Summary: The PHP project has issued a security advisory detailing multiple vulnerabilities across various PHP versions, urging users to update to the latest patched versions immediately. Key vulnerabilities include log tampering, arbitrary file inclusion, and data integrity violations, which could have severe implications for affected systems.
Threat Actor: Unknown
Victim: PHP Users
Key Points:
- Multiple vulnerabilities identified, including CVE-2024-9026 (log tampering) and CVE-2024-8927 (bypass of cgi.force_redirect).
- Vulnerabilities affect PHP versions prior to 8.1.30, 8.2.24, and 8.3.12, necessitating immediate updates.
- Failure to update could lead to serious consequences such as data breaches and system compromises.
The PHP project has recently released a security advisory, addressing several vulnerabilities affecting various versions of PHP. These vulnerabilities range from potential log tampering to arbitrary file inclusion and data integrity violations. It is strongly recommended that all PHP users update their systems to the latest patched versions immediately.
Key Vulnerabilities and Their Impact
CVE-2024-9026: Log Tampering in PHP-FPM
This vulnerability allows potential manipulation of logs in PHP-FPM, enabling attackers to either insert extraneous characters or remove up to 4 characters from log entries. This can hinder incident response and forensic investigations.
CVE-2024-8927: Bypass of cgi.force_redirect Configuration
Attackers can exploit this bug to bypass restrictions imposed by the cgi.force_redirect configuration, potentially leading to arbitrary file inclusion in certain configurations. This can compromise sensitive data and allow unauthorized access.
CVE-2024-8926: PHP CGI Parameter Injection Vulnerability
This vulnerability bypasses a previous fix (CVE-2024-4577) under specific, non-standard Windows codepage configurations. While unlikely to occur in real-world environments, it underscores the importance of addressing even seemingly minor vulnerabilities.
CVE-2024-8925: Erroneous Parsing of Multipart Form Data
This bug in the parsing of multipart form data can lead to legitimate data not being processed, violating data integrity. Attackers can exploit this to exclude portions of legitimate data under specific conditions.
Affected and Patched Versions
The following PHP versions are affected by these vulnerabilities:
- PHP versions prior to 8.1.30
- PHP versions prior to 8.2.24
- PHP versions prior to 8.3.12
The patched versions that address these vulnerabilities are:
- PHP 8.1.30
- PHP 8.2.24
- PHP 8.3.12
Immediate Action Required
It is crucial to update your PHP installations to the latest patched versions as soon as possible. These vulnerabilities can have serious consequences, including data breaches, system compromise, and disruption of services.
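To prioritise the update across several hosts, the following added example (not part of the PHP advisory or of any PHP tooling) classifies each installation against the patched versions listed above and notes which of the four CVEs concern the component it runs. The inventory format, the sample hosts and the SAPI-to-CVE mapping are assumptions; the SAPI names are the strings php_sapi_name() reports.

```python
import re

# Patched release per branch, as listed in the advisory summary above.
FIXED = {(8, 1): 30, (8, 2): 24, (8, 3): 12}

# Which component each CVE entry names, keyed on php_sapi_name() strings.
# Assumption: the multipart bug matters for any SAPI that serves HTTP (not "cli").
CVES = {
    "CVE-2024-9026": lambda sapi, os_name: sapi == "fpm-fcgi",
    "CVE-2024-8927": lambda sapi, os_name: sapi == "cgi-fcgi",
    "CVE-2024-8926": lambda sapi, os_name: sapi == "cgi-fcgi" and os_name == "windows",
    "CVE-2024-8925": lambda sapi, os_name: sapi != "cli",
}

def version_status(version):
    """Classify a PHP_VERSION string as patched, vulnerable, not-covered or unparsed."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(.*)", version)
    if not m:
        return "unparsed"
    branch, patch = (int(m.group(1)), int(m.group(2))), int(m.group(3))
    if branch > max(FIXED):
        return "not-covered"          # newer branch: the advisory does not list it
    if branch not in FIXED:
        return "vulnerable"           # literally "prior to 8.1.30", no fix listed
    # A pre-release such as 8.3.12RC1 sorts before the final 8.3.12 release.
    prerelease = re.match(r"-?(rc|alpha|beta|dev)", m.group(4), re.I)
    needed = FIXED[branch] + 1 if prerelease else FIXED[branch]
    return "patched" if patch >= needed else "vulnerable"

# Constructed sample inventory: host, PHP_VERSION, php_sapi_name(), OS.
SAMPLE_INVENTORY = """
web01 8.1.29 fpm-fcgi linux
web02 8.2.24 fpm-fcgi linux
win01 8.3.11 cgi-fcgi windows
app01 8.3.12RC1 apache2handler linux
"""

def triage(inventory):
    """Return (host, status, relevant CVEs) for each inventory line."""
    findings = []
    for line in inventory.strip().splitlines():
        host, version, sapi, os_name = line.split()
        status = version_status(version)
        cves = [c for c, applies in CVES.items() if applies(sapi, os_name)]
        findings.append((host, status, cves if status == "vulnerable" else []))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(*finding)
```

Distribution packages often backport security fixes without changing the upstream version number, so a "vulnerable" result for a packaged build should be confirmed against the distributor's changelog.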