PHP is one of the most popular programming languages on the web. It is used by more than 76% of indexed websites that use a server-side (back-end) programming language. This means that probably 7 out of 10 websites we visit use PHP in some way. Why does this matter? The larger the user base, the more cybercriminals target it and take advantage of the PHP vulnerabilities that arise.

Currently, PHP support exists only for versions 7.2 to 7.4. To many this may seem a minor detail; however, compared with how PHP is actually deployed on the Internet, it reveals an unfavorable picture for security: 60% of the platforms that use PHP run a version that is already deprecated by the vendor.

PHP vulnerabilities that were breached and rated critical

Security experts and companies dedicated to this work day by day to minimize these vulnerabilities, but this does not extend to expired versions. Even on an up-to-date version, new vulnerabilities can be found that put the cybersecurity of all users and companies at risk. These are some of the vulnerabilities that emerged in 2020:

▸CVE-2020-7066

The vendor has only disclosed that the vulnerability is located in the PHP get_headers function, implying that this function truncates the headers upon receiving a null byte. This error can cause the headers to leak confidential information or even contain data entered by a possible attacker; for this reason it is considered critical severity.
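One way to keep null bytes away from get_headers is to validate the URL first; the following is an added example, not code from PHP or from the original article. The helper names, the host allowlist and the sample URLs are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: returns null when the URL may be passed to
// get_headers(), otherwise a short reason for rejecting it.
function url_rejection_reason(string $url, array $allowedHosts): ?string
{
    // NUL and other control characters never belong in a URL; reject
    // them before any parsing so nothing downstream sees a cut-off value.
    if (preg_match('/[\x00-\x1F\x7F]/', $url) === 1) {
        return 'control character (including NUL) in URL';
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return 'not an absolute URL';
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return 'scheme not allowed';
    }
    if (!in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return 'host not on allowlist';
    }
    return null;
}

// Hypothetical wrapper: the only place get_headers() is called.
function safe_get_headers(string $url, array $allowedHosts): array
{
    $reason = url_rejection_reason($url, $allowedHosts);
    if ($reason !== null) {
        throw new InvalidArgumentException("Refusing get_headers(): $reason");
    }
    $headers = get_headers($url);
    if ($headers === false) {
        throw new RuntimeException('get_headers() failed');
    }
    return $headers;
}

// Constructed sample inputs; only validation runs here, no request is sent.
$allowed = ['api.example.com'];
$samples = [
    "https://api.example.com/status",
    "https://api.example.com/status\0extra",
    "ftp://api.example.com/file",
];
foreach ($samples as $u) {
    $reason = url_rejection_reason($u, $allowed);
    printf("%-45s %s\n", addcslashes($u, "\0..\37"), $reason ?? 'OK');
}
```

Validation of this kind complements, and does not replace, upgrading to a PHP release in which the flaw is fixed.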

▸CVE-2020-7063

Due to the incorrect default permissions for files and folders that are set during the execution of Phar::buildFromIterator when adding files to a TAR archive, a local user could extract files from the TAR archive and gain access to restricted information. Exploitation of this vulnerability requires that the php.ini option phar.readonly be set to 0.

▸CVE-2020-12461

This vulnerability allows a remote threat actor to execute arbitrary SQL queries against the PHP Fusion database. According to the experts of the pentest company, this flaw exists due to improper sanitization of the data provided by the user in maincore.php. This flaw was considered critical, with a score of 8/10 on the CVSS scale.
