BACKRONYM, Other Vulnerabilities Patched in PHP

PHP 5.6.11, 5.5.27 and 5.4.43 were released last week. The latest versions of the popular scripting language address numerous functionality bugs and several security issues.

The most important security flaw addressed in PHP 5.6.11, 5.5.27 and 5.4.43 is the MySQL vulnerability dubbed BACKRONYM (Bad Authentication Causes Kritical Risk Over Networks, Yikes MySQL).

BACKRONYM is a TLS vulnerability affecting Oracle MySQL client libraries and forks such as MariaDB and Percona (CVE-2015-3152). The bug can be exploited by a man-in-the-middle (MitM) attacker to downgrade MySQL SSL/TLS connections, intercept database queries and results, and manipulate database contents.

The vulnerability, caused by the fact that the –ssl option does not enforce an effective SSL/TLS connection, was patched by Oracle in December 2013 with the release of MySQL 5.7.3. The problem is that MySQL 5.7.x is not a general availability release so most users still utilize the vulnerable 5.6 version.

The developers of PHP have patched BACKRONYM in the MySQL native driver for PHP (mysqlnd), the scripting language’s drop-in replacement for the MySQL Client Library.

In addition to this bug, PHP 5.6.11 patches four other security issues. One of the vulnerabilities is caused by the fact that the escapeshellcmd() and escapeshellarg() functions in PHP don’t treat “!” as a special character, potentially allowing an attacker to execute arbitrary code.

Other vulnerabilities patched in the latest version of PHP are a use-after-free in spl_recursive_it_move_forward_ex() and a use-after-free in sqlite3SafetyCheckSickOrOk().

Active support for PHP 5.4 ceased 9 months ago, but security support is still being provided until September 14, 2015. In the case of PHP 5.5, general support ended on July 10, but security fixes will be provided for another year.

On Friday, the PHP development team announced the availability of PHP 7.0.0 Beta 1, the third pre-release of the new PHP 7 major series.