According to Harvard University Business Research, FOSS, or Free and Open Source Software can be found in the majority of software out there, “80-90 percent of a typical application contains FOSS components.” It is very important to prioritize open source software security, because the open-source trend “is only increasing with its use in smart phones, cars, the Internet of Things, and numerous pieces of critical infrastructure”, according to the Harvard Business School article. With regards to open source vulnerabilities, a recent report published on October 4th, 2021 from perhaps the oldest online vulnerability database, VulDB, states that a critical vulnerability was noted in the open-source scripting language PHP.
What is PHP Programming Language?
PHP is a popular programming language most often used in web development by a large number of websites today. Many widely used servers as well as all major operating systems support PHP usage and development. Widely used CMS platforms such as WordPress and Joomla as well as PHP web frameworks such as Laravel are written in PHP script.
Critical Software Vulnerability Within PHP
According to VulDB’s software vulnerability report details, a critical risk software vulnerability within PHP was present since January 4th, 2021. The vulnerability is easy to exploit, allowing a remote attacker to escalate privileges on a vulnerable, unpatched system.
Technical Details
Technical details surrounding the PHP software vulnerability (CVE-2021-21705) state that this is an Improper Input Validation – PHP URL Validation filter_var privilege escalation vulnerability. The exploitability is told to be easy and a remote attacker can launch an attack. The exploitation does not require any form of authentication.
Vulnerable Software Versions
PHP software versions up to 7.3.28/7.4.20/8.0.7 are vulnerable.
Important User Information
PHP users need to know that a patch has been released that addresses the critical software vulnerability and that users should update immediately. Upgrading to version 7.3.29, 7.4.21, or 8.0.8 eliminates this vulnerability. The update process is not a one-click solution, because updating the PHP version differs for each platform (e.g. WordPress, Bluehost, Siteground.) For this reason, users should contact their host (hosting solution) on how to update the PHP version if this has not been applied already.
