
Irony alert! PHP fixes security flaw in input validation code
2022-02-18 19:59

Released yesterday [2022-02-17], this version fixes various memory mismanagement bugs, including CVE-2021-21708, which is a use-after-free blunder in a function called php_filter_float().

A proof-of-concept exploit based on using PHP to query a database shows that the bug can be used to crash the PHP process, so a working Denial of Service attack is already known to be possible.

If the number that comes in is already a floating point number, then the code goes as shown below, where the old PHP code is on the left and the new code is on the right.

Don't worry if you don't know C; the important thing to note is that the error checking is done first, followed by a line that frees up the memory currently used by PHP to store the number, followed immediately by a line that reallocates memory for PHP to use.

The updated code in version 8.1.3 has restored the code to a safer sequence, although it would be safer still if there were a single function called, say, dtor_and_alloc_in_one_go(), so that future programmers couldn't accidentally re-insert code between the call to the destructor and the call to the allocator.

If you're a programmer, try to write your code in a way that reduces the number of ways errors can be introduced by the coders who come after you.
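The pattern the article recommends, as an added C example (not code from the article or from PHP's own source): a constructed value slot whose destructor and allocator are fused into one helper, with all validation run before any storage is touched. The value_slot struct, replace_text() and validate_float_range() are hypothetical stand-ins; the helper goes one step further than the article by allocating the replacement before freeing the old buffer, so the slot never points at freed memory at all.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the interpreter's variable storage; not PHP's zval. */
typedef struct {
    char *text;   /* heap-allocated textual form of the value */
    double num;   /* numeric form, filled in once the text validates */
} value_slot;

/* Destructor and allocator in one call, in the spirit of the article's
   dtor_and_alloc_in_one_go(): the replacement is allocated first, the old
   buffer is freed last, and the slot never points at freed memory, so no
   later edit can slip a use of the stale buffer between the two steps. */
int replace_text(value_slot *slot, const char *new_text) {
    char *fresh = malloc(strlen(new_text) + 1);
    if (fresh == NULL) return -1;   /* allocation failure leaves the old value intact */
    strcpy(fresh, new_text);
    free(slot->text);               /* free(NULL) is a no-op for an empty slot */
    slot->text = fresh;
    return 0;
}

/* Range-checked float validation, modelled on the described behaviour of
   FILTER_VALIDATE_FLOAT with min/max limits: every check runs before any
   storage is touched, and the failure path swaps storage through one helper.
   Returns 1 if accepted, 0 if rejected (the slot then holds "false"). */
int validate_float_range(value_slot *slot, double min, double max) {
    char *end = NULL;
    double parsed = strtod(slot->text, &end);
    int ok = end != slot->text && *end == '\0' && parsed >= min && parsed <= max;
    if (!ok) {
        if (replace_text(slot, "false") == 0) slot->num = 0.0;
        return 0;
    }
    slot->num = parsed;
    return 1;
}

int main(void) {
    value_slot v = { NULL, 0.0 };
    replace_text(&v, "3.5");
    printf("3.5 in [0,10]: %d\n", validate_float_range(&v, 0.0, 10.0));
    replace_text(&v, "42");
    printf("42 in [0,10]: %d, slot now \"%s\"\n", validate_float_range(&v, 0.0, 10.0), v.text);
    free(v.text);
    return 0;
}
```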


News URL

https://nakedsecurity.sophos.com/2022/02/18/irony-alert-php-fixes-security-flaw-in-input-validation-code/

Related Vulnerability

DATE        CVE             VULNERABILITY TITLE                  RISK
2022-02-27  CVE-2021-21708  Use After Free vulnerability in PHP  critical (CVSS 9.8)

Attack vector: network; attack complexity: low; product: php; weakness: CWE-416

Description: In PHP versions 7.4.x below 7.4.28, 8.0.x below 8.0.16, and 8.1.x below 8.1.3, when using filter functions with the FILTER_VALIDATE_FLOAT filter and min/max limits, if the filter fails, there is a possibility to trigger use of allocated memory after free, which can result in crashes, and potentially in overwrite of other memory chunks and RCE.

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
PHP 20 24 297 211 81 613