
The PHP Foundation has reported the results of a security audit of the most critical parts of the PHP source code, which turned up several high-severity issues, fixed in the new version 8.4.6 released last week.
The code investigated was php-src, the PHP interpreter. Flaws discovered included:
- PHP logs could be tampered with because of a bug in the parsing logic for received data. This could insert or delete up to 4 characters, or more if syslog (a standard logging protocol) is used (CVE-2024-9026).
- A bug in the handling of multipart form submissions could mean that data is not interpreted correctly (CVE-2024-8925).
- PHP’s filter handling was found to have a memory issue causing segmentation faults (CVE-2024-8928).
- A bug in the MySQL driver could leak data from the previous query (CVE-2024-8929).
The report was produced by Quarkslab SAS, organized by the Open Source Technology Improvement Fund, and funded by the Germany-based Sovereign Tech Agency.
The PHP Foundation noted that because of budget constraints, only the “most critical components” of the source code were audited.
Components considered critical included PHP-FPM (FastCGI Process Manager), which is used to improve performance, the MySQL database driver, HTTP parsing and MIME attachment handling, JSON parsing, and cryptographic features such as OpenSSL, password handling, hashing, and random number generation.

Despite the flaws found, and others which are less severe, the Quarkslab researchers concluded that “most of the identified vulnerabilities require prerequisites that are sometimes difficult to obtain or rarely encountered in a production environment,” suggesting that the general standard of security is good; the security team also spoke of the “overall good work quality of the specification and source code.”
That said, this audit is far from comprehensive, both because it focused only on the most critical components and because the auditors ran out of time. Quarkslab said that functions including parse_url, parse_str, streams, and xp_ssl were not investigated, even though they do process data from external sources.
PHP is old, interpreted and unfashionable; yet it runs a huge number of web applications: currently 74.3 percent of websites whose server-side programming language is known, according to W3Techs. Much of this is because of the popularity of WordPress and other PHP CMS (content management system) frameworks. It is also relatively easy to use. “Many of the quirks and problematic parts have been addressed through the years, it’s battle tested, and there is a healthy and stable ecosystem,” said a developer on Hacker News.
Another commented that a simple PHP application performs well compared to the “lethargic JS slop of the average website,” a factor that is also driving a revival of interest in Ruby on Rails.