Blog Feed Post

PHP 7 Vulnerabilities You Can’t Ignore

Since its initial release in December 2015, PHP 7 has earned praise by early adopters for its new language features and impressive performance improvements. But developers beware: Glaring security holes lurk beneath the glamour of a new release. In late December 2016, security researchers discovered multiple zero-day exploits in PHP 7, including remote code execution and denial of service vulnerabilities. Attackers can use these exploits to take your site offline or worse—hijack your site for all manner of dastardly deeds.

While the latest PHP 7 releases include patches for these vulnerabilities, the Common Vulnerabilities and Exposures (CVE) List shows that security researchers regularly discover PHP security flaws. In this post you will learn how security breaches can impact your business and what you can do to protect your PHP applications from hackers.


Now that we understand the consequences of a security breach, let’s take a closer look at the zero-day exploits discovered in PHP late last year.

Use unserialize()with extreme caution!

The common denominator among all three exploits is PHP’s unserialize() function. PHP 7 introduced a new filtered unserialize feature that aims to mitigate the impact of code injection vulnerabilities by requiring developers to whitelist classes that are safe to unserialize. But even with this improvement, passing untrusted input to unserialize() is not safe, as clearly indicated by the function’s documentation. 

What is untrusted input?

Any input that comes from a source not directly under your control should be considered dangerous. Examples of input sources include query string parameters, HTML forms, file uploads, third-party APIs, and more.

Is my site vulnerable?

The only way to know if your site is vulnerable is to inspect your entire codebase and all of its dependencies. Typically the vulnerability report, such as this one for CVE-2016-7479, includes enough information for you to identify vulnerable code. However, each vulnerability is unique, making it unfeasible to manually inspect your codebase for every possible vulnerability—not to mention you have to repeat these inspections every time you change your code or new vulnerabilities are discovered.

How do I fix it?

The immediate fix is to update to the latest patched version of PHP 7. If that’s not possible because you are using shared hosting or because upgrading could break your application, you need to implement a workaround. Even if you can upgrade PHP, you should still consider a workaround because unserialize() is historically risky and likely still contains undiscovered vulnerabilities. In this case, the safest approach is to use an alternative serialization format, such as JSON, that can deserialize data without loading or executing additional PHP code. 

Building a foundation for PHP security

At this point your head may be spinning—and we’ve only covered a single PHP 7 vulnerability. Fortunately, there are many industry standard tools and practices available to help you make your site more secure without losing sleep or breaking the bank. Even adhering to only two or three of these recommendations will put you in a more secure posture than many organizations.

Patching schedule

This one isn’t PHP specific, but if you don’t keep your operating system and PHP version up to date with the latest security patches, nothing else you do matters. Most Linux distributions include PHP in their package repository, and they update it regularly with the latest security patches. Enabling automatic security updates for your OS is the absolute minimum you can do. If you install PHP from source or some other method, you should use configuration management software such as Ansible, Chef, or Puppet to automate the installation and upgrade process.

Dependency checks

Most production PHP applications depend on dozens of third-party libraries directly, and even more libraries indirectly. Each one of these components may have security flaws and require regular updates. For this reason, many development teams use Composer to simplify management of their app’s dependencies. But how do you know when you need to update?

 The open source OWASP dependency-check tool can identify vulnerable Composer packages in your application. As a bonus, if you use NPM to manage JavaScript packages, dependency-check works on those too.

Secure coding practices

Unless your application lives in a vacuum, you will make code changes on a regular basis. Any developer involved with building or reviewing PHP applications should have a basic knowledge of common web application vulnerabilities and secure coding practices.

 Understanding the OWASP Top 10 is a good foundation for general web application security knowledge. Attack vectors such as SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF) are common to web applications written in any programming language.

 The next level of security knowledge is to know the specific security considerations and concerns for the PHP language. There are good online guides available to get you started, and the PHP manual itself has an entire section devoted to security.

Static analysis

Static analysis tools read and analyze your application source code, looking for common security vulnerabilities and insecure code structures. For example, the Exakat PHP security scanner can identify unsafe use of the unserialize() function that we examined earlier. Drawbacks of static analysis tools include incomplete rulesets and false positives. There are many open source and commercial PHP static analysis tools available, so do your homework and find ones that work well for you. While they often provide quick and useful feedback on the security of your code, static analysis should never be used as your only security control.

Dynamic analysis

While static analysis tools examine your application’s source code, dynamic analysis tools, such as Arachni or the OWASP Zed Attack Proxy, observe the behavior of running applications. These tools crawl your site, click on links, fill out forms, and do all kinds of unexpected things to your site in order to discover classes of vulnerabilities that can’t be detected using static analysis. If at all possible, you should run these tools against a test instance of your application and not a production site, because they can potentially modify data or break your site.

Make security part of your CI/CD pipeline

Good PHP application security takes time, requires expertise, and demands a broad toolset. If you don’t automate the basics and make security visible, your team will inevitably drift back into poor security habits. One of the best ways to establish a sustainable application security baseline is to integrate security controls into your continuous integration pipeline. Many of the security tools mentioned previously have scriptable command-line interfaces, and some even have first-class CI support, such as the OWASP dependency-check and ZAP plugins for Jenkins.

 When developers notice security issues in their build status reports, they will naturally start fixing them as part of their daily work. Advanced teams will even fail the build when a security check fails, preventing deployment until they can patch the issue. Instead of taking weeks, months, or even years to detect and remediate most security vulnerabilities, you can have a Zero mean time to remediation (MTTR). You can find and fix security problems before unleashing your code on the internet.

Web application firewalls

What about application security problems that arise in production? Despite your best efforts to build security into your product, there will always be opportunities for attackers to exploit your application in the wild. While advanced security monitoring and incident response are beyond the scope of this article, one simple solution that offers substantial security benefits is to use a web application firewall in front of your site.

 Web application firewalls (WAF) stop malicious requests before they can reach your servers. Not only can a WAF prevent common types of attacks, it can also block traffic from sources known for malicious activity. Most commercial web application firewalls act as a reverse proxy and require little to no application or hosting changes to start using. ModSecurity is an open source WAF module you can install on your Apache, Nginx, or Microsoft IIS web server. With the modern increase in threat activity and rise of massive botnets, leveraging a WAF is quickly becoming a requirement for site owners.


Security vulnerabilities are a fact of life. While a security breach can be damaging to your business, there are plenty of ways you can protect your PHP sites and mitigate your risk that don’t require you to be a security genius. Don’t let the recent discovery of PHP 7 security vulnerabilities discourage you from using the latest and greatest version. With the right training, awareness, tools, and practices, you can safely run PHP 7 applications in production today and in the future.


The post PHP 7 Vulnerabilities You Can’t Ignore appeared first on Application Performance Monitoring Blog | AppDynamics.

Read the original blog entry...

More Stories By Jyoti Bansal

In high-production environments where release cycles are measured in hours or minutes — not days or weeks — there's little room for mistakes and no room for confusion. Everyone has to understand what's happening, in real time, and have the means to do whatever is necessary to keep applications up and running optimally.

DevOps is a high-stakes world, but done well, it delivers the agility and performance to significantly impact business competitiveness.

Latest Stories
DevOps is often described as a combination of technology and culture. Without both, DevOps isn't complete. However, applying the culture to outdated technology is a recipe for disaster; as response times grow and connections between teams are delayed by technology, the culture will die. A Nutanix Enterprise Cloud has many benefits that provide the needed base for a true DevOps paradigm. In his Day 3 Keynote at 20th Cloud Expo, Chris Brown, a Solutions Marketing Manager at Nutanix, will explore t...
Translating agile methodology into real-world best practices within the modern software factory has driven widespread DevOps adoption, yet much work remains to expand workflows and tooling across the enterprise. As models evolve from pockets of experimentation into wholescale organizational reinvention, practitioners find themselves challenged to incorporate the culture and architecture necessary to support DevOps at scale. In his session at @DevOpsSummit at 20th Cloud Expo, Anand Akela, Senior...
Join IBM November 2 at 19th Cloud Expo at the Santa Clara Convention Center in Santa Clara, CA, and learn how to go beyond multi-speed it to bring agility to traditional enterprise applications. Technology innovation is the driving force behind modern business and enterprises must respond by increasing the speed and efficiency of software delivery. The challenge is that existing enterprise applications are expensive to develop and difficult to modernize. This often results in what Gartner calls ...
In recent years, containers have taken the world by storm. Companies of all sizes and industries have realized the massive benefits of containers, such as unprecedented mobility, higher hardware utilization, and increased flexibility and agility; however, many containers today are non-persistent. Containers without persistence miss out on many benefits, and in many cases simply pass the responsibility of persistence onto other infrastructure, adding additional complexity.
Did you know that you can develop for mainframes in Java? Or that the testing and deployment can be automated across mobile to mainframe? In his session at @DevOpsSummit at 20th Cloud Expo, Vaughn Marshall, Sr. Principal Product Owner at CA Technologies, will discuss and demo how increasingly teams are developing with agile methodologies using modern development environments and automating testing and deployments, mobile to mainframe.
SYS-CON Events announced today that Hitachi Data Systems, a wholly owned subsidiary of Hitachi LTD., will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City. Hitachi Data Systems (HDS) will be featuring the Hitachi Content Platform (HCP) portfolio. This is the industry’s only offering that allows organizations to bring together object storage, file sync and share, cloud storage gateways, and sophisticated search an...
With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @ThingsExpo 2016 in New York. Learn what is going on, contribute to the discussions, and ensure that your enterprise is as "IoT-Ready" as it can be! Internet of @ThingsExpo, taking place June 6-8, 2017, at the Javits Center in New York City, New York, is co-located with 20th Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry p...
Automation is enabling enterprises to design, deploy, and manage more complex, hybrid cloud environments. Yet the people who manage these environments must be trained in and understanding these environments better than ever before. A new era of analytics and cognitive computing is adding intelligence, but also more complexity, to these cloud environments. How smart is your cloud? How smart should it be? In this power panel at 20th Cloud Expo, moderated by Conference Chair Roger Strukhoff, pane...
Most companies are adopting or evaluating container technology - Docker in particular - to speed up application deployment, drive down cost, ease management and make application delivery more flexible overall. As with most new architectures, this dream takes a lot of work to become a reality. Even when you do get your application componentized enough and packaged properly, there are still challenges for DevOps teams to making the shift to continuous delivery and achieving that reduction in cost ...
@GonzalezCarmen has been ranked the Number One Influencer and @ThingsExpo has been named the Number One Brand in the “M2M 2016: Top 100 Influencers and Brands” by Analytic. Onalytica analyzed tweets over the last 6 months mentioning the keywords M2M OR “Machine to Machine.” They then identified the top 100 most influential brands and individuals leading the discussion on Twitter.
SYS-CON Events announced today that Twistlock, the leading provider of cloud container security solutions, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Twistlock is the industry's first enterprise security suite for container security. Twistlock's technology addresses risks on the host and within the application of the container, enabling enterprises to consistently enforce security policies, monitor...
The Internet of Things is clearly many things: data collection and analytics, wearables, Smart Grids and Smart Cities, the Industrial Internet, and more. Cool platforms like Arduino, Raspberry Pi, Intel's Galileo and Edison, and a diverse world of sensors are making the IoT a great toy box for developers in all these areas. In this Power Panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists discussed what things are the most important, which will have the most profound e...
The age of Digital Disruption is evolving into the next era – Digital Cohesion, an age in which applications securely self-assemble and deliver predictive services that continuously adapt to user behavior. Information from devices, sensors and applications around us will drive services seamlessly across mobile and fixed devices/infrastructure. This evolution is happening now in software defined services and secure networking. Four key drivers – Performance, Economics, Interoperability and Trust ...
@ThingsExpo has been named the Most Influential ‘Smart Cities - IIoT' Account and @BigDataExpo has been named fourteenth by Right Relevance (RR), which provides curated information and intelligence on approximately 50,000 topics. In addition, Right Relevance provides an Insights offering that combines the above Topics and Influencers information with real time conversations to provide actionable intelligence with visualizations to enable decision making. The Insights service is applicable to eve...
Multiple data types are pouring into IoT deployments. Data is coming in small packages as well as enormous files and data streams of many sizes. Widespread use of mobile devices adds to the total. In this power panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists will look at the tools and environments that are being put to use in IoT deployments, as well as the team skills a modern enterprise IT shop needs to keep things running, get a handle on all this data, and deli...