
Four versions of PHP programming language updated to fix multiple bugs


The developer of the PHP (Hypertext Preprocessor) server-side scripting language has issued a series of updates that fix 40 vulnerabilities spread across four different versions -- the most serious of which was severe enough to allow an attacker to execute arbitrary code within the context of an affected application.

According to an advisory late last week from the Multi-State Information Sharing & Analysis Center (MS-ISAC), the most dangerous bug can be exploited to "view, change, or delete data; or create new accounts with full user rights," depending upon user privileges associated with the impacted application. Moreover, a failed exploitation can result in a denial-of-service (DoS) condition.

The affected versions are PHP 7.2 prior to 7.2.5 (18 bugs), PHP 7.1 prior to 7.1.17 (14 bugs), PHP 7.0 prior to 7.0.30 (four bugs), and PHP 5.0 prior to 5.6.36 (four bugs).

The MS-ISAC warns that the risk to both government and business users is high, and advises that organizations immediately upgrade to the latest patched version of PHP, but only after conducting appropriate testing and verifying that no unauthorized system modifications previously occurred on the system.
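As an added illustration (not part of the MS-ISAC advisory or the original article), the following sketch checks an inventory of `php -v` banners against the fixed releases listed above. The names `FIXED`, `classify` and `audit`, and the sample hosts, are hypothetical and constructed for this example.

```python
import re

# First patched release per branch, taken from the version list in the article.
FIXED = {
    (7, 2): (7, 2, 5),
    (7, 1): (7, 1, 17),
    (7, 0): (7, 0, 30),
    (5,): (5, 6, 36),  # the article gives the 5.x range as "prior to 5.6.36"
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract (major, minor, patch) from `php -v` output or a bare version string."""
    match = VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no PHP version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def classify(text):
    """Return 'affected', 'patched' or 'not-listed' for one version banner."""
    version = parse_version(text)
    for branch, fixed in FIXED.items():
        if version[:len(branch)] == branch:
            # Tuple comparison is numeric, so 7.1.9 sorts below 7.1.17
            # (a plain string comparison would get this wrong).
            return "affected" if version < fixed else "patched"
    return "not-listed"  # branch not covered by the article's list


def audit(inventory):
    """Map each host to its classification."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed sample inventory: host name -> first line of `php -v`.
SAMPLE = {
    "web01": "PHP 7.2.4 (cli) (built: Apr 10 2018 12:00:00) ( NTS )",
    "web02": "PHP 7.1.9 (cli)",
    "web03": "PHP 7.0.28-0ubuntu0.16.04.1 (cli) ( NTS )",
    "web04": "PHP 5.6.36 (cli)",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(f"{host}: {status}")
```

Distribution packages often backport security fixes without changing the upstream version number, so an "affected" result for a distro build (such as the constructed `web03` entry) should be confirmed against the vendor's own advisory.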

 Depending on the privileges associated with the application, an attacker could install programs; 


Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
