In recent months, the popular PHP programming language used to create dynamic web pages has been discovered to have two new security flaws.
According to Security Online, two new vulnerabilities in PHP were discovered and assigned the identifiers CVE-2023-3823 and CVE-2023-3824. Bug CVE-2023-3823 with a CVSS index of 8.6 is an information disclosure vulnerability that allows a remote attacker to obtain sensitive information from a PHP application.
This vulnerability is caused by inadequate validation of user-supplied XML input. An attacker can exploit it by sending a special XML file to the application. The code is analyzed by the application, and the attacker can gain access to sensitive information, such as the contents of files on the system or the results of an external request.
The danger is that every application, library, and server that parses or interacts with XML documents is vulnerable to this vulnerability.
Meanwhile, bug CVE-2023-3824 is a buffer overflow vulnerability with a CVSS score of 9.4, allowing a remote attacker to execute arbitrary code on a PHP-based system. This vulnerability is caused by a function in PHP that does not properly check bounds. An attacker can testify by sending a special request to the application, thereby causing a buffer overflow and helping to gain control of the system to execute arbitrary code.
Because of this danger, users are advised to update their system to PHP version 8.0.30 as soon as possible. In addition, steps should be taken to protect the PHP application from attacks, such as validating all user input, using a web application firewall (WAF).