PHP Code Base Security Audit Results Released

OSTIF (Open Source Technology Improvement Fund) has announced the completion of an independent security audit of the PHP project's code base, part of its effort to improve the security of open source projects. The audit was conducted by the French company Quarkslab, known for its previous audits of projects such as OpenVPN, VeraCrypt, and OpenSSL.

The audit identified a total of 27 issues, 17 of which were classified as security problems and 10 as informational. Of the 17 security issues, two were rated high severity, six medium severity, and nine low severity.

The security issues included a memory-corruption vulnerability in the filter extension, an out-of-bounds read in the MySQL driver that leaks memory contents from beyond the buffer boundary, and a PHP-FPM issue that allows a denial of service by inducing excessive CPU load. In PHP's OpenSSL extension the auditors found three medium-severity issues, concerning key alignment, overwriting of the initialization vector, and missing verification of DH parameters, as well as four low-severity problems.

Other findings included an integer overflow when parsing php.ini, a PHP-FPM issue in which characters could be stripped from log messages, and a flaw in multipart form parsing that leads to incorrect processing of the submitted data.
