application of new methods of the organization of work with memory and transition to new structures of data storage. In some PHP tests 7 PHP 5.6 is up to two times faster;
• Complete support of 64-bit types on the 64-bit systems. Including a possibility of use of lines, the size to 2^31 byte, support of 64-bit integer values during the work in Windows, support of big files in 64-bit assemblies.
• Possibility of processing through exceptions of many errors which were earlier leading to forced completion of work;
• New operator"??", allowing to define alternative value if primary subject to assignment is not defined. For example, for assignment of blank line if the element of associative array instead of isset ($ _GET ['mykey']) is not filled now? $ _GET ['mykey']:' 'it is possible to specify $ _GET ['mykey']?? "";
• Possibility of explicit definition of the scalar int, float, string and bool types for arguments and values of functions (for example, "function foo ($abc int): int").
• The mode of tough check of types included by the directive "declare(strict_types=1)" at which mismatch of type of the value transferred to function or returned by function will lead to an error.
• The new operator of the combined comparison "<=>" with implementation of the behavior similar to strcmp () and version_compare (), but through use of standard syntax of comparison operators. In particular, the new operator allows not only to check identity of operands, but also to estimate what of them more than another (0 - are equal, 1 - left it is more,-1 - right it is more);
• Support of anonymous classes;
• Support of grouping of determinations in use operator (for example, use Doctrine\Common\Collections\Expr\{ Comparison, Value, CompositeExpression } ;);
• New Closure method:: call ();
• Additional sintaks for embedding of unicode-lines \u {xxxxxx};
• Support of a task of arrays of constants in define operator ();
• Possibility of use of the reserved key word in new contexts (for example, it is possible to define the forEach function and it will not be crossed with foreach operator);
• Syntax "yield from expression" for delegation by fuktsiyami-generators of transactions in the moved objects and arrays.
• Support of the ALPN TLS expansion (Application-Layer Protocol Negotiation) for review of protocols of level of the applications used for ensuring the protected connection is added to addition of openssl. It is used in SPDY and HTTP/2;
• Unification of syntax of determination of variables and transition to use of AST (Abstract Syntax Tree). Change of some redkoispolzuyemy semantics of combination of variables (for example, $foo-> $bar ['baz'] is interpreted now as ($foo-> $bar) ['baz'], but not $foo-> { by $bar ['baz'] }).
• The termination of support of designers in PHP style 4 in whom the name of the designer matches class name. Support of static calls of nonstatic methods is also stopped;
• The termination of support of the old and not supported calls of SAPI and expansions: sapi/aolserver, sapi/apache sapi/apache_hooks, sapi/apache2filter, sapi/caudium, sapi/continuity, sapi/isapi, sapi/milter, sapi/nsapi, sapi/phttpd, sapi/pi3web, sapi/roxen, sapi/thttpd, sapi/tux, sapi/webjames, ext/mssql and ext/sybase_ct;

Preannouncement of PHP 7

On April 23, 2015 Rasmus Lerdorf, the creator of the scripting PHP language, announced at the O'Reilly Fluent conference the future release of the new version, saying that high-speed performance of the environment increased more than twice: according to him, such acceleration was observed in real^[6].

Exit of the first candidate release of PHP 7 is planned for June, 2015, the final version — in October, 2015.

Character of PHP 7, 2015

PHP 7 is based on a branch of phpng created for elimination of the defects connected with structures and data types, memory management. As Lerdorf emphasized, PHP 7 spends more economically server resources therefore it is necessary to upgrade to version 7 "to all who use a large number of servers".

PHP 7 is based on an abstract syntax tree by means of what, according to the creator of language, development of auxiliary tools, static analysis and profiling of the code becomes simpler. Functions in PHP 7 can return arrays, strict typification is entered.

In this version some PHP functions 4 will not be supported, Lerdorf so the code of twelve-year prescription can not fulfill in the new version of the interpreter noted.

The first alpha of PHP 7 became available to testing

On June 11, 2015 the development team announced availability to testing of a branch of PHP programming language 7.0.0 of Alpha 1. The release is planned for November 12, 2015^[7].

Significant changes:

• Significant performance improvement, by means of application of new methods of the organization of work with memory and transition to new structures of data storage. In some PHP tests 7 PHP 5.6 is up to two times faster;

• Complete support of 64-bit types on the 64-bit systems. Including, a possibility of use of lines the size to 2^31 byte, support of 64-bit integer values during the work in Windows, support of big files in 64-bit assemblies.

• Possibility of processing through exceptions of many errors which were earlier leading to forced completion of work;

• New operator"??", allowing determination of alternative value if primary subject to assignment is not defined. For example, for assignment of blank line if the element of associative array instead of isset ($ _GET ['mykey']) is not filled now? $ _GET ['mykey']:' 'it is possible to specify $ _GET ['mykey']?? "";

• The possibility of explicit definition of the scalar int, float, string and bool types for arguments and values of functions is implemented (for example, "function foo ($abc int): int").

• The mode of tough check of types included by the directive "declare(strict_types=1)" at which mismatch of type of the value transferred to function or returned by function will lead to an error.

• The new operator of the combined comparison "<=>" with implementation of the behavior similar to strcmp () and version_compare (), but through use of standard syntax of comparison operators. In particular, the new operator allows not only to check identity of operands, but also to estimate what of them more than another (0 - are equal, 1 - left it is more,-1 - right it is more);

• Support of anonymous classes;

• Support of grouping of determinations in use operator (for example, use Doctrine\Common\Collections\Expr\{ Comparison, Value, CompositeExpression } ;);

• New Closure method:: call ();

• Additional sintaks for embedding of unicode-lines \u {xxxxxx};

• Support of a task of arrays of constants in define operator ();

• Possibility of use of the reserved key word in new contexts (for example, it is possible to define the forEach function and it will not be crossed with foreach operator);

• New syntax "yield from expression" for delegation by fuktsiyami-generators of transactions in the moved objects and arrays.

• TLS expansion support I ALPN (Application-Layer Protocol Negotiation) for review of protocols of level of the applications used for ensuring the protected connection is added to addition of openssl. It is used in SPDY and HTTP/2;

• Unification of syntax of determination of variables and transition to use of AST (Abstract Syntax Tree). Change of some seldom used semantics of combination of variables (for example, $foo-> $bar ['baz'] is interpreted now as ($foo-> $bar) ['baz'], but not $foo-> { by $bar ['baz'] }). Rather large portion of the changes breaking compatibility;

• The termination of support of the old and not supported calls of SAPI and expansions: sapi/aolserver, sapi/apache sapi/apache_hooks, sapi/apache2filter, sapi/caudium, sapi/continuity, sapi/isapi, sapi/milter, sapi/nsapi, sapi/phttpd, sapi/pi3web, sapi/roxen, sapi/thttpd, sapi/tux, sapi/webjames, ext/mssql and ext/sybase_ct;

Correction of versions of PHP 5.6.10, 5.5.26 and 5.4.42 is carried out

On June 11, 2015 it became known of release of the adjusting releases of PHP programming language 5.6.10, 5.5.26 and 5.4.42 where eight vulnerabilities are eliminated and about ten errors are corrected.

• Protection against substitution of additional headings is added to the mail function ().

• In the FTP expansion integer overflow which can lead to accomplishment of the code is eliminated.

• As escapeshellarg the vulnerability allowing to perform substitution of commands of the operating system when shielding special characters in arguments to the system function is eliminated ().

• Two vulnerabilities are eliminated in the PCRE expansion (CVE-2015-2325, CVE-2015-2326) and three in Sqlite3 (CVE-2015-3414, CVE-2015-3415, CVE-2015-3416).

Update of PHP 5.4.44, 5.5.28 and 5.6.12. 12 vulnerabilities are eliminated

On August 7, 2015 the adjusting releases of PHP 5.6.12, 5.5.28 and 5.4.44 where twelve vulnerabilities are eliminated became available, the error packet^[8] is corrected].

The most part of vulnerabilities can lead to failure in service and is shown in additions (SPL, GD, SOAP, ODBC and OpenSSL). Vulnerability is revealed also in the code of work with directories. It was not without vulnerabilities in function of seriality of data (unserialize) - 69793 and 70121.

Together with it developers announced approach by the end of a cycle of support of a branch of PHP 5.4 (the last release is expected in September or October, 2015), about transfer of a branch of PHP 5.5 in a stage of final maintenance within which error correction of a vista shot stops and only vulnerabilities are eliminated.

2014: The websites for PHP were the hackablest

An attack on the corporate website not only breaks work of on-line services and hurts reputation of owners, but often becomes the first stage of cracking of internal networks of the large companies. At the same time, according to a research of Positive Technologies company, recently the quantity of the websites with vulnerabilities of a high risk considerably increased. Researchers revealed the most widespread vulnerabilities and estimated, methods of their detection are how effective.

In total during the tests according to the analysis of security which were carried out by the company in 2013 about 500 websites were studied, for 61 of them more profound analysis was carried out. A considerable part of the studied portals belonged to banks — because of the become frequent attacks in this sphere. Also demand for the analysis of security of the websites of media increased that is connected with loud cases of their cracking and distribution of misinformation. Besides, the websites of public institutions, industrial enterprises and telecommunication companies were investigated.

It became clear that 62% of the websites in 2013 contained vulnerabilities of a high risk. This indicator is significantly higher last year's (45%). Most of all applications with vulnerabilities of a high risk were revealed on the websites of media (80%). As for the websites of remote banking, any of the studied RBS systems did not correspond completely requirements of the standard of security of PCI DSS.

The most widespread vulnerability of 2013 — cross-site accomplishment of scenarios (Cross Site Scripting) — meets for 78% of the studied websites. This shortcoming allows attacking to influence contents of the web page displayed in the user's browser including for the purpose of distribution of a malicious code or obtaining credentials of the victim. For example, in case of the vulnerable system of Internet banking the malefactor can create the link relating to the real website of bank in which upon transition the user will see a false form of authorization. The data entered by the user will be directed to the malefactor's server.

On the second place in popularity (69%) — insufficient protection against selection of identifiers or passwords of users (Brute Force), for example owing to absence or incorrect sale of the CAPTCHA mechanism. In top-10 two vulnerabilities of a high risk — "Implementation of operators of SQL" (43%) and "Implementation of external entities of XML" (20%) also entered.

The websites written in the PHP language were the most unsafe: 76% from them contain critical vulnerabilities. Web resources on Java (70%) and ASP.NET (55%) are less vulnerable. Dangerous vulnerability "Implementation of operators of SQL" meets for 62% of the websites written for PHP; for other languages this indicator is much lower.

Specialists of Positive Technologies also carried out contrastive analysis of applications testing by methods of black, gray and white boxes. The method of a black box means a system research without data acquisition about it from the owner; the method of a gray box assumes the violator who has some privileges in a system; and at last, the method of a white box means the analysis using all internal data on a system, including source codes of programs.

Among the web resources investigated by methods of black and gray boxes for 60% of the websites there were critical vulnerabilities. For a method of a white box this indicator is higher — 75%.

Follows from average amount of the vulnerabilities falling on one system that white box testing allows to detect almost in 10 times more of critical vulnerabilities, than testing by methods of black and gray boxes. At an opportunity to analyze source codes of web applications the method of a white box is preferable. But so far owners of the websites resort to it seldom: this method investigated only 13% of web resources.

2012: PHP 5.4.0

The development team of PHP announced new release of popular PHP programming language 5.4.0 in March, 2012.

It is noted that new syntactic constructions, among which the tools for reuse of the code called treyty (trait) with support of uniform inheritance entered this release; short record of arrays ($a = [1, 2, 3, 4]; or $a = ['one' = 1, 'two' = 2, 'three' = 3, 'four' = 4]), etc.

In PHP 5.4.0, according to developers, performance is increased and the volume of the consumed RAM is reduced; error messages and warnings are improved; support of multibyte codings in all assemblies of PHP which can be switched on and off in settings is entered.

For convenience of development and testing in the mode of the command line — CLI (Command LineInterface) — in PHP 5.4.0 the built-in web server appeared.

Besides, the return and incompatible changes providing the following withdrawals from language are made to the new version (as outdate): use of global variables (Register_Globals); directive magic quotes (so-called 'magic quotes'); safe mode (safe mode); constructions of break/continue of $var; options allow-call-time-pass-reference.

It is reported that version 5.4.0 will be the last in which Windows XP and Windows 2003 OS will be officially supported. According to the statement of developers, for these OS in the next versions of PHP binary assemblies will not be created.

Programming languages

• PHP
• JavaScript
• Java
• Python
• C++
• C#
• COBOL
• Bosque
• Project Verona
• CRN++
• Dart

You See Also

• Logical programming
• Evidential programming
• Programming methodology
• Technology of programming
• Programmer

Notes