Irony alert! PHP fixes security flaw in input validation code


If you’re using PHP in your network, check that you’re using the latest version, currently 8.1.3.

RELATED POSTS

Released yesterday [2022-02-17]this version fixes various memory mismanagement bugsincluding CVE-2021-21708which is a use-after-free blunder in a function called php_filter_float().

A proof-of-concept exploit based on using PHP to query a database shows that the bug can be used to crash the PHP process, so a working Denial of Service (DoS) attack is already known to be possible.

Of course, as Mozilla routinely and unswervingly likes to point out In its regular updates, when bugs are patched that show evidence of memory corruption, you should “Presume that with enough effort some of [them] could have been exploited to run arbitrary code. “

Remote Code Execution (RCE), where data submitted from outside can not only crash a program on your computer but also gain control of it in the process, typically leads to network intrusion, data exfiltration, malware implantation, or a foul-tasting cocktail of all of them.