Multiple security vulnerabilities were identified in PHP, a widely-used open source general purpose scripting language which could compromise the security and integrity of web applications. These vulnerabilities include incorrect parsing of multipart/form-data, improper handling of directives, and flawed logging mechanisms. Let's dive into the details of the recent vulnerabilities.
This vulnerability affects the way PHP processes file uploads and input form data, which could lead to incorrect handling of legitimate data. Attackers could manipulate the form data, resulting in certain parts of the data being processed incorrectly or excluded. This might lead to application errors, data integrity violations, or even security breaches if malicious content is involved.
This issue involves the HTTP_REDIRECT_STATUS variable, which is used to check if the PHP CGI binary is running under an HTTP server. The vulnerability allows request submitters to control this variable via HTTP headers, potentially bypassing the cgi.force_redirect directive, which is designed to prevent arbitrary file inclusions.
This flaw could allow attackers to manipulate server configurations, leading to serious security concerns like arbitrary file inclusion, which could expose sensitive data or enable remote code execution (RCE).
This PHP vulnerability allows attackers to manipulate or remove up to four characters from log messages, which can result in altered or incomplete logs. In environments where PHP-FPM is configured to use syslog output, attackers could exploit this flaw to further manipulate log data, potentially masking malicious activity.
To address these PHP vulnerabilities, Canonical has released security patches for various Ubuntu releases, including Ubuntu 24.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 20.04 LTS. For Debian users, the vulnerabilities have been fixed in version 8.2.24-1~deb12u1 for the stable Debian 12 "Bookworm".
It's crucial to upgrade PHP packages immediately to mitigate potential risks. Regular updates ensure that security flaws are patched promptly, reducing the attack surface for malicious actors.
For organizations running end-of-life Linux systems, maintaining security becomes more challenging as these systems no longer receive security updates. However, services like TuxCare's Extended Lifecycle Support (ELS) offer a solution by providing extended support, including security patches for critical packages such as PHP, Linux kernel, glibc, OpenSSL, and Python.
TuxCare's ELS covers more than 140 packages across various end-of-life systems, including Ubuntu 16.04, Ubuntu 18.04, CentOS 6, CentOS 7, CentOS 8, CentOS Stream 8, and Oracle Linux 6 and Oracle Linux 7.
Additionally, TuxCare also offers Extended Lifecycle Support for PHP, which offers continued security patches for legacy PHP versions across both current and unsupported Linux distributions. With PHP ELS, organizations can continue running older versions of PHP securely without the need for large-scale code refactoring.
Learn more about Extending Support for PHP End-of-Life Versions in our previous blog.