PHP Vulnerability | Breaking Cybersecurity News | The Hacker News

If you're running any PHP based website on NGINX server and have PHP-FPM feature enabled for better performance, then beware of a newly disclosed vulnerability that could allow unauthorized attackers to hack your website server remotely. The vulnerability, tracked as CVE-2019-11043 , affects websites with certain configurations of PHP-FPM that is reportedly not uncommon in the wild and could be exploited easily as a proof-of-concept (PoC) exploit for the flaw has already been released publicly. PHP-FPM is an alternative PHP FastCGI implementation that offers advanced and highly-efficient processing for scripts written in PHP programming language. The main vulnerability is an "env_path_info" underflow memory corruption issue in the PHP-FPM module, and chaining it together with other issues could allow attackers to remotely execute arbitrary code on vulnerable web servers. The vulnerability was spotted by Andrew Danau, a security researcher at Wallarm while hun

Facebook has patched two high-severity vulnerabilities in its server application that could have allowed remote attackers to unauthorisedly obtain sensitive information or cause a denial of service just by uploading a maliciously constructed JPEG image file. The vulnerabilities reside in HHVM (HipHop Virtual Machine)—a high-performance, open source virtual machine developed by Facebook for executing programs written in PHP and Hack programming languages. HHVM uses a just-in-time (JIT) compilation approach to achieve superior performance of your Hack and PHP code while maintaining the development flexibility that the PHP language provides. Since the affected HHVM server application is open-source and free, both issues may also impact other websites that use HHVM, including Wikipedia, Box and especially those which allow their users to upload images on the server. Both the vulnerabilities, as listed below, reside due to a possible memory overflow in the GD extension of HHVM wh

Imagine a world where the software that powers your favorite apps, secures your online transactions, and keeps your digital life could be outsmarted and taken over by a cleverly disguised piece of code. This isn't a plot from the latest cyber-thriller; it's actually been a reality for years now. How this will change – in a positive or negative direction – as artificial intelligence (AI) takes on a larger role in software development is one of the big uncertainties related to this brave new world. In an era where AI promises to revolutionize how we live and work, the conversation about its security implications cannot be sidelined. As we increasingly rely on AI for tasks ranging from mundane to mission-critical, the question is no longer just, "Can AI  boost cybersecurity ?" (sure!), but also "Can AI  be hacked? " (yes!), "Can one use AI  to hack? " (of course!), and "Will AI  produce secure software ?" (well…). This thought leadership article is about the latter. Cydrill  (a

Maintainers of the PHP programming language recently released the latest versions of PHP to patch multiple high-severity vulnerabilities in its core and bundled libraries, the most severe of which could allow remote attackers to execute arbitrary code and compromise targeted servers. Hypertext Preprocessor, commonly known as PHP, is the most popular server-side web programming language that powers over 78 percent of the Internet today. The latest releases under several maintained branches include PHP version 7.3.9, 7.2.22 and 7.1.32, addressing multiple security vulnerabilities. Depending on the type, occurrence, and usage of the affected codebase in a PHP application, successful exploitation of some of the most severe vulnerabilities could allow an attacker to execute arbitrary code in the context of the affected application with associated privileges. On the other hand, failed attempts at exploitation will likely result in a denial of service (DoS) condition on the affect

Security researchers have discovered multiple critical vulnerabilities in a popular IPTV middleware platform that is currently being used by more than a thousand regional and international online media streaming services to manage their millions of subscribers. Discovered by security researchers at CheckPoint , the vulnerabilities reside in the administrative panel of Ministra TV platform, which if exploited, could allow attackers to bypass authentication and extract subscribers' database, including their financial details. Besides this, the flaws could also allow attackers to replace broadcast and steam any content of their choice on the TV screens of all affected customer networks. Ministra TV platform, previously known as Stalker Portal, is a software written in PHP that works as a middleware platform for media streaming services for managing Internet Protocol television (IPTV), video-on-demand (VOD) and over-the-top (OTT) content, licenses and their subscribers. Deve

Sam Thomas, a security researcher from Secarma, has discovered a new exploitation technique that could make it easier for hackers to trigger critical deserialization vulnerabilities in PHP programming language using previously low-risk considered functions. The new technique leaves hundreds of thousands of web applications open to remote code execution attacks, including websites powered by some popular content management systems like WordPress and Typo3. PHP unserialization or object injection vulnerabilities were initially documented in 2009, which could allow an attacker to perform different kinds of attacks by supplying malicious inputs to the unserialize() PHP function. If you are unaware, serialization is the process of converting data objects into a plain string, and unserialize function help program recreate an object back from a string. Thomas found that an attacker can use low-risk functions against Phar archives to trigger deserialization attack without requiring