Security issues fixed in PHP 7.1.23 / 7.2.11 releases

Oct 15, 2018 12:15 GMT

Multi-State Information Sharing & Analysis Center (MS-ISAC) released an advisory warning government agencies, businesses, and home users of multiple high-risk security issues in PHP that can allow attackers to execute arbitrary code.

Furthermore, even where exploitation of the PHP vulnerabilities does not succeed, a failed attempt could still induce a denial-of-service (DoS) condition, rendering the targeted servers unusable.

MS-ISAC is the Center for Internet Security's "round-the-clock cyber threat monitoring and mitigation center for state and local governments," operated in collaboration with DHS' Office of Cybersecurity and Communications.

PHP is a programming language for server-side scripting for building web applications, with support for a broad array of platforms.

The PHP Group has issued fixes in the PHP 7.1.23 and 7.2.11 releases for all of the high-risk bugs that could lead to DoS and arbitrary code execution (ACE); all PHP 7.1 and 7.2 versions before these latest updates are vulnerable.

All PHP versions before 7.1.23 and 7.2.11 can be exploited to allow for arbitrary code execution and to induce denial-of-service conditions

According to MS-ISAC's advisory, any organization, from privately held companies to government entities, is at risk, as are home users who run PHP web apps on their private servers.

"Successfully exploiting the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the affected application," says the MS-ISAC 2018-113 advisory.

The alert also states that "Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploitation could result in a denial-of-service condition."

All PHP users are advised to update to the latest versions of PHP that bundle fixes for the ACE and DoS vulnerabilities as soon as possible, as well as to check if there are any unauthorized modifications to their servers' contents and configurations before upgrading the PHP installation.
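As an added check that is not part of the article or the MS-ISAC advisory, the following Python script compares a PHP version string (for example from `php -v`) against the fixed releases named above; the fixed-version table comes from the article, while the function names and the sample `php -v` output are constructed here.

```python
"""Check whether a PHP build carries the fixes from the 7.1.23 / 7.2.11
releases described in the MS-ISAC 2018-113 advisory.

Added example, not code from the advisory or the PHP project. The
fixed-version table is taken from the article; the function names and
the sample output are constructed for this demonstration.
"""
import re
import subprocess

# Minimum release per branch that carries the fixes (from the article).
FIXED_VERSIONS = {(7, 1): (7, 1, 23), (7, 2): (7, 2, 11)}


def parse_php_version(text):
    """Extract (major, minor, patch) from `php -v` output such as
    'PHP 7.2.10 (cli) (built: ...)'. Returns None if no version is found."""
    m = re.search(r"\bPHP (\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def assess(version):
    """Classify a (major, minor, patch) tuple against the fixed releases.
    Returns 'fixed', 'vulnerable', or 'unlisted' (a newer branch the
    advisory does not cover). Per the article, every version before the
    fixed 7.1/7.2 releases, including older branches, is treated as
    vulnerable."""
    branch = version[:2]
    if branch in FIXED_VERSIONS:
        return "fixed" if version >= FIXED_VERSIONS[branch] else "vulnerable"
    return "vulnerable" if version < (7, 1, 0) else "unlisted"


def check_installed(php_binary="php"):
    """Run the local php binary and assess its reported version.
    Returns (version_tuple, verdict); verdict is 'unknown' if php is
    missing or its output cannot be parsed."""
    try:
        out = subprocess.run([php_binary, "-v"], capture_output=True,
                             text=True).stdout
    except FileNotFoundError:
        return (None, "unknown")
    v = parse_php_version(out)
    return (v, assess(v)) if v else (None, "unknown")


if __name__ == "__main__":
    # Constructed sample `php -v` output, for an offline demonstration.
    sample = "PHP 7.2.10 (cli) (built: Sep 13 2018 11:33:00) ( NTS )"
    v = parse_php_version(sample)
    print(f"{'.'.join(map(str, v))}: {assess(v)}")  # -> 7.2.10: vulnerable
```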