Critical vulnerability in PHP allows easy DoS attack on millions of websites

A severe vulnerability in a PHP function would allow threat actors to evade security measures implemented to protect web applications. The affected function is filter_var(), which developers use to filter and validate strings against different data formats, including email addresses, domain names, and URLs.

Cybersecurity specialist Jordy Zomer reports that the function had an integer truncation flaw that, when triggered, causes it to bypass its own filtering logic. The function takes an input string and a numeric argument giving the length of that string. The function signature declares the length argument as a “signed integer”, whose range is split between negative and positive values.

However, another length variable declared inside the function body was defined as an unsigned integer, which accepts only non-negative values. This mismatch produces erratic behavior when the function is given a very large string: the program flow skips the branch that applies the host name and domain filters (FILTER_VALIDATE_DOMAIN and FILTER_FLAG_HOSTNAME).
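The signed/unsigned length mismatch described above, modelled as an added example (hypothetical code written for this article, not PHP's source): a caller measures the input as size_t, the helper declares int, and a length above INT_MAX narrows to a negative value so both the length bound and the character loop are skipped. The hardened variant keeps the length unsigned end to end and bounds it before touching the buffer.

```c
#include <stddef.h>
#include <stdbool.h>
#include <limits.h>
#include <ctype.h>

#define MAX_DOMAIN_LEN 253   /* RFC 1035 total-length limit the validator enforces */
#define MAX_LABEL_LEN   63   /* per-label limit */

/* Character class shared by both variants: letters, digits, '-' and '.' */
static bool domain_char_ok(unsigned char c) {
    return isalnum(c) || c == '-' || c == '.';
}

/* Flawed model: 'len' is int. A size_t above INT_MAX becomes negative,
 * so "too long" never fires and the loop runs zero times: accepted unchecked. */
static int flawed_validate(const char *domain, int len) {
    if (len > MAX_DOMAIN_LEN) return 0;
    for (int i = 0; i < len; i++)
        if (!domain_char_ok((unsigned char)domain[i])) return 0;
    return 1;
}

/* Entry point as the caller sees it: size_t silently narrowed to int. */
static int flawed_filter(const char *domain, size_t len) {
    return flawed_validate(domain, (int)len);
}

/* Hardened variant: unsigned length throughout, bound checked first,
 * plus per-label limits and rejection of empty or trailing labels. */
static int fixed_filter(const char *domain, size_t len) {
    if (len == 0 || len > MAX_DOMAIN_LEN) return 0;   /* oversized input never inspected */
    size_t label = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)domain[i];
        if (!domain_char_ok(c)) return 0;
        if (c == '.') {
            if (label == 0) return 0;                /* "a..b" or leading '.' */
            label = 0;
        } else if (++label > MAX_LABEL_LEN) {
            return 0;
        }
    }
    return label > 0;                                /* no trailing '.' */
}
```

The oversized-length call below never dereferences the buffer in either variant: the flawed one skips its loop entirely, the fixed one rejects on the bound check.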

According to the researcher, because the filter no longer validates its input, any code that relies on it as a security control can be bypassed, leading to a range of security failures.

Zomer adds that the flaw could also be used for denial of service (DoS) attacks against PHP web servers, using input slightly larger than 2 GB: “The best recommendation is to use the appropriate escape mechanisms when placing something in a different context than you had before,” says the researcher.

Although the attack scenario is serious, the flaw is triggered only by very large user input, which makes exploitation difficult: “This bug is unlikely to have much of an impact, due to the basic fact that it only influences a specific subfunction on a specific function, plus it requires a variable of more than 4GB.”

Any properly configured PHP application should enforce memory limits and input-size controls that do not allow 4 GB of input data for a domain name, which further limits the attack.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.