The flaw is difficult to exploit, but users are advised to update

Jan 20, 2012 10:03 GMT  ·  By

Stefan Esser, the developer of Suhosin, the advanced protection system for PHP installations, has announced the release of Suhosin Extension 0.9.33, which fixes a stack buffer overflow in the extension's transparent cookie encryption feature.

The medium-risk vulnerability could let an attacker execute arbitrary code, but only in what Esser describes as an “uncommon and weakened” Suhosin configuration, and only if Suhosin was compiled without the FORTIFY_SOURCE option (the GCC/glibc hardening that adds bounds checks to common string and memory functions such as memcpy, strcpy and sprintf).

The bug was discovered during an internal audit of the Suhosin PHP extension. Although it could allow a remote attacker to execute code, further investigation showed that it can only be triggered if the administrator has enabled transparent cookie encryption and has also explicitly disabled other protection features.

Exploitation also requires, Esser says, a PHP application that passes unfiltered user input into a call to the header() function that sends a Set-Cookie header, so that attacker-controlled data reaches the cookie encryption code.

Transparent cookie encryption, the feature that makes the attack possible, is disabled by default because it breaks applications whose JavaScript needs to read cookie values: the browser only ever sees the encrypted form, since Suhosin encrypts values on the way out and decrypts them on the way back in.
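The three conditions above (cookie encryption enabled, Suhosin built without FORTIFY_SOURCE, a version before 0.9.33) can be checked from a shell on the affected host. The script below is an added example written for this page; it is not taken from the Suhosin project or from Esser's advisory. It assumes that `php -i` prints directives as `name => local value => master value`, that `php --ri suhosin` prints a line containing `Suhosin Extension X.Y.Z`, and that `nm -D` is available to list the extension's imported symbols. The `php -i` and `nm` excerpts embedded in it are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the article or the Suhosin project): an "am I exposed?"
# check combining the three conditions the article lists: transparent cookie
# encryption on, Suhosin built without FORTIFY_SOURCE, version before 0.9.33.
# Assumptions not stated on the page: `php -i` prints directives as
# "name => local value => master value", `php --ri suhosin` prints a line
# containing "Suhosin Extension X.Y.Z", and `nm -D` lists dynamic symbols.

# Constructed `php -i` excerpt for a host running the weakened configuration.
SAMPLE_PHP_I='suhosin.cookie.cryptkey => no value => no value
suhosin.cookie.encrypt => On => On
suhosin.cookie.cryptua => On => On'

# Constructed `nm -D suhosin.so` excerpt from a build with no fortified calls.
SAMPLE_NM='                 U memcpy@GLIBC_2.14
                 U strlen@GLIBC_2.2.5
                 U php_url_encode'

# 1. Read suhosin.cookie.encrypt from php -i text on stdin: prints on/off/unknown.
cookie_encrypt_state() {
    awk -F' => ' '
        $1 == "suhosin.cookie.encrypt" {
            v = tolower($2)
            if (v == "on" || v == "1") print "on"; else print "off"
            found = 1; exit
        }
        END { if (!found) print "unknown" }'
}

# 2. Count FORTIFY_SOURCE call sites in nm/readelf text on stdin.  With
#    -D_FORTIFY_SOURCE=2 and optimisation, GCC/glibc replace checkable calls
#    (memcpy, strcpy, sprintf, ...) with __memcpy_chk, __strcpy_chk, ..., so
#    any *_chk import proves the build was fortified.  Zero is only suggestive:
#    GCC fortifies a call only when it can prove the destination size, so a
#    fortified build with no such call would also show zero.
count_fortified_symbols() {
    grep -cE '__[A-Za-z0-9_]+_chk' || true
}

# 3. Dotted-version compare: succeeds when $1 sorts before $2.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$1" ]
}

# 4. Combine the evidence into one verdict line.
exposure_verdict() {
    version="$1"; encrypt="$2"; chk_count="$3"
    if ! version_lt "$version" 0.9.33; then
        echo "fixed: Suhosin $version already contains the 0.9.33 fix"
    elif [ "$encrypt" = "off" ]; then
        echo "not exposed: suhosin.cookie.encrypt is off (the default); upgrade anyway"
    elif [ "$encrypt" != "on" ]; then
        echo "undetermined: could not read suhosin.cookie.encrypt"
    elif [ "$chk_count" -gt 0 ]; then
        echo "mitigated: built with FORTIFY_SOURCE ($chk_count *_chk symbols); still upgrade"
    else
        echo "EXPOSED: cookie encryption on, no FORTIFY_SOURCE, $version < 0.9.33; upgrade now"
    fi
}

# Verdict for the constructed samples, pretending the host runs 0.9.32.
demo() {
    encrypt=$(printf '%s\n' "$SAMPLE_PHP_I" | cookie_encrypt_state)
    chk=$(printf '%s\n' "$SAMPLE_NM" | count_fortified_symbols)
    exposure_verdict 0.9.32 "$encrypt" "$chk"
}

# Verdict for the live host: $1 is the path to the loaded suhosin.so.
check_host() {
    version=$(php --ri suhosin 2>/dev/null |
              sed -n 's/.*Suhosin Extension \([0-9][0-9.]*\).*/\1/p' | head -n1)
    [ -n "$version" ] || { echo "undetermined: Suhosin extension not loaded"; return 1; }
    encrypt=$(php -i 2>/dev/null | cookie_encrypt_state)
    chk=$(nm -D "$1" 2>/dev/null | count_fortified_symbols)
    exposure_verdict "$version" "$encrypt" "$chk"
}

if [ -n "${1:-}" ]; then check_host "$1"; else demo; fi
```

Run it with no arguments to see the verdict for the constructed samples (EXPOSED), or as `sh check.sh /path/to/suhosin.so` on a live host. Treat the FORTIFY_SOURCE result asymmetrically: a non-zero `*_chk` count proves the build was fortified, while a zero count only suggests it was not, and in every branch the right action is still to upgrade.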

The vulnerability was found on January 12, fixed in the source code by January 14 and publicly disclosed a few days later.

Suhosin users are advised to upgrade to 0.9.33 or later to make sure they are protected.

Suhosin is a two-part protection system designed to protect servers and users from known and unknown flaws in PHP applications and in the PHP core.

One component is a small patch against the PHP core that provides low-level protection; the other is an extension that implements the remaining security mechanisms, including the cookie encryption fixed in this release.