PHP releases version 8.0.30, patching two critical vulnerabilities

PHP, has reported two new security flaw CVE-2023-3823 and CVE-2023-3824 which are deemed high risk and released a version that patches them.

Exploiting these vulnerabilities is not trivial and depends on the specific targeted application. But it remains theoretically feasible.

• CVE-2023-3823, (CVSS score of 8.6), involves an information disclosure vulnerability present in PHP applications. This vulnerability permits remote attackers to access sensitive data stored within such applications. The vulnerability arises from inadequate validation of user-provided XML input. Exploiting this vulnerability entails the attacker transmitting specially crafted XML code, which the program parses, leading to unauthorized access to sensitive information such as contents of files or query results from external sources. This vulnerability potentially impacts any program, library, or service interacting with XML documents. A security researcher, has released a proof-of-concept, enhancing the visibility and potential exploit of the issue.
• CVE-2023-3824, (CVSS score of 9.4), pertains to a buffer overflow vulnerability. A remote attacker exploiting this flaw can execute arbitrary code on a PHP system. The vulnerability is traced to the phar_dir_read() method's insufficient bounds checking. Through a meticulously crafted request, an adversary triggers a buffer overflow, gaining control of the system and executing unauthorized code. Several problematic code segments exacerbate the situation, including faulty checks and overflows. The issue is likened to a stack information leak and a buffer write overflow. Despite the complexity of exploitation, potential concerns persist regarding a buffer overflow in the memset function.

To address these vulnerabilities, PHP 8.0.30 has been released, resolving both CVE-2023-3823 and CVE-2023-3824. Users should consider upgrading to PHP 8.0.30 from earlier versions to mitigate these security risks.