2024/06/11 20:00:43

PHP

PHP: Hypertext Preprocessor. An interpreted language for creating dynamic web pages, with syntax derived from C, Java and Perl. PHP code (like JavaScript, VBScript or ASP) is embedded in HTML. When a user requests a document, the web server scans it, executes the PHP instructions it finds, and returns the result of their execution to the user. The static part of the document, written in HTML, is just a template; the variable part is generated as the PHP instructions execute.

Content

2024: Hackers "resurrected" a vulnerability in PHP found 12 years ago. Thousands of servers in Russia under attack

In early June, FSTEC added a warning to its database of threats and vulnerabilities under the index BDU:2024-04432[1] about a vulnerability discovered in the PHP interpreter for Windows that allows malicious commands to be executed through the PHP CGI interface used to communicate with the Apache web server. The severity of the vulnerability is rated 9.8 out of 10 on the CVSS scale. A fairly simple exploitation method is reported to exist.

It was with this picture that researchers from DEVCORE illustrated the discovered vulnerability

In fact, what has been found is a bypass of the protection added against a similar vulnerability discovered back in 2012 (CVE-2012-1823). At that time PHP gained a mechanism for filtering special characters in CGI arguments, but in the current case the developers did not account for the Windows "Best-Fit" character conversion. As a result, attackers can pass malicious commands to the web server through request parameters.

Experts disagree about how common the Windows + Apache + PHP stack is. Alexey Trofimov, a specialist in the external testing group at the security integrator Bastion, told TAdviser: "The PHP and Windows bundle is considered popular in Russia. About 40% of servers use it."

At the same time, other experts assess such a bundle as quite rare. Mikhail Sergeyev, a leading CorpSoft24 engineer, believes that the combination of PHP and Windows is rarely used in Russia, since Windows is a paid commercial software with high hardware requirements. A combination of Windows and PHP can be used on the developer's local computer.

"Most often, PHP websites are hosted on Linux servers, and the combination of PHP and Windows is typical rather of developers testing their code on their own computer, which is not accessible from the Internet, so the likelihood of exploiting new vulnerabilities is small," said Ilya Polyakov, head of code analysis at Angara Security. "According to ZoomEye, most of these servers are located in the United States, more than 21 million. In Russia their number is lower than in Iran, about 16 thousand."

Statistics on the use of PHP on Windows

"Although PHP is gradually losing market share, it is still significant, almost 75%," said Alexander Bykov, head of security services at the cloud provider Nubes, in a conversation with TAdviser. "The share of Windows in web development is mainly related to the use of IIS, which accounts for about 12%. As for the combination of PHP and Windows, this configuration is not the most common. This is confirmed by the fact that Unix and similar systems are more often used as operating systems for web hosting. Web applications running on Windows today are mostly legacy and need to be replaced, or they are applications that need deep integration with .NET."

It should be noted that .NET technology is now actively used for import substitution, since it runs on both Windows and domestic operating systems. It is therefore possible that the number of servers vulnerable to this bug has recently grown. In any case, 16 thousand vulnerable devices according to ZoomEye is a considerable figure, even though Russia, as noted, is not in first place by the number of such servers.

The vulnerability was discovered by Devcore in early May[2]. Its researchers passed the information to PHP developers. In early June, the PHP community released new versions of its interpreters - 8.3.8, 8.2.20 and 8.1.29, where the vulnerability was fixed. Updating to these versions is the best solution to the problem, but it is not always possible.

FSTEC itself recommends the following measures for controlling the vulnerability: restrict the ability to run CGI scripts obtained from untrusted sources; if possible, move from PHP CGI to a more secure architecture (mod_php, FastCGI or PHP-FPM); use SIEM systems to track attempts to exploit the vulnerability; configure a web application firewall to restrict remote access. Alexey Trofimov adds: "A good protective measure will be to configure the firewall for patterns involving the soft hyphen character (%AD) in parameters passed to CGI scripts."
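The log-monitoring measure the experts describe, as an added example that is not code from the article or from any of the vendors quoted in it: a small PHP scanner that reads Apache access-log lines and flags requests to PHP CGI endpoints whose target carries a percent-encoded soft hyphen (%AD). The log lines, the IP addresses and the endpoint paths are constructed for the demonstration; the CGI path heuristic in targetsPhpCgi() is an assumption and should be adapted to the server's real layout.

```php
<?php
declare(strict_types=1);

// Added example, not code from the article or from any vendor quoted in it:
// flag access-log entries with a soft hyphen (%AD) in parameters sent to PHP CGI.
// The log lines follow the Apache "common" format and are constructed for the demo.

const SAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [11/Jun/2024:10:01:02 +0300] "GET /index.php?page=home HTTP/1.1" 200 512
203.0.113.11 - - [11/Jun/2024:10:01:05 +0300] "GET /cgi-bin/report.php?id=%AD1 HTTP/1.1" 200 77
203.0.113.12 - - [11/Jun/2024:10:01:09 +0300] "POST /php-cgi/php-cgi.exe?x=%ad HTTP/1.1" 500 12
203.0.113.13 - - [11/Jun/2024:10:02:00 +0300] "GET /static/logo.png?v=%AD HTTP/1.1" 200 9001
LOG;

/**
 * Parse one common-log-format line into client IP, method and request target.
 * Returns null for lines that do not match the expected shape.
 */
function parseLogLine(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"/', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'method' => $m[2], 'target' => $m[3]];
}

/** True when the request target carries a soft hyphen, encoded (%AD) or raw (0xAD). */
function hasSoftHyphen(string $target): bool
{
    return preg_match('/%ad/i', $target) === 1
        || strpos(rawurldecode($target), "\xAD") !== false;
}

/** True when the path part looks like a request handled by a PHP CGI script (assumed layout). */
function targetsPhpCgi(string $target): bool
{
    $path = explode('?', $target, 2)[0];
    return preg_match('~(^/cgi-bin/|\.php$|php-cgi)~i', $path) === 1;
}

/** Return one entry per log line that should raise an alert. */
function flagSuspiciousRequests(string $log): array
{
    $alerts = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $entry = parseLogLine($line);
        if ($entry !== null && hasSoftHyphen($entry['target']) && targetsPhpCgi($entry['target'])) {
            $alerts[] = $entry;
        }
    }
    return $alerts;
}

// On the sample above, the second and third lines are reported; the image request
// carries %AD too but is not handled by a CGI script, so it is ignored.
foreach (flagSuspiciousRequests(SAMPLE_LOG) as $alert) {
    printf("ALERT %s %s %s\n", $alert['ip'], $alert['method'], $alert['target']);
}
```

The check is deliberately case-insensitive and also decodes the target, since a proxy or WAF that normalizes percent-encoding may hand the application a raw 0xAD byte rather than the literal "%AD" text.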

"Given the trend towards import substitution of software in Russia, there are fewer and fewer projects where a combination of PHP and Windows is used," said Stanislav Orlov, technical director of ALMI Partner, a manufacturer of system and application software. "We recommend that companies that still use Microsoft products in such a combination with PHP switch to FSTEC-certified Linux distributions."

2019: Vulnerability that provides remote hacking capability

On October 27, 2019, it became known that a dangerous vulnerability (CVE-2019-11043) was identified in the PHP 7 branch, providing attackers with the ability to execute commands on the server using a specially crafted URL.

According to experts, the bug is already being actively used in attacks. The exploitation process is quite simple, and the problem is aggravated by the fact that PoC code for identifying vulnerable servers had earlier been posted on GitHub. As experts explained, having found a vulnerable server, "an attacker can send specially crafted requests by adding '?a=' to the URL."

It is noted that the problem applies exclusively to nginx servers with PHP-FPM enabled (the FastCGI process manager for PHP scripts). Vulnerable are nginx configurations in which PHP-FPM is used with the "fastcgi_split_path_info" directive to split the URL and set the PATH_INFO environment variable, but without first checking that the script file exists, either with the "try_files $fastcgi_script_name" directive or with the "if (!-f $document_root$fastcgi_script_name)" construct. Example of a vulnerable configuration:

Vulnerable Configuration Example
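The configuration shape the description above refers to, as an added illustration that is not the article's own figure (which is not reproduced here): the unchecked location block, followed by the two checked variants the text names. The three blocks are alternatives, not meant to coexist in one server block; the location pattern and the upstream name php-fpm:9000 are assumptions.

```nginx
# Vulnerable shape: PATH_INFO is derived from the URL and passed to PHP-FPM
# without first checking that the script file actually exists.
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO       $fastcgi_path_info;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include       fastcgi_params;
    fastcgi_pass  php-fpm:9000;   # assumed upstream name
}

# Corrected shape, variant 1: try_files refuses requests whose script is missing.
# try_files resets $fastcgi_path_info, so the value is saved to a variable first.
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    set $path_info $fastcgi_path_info;
    try_files $fastcgi_script_name =404;
    fastcgi_param PATH_INFO       $path_info;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include       fastcgi_params;
    fastcgi_pass  php-fpm:9000;
}

# Corrected shape, variant 2: the explicit existence check named in the text.
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    if (!-f $document_root$fastcgi_script_name) {
        return 404;
    }
    fastcgi_param PATH_INFO       $fastcgi_path_info;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include       fastcgi_params;
    fastcgi_pass  php-fpm:9000;
}
```

Either check ensures that a URL whose script part does not map to a real file is answered by nginx with 404 and never reaches PHP-FPM, which is the precondition the vulnerability relies on.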
"Using a specially crafted URL, an attacker can shift the path_info pointer to the first byte of the fcgi_data_seg structure. Writing a zero to this byte moves the 'char *pos' pointer to a previously allocated memory area, after which the FCGI_PUTENV call overwrites some data (including other FastCGI variables)," the vulnerability description says.

Using this technique, an attacker can create a fake PHP_VALUE FastCGI variable and achieve code execution.

The developers released a patch for this vulnerability on October 25, 2019. All users are urged to upgrade to PHP 7.3.11 or PHP 7.2.24[3][4].

2018: 62% of all sites risk being hacked as PHP updates are discontinued

In October 2018, it became known that a large number of sites on the Internet are at risk due to the upcoming termination of updates for outdated PHP versions.

According to ZDNet, citing W3Techs data, as of mid-October 2018 a total of 78.9% of web resources ran on PHP. On December 31, support for PHP 5.6.x ends, after which the entire PHP 5.x branch passes into history.

Schedule of termination of support for various PHP versions

As of October 14, 62% of sites use PHP 5.x versions, which will stop receiving updates in early 2019. Thus, hundreds of millions of resources could be at risk of hacking if attackers find vulnerabilities in outdated versions of this scripting language, since such flaws will no longer be fixed from January 1.

"This is a huge problem for the PHP ecosystem," says Scott Arciszewski, director of development at Paragon Initiative Enterprise. "Although many believe that they cannot simply abandon PHP 5 in 2019, such a decision [to stop supporting older versions of PHP] can be called careless."

According to the expert, any major exploited vulnerabilities in PHP 5.6 will certainly affect newer versions as well. PHP 7.2 will regularly receive free patches from the PHP team, whereas for PHP 5.6 an update will be available only if the user pays the OS vendor for extended support, Arciszewski noted.

Curiously, among the most popular content management systems (WordPress, Joomla and Drupal), only Drupal has officially raised the minimum requirements for CMS to PHP 7. This rule will come into force in March 2019. By mid-October 2018, Joomla requires the site to be running on versions no older than PHP 5.3, and the minimum WordPress requirement is PHP 5.2.[5]

2016

PHP 7.1 Alpha Testing

On June 10, 2016, the PHP development team announced that the first alpha of the new PHP 7.1 branch was ready for testing. The release is expected in November 2016[6].


Significant changes

  • A void return type was added, indicating that the function does not return a value;
  • String offsets can now be negative, in which case the position is counted from the end of the string. For example, for the string 'abcdef', $str[-2] returns "e";
  • A variant of the list() construct was added in which keys can be specified. For example: "list(1 => $oneBit, 2 => $twoBit, 3 => $threeBit) = $powersOfTwo";
  • The "[] =" expression was added as an alternative to the "list() =" construct. For example, instead of "list($a, $b, $c) = array(1, 2, 3)" you can now write "[$a, $b, $c] = [1, 2, 3]";
  • Errors and warnings are now emitted when strings that cannot be converted to a number are used in arithmetic expressions. For example, "10 apples" + "5 pears" produces the notice "Notice: A non well formed numeric value encountered in example.php on line 3", and 5 * "orange" produces "Warning: A non-numeric value encountered in example.php on line 3";
  • The ability to handle multiple exception types in a single catch block;
  • Support for visibility modifiers on class constants. Constants can now be declared with the public, private and protected flags;
  • The ability to use a question mark to mark types that may be null.
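The PHP 7.1 features listed above, exercised together in one script. This is an added example, not code from the PHP project or from the article; the Policy class, the audit() helper and the input samples are invented for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example (not from the article or the PHP project): exercises the PHP 7.1
// features listed above. Class and function names are invented for the demo.

final class Policy
{
    public const MAX_ATTEMPTS = 5;          // class constant visibility (7.1)
    private const LOCKOUT_SECONDS = 900;    // not reachable from outside the class

    public static function lockout(): int
    {
        return self::LOCKOUT_SECONDS;
    }
}

// void return type: the function must not return a value.
function audit(string $msg, array &$log): void
{
    $log[] = $msg;
}

// Nullable type (?int): null is accepted explicitly rather than by accident.
function attemptsLeft(?int $used): int
{
    return Policy::MAX_ATTEMPTS - ($used ?? 0);
}

// In 7.1 arithmetic on a non-numeric string raises a notice or warning instead of
// silently using 0, so untrusted input is validated before it reaches arithmetic.
function safeMultiply(string $factor, int $base): int
{
    if (!is_numeric($factor)) {
        throw new InvalidArgumentException("not numeric: $factor");
    }
    return (int) $factor * $base;
}

function demo(): array
{
    $log = [];
    audit('start', $log);

    $str = 'abcdef';
    $last2 = $str[-2];                                   // negative string offset -> "e"

    $powersOfTwo = [1 => 2, 2 => 4, 3 => 8];
    list(1 => $oneBit, 2 => $twoBit, 3 => $threeBit) = $powersOfTwo;   // keyed list()
    [$a, $b, $c] = [1, 2, 3];                                         // short destructuring

    // Multi-catch: two exception types handled by one catch block. The int input
    // violates the string parameter type under strict_types and raises TypeError.
    $results = [];
    foreach (['12', '10 apples', 'orange', 12] as $input) {
        try {
            $results[$input] = safeMultiply($input, 5);
        } catch (InvalidArgumentException | TypeError $e) {
            $results[$input] = get_class($e);
        }
    }

    audit('done', $log);
    return [
        'last2'   => $last2,                               // "e"
        'bits'    => [$oneBit, $twoBit, $threeBit],        // [2, 4, 8]
        'abc'     => [$a, $b, $c],                         // [1, 2, 3]
        'results' => $results,                             // 60, then two rejections and a TypeError
        'left'    => attemptsLeft(null),                   // 5
        'lockout' => Policy::lockout(),                    // 900
        'log'     => $log,
    ];
}

print_r(demo());
```

The validation in safeMultiply() is the practical consequence of the new notices: code that relied on "10 apples" quietly becoming 10 now surfaces in the error log, and an explicit is_numeric() check turns that into a deterministic rejection.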

PHP 7.0.2 Corrective Release

On January 7, 2016, the corrective releases PHP 7.0.2, 5.6.17 and 5.5.31 became available[7].

The releases included about 30 changes, six vulnerabilities were fixed:

  • buffer overflow in escapeshell functions,
  • incorrect type handling in XMLRPC,
  • two problems with changing packet ordering in the WDDX extension,
  • the ability to read from areas outside the buffer in gdImageRotateInterpolated,
  • buffer overflow in FPM.

In addition, several bugs causing the interpreter to crash were fixed, and a problem with incorrect cleanup of expired sessions in the Session extension was resolved.

2015

PHP 7.0.0 Release

On December 3, 2015, PHP 7.0.0 was officially released. It incorporates the changes prepared within the PHPNG project[8].

This branch is distinguished by a substantial redesign of a number of subsystems, a set of new features, and changes that break compatibility. The jump in the version number underlines the significance of the release and goes with a change in the release numbering scheme, in which the developers dropped the extra digit from major releases (7.0 instead of 5.7.0).

Changes in PHP 7:

  • Dramatically improved performance through new memory management techniques and new storage structures. Some PHP 7 tests run up to twice as fast as PHP 5.6;
  • Consistent 64-bit support on 64-bit systems, including strings up to 2^31 bytes in size, 64-bit integer values on Windows, and large-file support in 64-bit builds;
  • Many errors that previously led to a forced shutdown can now be handled as exceptions;
  • A new "??" operator that supplies an alternative value when the primary operand is not defined. For example, to assign an empty string when an associative array element is missing, instead of isset($_GET['mykey']) ? $_GET['mykey'] : "" you can now write $_GET['mykey'] ?? "";
  • The ability to explicitly declare the scalar types int, float, string and bool for function arguments and return values (for example, "function foo(int $abc): int");
  • A strict type-checking mode enabled by the "declare(strict_types=1)" directive, in which a mismatch in the type of a passed argument or of a returned value results in an error;
  • A new combined comparison operator "<=>" that behaves like strcmp() and version_compare() but uses the familiar syntax of comparison operators. In particular, it not only checks whether the operands are identical but also evaluates which one is larger (0: equal, 1: the left operand is larger, -1: the right operand is larger);
  • Support for anonymous classes;
  • Support for grouped declarations in the use statement (for example, use Doctrine\Common\Collections\Expr\{Comparison, Value, CompositeExpression};);
  • The new Closure::call() method;
  • Additional syntax for embedding Unicode characters in strings: \u{xxxxxx};
  • Support for constant arrays in define();
  • The ability to use reserved keywords in new contexts (for example, you can define a function forEach and it will not clash with the foreach operator);
  • The "yield from expression" syntax for generators to delegate operations to traversable objects and arrays;
  • In the openssl extension, support has been added for the Application-Layer Protocol Negotiation (ALPN) TLS extension, used to negotiate the application-layer protocol over a secure connection, as in SPDY and HTTP/2;
  • Unified variable syntax and a switch to an AST (Abstract Syntax Tree). Some rarely used semantics of combined variable expressions have changed (for example, $foo->$bar['baz'] is now interpreted as ($foo->$bar)['baz'] and not as $foo->{$bar['baz']});
  • Support for PHP 4-style constructors, where the constructor name matches the class name, has been terminated. Support for static calls of non-static methods has also been discontinued;
  • Support for old, unmaintained SAPIs and extensions has been dropped: sapi/aolserver, sapi/apache, sapi/apache_hooks, sapi/apache2filter, sapi/caudium, sapi/continuity, sapi/isapi, sapi/milter, sapi/nsapi, sapi/phttpd, sapi/pi3web, sapi/roxen, sapi/thttpd, sapi/tux, sapi/webjames, ext/sybase_ct.

PHP 7 pre-announcement

On April 23, 2015, Rasmus Lerdorf, the creator of the PHP scripting language, announced at the O'Reilly Fluent conference about the upcoming release of the new version, stating that the performance of the environment has more than doubled: according to him, this acceleration was observed in real web applications[9].

The release of the first release candidate PHP 7 is scheduled for June 2015, the final version - in October 2015.

PHP 7 symbol, 2015

PHP 7 is based on the phpng branch, created to eliminate flaws in data structures, data types and memory management. As Lerdorf emphasized, PHP 7 uses server resources more economically, so "everyone who uses a large number of servers" needs to switch to version 7.

PHP 7 is based on an abstract syntax tree, whereby, according to the creator of the language, the development of auxiliary tools, static analysis and code profiling are simplified. Functions in PHP 7 can return arrays, strict typing is introduced.

Some PHP 4 functions will not be supported in this version, Lerdorf noted, so twelve-year-old code may not work in the new version of the interpreter.

The first alpha version of PHP 7 became available for testing

On June 11, 2015, the development team announced the availability of the PHP 7.0.0 Alpha 1 programming language branch for testing. Release scheduled for November 12, 2015[10].

Significant changes:

  • Significantly improved performance through new memory management techniques and new storage structures. Some PHP 7 tests run up to twice as fast as PHP 5.6;

  • Consistent 64-bit support on 64-bit systems, including strings up to 2^31 bytes, 64-bit integer values on Windows, and large-file support in 64-bit builds;

  • Many errors that previously led to a forced shutdown can now be handled as exceptions;

  • A new "??" operator that supplies an alternative value when the primary operand is not defined. For example, to assign an empty string when an associative array element is missing, instead of isset($_GET['mykey']) ? $_GET['mykey'] : "" you can now write $_GET['mykey'] ?? "";

  • The ability to explicitly declare the scalar types int, float, string and bool for function arguments and return values (for example, "function foo(int $abc): int");

  • A strict type-checking mode enabled by the "declare(strict_types=1)" directive, in which a mismatch in the type of a passed argument or of a returned value results in an error;

  • A new combined comparison operator "<=>" that behaves like strcmp() and version_compare() but uses the familiar syntax of comparison operators. In particular, it not only checks whether the operands are identical but also evaluates which one is larger (0: equal, 1: the left operand is larger, -1: the right operand is larger);

  • Support for anonymous classes;

  • Support for grouped declarations in the use statement (for example, use Doctrine\Common\Collections\Expr\{Comparison, Value, CompositeExpression};);

  • The new Closure::call() method;

  • Additional syntax for embedding Unicode characters in strings: \u{xxxxxx};

  • Support for constant arrays in define();

  • The ability to use reserved keywords in new contexts (for example, you can define a function forEach and it will not clash with the foreach operator);

  • The new "yield from expression" syntax for generators to delegate operations to traversable objects and arrays;

  • In the openssl extension, support has been added for the Application-Layer Protocol Negotiation (ALPN) TLS extension, used to negotiate the application-layer protocol over a secure connection, as in SPDY and HTTP/2;

  • Unified variable syntax and a switch to an AST (Abstract Syntax Tree). Some rarely used semantics of combined variable expressions have changed (for example, $foo->$bar['baz'] is now interpreted as ($foo->$bar)['baz'] and not as $foo->{$bar['baz']}). A fairly large set of changes that break compatibility;

  • Support for old, unmaintained SAPIs and extensions has been dropped: sapi/aolserver, sapi/apache, sapi/apache_hooks, sapi/apache2filter, sapi/caudium, sapi/continuity, sapi/isapi, sapi/milter, sapi/nsapi, sapi/phttpd, sapi/pi3web, sapi/roxen, sapi/thttpd, sapi/tux, sapi/webjames, ext/sybase_ct.
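The language-level PHP 7.0 changes listed here and in the PHP 7.0.0 release entry above, exercised in one script. This is an added example, not code from the PHP project or from the article; the Vendor\Lib namespace, the Audit interface, the Session class and the ROLES constant are invented for the demonstration. The void return type is deliberately not used, since it only arrived in 7.1.

```php
<?php
declare(strict_types=1);   // strict scalar type checking, PHP 7.0

// Added example (not code from the PHP project or from the article): exercises
// the PHP 7.0 features listed in the two change lists above. All names here
// (Vendor\Lib, App, Audit, Session, ROLES) are made up for the demonstration.

namespace Vendor\Lib {
    class Comparison {}
    class Value {}
}

namespace App {
    use Vendor\Lib\{Comparison, Value};          // grouped use declaration

    define('ROLES', ['admin', 'auditor', 'user']); // constant array via define()

    interface Audit { public function record(string $msg): bool; }

    // Scalar type declarations on parameters and on the return value.
    function add(int $a, int $b): int { return $a + $b; }

    final class Session
    {
        private $secret = 'tok-example';   // hypothetical value
        /** A reserved word is allowed as a method name in PHP 7 (context-sensitive lexer). */
        public function list(): array { return ['id' => 7, 'user' => 'alice']; }
    }

    // Generator delegation with "yield from", to an array and to another generator.
    function tail(): \Generator { yield 'shutdown'; }
    function events(): \Generator
    {
        yield 'boot';
        yield from ['login', 'logout'];
        yield from tail();
    }

    function demo(): array
    {
        $out = [];

        // ??: default when the key is absent, replacing isset($q['k']) ? $q['k'] : ''
        $query = ['page' => 'home'];
        $out['missing'] = $query['mykey'] ?? '';

        // strict_types turns a type mismatch into a catchable TypeError instead
        // of a silent coercion ("1" -> 1) as in PHP 5.
        try {
            $out['sum'] = add('1', 2);
        } catch (\TypeError $e) {
            $out['sum'] = 'TypeError';
        }

        // <=>: -1, 0 or 1, like strcmp()/version_compare(), in operator syntax.
        $versions = ['7.0.2', '5.6.17', '7.0.0'];
        usort($versions, function (string $a, string $b): int { return $a <=> $b; });
        $out['versions'] = $versions;          // ['5.6.17', '7.0.0', '7.0.2']
        $out['cmp'] = '7.0.2' <=> '7.0.0';      // 1

        // Anonymous class implementing an interface; \u{...} Unicode escape.
        $audit = new class implements Audit {
            public $lines = [];
            public function record(string $msg): bool { $this->lines[] = $msg; return true; }
        };
        $audit->record("\u{1F512} session opened");
        $out['audit'] = $audit->lines;

        // Closure::call() binds $this (and class scope) for a single invocation.
        $peek = function () { return $this->secret; };
        $out['secret'] = $peek->call(new Session());   // 'tok-example'

        $out['keyword_method'] = (new Session())->list();
        $out['roles']   = ROLES;
        $out['events']  = iterator_to_array(events(), false); // boot, login, logout, shutdown
        $out['grouped'] = [Comparison::class, Value::class];

        return $out;
    }

    print_r(demo());
}
```

The strict_types block is the security-relevant part: under PHP 5 semantics, add('1', 2) would silently coerce the string, whereas here the mismatch is reported as a TypeError that the application can catch and log.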

PHP versions 5.6.10, 5.5.26 and 5.4.42 have been corrected

On June 11, 2015, it became known about the release of corrective releases of the PHP programming language 5.6.10, 5.5.26 and 5.4.42, where eight vulnerabilities were fixed and about ten bugs were fixed.

  • Protection against the injection of additional headers has been added to the mail() function.

  • An integer overflow that could lead to code execution has been fixed in the FTP extension.

  • A vulnerability in the escapeshellarg() function has been eliminated that allowed operating system command injection when escaping special characters in arguments passed to system().

  • Two vulnerabilities have been fixed in the PCRE extension (CVE-2015-2325, CVE-2015-2326) and three in Sqlite3 (CVE-2015-3414, CVE-2015-3415, CVE-2015-3416).
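The mail() and escapeshellarg() fixes above address the same class of defect, untrusted input reaching an interpreter that has its own delimiters (CRLF for mail headers, shell metacharacters for system()). An added example, not code from the article or the PHP project, of how an application validates such input before the call so that it does not rely on the library alone; the addresses and the path are constructed, and the sendmail-style header format is assumed.

```php
<?php
declare(strict_types=1);

// Added example, not code from the article or the PHP project: validate input
// before it reaches mail() headers or a shell command line. Sample addresses
// and paths are constructed for the demonstration.

/** Reject header values that could terminate the header and start another one. */
function assertSafeHeaderValue(string $value): string
{
    if (preg_match('/[\r\n\0]/', $value) === 1) {
        throw new InvalidArgumentException('header value contains a line break or NUL');
    }
    return $value;
}

/** Build the extra headers for mail(), refusing malformed or injected addresses. */
function buildMailHeaders(string $from, string $replyTo): string
{
    foreach ([$from, $replyTo] as $addr) {
        // filter_var() rejects addresses with spaces, CRLF or other illegal characters.
        if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
            throw new InvalidArgumentException('invalid address: ' . addcslashes($addr, "\r\n"));
        }
    }
    return 'From: ' . assertSafeHeaderValue($from) . "\r\n"
         . 'Reply-To: ' . assertSafeHeaderValue($replyTo) . "\r\n";
}

/** Quote a user-supplied path so the shell treats it as exactly one argument. */
function buildListingCommand(string $directory): string
{
    return 'ls -l ' . escapeshellarg($directory);
}

function demo(): array
{
    $out = [];
    $candidates = [
        'alice@example.com',                          // valid
        "bob@example.com\r\nBcc: other@example.net",  // extra header smuggled in
        'not an address',                             // malformed
    ];
    foreach ($candidates as $replyTo) {
        try {
            $out[] = buildMailHeaders('noreply@example.com', $replyTo);
        } catch (InvalidArgumentException $e) {
            $out[] = 'rejected: ' . $e->getMessage();
        }
    }
    // A path with a space and a quote stays one word: 'reports/o'\''reilly 2015'
    $out[] = buildListingCommand("reports/o'reilly 2015");
    return $out;
}

print_r(demo());
```

Only the first candidate yields a header block; the other two are rejected before mail() is ever called, which is the behaviour an application should keep regardless of which PHP release it runs on.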

PHP update 5.4.44, 5.5.28 and 5.6.12: 12 vulnerabilities fixed

On August 7, 2015, the corrective releases PHP 5.6.12, 5.5.28 and 5.4.44 became available, fixing twelve vulnerabilities and a number of bugs[11].

Most of the vulnerabilities can lead to denial of service and lie in extensions (SPL, GD, SOAP, ODBC and OpenSSL). A vulnerability was also identified in the directory-handling code, and two more in the data deserialization function unserialize() (bugs 69793 and 70121).

At the same time, the developers announced that the PHP 5.4 branch is approaching the end of its support cycle (the last release is expected in September or October 2015) and that the PHP 5.5 branch has moved to the final maintenance stage, in which only vulnerabilities, not general bugs, are fixed.

2014: The most vulnerable to hackers were PHP sites

An attack on a corporate site not only disrupts online services and damages the owner's reputation, but often becomes the first stage in breaking into the internal networks of large companies. At the same time, according to a study by Positive Technologies, the number of sites with high-risk vulnerabilities has recently grown significantly. The researchers identified the most common vulnerabilities and assessed how effective the methods for detecting them are.

In total, security analysis tests conducted by the company in 2013 examined about 500 websites, for 61 of them a more in-depth analysis was carried out. A significant part of the investigated portals belonged to banks - due to the increased attacks in this area. The demand for security analysis of media sites has also increased, which is associated with high-profile cases of their hacking and the spread of misinformation. In addition, the websites of government agencies, industrial enterprises and telecommunications companies were investigated.

It turned out that 62% of sites in 2013 contained high-risk vulnerabilities. This figure is significantly higher than the previous year (45%). Most applications with high-risk vulnerabilities were found on media sites (80%). As for remote banking service (RBS) sites, none of the examined systems fully met the requirements of the PCI DSS security standard.

The most common vulnerability of 2013, Cross-Site Scripting, occurs on 78% of the sites examined. This flaw allows an attacker to influence the content of a web page displayed in the user's browser, including for the purpose of distributing malicious code or obtaining the victim's credentials. For example, in the case of a vulnerable Internet banking system, an attacker can craft a link pointing to the real bank site which, when followed, shows the user a fake authorization form; the data the user enters is sent to the attacker's server.

In second place (69%) is insufficient protection against guessing of user identifiers or passwords (Brute Force), for example, due to a missing or incorrectly implemented CAPTCHA mechanism. The top 10 also includes two high-risk vulnerabilities: SQL injection (43%) and XML External Entity injection (20%).

The least secure sites were those written in PHP: 76% of them contain critical vulnerabilities. Sites written in Java (70%) and ASP.NET (55%) are less vulnerable. The dangerous SQL injection vulnerability is found on 62% of sites written in PHP; for other languages this figure is much lower.
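The two PHP-site weaknesses the study ranks highest, cross-site scripting and SQL injection, shown as the unsafe pattern next to its fix. This is an added example, not code from the Positive Technologies study or from the article; it uses an in-memory SQLite database (pdo_sqlite) so that it runs offline, and the users table, its rows and the probe strings are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example (not from the study or the article): XSS and SQL injection in
// PHP, each as the unsafe pattern beside its hardened form. Data is constructed.

/** Unsafe: untrusted input is placed straight into the HTML response. */
function renderNameUnsafe(string $name): string
{
    return "<p>Hello, $name</p>";
}

/** Safe: encode for the HTML context before output. */
function renderName(string $name): string
{
    return '<p>Hello, ' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

/** In-memory database with a small constructed users table. */
function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, role TEXT)');
    $db->exec("INSERT INTO users (login, role) VALUES ('alice', 'admin'), ('bob', 'user')");
    return $db;
}

/** Unsafe: string concatenation lets the input change the query structure. */
function findUserUnsafe(PDO $db, string $login): array
{
    return $db->query("SELECT login, role FROM users WHERE login = '$login'")
              ->fetchAll(PDO::FETCH_ASSOC);
}

/** Safe: a prepared statement keeps the input as data, never as SQL. */
function findUser(PDO $db, string $login): array
{
    $stmt = $db->prepare('SELECT login, role FROM users WHERE login = :login');
    $stmt->execute([':login' => $login]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function demo(): array
{
    $db = makeDb();
    $xssProbe  = '<script>alert(1)</script>';   // textbook XSS probe string
    $sqliProbe = "' OR '1'='1";                  // textbook SQL injection probe string
    return [
        'html_unsafe' => renderNameUnsafe($xssProbe),       // script tag reaches the browser
        'html_safe'   => renderName($xssProbe),             // &lt;script&gt;... rendered as text
        'rows_unsafe' => count(findUserUnsafe($db, $sqliProbe)),  // 2: every row leaks
        'rows_safe'   => count(findUser($db, $sqliProbe)),        // 0: treated as a literal login
    ];
}

print_r(demo());
```

The contrast in row counts is the whole point of the prepared statement: the same probe that returns the entire table through concatenation matches nothing once it is bound as a parameter.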

Positive Technologies also conducted a comparative analysis of application testing using black, gray and white box methods. The black box method involves examining the system without receiving data about it from the owner; the gray box method assumes an intruder who has some privileges in the system; and finally, the white box method means analysis using all internal system data, including program source codes.

Among the web resources investigated by the black and gray box methods, critical vulnerabilities were found on 60% of sites. For the white box method, this figure is higher, 75%.

From the average number of vulnerabilities per system, it follows that white box testing detects almost 10 times more critical vulnerabilities than black and gray box testing. If it is possible to analyze the source code of web applications, the white box method is preferable. But so far, site owners rarely resort to it: only 13% of web resources were investigated using this method.

2012: PHP 5.4.0

The PHP development team announced in March 2012 a new release of the popular PHP 5.4.0 programming language.

It is noted that this release includes new syntactic constructs, among them a code-reuse mechanism called traits for a language with single inheritance, and a short array syntax ($a = [1, 2, 3, 4]; or $a = ['one' => 1, 'two' => 2, 'three' => 3, 'four' => 4];), among others.

In PHP 5.4.0, according to the developers, performance has been improved and memory consumption reduced; error and warning messages have been improved, and support for multi-byte encodings, which can be enabled and disabled in the settings, is now present in all PHP builds.

For convenient development and testing from the command line (CLI, Command Line Interface), PHP 5.4.0 has a built-in web server.

In addition, the new version makes backward-incompatible changes, removing the following features from the language as obsolete: global variables (register_globals); the magic quotes directive; safe mode; the break/continue $var constructs; the allow_call_time_pass_reference option.

It is reported that version 5.4.0 will be the latest to officially support Windows XP and Windows 2003. According to the developers, binary builds will not be created for these operating systems in the next versions of PHP.
