Three 0-day Vulnerabilities in PHP 7 – One is Still Unpatched!

These vulnerabilities were reported on September 15 and August 6 by Check Point’s security researchers, but one of them still remains unpatched. Using these vulnerabilities, hackers can compromise websites running on such popular platforms as Magento, Drupal, vBulletin and others by sending maliciously crafted HTTP requests to a web server.

The vulnerabilities discovered lie in the PHP 7 deserialisation mechanism.

  1. CVE-2016-7479 — Use-After-Free Code Execution
  2. CVE-2016-7480 — Use of Uninitialized Value Code Execution
  3. CVE-2016-7478 — Remote Denial of Service

The first two vulnerabilities allow attackers to gain full control over the server and do whatever they want with it. The third one allows an attacker to hang the web server by exhausting all available memory and crashing the server.

How to protect your website from these vulnerabilities?

Install the latest PHP versions ASAP. This will get the first two of them patched, because patches were released on the 13th of October and the 1st of December. The last one is still not patched, so you will need to wait for some time for a patch to appear.

The good thing is that none of the vulnerabilities has been found to be exploited by hackers... yet.

PHP 7.1 released, but Magento 2.1 doesn’t support it yet

PHP 7.1 was released more than a week ago, but Magento 2.1 still doesn’t support it because of the outdated mcrypt extension, which needs to be refactored out of the codebase. Here is the issue opened on GitHub, which you can subscribe to in order to monitor its status:

https://github.com/magento/magento2/issues/5701

The mcrypt extension has been marked as deprecated for years, and it’s surprising that products such as Magento 2 still rely on this outdated extension.

Although PHP 7.1 doesn’t contain changes, there are some important syntax additions like nullable types, and the focus in this release was on performance again (which is a weak spot for Magento). So I think a lot of people would like Magento to work on the latest PHP version, and the fixes for whatever prevents it from supporting the latest version are much anticipated.

Test if your ISP is using Transparent DNS Proxies

DNS has always been one of the weakest links in security: from transparent DNS proxying, to DNS hijacking in local network attacks, to complete and quite transparent, often very permanent and undetectable hijacks of consumer-level network equipment, such as routers, through trivial UPnP hacks.

Using this service you can tell whether your ISP is doing some bad things behind your back: dnsleaktest.com. Since more and more ISPs around the world are starting to proxy DNS traffic through their own servers, it’s becoming more and more of a problem. Some of them are actually modifying the result of any lookup of google.com, regardless of whether the user is using their DNS or not.
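
One way to run this kind of check yourself, as an added example that is not from the original post or from dnsleaktest.com: query two public resolvers run by different operators for a name that reports the resolver's own egress address, and flag the case where both report the same network, which means a single party answered both queries. The probe name whoami.akamai.net, the resolvers 8.8.8.8 and 9.9.9.9, and all function names are assumptions of this example.

```python
import ipaddress
import socket
import struct

PROBE_NAME = "whoami.akamai.net"  # assumption: resolves to the querying resolver's address
RESOLVERS = ("8.8.8.8", "9.9.9.9")  # assumption: public resolvers of two different operators

def build_query(name, txid=0x1234):
    """Encode a one-question DNS query for an A record, recursion desired."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return struct.pack(">6H", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00\x00\x01\x00\x01"

def skip_name(msg, pos):
    """Return the offset just past a (possibly compressed) encoded name."""
    while msg[pos] and msg[pos] < 0xC0:
        pos += 1 + msg[pos]
    return pos + (2 if msg[pos] else 1)

def first_a_record(msg):
    """Return the first IPv4 address in a DNS response, or None if absent."""
    ancount = struct.unpack_from(">H", msg, 6)[0]
    pos = skip_name(msg, 12) + 4  # skip the single echoed question
    for _ in range(ancount):
        pos = skip_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack_from(">2HIH", msg, pos)
        if rtype == 1 and rdlen == 4:
            return socket.inet_ntoa(msg[pos + 10:pos + 14])
        pos += 10 + rdlen

def probe(resolver, timeout=3.0):
    """Ask one explicitly addressed resolver which egress address it reports."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(PROBE_NAME), (resolver, 53))
            return first_a_record(s.recv(512))
        except OSError:
            return None  # timeout or unreachable: no observation

def shared_egress(observed):
    """Map each egress /24 to the resolvers reporting it, when more than one does."""
    groups = {}
    for resolver, egress in observed.items():
        net = str(ipaddress.ip_network(egress + "/24", strict=False))
        groups.setdefault(net, []).append(resolver)
    return {net: sorted(rs) for net, rs in groups.items() if len(rs) > 1}

if __name__ == "__main__":
    seen = {r: ip for r in RESOLVERS if (ip := probe(r))}
    print(seen, shared_egress(seen) or "no shared egress seen")
```

An empty result does not prove the path is clean: an ISP resolver pool spread over several networks would not be grouped by this /24 heuristic.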