BreadcrumbHomeResourcesBlog PHP Vulnerabilities: Assessment and Prevention March 3, 2023 PHP Vulnerabilities: Assessment and PreventionSecurityBy Massimiliano CavicchioliPHP, like any other programming technology, is not exempt from having vulnerabilities. In fact, web applications (most of which use PHP) are a frequently probed attack surface for malicious parties who want to find and exploit PHP vulnerabilities. This makes being able to assess and mitigate PHP vulnerabilities a crucial part of developing and managing PHP applications.In this blog, we explore PHP vulnerabilities, including what PHP vulnerabilities are, how to assess them, and steps teams can take to keep their EOL PHP patched and secure. Table of ContentsPHP Vulnerabilities: OverviewPHP Vulnerabilities: Prevention Best PracticesHow Are PHP Vulnerabilities Disclosed?PHP Vulnerabilities: Severity LevelsFinal ThoughtsTable of Contents1 - PHP Vulnerabilities: Overview2 - PHP Vulnerabilities: Prevention Best Practices3 - How Are PHP Vulnerabilities Disclosed?4 - PHP Vulnerabilities: Severity Levels5 - Final ThoughtsBack to topPHP Vulnerabilities: OverviewWhat Are PHP Vulnerabilities?PHP vulnerabilities are exploitable flaws in a PHP application that can be used to gain unauthorized access to systems.Common PHP vulnerabilities can include code injection, broken access control, security misconfiguration, and cryptographic failures.What Is the Latest PHP Vulnerability?New PHP Common Vulnerabilities and Exposures (CVEs) are identified daily. The most up-to-date list can be found in the Zend Security Center.CVE entries include details about the CVE and its impact, which PHP versions and/or extensions were affected, and information on how to mitigate the CVE – whether that’s upgrading the PHP version, or using workarounds (e.g., configuration settings) that prevent exposure to PHP vulnerabilitiesBack to topPHP Vulnerabilities: Prevention Best PracticesTo prevent exposure to PHP vulnerabilities and other risks, teams should follow application security best practices, including:Threat modeling via the STRIDE method to find potential PHP vulnerabilities that could be exploitedRisk assessment with the DREAD framework to understand the likelihood of specific kinds of attacksBecause most web applications use PHP as their server-side language of choice, implementing the above mentioned methodologies and keeping PHP versions up to date is one of many PHP security best practices that teams need to consider as they develop and maintain their web applications.Back to topHow Are PHP Vulnerabilities Disclosed?Zend and the PHP community work daily to discover PHP vulnerabilities residing in the PHP engine and in all the prominent extensions that comprise the PHP ecosystem. The results of this continuous process are published in the form of CVEs, by the community and in our PHP Security Center. These CVE entries, as discussed above, serve to help teams assess and mitigate PHP vulnerabilities in their applications. How PHP Vulnerabilities Are Reported and Acted Upon Within the CommunityIf someone working within the PHP ecosystem finds any PHP vulnerabilities, they can securely report that PHP vulnerability to the PHP security team. Once a report is received, the team works to verify the issue, then collaborates on a patch with the reporting party. Once the fix is verified, it’s merged into the appropriate tree – but with the information obfuscated so that an observer cannot directly ascertain it is security related. This step is important, as it helps to keep nefarious parties from crawling for undisclosed PHP vulnerabilities and exploiting them before the CVE (or a patch) is disclosed to the public.In the run up to the actual announcement of a CVE, a CVE identifier is associated with the patch, but the CVE is generally not given any details until after release. The PHP security team works with package maintainers from a number of operating system distributions (E.g., RHEL, Debian, Arch, etc.), so that binaries can be released either simultaneously with the source release, or within 1-2 days.This process is well established across development ecosystems to help ensure teams are able to patch faster than nefarious parties are able to exploit the PHP vulnerability. It’s also important to note there are rare cases where PHP vulnerabilities may be found by a nefarious party, and is only made public due to the successful exploitation of a system via that vulnerability. However, this is rare due to the continued proactive actions of reporters within the PHP community and the PHP security team. On-Demand Webinar: PHP Engine SecurityJoin global PHP security expert Stanislav Malyshev for an on-demand webinar exploring how security vulnerabilities are managed in the PHP engine.Back to topPHP Vulnerabilities: Severity LevelsPHP vulnerabilities are not created equally, which is why organizations like the National Institute of Standards and Technology have created standardized criteria for assessing PHP vulnerabilities. The National Vulnerability Database provides a scoring system called the common vulnerability scoring system, or CVSS, that helps teams working with software to quickly understand the severity of a given PHP vulnerability.This scoring system has went through several iterations, with CVSS v3.0 breaking down severities into five categories ranging from critical, to no severity.CVSS v3.0 Severity by Base Score RangeBase Score RangeSeverity Level0.0None0.1-3.9Low4.0-6.9Medium7.0-8.9High9.0-10.0CriticalPHP Vulnerabilities: Calculating Security LevelsNIST provides a calculator for determining the score / severity of PHP vulnerabilities. These scores are determined based on a number of vectors, including attack vector, attack complexity, privileges required, user interaction, scope, confidentiality impact, integrity impact, and availability impact. There are other defined characteristics for temporal and environmental scores, as well. Source: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator Returning back to our earlier PHP CVE example, CVE-2022-31630, you can see two separate base scores listed, with the associated vectors selected during the calculation phase differing between the two scores. Source: https://nvd.nist.gov/vuln/detail/CVE-2022-31630 This means that both the NVD group and PHP Group evaluated the CVE, with the NVD group finding it more severe (per their vector selections) than the PHP group.Back to topFinal ThoughtsWhile assessing and mitigating PHP vulnerabilities can be complicated and time-consuming, it’s a very important part of the PHP development and management process. If CVEs are left unpatched, it leaves teams at risk to potentially devastating exploits – exploits that can ultimately impact the success of their organizations.If you haven’t yet, we highly encourage you to bookmark our PHP Security Center page, and to make sure you have full visibility into the PHP versions you’re deploying. And, if you have end of life PHP that needs patched, be sure to check out our PHP LTS offerings.Keep Your EOL PHP Patched With LTS From ZendZend provides PHP LTS for EOL PHP versions, all backed by guaranteed SLAs and support from our team of experts.See Our LTS OptionsAdditional Resources101 Guide - PHP SecuritySolution - Zend PHP Consulting ServicesSolution - Zend PHP Security and Consulting ServicesBlog - CVE-2023-3823 OverviewBlog - Why Good PHP Monitoring MattersBlog - Mitigating CVE-2023-0662Blog - 6 PHP Security Best PracticesBlog - Understanding CVEs and CVSS ScoresBack to top
Massimiliano Cavicchioli Software Architect Massimiliano Cavicchioli is a Software Architect at Zend. He has over 20 years of experience in the tech world, 16 of which he spent contributing to the PHP ecosystem at Zend. During his many years of providing consultation to enterprise corporations, Massi has developed a wealth of tangible knowledge — making him highly capable in helping companies achieve best practices in both PHP and OSS.
