3 Critical Zero-Day Flaws Found in PHP 7 — One Remains Unpatched!
06-01-2017, 00:04
#1
3 Critical Zero-Day Flaws Found in PHP 7 — One Remains Unpatched!
thehackernews wrote: Three critical zero-day vulnerabilities have been discovered in PHP 7 that could allow an attacker to take complete control over 80 percent of websites which run on the latest version of the popular web programming language.

The critical vulnerabilities reside in the unserialized mechanism in PHP 7 – the same mechanism that was found to be vulnerable in PHP 5 as well, allowing hackers to compromise Drupal, Joomla, Magento, vBulletin and PornHub websites and other web servers in the past years by sending maliciously crafted data in client cookies.

Security researchers at Check Point's exploit research team spent several months examining the unserialized mechanism in PHP 7 and discovered "three fresh and previously unknown vulnerabilities" in the mechanism.



While researchers discovered flaws in the same mechanism, the vulnerabilities in PHP 7 are different from what was found in PHP 5.

Tracked as CVE-2016-7479, CVE-2016-7480, and CVE-2016-7478, the zero-day flaws can be exploited in a similar manner as a separate vulnerability (CVE-2015-6832) detailed in Check Point's August report.

The first two vulnerabilities, if exploited, would allow a hacker to take full control over the target server, enabling the attacker to do anything from spreading malware to stealing customer data or defacing it.



The third vulnerability could be exploited to generate a Denial of Service (DoS) attack, allowing a hacker to hang the website, exhaust its memory consumption and eventually shut down the target system, researchers explain in their report [PDF].

According to Yannay Livneh of Check Point's exploit research team, none of the above vulnerabilities were found exploited in the wild by hackers.

The Check Point researchers reported all three zero-day vulnerabilities to the PHP security team on September 15 and August 6.

Patches for two of the three flaws were issued by the PHP security team on 13th October and 1st December, but one of them remains unpatched.

Besides patches, Check Point also released IPS signatures for the three vulnerabilities on the 18th and 31st of October to protect users against any attack that exploits these vulnerabilities.

In order to ensure the webserver’s security, users are strongly recommended to upgrade their servers to the latest version of PHP.

Source: https://thehackernews.com/2016/12/php-7-update.html
06-01-2017, 08:01
#2
RE: 3 Critical Zero-Day Flaws Found in PHP 7 — One Remains Unpatched!
Is there a PoC? I very strongly doubt "take over 80% of all sites".
yolo
06-01-2017, 16:15
#3
RE: 3 Critical Zero-Day Flaws Found in PHP 7 — One Remains Unpatched!
(06-01-2017, 08:01)Ash wrote: Is there a PoC? I very strongly doubt "take over 80% of all sites".
Not sure. It seems the last zero-day is not quite as destructive as the others. They did, however, remain unpatched for several months after they were reported, and how many people actually update their PHP?
06-01-2017, 17:58
#4
RE: 3 Critical Zero-Day Flaws Found in PHP 7 — One Remains Unpatched!
(06-01-2017, 16:15)Smokers Choice wrote: Not sure. It seems the last zero-day is not quite as destructive as the others. They did, however, remain unpatched for several months after they were reported, and how many people actually update their PHP?

php --version
PHP 5.6.20-0+deb8u1 (cli) (built: Apr 27 2016 11:26:05)


Pff, yeah, who does that?
yolo
06-01-2017, 19:25
#5
RE: 3 Critical Zero-Day Flaws Found in PHP 7 — One Remains Unpatched!
(06-01-2017, 08:01)Ash wrote: Is there a PoC? I very strongly doubt "take over 80% of all sites".

The ~80% is the number of websites on the internet that use PHP. Then it also depends on the version, CMS or not, and whether any of the vulnerable functions are in use.
You always have to be careful with THN :
Whether they got those numbers from elsewhere, I couldn't say.
(23-10-2015, 21:59)bestworks wrote: Hope you are best customer and we can to work a long time business
06-01-2017, 21:06
#6
RE: 3 Critical Zero-Day Flaws Found in PHP 7 — One Remains Unpatched!
(06-01-2017, 19:25)MalcolmXI wrote: The ~80% is the number of websites on the internet that use PHP. Then it also depends on the version, CMS or not, and whether any of the vulnerable functions are in use.
You always have to be careful with THN :
Whether they got those numbers from elsewhere, I couldn't say.

Sure, that's probably true, but take over all those sites? Nah.
yolo