PHP Security Center

In PHP versions 7.2.x below 7.2.30, 7.3.x below 7.3.17, and 7.4.x below 7.4.5, if PHP is compiled with EBCDIC support (uncommon), the urldecode() function can be made to access locations past the allocated memory, due to erroneously using signed numbers as array indexes.

Upgrade to PHP 7.2.30 or above, 7.3.17 or above, or 7.4.5 or above.

In PHP versions 7.2.x below 7.2.9, 7.3.x below 7.3.16, and 7.4.x below 7.4.4, while parsing EXIF data using the exif_read_data() function, it is possible for malicious data to cause PHP to read one byte of uninitialized memory. This could potentially lead to information disclosure or crash.

Upgrade to PHP 7.2.9 or above, 7.3.16 or above, or 7.4.4 or above.

In PHP versions 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while using the mb_strtolower() function with UTF-32LE encoding, certain invalid strings could cause PHP to overwrite a stack-allocated buffer. This could lead to memory corruption, crashes, and potentially code execution.

Upgrade to 7.3.16 or above, or 7.4.4 or above.

In PHP versions 7.2.x below 7.2.9, 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while using get_headers() with a user-supplied URL, if the URL contains a zero (\u0000) character, the URL will be silently truncated at its first occurence. This may cause some software to make incorrect assumptions about the target of the get_headers(), which could lead to sending information to the wrong server or path on a server.

Upgrade to 7.2.9 or above, 7.3.16 or above, or 7.4.4 or above.

In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15, and 7.4.x below 7.4.3, when using file upload functionality, if upload progress tracking is enabled, but session.upload_progress.cleanup is set to 0 (disabled) and the file upload fails, the upload procedure would try to clean up data that does not exist and encounter a null pointer dereference, which would likely lead to a crash.

Set the session.upload_progress.cleanup INI value to 1 (enabled).

When possible, upgrade to 7.2.28 or above, 7.3.15 or above, or 7.4.3 or above.

In PHP versions 7.3.x below 7.3.15 and 7.4.x below 7.4.3, while extracting PHAR files on Windows using the phar extension, certain content inside a PHAR file could lead to reading one-byte past the allocated buffer. This could potentially lead to information disclosure or crash.

Upgrade to PHP 7.3.15 or higher, or 7.4.3 or higher.

When using the fgetss() function to read data while stripping HTML tags, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14, and 7.4.x below 7.4.2, it is possible to supply data that will cause this function to read past the allocated buffer. This may lead to information disclosure or crash.

fgetss() combines the functionality of fgets() with that of strip_tags(), which removes HTML and PHP tags, as well as null bytes. Considering fgetss() is deprecated, you should not be using it. Instead, you should call strip_tags() on each valid return value of fgets():

while (! feof($fh)) {
    $line = fgets($fh);
    $line = strip_tags($line);
    // do something with $line
}

When possible, upgrade to PHP 7.2.27 or higher, 7.3.14 or higher, or 7.4.2 or higher.

When using certain mbstring functions to convert multibyte encodings, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14, and 7.4.x below 7.4.2, it is possible to supply data that will cause the underlying C function mbfl_filt_conv_big5_wchar to read past the allocated buffer. This may lead to information disclosure or crash.

Upgrade to PHP &.2.27 or higher, 7.3.14 or higher, or 7.4.2 or higher.

In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15, and 7.4.x below 7.4.3, when creating PHAR archive using the PharData::buildFromIterator() method, files are added with default permissions (0666, or all access) even if the original files on the filesystem were with more restrictive permissions. This may result in files having more lax permissions than intended when the archive is extracted.

Upgrade to PHP 7.2.28 or above, 7.3.15 or above, or 7.4.3 or above.

In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP's DirectoryIterator class accepts filenames with embedded null bytes (\u0000) and treats them as terminating at that byte. This can lead to security vulnerabilities when applications check paths that the code is allowed to access.

Filter paths and filenames before providing them to the DirectoryIterator constructor:

preg_replace('/\\0/', "", $var);

When possible, update to PHP 7.2.26 or later, PH 7.3.13 or later, or 7.4.1 or later.