Glitch is assigned the maximum exploitability subscore

Jan 24, 2015 11:08 GMT

The latest version of PHP includes several security patches, one of them referring to a vulnerability that can be exploited by an attacker to execute code remotely on the affected machine, if certain conditions are met.

Identified as CVE-2014-9427, the security glitch resides in sapi/cgi/cgi_main.c, part of the CGI component, in multiple versions of PHP (5.4.36 and earlier, 5.5.x through 5.5.20, and 5.6.x through 5.6.4).

It occurs when the “mmap” function, responsible for mapping files into memory, is used for reading a PHP file and it fails to “properly consider the mapping's length during processing of an invalid file that begins with a # character and lacks a newline character,” the description of the vulnerability reads.

The result is reading from a location that is outside the bounds of the allocated memory, revealing information that should otherwise not be accessible.
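The bounds problem described above can be shown in a few lines of C. This is an added illustration, not the code from sapi/cgi/cgi_main.c; the function names and sample buffers are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed samples (not taken from PHP or from any real host). */
static const char WITH_NEWLINE[] = "#!/usr/bin/php\n<?php echo 1;";
static const char UNTERMINATED[4] = {'#', 'a', 'b', 'c'}; /* no '\n', no NUL */

/* Unbounded pattern: trusts that a line ending exists somewhere.
 * On UNTERMINATED the loop would walk past the end of the buffer. */
static size_t skip_hash_line_unbounded(const char *buf)
{
    const char *c = buf;
    if (*c != '#')
        return 0;
    while (*c != '\n' && *c != '\r')
        c++;                          /* out-of-bounds read if no newline */
    return (size_t)(c - buf) + 1;
}

/* Bounded form: every read is checked against the mapping length.
 * Returns the offset of the script body, or len if there is none. */
static size_t skip_hash_line_bounded(const char *buf, size_t len)
{
    size_t i = 0;
    if (len == 0 || buf[0] != '#')
        return 0;
    while (i < len && buf[i] != '\n' && buf[i] != '\r')
        i++;
    if (i == len)
        return len;                   /* whole file is one '#' line */
    if (buf[i] == '\r' && i + 1 < len && buf[i + 1] == '\n')
        i++;                          /* treat CRLF as one line ending */
    return i + 1;
}

int main(void)
{
    size_t n = sizeof WITH_NEWLINE - 1;
    printf("well-formed: unbounded=%zu bounded=%zu\n",
           skip_hash_line_unbounded(WITH_NEWLINE),
           skip_hash_line_bounded(WITH_NEWLINE, n));
    /* Only the bounded form is safe to call on the unterminated sample. */
    printf("unterminated: bounded=%zu of %zu bytes\n",
           skip_hash_line_bounded(UNTERMINATED, sizeof UNTERMINATED),
           sizeof UNTERMINATED);
    return 0;
}
```

When the bounded form returns the full length, the caller has nothing left to hand to the interpreter and can reject the file outright.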

A successful exploit of the vulnerability allows triggering unexpected execution of a PHP script available in the memory locations near the mapping.

Additionally, an attacker who is able to upload a PHP file could rely on the flaw to obtain confidential information from the php-cgi process memory.

CVE-2014-9427 has been assigned a severity score of 7.5 under the CVSS (Common Vulnerability Scoring System), with a maximum exploitability subscore of 10 because it can be leveraged without authentication and it has low access complexity.

Given the severity of the issue, administrators are advised to update their PHP version to the latest release.