The Open Source Technology Improvement Fund (OSTIF) conducted a comprehensive security audit of the PHP interpreter (php-src) last year, in collaboration with the Sovereign Tech Fund, Quarkslab and the PHP Foundation. The purpose of the audit was to improve the security of the widely used scripting-language interpreter ahead of the PHP 8.4 release in November 2024.
27 findings
During the audit, which lasted about two months, the Quarkslab team performed a detailed analysis combining manual code review, dynamic testing and a cryptographic review. A total of 27 findings were recorded, 17 of which are security issues. The most severe of the discovered weaknesses are rated two high and six medium severity.
Some of the identified security gaps include:
- manipulation of PHP log output, made possible by a flaw in the data parsing logic (CVE-2024-9026),
- problems in multipart form data parsing that can lead to misinterpretation of data (CVE-2024-8925),
- a memory issue in a PHP filter that leads to segmentation faults (CVE-2024-8928),
- a weakness in the MySQL driver that can disclose data from previous queries (CVE-2024-8929).
The PHP Foundation emphasised in a blog post that, due to the limited budget, only the most important components of the source code were examined. The examined components include PHP-FPM (FastCGI Process Manager), the MySQL database driver and the cryptographic functions.
PHP code meets general security standards
Despite the weaknesses found, the Quarkslab research team considers the general security standard of the PHP code base to be good. Most of the identified weaknesses require specific preconditions that, according to the blog post, are rarely found in production environments.
The PHP community has since closed the security gaps that were found. Users of the PHP interpreter (php-src) should update to the latest available version to benefit from the security fixes.
More detailed information is provided in the Quarkslab SAS report, the blog post from the PHP Foundation and an announcement from OSTIF.
(MDO)