Bugs in PHP modules allow execution of arbitrary code

Errors in PHP modules allow execution of arbitrary code. Flaws in PHP database engines connecting to SQL databases allow arbitrary code execution. Admins of shared hosting servers should update quickly to prevent malicious code being injected this way.

As IT security researcher Charles Fol announced on Twitter last Thursday, he discovered two bugs in PHP-modules, which he was able to use to run his own code. The discovered vulnerabilities affect all PHP versions from the currently maintained version trees up to and including 7.4.29, 8.0.19 and 8.1.6.

Security Bug #1: CVE-2022-31625

The first vulnerability affects the connection to postgreSQL databases. With a clever combination of certain data types, attackers could corrupt the heap and execute their own (malicious) code on the target system with an incorrectly initialized array for storing parameters of a database query. However, in order to exploit this vulnerability, the attackers would also need to be able to run their own PHP code on the target system.

Security Bug #2: CVE-2022-31626

The second vulnerability discovered is in the PHP connection to MySQL. Fol took advantage of a buffer overflow in PHP’s own implementation of the MySQL protocol to execute injected code. In order to be able to exploit this vulnerability, however, the target server must establish a connection to a specially prepared MySQL server, which also uses a particularly long password of more than 4000 characters.

Fixed by updates

The PHP group responded quickly and both problems with the new PHP versions 7.4.30, 8.0.20 and 8.1.7 already fixed. Above all, administrators who operate hosting servers should update quickly in order not to risk taking over the server.