PHP 7, the latest release of the popular web programming language that powers more than 80% of websites, offers great advantages for website owners and developers. Some of them include doubling the performance and adding numerous functionalities. Yet for hackers, it represents a completely fresh attack vector, where they can find previously undisclosed vulnerabilities.
During the past few months, we have analyzed PHP 7 and made it a priority to look into one of the most notoriously vulnerable areas of PHP: The unserialize mechanism. This is the same mechanism that was heavily exploited in PHP 5 and allowed hackers to compromise popular platforms as Magento, vBulletin, Drupal, Joomla!, Pornhub’s website, and other web servers, by sending maliciously crafted data in client cookies or to expose API calls.
Throughout our investigation we discovered 3 fresh and previously unknown vulnerabilities (CVE-2016-7479, CVE-2016-7480, CVE-2016-7478) in the PHP 7 unserialize mechanism. These vulnerabilities can be exploited using a technique we’ve discussed back in August.
The first two vulnerabilities allow attackers to take full control over servers, allowing them to do anything they want with the website, from spreading malware to defacing it or stealing customer data.
The last vulnerability generates a Denial of Service attack which basically hangs the website, exhausts its memory consumption, and shuts it down.
We have reported the three vulnerabilities to the PHP security team on the 15th of September and 6th of August.
How can I protect myself from this vulnerability?
The PHP security team issued fixes for two of the vulnerabilities on the 13th of October and 1st of December. To ensure your webserver’s security you should make sure you are installing or have upgraded to latest version of PHP.
In addition, Check Point issued IPS signatures for these vulnerabilities on the 18th and 31st of October, protecting all clients against any attempt to exploit these vulnerabilities.
The IPS protections are:
- PHP 7 Unserialization Exception Infinite Loop Denial of Service
- PHP 7 Unserialization Malicious toString Remote Code Execution
- PHP 7 Unserialization Hash Table Resize Use After Free
- PHP 7 Uninitialized Value Remote Code Execution