PHP Core Security Audit Results

https://news.ycombinator.com/rss Hits: 5
Summary

The PHP Foundation is pleased to announce the completion of a comprehensive security audit of the PHP source code (php/php-src), commissioned by the Sovereign Tech Agency. This initiative was organized in partnership with the Open Source Technology Improvement Fund (OSTIF) and executed by the esteemed security group Quarkslab.

Audit Overview

Conducted over a two-month period in 2024, the audit encompassed:

- Development of a threat model tailored to php-src
- Manual code reviews
- Dynamic testing procedures
- Cryptographic assessments

The collaboration between Quarkslab’s auditors and PHP maintainers ensured a thorough examination of the codebase.

⚠️ Due to budget constraints, the recent security audit focused on the most critical components of the PHP source code rather than the entire codebase. Organizations interested in sponsoring a comprehensive audit or additional assessments are encouraged to contact us! ⚠️

Key Findings

The audit identified 27 issues, with 17 having security implications:

- 3 High-severity
- 5 Medium-severity
- 9 Low-severity

Additionally, 10 informational findings were reported. Notably, four vulnerabilities received CVE identifiers:

- CVE-2024-9026: Log tampering vulnerability in PHP-FPM, allowing potential manipulation or removal of characters from log messages.
- CVE-2024-8925: Flaw in PHP’s multipart form data parsing, potentially leading to data misinterpretation.
- CVE-2024-8928: Memory-related vulnerability in PHP’s filter handling, leading to segmentation faults.
- CVE-2024-8929: Issue where a malicious MySQL server could cause the client to disclose heap content from other SQL requests.

Recommendations and Resolutions

Quarkslab’s report commended the overall high quality and specification adherence of the php/php-src project. The PHP development team has addressed all identified issues. Users are strongly encouraged to upgrade to the latest PHP versions to benefit from these security enhancements.

Acknowledgments

We extend our gratitude to the individual...

First seen: 2025-04-14 04:02

Last seen: 2025-04-14 08:03