Critical Vulnerability in Scripting Language PHP

Photograph of PHP Script

In just the past few weeks, vulnerability databases have been raking the fallen leaves of software vulnerability reports particularly affecting open-source products. Software products that are open-source or include a widely used, collaborative developer open-source component such as the JavaScript V8 Engine used in several browsers, among them Google Chrome, can be a larger cyber-risk than proprietary script components.

According to Harvard University Business Research, FOSS, or Free and Open Source Software can be found in the majority of software out there, “80-90 percent of a typical application contains FOSS components.” It is very important to prioritize open source software security, because the open-source trend “is only increasing with its use in smart phones, cars, the Internet of Things, and numerous pieces of critical infrastructure”, according to the Harvard Business School article.

With regards to open source vulnerabilities, a recent report published on October 4th, 2021 from perhaps the oldest online vulnerability database, VulDB, states that a critical vulnerability was noted in the open-source scripting language PHP.

What is PHP Programming Language?

PHP is a popular programming language most often used in web development by a large number of websites today. Many widely used servers as well as all major operating systems support PHP usage and development. Widely used CMS platforms such as WordPress and Joomla as well as PHP web frameworks such as Laravel are written in PHP script.

Critical Software Vulnerability Within PHP

According to VulDB’s software vulnerability report details, a critical risk software vulnerability within PHP was present since January 4th, 2021. The vulnerability is easy to exploit, allowing a remote attacker to escalate privileges on a vulnerable, unpatched system.

Technical Details

Technical details surrounding the PHP software vulnerability (CVE-2021-21705) state that this is an Improper Input Validation – PHP URL Validation filter_var privilege escalation vulnerability. The exploitability is told to be easy and a remote attacker can launch an attack. The exploitation does not require any form of authentication.

Vulnerable Software Versions

PHP software versions up to 7.3.28/7.4.20/8.0.7 are vulnerable.

Important User Information

PHP users need to know that a patch has been released that addresses the critical software vulnerability and that users should update immediately. Upgrading to version 7.3.29, 7.4.21, or 8.0.8 eliminates this vulnerability. The update process is not a one-click solution, because updating the PHP version differs for each platform (e.g. WordPress, Bluehost, Siteground.) For this reason, users should contact their host (hosting solution) on how to update the PHP version if this has not been applied already.

Tech researcher & communications specialist
Mirza has an education background in Global Communications, has worked in advertising, marketing, journalism and television over the years while living in several different countries. He is now working to consolidate news and outreach at VPNoverview.com, while in his free time he likes to work on documentary projects, read about sociology and write about world events.