PHP 8.3 multiple vulns with exploitable RCE

The php version in the pkg repo has multiple vulnerabilities, including an RCE.

Code:
# pkg info php83
php83-8.3.6
Name           : php83
Version        : 8.3.6
Installed on   : Thu Jun 20 16:14:12 2024 EDT
Origin         : lang/php83
Architecture   : FreeBSD:14:amd64
Prefix         : /usr/local
Categories     : www lang devel
Licenses       : PHP301
Maintainer     : bofh@FreeBSD.org
WWW            : https://www.php.net/
Comment        : PHP Scripting Language (8.3.X branch)
Options        :
        CGI            : on
        CLI            : on
        DEBUG          : off
        DTRACE         : on
        EMBED          : on
        FPM            : on
        IPV6           : on
        LINKTHR        : on
        MYSQLND        : on
        NOASLR         : off
        PCRE           : on
        PHPDBG         : off
        ZTS            : off
Shared Libs required:
        libxml2.so.2
        libpcre2-8.so.0
        libargon2.so.0
Shared Libs provided:
        libphp.so
Annotations    :
        FreeBSD_version: 1400097
        build_timestamp: 2024-04-18T01:04:52+0000
        built_by       : poudriere-git-3.4.1-1-g1e9f97d6
        cpe            : cpe:2.3:a:php:php:8.3.6:::::freebsd14:x64
                port_checkout_unclean: no
        port_git_hash  : 22ceb6a4d
        ports_top_checkout_unclean: no
        ports_top_git_hash: 4dd3e3444
        repo_type      : binary
        repository     : FreeBSD
Flat size      : 25.5MiB
Description    :
PHP, which stands for "PHP: Hypertext Preprocessor" is a widely-used Open
Source general-purpose scripting language that is especially suited for
Web development and can be embedded into HTML.  Its syntax draws upon C,
Java, and Perl, and is easy to learn.  The main goal of the language is to
allow web developers to write dynamically generated webpages quickly, but
you can do much more with PHP.

Vulnerabilities:

  • CGI:
    • Fixed bug GHSA-3qgc-jrrr-25jv (Bypass of CVE-2012-1823, Argument Injection in PHP-CGI). (CVE-2024-4577)
  • Filter:
    • Fixed bug GHSA-w8qr-v226-r27w (Filter bypass in filter_var FILTER_VALIDATE_URL). (CVE-2024-5458)
  • Standard:
    • Fixed bug GHSA-9fcc-425m-g385 (Bypass of CVE-2024-1874). (CVE-2024-5585)
https://nvd.nist.gov/vuln/detail/CVE-2024-4577 is 9.8 CRITICAL
https://nvd.nist.gov/vuln/detail/CVE-2024-5458 is 5.3 Medium
https://nvd.nist.gov/vuln/detail/CVE-2024-5585 is 8.8 High
I also reported it here as well: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=279979

Is there any plan on releasing an updated PHP-8.3 package? It seems PHP-8.2 has also suffered the same fate. It's stuck at 8.2.18 and missing security-rated releases. I've downgraded to the PHP-8.1 package, which has been kept current.
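As an added example, not code from this thread or from the FreeBSD ports tree: a POSIX sh script that parses a `pkg info` dump like the one quoted above, pulls out the package version and the CGI build option (the SAPI that CVE-2024-4577 concerns), and reports whether the installed version predates the fixed release. The sample input is a constructed, cut-down copy of the output above, and the fixed version 8.3.8 is an assumption taken from the php.net changelog, not something this thread states.

```shell
#!/bin/sh
# Added example: check a `pkg info php83` dump for a pre-fix version and
# for the CGI SAPI being built in. Not part of the thread or of ports.

# Constructed sample, trimmed from the pkg info output quoted in the thread.
SAMPLE_PKG_INFO='Name           : php83
Version        : 8.3.6
Origin         : lang/php83
Options        :
        CGI            : on
        CLI            : on
        FPM            : on
Shared Libs required:
        libxml2.so.2'

# Assumption: 8.3.8 is the php.net release carrying these fixes; substitute
# the version from the changelog you are tracking.
FIXED_VERSION=8.3.8

# Print the "Version" field from pkg info text on stdin.
pkg_version() {
    awk -F': *' '$1 ~ /^Version/ { print $2; exit }'
}

# Print on/off for the named build option in pkg info text on stdin;
# prints nothing when the option is not listed.
pkg_option() {
    awk -v opt="$1" -F': *' '
        /^Options/ { inopts = 1; next }
        inopts && $1 !~ /^[ \t]/ { inopts = 0 }
        inopts {
            gsub(/^[ \t]+|[ \t]+$/, "", $1)
            if ($1 == opt) { gsub(/[ \t]/, "", $2); print $2; exit }
        }
    '
}

# Succeed when dotted version $1 is strictly older than $2,
# comparing each component numerically.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# Summarise one pkg info dump passed as a string: prints
# "<version> vulnerable|fixed cgi=<on|off|unknown>".
assess() {
    ver=$(printf '%s\n' "$1" | pkg_version)
    cgi=$(printf '%s\n' "$1" | pkg_option CGI)
    if version_lt "$ver" "$FIXED_VERSION"; then
        state=vulnerable
    else
        state=fixed
    fi
    printf '%s %s cgi=%s\n' "$ver" "$state" "${cgi:-unknown}"
}

assess "$SAMPLE_PKG_INFO"
```

On a live FreeBSD host the same functions run over real output, e.g. `assess "$(pkg info php83)"`. A CGI option reported as "on" only means the php-cgi binary is installed; which SAPI the web server actually invokes still has to be confirmed in the httpd or nginx configuration.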
 
An update would be nice and welcome of course, but for me these have very little, read no, impact.

CVE-2024-4577 is Windows-specific.
CVE-2024-5458 is regarding handling of URLs with username+passwords, which IMHO is insecure anyway.
CVE-2024-5585 is regarding proc_open, which may be the more critical of the three, but personally I also consider it bad practice to run system commands from PHP scripts.

That said, if there is a newer PHP 8.3.x version released I'd like to be able to update it too.

Thank you for pointing this out. I just found in the older CVE (https://www.php.net/archive/2012.php#id2012-05-03-1) that Apache+mod_php and NGINX+php-fpm are not affected.