Shulou(Shulou.com)05/31 Report--

In this issue, the editor will bring you an example analysis of security vulnerabilities in PHP input verification. The article is rich in content and analyzed and described from a professional point of view. I hope you can get something after reading this article.

Recently, the National Information Security vulnerability Library (CNNVD) received a report on PHP input verification security vulnerabilities (CNNVD-201805-054, CVE-2018-10547). An attacker who successfully exploits the vulnerability can execute arbitrary code in the user's browser without the user's knowledge. PHP versions prior to 5.6.36, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1 are all affected by the vulnerability. At present, PHP has officially released a new version to fix the vulnerability, and users are advised to confirm whether it is affected by the vulnerability and take remedial measures as soon as possible.

I. introduction of loopholes

PHP (PHP:Hypertext Preprocessor,PHP: hypertext preprocessor) is an open source general-purpose computer scripting language maintained by PHP Group and the open source community. The language is mainly used for Web development and supports a variety of databases and operating systems.

There is an input validation security vulnerability in the PHAR 404 and PHAR 403 error pages in PHP due to the program's failure to filter the user's input. After the 404 or 403 error is triggered by the PHAR program accessed through the URI address, a reflexive cross-site scripting attack can be performed, which in turn executes arbitrary code through the user's browser.

II. Harmful effects

Taking advantage of this vulnerability, attackers can carry out network attacks such as hijacking user browser sessions, implanting and spreading malicious code, which may cause user account theft, user privacy disclosure and other harm. The vulnerability involves multiple versions, including versions prior to PHP 5.6.36, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1.

III. Suggestions for restoration

At present, PHP has officially released a new version to fix the vulnerability, and users are advised to confirm whether it is affected by the vulnerability and take remedial measures as soon as possible. The specific measures are as follows:

It is recommended that all PHP5.6 users update to 5.6.36, PHP7.0 users to 7.0.30, PHP7.1 users to 7.1.17, and PHP7.2 users to 7.2.5.

The above is the example of the security vulnerability of PHP input verification shared by Xiaobian. If you happen to have similar doubts, you might as well refer to the above analysis to understand. If you want to know more about it, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.