PHP Foundation The PHP Foundation

PHP Core Security Audit Results

Published on by
News

The PHP Foundation is pleased to announce the completion of a comprehensive security audit of the PHP source code (php/php-src), commissioned by the Sovereign Tech Agency.

This initiative was organized in partnership with the Open Source Technology Improvement Fund (OSTIF) and executed by the esteemed security group Quarkslab.

Audit Overview

Conducted over a two-month period in 2024, the audit encompassed:

  • Development of a threat model tailored to php-src
  • Manual code reviews
  • Dynamic testing procedures
  • Cryptographic assessments

The collaboration between Quarkslab’s auditors and PHP maintainers ensured a thorough examination of the codebase.

⚠️
Due to budget constraints, the recent security audit focused on the most critical components of the PHP source code rather than the entire codebase. Organizations interested in sponsoring a comprehensive audit or additional assessments are encouraged to contact us!
⚠️

Key Findings

The audit identified 27 issues, with 17 having security implications:

  • 3 High-severity
  • 5 Medium-severity
  • 9 Low-severity

Additionally, 10 informational findings were reported.

Notably, four vulnerabilities received CVE identifiers:

  • CVE-2024-9026: Log tampering vulnerability in PHP-FPM, allowing potential manipulation or removal of characters from log messages.
  • CVE-2024-8925: Flaw in PHP’s multipart form data parsing, potentially leading to data misinterpretation.
  • CVE-2024-8928: Memory-related vulnerability in PHP’s filter handling, leading to segmentation faults.
  • CVE-2024-8929: Issue where a malicious MySQL server could cause the client to disclose heap content from other SQL requests.

Recommendations and Resolutions

Quarkslab’s report commended the overall high quality and specification adherence of the php/php-src project.

The PHP development team has addressed all identified issues. Users are strongly encouraged to upgrade to the latest PHP versions to benefit from these security enhancements.

Acknowledgments

We extend our gratitude to the individuals and organizations that made this audit possible:

  • The PHP Foundation Team and PHP maintainers:
    Jakub Zelenka, Arnaud Le Blanc, Niels Dossche, Ilija Tovilo, Stas Malyshev, Dmitry Stogov, Derick Rethans, and Roman Pronskiy.
  • Quarkslab Team:
    Angèle Bossuat, Julio Loayza Meneses, Mihail Kirov, Sebastien Rolland, Ramtine Tofighi Shirazi.
  • Sovereign Tech Agency:
    Abigail Garner and the team – for commissioning the audit and all the help.
  • OSTIF:
    Amir Montazery, Derek Zimmer, Helen Woeste – for organizing the collaboration.

This audit underscores our commitment to enhancing PHP’s security and reliability. We remain dedicated to ongoing improvements and collaborations to ensure PHP’s robustness for the global development community.

Further Reading

If your company is interested in commissioning another round of security audit, please contact The PHP Foundation team: contact@thephp.foundation.

🐘💜

Edit this page on GitHub