CVE-2023-3823 & CVE-2023-3824 – PHP Security Vulnerabilities: What You Need to Know

by do son · Published August 7, 2023 · Updated August 8, 2023

PHP is a popular programming language used to create dynamic web pages. However, like any software, it is not immune to security vulnerabilities. In recent months, two new security vulnerabilities have been discovered in PHP: CVE-2023-3823 and CVE-2023-3824.

CVE-2023-3823 (CVSS score of 8.6): Information Disclosure

CVE-2023-3823 is an information disclosure vulnerability that could allow a remote attacker to obtain sensitive information from a PHP application. The vulnerability is caused by insufficient validation of user-supplied XML input. An attacker could exploit this vulnerability by sending a specially crafted XML code to the application. The code would then be parsed by the application, and the attacker could gain access to sensitive information, such as the contents of arbitrary files on the system or the results of external requests.

Every application, library, and server parsing or interacting with XML documents is susceptible to this flaw. Thanks to the diligent work of security researcher nickvergessen, who also published the proof-of-concept.

CVE-2023-3824 (CVSS score of 9.4): Buffer Overflow

CVE-2023-3824 is a buffer overflow vulnerability that could allow a remote attacker to execute arbitrary code on a PHP system. The vulnerability is caused by improper bounds checking by the phar_dir_read() function. An attacker could exploit this vulnerability by sending a specially crafted request to the application. The request would then cause a buffer overflow, and the attacker could gain control of the system and execute arbitrary code.

The complexity of this vulnerability revolves around a series of problematic checks and overflows. For example, the condition to_read == 0 || count < ZSTR_LEN(str_key) has been found to be incorrect. This leads to a series of implications in the code, such as an issue with the line ((php_stream_dirent *) buf)->d_name[to_read + 1] = ‘\0’;. This piece of code is prone to overflow and does not properly NUL-terminate the filename. It has been likened to a stack information leak and a buffer write overflow, further compounding the problem.

In addition, there may be concerns related to buffer overflow in the memset. Although no such instances have been found within PHP itself, third-party extensions might still be affected.

The exploitation is admittedly challenging, dependent on the specific application targeted, but it is feasible in theory. As per the security advisory, “People who inspect contents of untrusted phar files could be affected.”

Thanks to the efforts of security researcher nielsdos, who also published the proof-of-concept.

Mitigation

Both CVE-2023-3823 and CVE-2023-3824 have been patched in PHP 8.0.30. If you are using an older version of PHP, you should upgrade to 8.0.30 as soon as possible. In addition, you should take steps to protect your PHP applications from attack, such as: