Three 0-day Vulnerabilities in PHP 7 – One is Still Unpatched!

The vulnerabilities were reported by Check Point's security researchers on August 6 and September 15, but one of them still remains unpatched. By sending maliciously crafted HTTP requests to a web server, an attacker can use them to compromise websites running on popular platforms such as Magento, Drupal and vBulletin.

All three vulnerabilities lie in the PHP 7 deserialisation mechanism, that is, the unserialize() function that turns a serialized string back into PHP objects.

  1. CVE-2016-7479 — Use-After-Free Code Execution
  2. CVE-2016-7480 — Use of Uninitialized Value Code Execution
  3. CVE-2016-7478 — Remote Denial of Service

The first two allow an attacker to execute arbitrary code and so gain full control of the server. The third lets an attacker hang the web server by exhausting all available memory, taking the site down.

How to protect your website from these vulnerabilities?

Update to the latest PHP release as soon as possible: the first two issues are fixed by the patches released on October 13 and December 1. The third one (CVE-2016-7478) has no patch yet, so for now you have to wait for one to appear. In the meantime, apply the standard defence against deserialization bugs: never pass data an attacker can influence (cookies, request parameters, uploaded files) to unserialize(). Prefer a format that carries no class information, such as JSON, or, where native serialization cannot be avoided, restrict the classes unserialize() may instantiate with its allowed_classes option (available since PHP 7.0). That narrows the attack surface; it does not replace the patches.
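As an added example (not code from Check Point, from the PHP project or from any of the platforms named above), the following PHP shows the risky pattern next to the two mitigations: a preferences cookie read with a bare unserialize(), the same read restricted with allowed_classes, and a JSON-based replacement. The UserPrefs class, the cookie contents and the hostile payload are hypothetical, constructed for the demonstration; no exploit payload is shown.

```php
<?php
// Added example, not code from Check Point or from the PHP project. It shows
// the pattern that exposes an application to unserialize() bugs next to two
// safer alternatives. The UserPrefs class and the cookie contents are
// hypothetical, constructed for the demonstration.

class UserPrefs
{
    public $theme = 'light';
    public $perPage = 20;
}

// Risky: attacker-controlled input goes straight into the engine's
// unserializer, which builds whatever object the payload names. This is the
// code path through which the three Check Point bugs are reached.
function loadPrefsUnsafe($cookie)
{
    $obj = @unserialize($cookie);
    return $obj === false ? new UserPrefs() : $obj;
}

// Safer (PHP 7.0+): allowed_classes limits which classes unserialize() will
// instantiate; anything else comes back as __PHP_Incomplete_Class, so no
// engine or library class is ever built from attacker data. This narrows the
// attack surface for the still-unpatched bug; it does not replace the patches.
function loadPrefsRestricted($cookie)
{
    $obj = @unserialize($cookie, ['allowed_classes' => ['UserPrefs']]);
    return $obj instanceof UserPrefs ? $obj : new UserPrefs();
}

// Safest: do not accept PHP's native serialization format from the client at
// all. JSON carries no class information, so there is nothing to instantiate,
// and every field is validated before it is copied into the object.
function loadPrefsJson($json)
{
    $prefs = new UserPrefs();
    $data  = json_decode($json, true);
    if (!is_array($data)) {
        return $prefs;
    }
    if (isset($data['theme']) && in_array($data['theme'], ['light', 'dark'], true)) {
        $prefs->theme = $data['theme'];
    }
    if (isset($data['perPage']) && is_int($data['perPage'])
        && $data['perPage'] >= 1 && $data['perPage'] <= 100) {
        $prefs->perPage = $data['perPage'];
    }
    return $prefs;
}

// Constructed inputs: a legitimate cookie, and one that names a class the
// application never intended to deserialize (stdClass here; any class serves
// the demonstration, and no real exploit payload is used).
$legitCookie   = serialize(new UserPrefs());
$hostileCookie = 'O:8:"stdClass":1:{s:5:"admin";b:1;}';

// With the unsafe reader the attacker decides which class is instantiated.
echo get_class(loadPrefsUnsafe($hostileCookie)), "\n";
// With allowed_classes the hostile payload is rejected and the defaults are used,
// while a legitimate cookie still round-trips.
echo get_class(loadPrefsRestricted($hostileCookie)), "\n";
echo get_class(loadPrefsRestricted($legitCookie)), "\n";
// The JSON reader only ever builds a UserPrefs, from validated fields.
echo loadPrefsJson('{"theme":"dark","perPage":50}')->perPage, "\n";
```

Run it with any PHP 7 interpreter. The JSON variant is the one to migrate to; allowed_classes is a stop-gap for code that already stores native serialized data and cannot change format before the remaining patch ships.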

The good news is that none of the vulnerabilities has been found exploited in the wild yet.