Check Point discovers three Zero-Day Vulnerabilities in web programming language PHP 7

PHP 7, the latest release of the popular web programming language that powers more than 80% of websites, offers great advantages for website owners and developers. Some of them include doubling the performance and adding numerous functionalities. Yet for hackers, it represents a completely fresh attack vector, where they can find previously undisclosed vulnerabilities.

During the past few months, we have analyzed PHP 7 and made it a priority to look into one of the most notoriously vulnerable areas of PHP: The unserialize mechanism. This is the same mechanism that was heavily exploited in PHP 5 and allowed hackers to compromise popular platforms as Magento, vBulletin, Drupal, Joomla!, Pornhub’s website, and other web servers, by sending maliciously crafted data in client cookies or to expose API calls.

To download the Technical Report, click here

Throughout our investigation we discovered 3 fresh and previously unknown vulnerabilities (CVE-2016-7479, CVE-2016-7480, CVE-2016-7478) in the PHP 7 unserialize mechanism. These vulnerabilities can be exploited using a technique we’ve discussed back in August.

The first two vulnerabilities allow attackers to take full control over servers, allowing them to do anything they want with the website, from spreading malware to defacing it or stealing customer data.

The last vulnerability generates a Denial of Service attack which basically hangs the website, exhausts its memory consumption, and shuts it down.

We have reported the three vulnerabilities to the PHP security team on the 15^th of September and 6^th of August.

How can I protect myself from this vulnerability?

The PHP security team issued fixes for two of the vulnerabilities on the 13^th of October and 1^st of December. To ensure your webserver’s security you should make sure you are installing or have upgraded to latest version of PHP.

In addition, Check Point issued IPS signatures for these vulnerabilities on the 18^th and 31^st of October, protecting all clients against any attempt to exploit these vulnerabilities.

The IPS protections are:

PHP 7 Unserialization Exception Infinite Loop Denial of Service
PHP 7 Unserialization Malicious toString Remote Code Execution
PHP 7 Unserialization Hash Table Resize Use After Free
PHP 7 Uninitialized Value Remote Code Execution

See how use cases come to life through Check Point's customer stories.

See how use cases come to life through Check Point's customer stories.

See how use cases come to life through Check Point's customer stories.

AI-Powered Threat Prevention

AI-Powered Threat Prevention

AI-Powered Threat Prevention

AI-Powered Threat Prevention

AI-Powered Threat Prevention

Learn hackers inside secrets and beat them at their own game

Learn hackers inside secrets and beat them at their own game

Learn hackers inside secrets and beat them at their own game

Learn hackers inside secrets and beat them at their own game

Learn hackers inside secrets and beat them at their own game

Learn hackers inside secrets and beat them at their own game

Check Point is 100% Channel. Grow Your Business with Us!

See how use cases come to life through Check Point's customer stories.

Check Point discovers three Zero-Day Vulnerabilities in web programming language PHP 7

You may also like

Shifting Attack Landscapes and Sectors in Q1 2024 with a 28% increase in cyber attacks globally

Not So Private After All: How Dating Apps Can Reveal Your Exact Location

Agent Tesla Targeting United States & Australia: Revealing the Attackers’ Identities

Beyond Imagining – How AI is actively used in election campaigns around the world