The PHP programming language underpins much of the Internet. It forms the basis of popular content management systems like WordPress and Drupal, as well as more sophisticated web applications, like Facebook (kinda). Therefore, it’s a huge deal whenever researchers identify a security vulnerability within it.
A couple of days ago, Emil ‘Neex’ Lerner, a Russia-based security researcher, disclosed a remote-code execution vulnerability in PHP 7 – the latest iteration of the hugely popular web development language.
With this vulnerability, which has the CVE-ID of 2019-11043, an attacker could force a remote web server to execute their own arbitrary code simply by accessing a crafted URL. The attacker only needs to add “?a=” to the website address, followed by their payload.
As pointed out by Catalin Cimpanu in ZDNet, this attack drastically lowers the barrier to entry for hacking a website, simplifying it to the point where even a non-technical user could abuse it.
Fortunately, the vulnerability only impacts servers using the NGINX web server with the PHP-FPM extension. PHP-FPM is a souped-up version of FastCGI, with a few extra features designed for high-traffic websites.
While neither of those components are necessary to use PHP 7, they remain stubbornly common, particularly in commercia ..
Support the originator by clicking the read the rest link below.
