Irony alert! PHP fixes security flaw in input validation code
PHP 8.1.3, released yesterday [2022-02-17] alongside the 8.0.16 and 7.4.28 point releases, fixes various memory-mismanagement bugs, including CVE-2021-21708, a use-after-free blunder in a function called `php_filter_float()`, the code behind the `FILTER_VALIDATE_FLOAT` filter.
A proof-of-concept based on using PHP to query a database shows that the bug can be used to crash the PHP process, so a working denial-of-service attack is already known to be possible. The advisory's mention of possible remote code execution goes beyond what that proof-of-concept demonstrates; a crash is what has been shown so far.
If the incoming value parses as a floating-point number, the code runs as in the side-by-side comparison in the original article, with the old PHP code on the left and the new code on the right.
Don't worry if you don't know C; the important thing to note is that in the fixed version the error checking (including the `min_range`/`max_range` comparison) is done first, followed by a line that frees the memory PHP is currently using to hold the input, followed immediately by a line that installs the newly computed number in its place. The old code did the freeing and reinstalling before the range check, so a failed check ran against a value that had already been torn down.
The updated code in version 8.1.3 restores a safer sequence, although it would be safer still if there were a single function called, say, `dtor_and_alloc_in_one_go()`, so that future programmers couldn't accidentally re-insert code between the call to the destructor and the call to the allocator and thereby reopen the window in which the variable points at freed memory.
If you're a programmer, try to write your code so that it reduces the number of ways errors can be introduced by the coders who come after you.
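The pattern the article is recommending, written out as an added example in C. This is not PHP's code and not the patch: the `struct value`, `value_replace_double()` and `value_fail()` names, the `release_count` counter and the sample inputs are all constructed for this illustration, and `strtod()` is used as a stand-in parser whose accepted syntax differs from PHP's own numeric-string rules. The point it demonstrates is the ordering: every check runs while the value is still intact, and the destructor is only ever called from helpers that release and reassign in one step, so no later edit can observe a half-torn-down value.

```c
#include <math.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy tagged value modelled loosely on a PHP zval: it owns a heap string,
 * holds a double, or holds nothing. All names are assumptions for this example. */
enum value_type { V_NULL, V_STRING, V_DOUBLE };

struct value {
    enum value_type type;
    union {
        char *str;      /* heap buffer owned by the value when type == V_STRING */
        double dval;
    } u;
};

/* Counts every release of a heap buffer so a test can check that an input is
 * freed exactly once whichever way validation goes (no leak, no double free). */
static int release_count = 0;

static char *dup_string(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

static struct value value_from_string(const char *s) {
    struct value v;
    v.u.str = dup_string(s);            /* the value owns its own copy */
    v.type = v.u.str ? V_STRING : V_NULL;
    return v;
}

/* Destructor. Once it returns, the tag and pointer are stale: that is the
 * window the article warns about, so it is only called from the two
 * release-and-reassign helpers below, never directly from filter code. */
static void value_release(struct value *v) {
    if (v->type == V_STRING) {
        free(v->u.str);
        release_count++;
    }
}

/* "dtor and alloc in one go": drop the old contents and install the new
 * number in a single call, leaving no gap for code to slip into. */
static void value_replace_double(struct value *v, double d) {
    value_release(v);
    v->type = V_DOUBLE;
    v->u.dval = d;
}

/* Failure path, the analogue of PHP's RETURN_VALIDATION_FAILED: release and
 * mark the value as null, again as one indivisible step. */
static void value_fail(struct value *v) {
    value_release(v);
    v->type = V_NULL;
}

/* Validate a string as a finite double, optionally within [min, max].
 * Every check runs before the value is touched; it is modified only once
 * the outcome is known. Returns true if the value now holds a double. */
static bool filter_float(struct value *v, const double *min, const double *max) {
    if (v->type != V_STRING) {
        value_fail(v);
        return false;
    }
    char *end = NULL;
    double d = strtod(v->u.str, &end);
    bool ok = end != v->u.str && *end == '\0' && isfinite(d);   /* whole string, finite */
    if (ok && min && d < *min) ok = false;
    if (ok && max && d > *max) ok = false;
    if (!ok) {
        value_fail(v);              /* original string released exactly once */
        return false;
    }
    value_replace_double(v, d);     /* released and replaced in one step */
    return true;
}

int main(void) {
    double lo = 1.0, hi = 3.0;
    const char *inputs[] = { "2.5", "9", "1.5abc", "1e999" };   /* constructed samples */
    for (size_t i = 0; i < sizeof inputs / sizeof *inputs; i++) {
        struct value v = value_from_string(inputs[i]);
        bool ok = filter_float(&v, &lo, &hi);
        printf("%-8s -> %s\n", inputs[i], ok ? "accepted as double" : "rejected");
    }
    return 0;
}
```

Note that `filter_float()` itself never calls `value_release()`; it only knows about the two compound helpers. That is the structural property the article asks for: a reviewer can check the one place where the destructor is invoked, instead of auditing every caller for code sitting between the free and the reassignment.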
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK (CVSS base score) |
|---|---|---|---|---|
| 2022-02-27 | CVE-2021-21708 | Use After Free vulnerability in PHP | In PHP versions 7.4.x below 7.4.28, 8.0.x below 8.0.16, and 8.1.x below 8.1.3, when using filter functions with the FILTER_VALIDATE_FLOAT filter and min/max limits, if the filter fails there is a possibility to trigger use of allocated memory after free, which can result in crashes, and potentially in overwrite of other memory chunks and RCE. | 9.8 |