Magento Security

Magento Websites at Risk Due to Critical Vulnerabilities in PHP Versions 7.1, 7.2 & 7.3

Updated on: February 19, 2024

Aakanchha Keshri Aakanchha Keshri

3 mins read

Magento Websites at Risk Due to Critical Vulnerabilities in PHP Versions 7.1, 7.2 & 7.3

The leading web application language PHP is found to have several critical vulnerabilities in versions 7.1, 7.2 & 7.3. The most dreading of it all is the arbitrary code execution vulnerability in PHP. Many popular CMS like, WordPress, Magento, Drupal, Joomla, etc. use PHP as their tech stack.

This Blog Includes show

Although there have not been any wild attacks yet. Still, the severity of the vulnerability could be guessed by the vast number of websites it puts to risk.

PHP released an update on 29th Aug about the bug fixes and release of new versions. However, web owners are yet to update their website’s PHP versions.

The updated versions are:

  • PHP version 7.1.32 for 7.1
  • PHP version 7.2.22 for 7.2
  • PHP version 7.3.9 for 7.3

Download the updated versions from here.

Technical Details

The vulnerabilities found and patched by PHP could allow arbitrary code execution in websites, if not updated. Apart from code execution, it could also allow attackers to install malicious programs; see, modify, and delete data; create fake user accounts. Also, a failed exploitation could render DoS (denial-of-service) for your website.

PHP’s official website
PHP’s official website

Most CMS developers are taking it upon themselves to spread the word to their customers. For instance, Magento sent a mail to its customers citing the critical vulnerability. It also put a deadline of 30th September for its customers to update their PHP versions.

Magento’s warning mail
Magento’s warning mail

Bug Fixes in Version 7.1.32

  • Fixed bug #78256 (heap-buffer-overflow on exif_process_user_comment). (CVE-2019-11042)
  • Fixed bug #78222 (heap-buffer-overflow on exif_scan_thumbnail). (CVE-2019-11041)
  • Fixed bug #77919 (Potential UAF in Phar RSHUTDOWN).

Bug Fixes in Version 7.2.22

  • Fixed bug #78363 (Buffer overflow in zendparse).
  • Fixed bug #78379 (Cast to object confuses GC, causes crash).
  • Fixed bug #77946 (Bad cURL resources returned by curl_multi_info_read()).
  • Fixed bug #78333 (Exif crash (bus error) due to wrong alignment and invalid cast).
  • Fixed bug #78342 (Bus error in configure test for iconv //IGNORE).
  • Updated to LiteSpeed SAPI V7.5 (Fixed clean shutdown).
  • Fixed bug #78179 (MariaDB server version incorrectly detected).
  • Fixed bug #77191 (Assertion failure in dce_live_ranges() when silencing is used).
  • Fixed bug #69100 (Bus error from stream_copy_to_stream (file -> SSL stream) with invalid length).
  • Fixed bug #78282 (atime and mtime mismatch).
  • Fixed bug #78326 (improper memory deallocation on stream_get_contents() with fixed length buffer).

Bug Fixes in Version 7.3.9

  • Fixed bug #78363 (Buffer overflow in zendparse).
  • Fixed bug #78379 (Cast to object confuses GC, causes crash).
  • Fixed bug #78412 (Generator incorrectly reports non-releasable $this as GC child).
  • Fixed bug #77946 (Bad cURL resources returned by curl_multi_info_read()).
  • Fixed bug #78333 (Exif crash (bus error) due to wrong alignment and invalid cast).
  • Fixed bug #77185 (Use-after-free in FPM master event handling).
  • Fixed bug #78342 (Bus error in configure test for iconv //IGNORE).
  • Fixed bug #78380 (Oniguruma 6.9.3 fixes CVEs). (CVE-2019-13224)
  • Fixed bug #78179 (MariaDB server version incorrectly detected).
  • Fixed bug #78213 (Empty row pocket).
  • Fixed bug #77191 (Assertion failure in dce_live_ranges() when silencing is used).
  • Fixed bug #69100 (Bus error from stream_copy_to_stream (file -> SSL stream) with invalid length).
  • Fixed bug #78282 (atime and mtime mismatch).
  • Fixed bug #78326 (improper memory deallocation on stream_get_contents() with fixed length buffer).
  • Fixed bug #78346 (strip_tags no longer handling nested php tags).

Conclusion

We cannot stress this enough, update as soon as possible. Downloading these security patches will mitigate the risks to a bare minimum. And, install a web application firewall to check any attempted attack. The Astra firewall provides continuous protection to your website against RCE, SQLi, XSS, CSRF, OWASP Top 10 and 100+ other cyber attacks.

Aakanchha Keshri

Aakanchha Keshri

Aakanchha is a technical writer and a cybersecurity enthusiast. She is an avid reader, researcher, and an active contributor to our blog and the cybersecurity genre in general. To date, she has written over 200 blogs for more than 60 domains on topics ranging from technical to promotional. When she is not writing or researching she revels in a game or two of CS: GO.
Subscribe
Notify of
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

0 Comments
Inline Feedbacks
View all comments

Related Articles

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include a vulnerability scanner, firewall, malware scanner and pentests to protect your site from the evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders
Astra Security

We make security simple and hassle-free for thousands of websites & businesses worldwide.

See our glowing reviews on

Pentest

Company

Resources

Services

Made with ❤️ in USA France India Germany

Copyright © 2024 ASTRA IT, Inc. All Rights Reserved.

Privacy Policy Terms of Service Report a vulnerability