Executive Summary
Our security research team has found that CVE-2023-0568, an off-by-one buffer allocation bug in PHP's core path-resolution code whose official advisory lists only PHP 8.0, 8.1 and 8.2, is also present in the PHP 7 series (on both Windows and Linux). PHP 7 is absent from the advisory because it had already reached End-of-Life (EOL) when the fix shipped, so it never received a patch. This matters for any organization still running PHP 7 in production: the vulnerable code is there, and no official security update is coming.
CVSS 3.x scores:
- 8.1 (NVD)
- 7.5 (PHP Group)
The Vulnerability Explained
CVE-2023-0568 is an off-by-one error in PHP's core path-resolution function. The function resolves into a fixed buffer of exactly MAXPATHLEN bytes, which is one byte too small when the input path is close to that limit and a trailing slash has to be appended before the terminator. In that case the terminating NUL byte (0x00, not a NULL pointer) is written to the byte immediately after the buffer.
While a single NUL byte might look harmless, it is a genuine memory-safety defect:
- The official description rates it as potentially leading to unauthorized data access or modification
- Under specific conditions it can crash the process, resulting in denial of service (DoS)
- Even a one-byte stack overwrite can corrupt an adjacent variable and become one link in a larger exploitation chain
PHP 7: Still Vulnerable but Officially Unsupported
The official advisory for CVE-2023-0568 specifies that it affects:
- PHP 8.0.x before 8.0.28
- PHP 8.1.x before 8.1.16
- PHP 8.2.x before 8.2.3
However, our security research team has confirmed that the PHP 7 series contains the same defect. This leaves organizations still running PHP 7 with a real security gap:
- PHP 7.4, the last 7.x branch, reached EOL on 28 November 2022, before the February 2023 fix releases
- No official patch exists, and none will be released by the PHP maintainers
- The defect is therefore present in every PHP 7 release, including the final 7.4.33
Technical Details
The vulnerability exists in PHP's path resolution code, which follows this pattern in multiple locations (simplified fragment; identifiers are illustrative):

```c
char resolved_path[MAXPATHLEN];            /* buffer holds at most MAXPATHLEN bytes */
/* ... up to MAXPATHLEN - 1 bytes of the path are copied in ... */
if (resolved_path[path_length - 1] != '/') /* path doesn't end with a slash, so append one */
    resolved_path[path_length++] = '/';
resolved_path[path_length] = '\0';         /* with path_length == MAXPATHLEN this NUL lands at
                                              index MAXPATHLEN, one byte past the end */
```
When the resolved path is MAXPATHLEN - 1 bytes long (the longest the function accepts) and does not already end with a slash, appending the slash fills the buffer completely, and the terminating NUL is then written to index MAXPATHLEN, one byte past the end of the stack array.
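The pattern above, as an added example that is not PHP's own code: MAXPATHLEN is shrunk to 16 so the arithmetic is easy to follow, the function names (resolve_vulnerable, resolve_fixed, canary_after, resolve_rc, long_path) are made up for the demo, and the hardened variant shows the general fix (check that slash and terminator both fit) rather than the upstream patch. The buffer is backed by MAXPATHLEN + 1 bytes with a canary in the last position so the demo's own write stays inside a real object; in PHP the same write hits whatever the compiler placed after the array on the stack.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Assumption: MAXPATHLEN shrunk to 16 for the demo. Real builds use the
 * platform limit (typically 4096 on Linux builds). */
#define MAXPATHLEN 16
#define CANARY 0xAA   /* marker stored in the byte right after the buffer */

/* Vulnerable pattern. 'resolved' is a MAXPATHLEN-byte window, mirroring
 * "char resolved_path[MAXPATHLEN]". Returns the index where the NUL
 * terminator was written, or -1 if the input was rejected. */
int resolve_vulnerable(const char *path, char *resolved)
{
    size_t len = strlen(path);
    if (len == 0 || len >= MAXPATHLEN)   /* the input itself does fit */
        return -1;
    memcpy(resolved, path, len);
    if (resolved[len - 1] != '/')        /* append the missing trailing slash */
        resolved[len++] = '/';
    resolved[len] = '\0';                /* len may equal MAXPATHLEN here: one byte past the end */
    return (int)len;
}

/* Hardened variant (illustrative, not the upstream patch): reject the path
 * unless slash and terminator both fit inside the MAXPATHLEN window. */
int resolve_fixed(const char *path, char *resolved)
{
    size_t len = strlen(path);
    bool add_slash = (len > 0 && path[len - 1] != '/');
    if (len == 0 || len + (add_slash ? 1 : 0) >= MAXPATHLEN)
        return -1;
    memcpy(resolved, path, len);
    if (add_slash)
        resolved[len++] = '/';
    resolved[len] = '\0';
    return (int)len;
}

/* Constructed worst-case input: MAXPATHLEN - 1 bytes, no trailing slash. */
const char *long_path(void)
{
    static char path[MAXPATHLEN];
    memset(path, 'a', MAXPATHLEN - 1);
    path[0] = '/';
    path[MAXPATHLEN - 1] = '\0';
    return path;
}

/* Run a resolver on a MAXPATHLEN window followed by one canary byte and
 * return the canary afterwards (0x00 means the NUL landed past the window). */
unsigned char canary_after(int (*resolver)(const char *, char *), const char *path)
{
    unsigned char storage[MAXPATHLEN + 1];
    memset(storage, 0, sizeof storage);
    storage[MAXPATHLEN] = CANARY;
    resolver(path, (char *)storage);
    return storage[MAXPATHLEN];
}

/* Return value of a resolver run on a scratch window (rejected => -1). */
int resolve_rc(int (*resolver)(const char *, char *), const char *path)
{
    char scratch[MAXPATHLEN + 1] = {0};
    return resolver(path, scratch);
}

int main(void)
{
    printf("input length: %zu (MAXPATHLEN - 1)\n", strlen(long_path()));
    printf("vulnerable: NUL written at index %d, canary = 0x%02x\n",
           resolve_rc(resolve_vulnerable, long_path()),
           canary_after(resolve_vulnerable, long_path()));
    printf("fixed:      rc = %d (rejected), canary = 0x%02x\n",
           resolve_rc(resolve_fixed, long_path()),
           canary_after(resolve_fixed, long_path()));
    return 0;
}
```

Compile with `cc -Wall demo.c && ./a.out`. Note that an input of the same length that already ends with a slash never triggers the write, which is why the bug depends on both the length and the shape of the path; if you replace the padded storage with a bare `char buf[MAXPATHLEN]` and build with AddressSanitizer, the vulnerable variant is reported as a stack-buffer-overflow.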
While an isolated one-byte stack overwrite might seem minor, its effect depends entirely on what the compiler placed after the array, and that can be serious:
- If another local variable sits there, one of its bytes is silently zeroed, corrupting program state
- If the byte is part of data that feeds a later decision, it may influence program control flow (if it is only padding, nothing observable happens, which is why such bugs go unnoticed)
- Combined with other weaknesses, it could serve as a building block in a more sophisticated attack
Our Solution: Endless Lifecycle Support for PHP 7
We understand that migrating from PHP 7 to newer versions isn’t always immediately feasible due to application compatibility, resource constraints, or other business factors. That’s why we’re offering:
- Custom Security Patches: We’ve developed patches for PHP 7 that address CVE-2023-0568 and other known vulnerabilities
- Updated PHP 7 Packages: Available for both Windows and Linux environments
- Ongoing Security Support: Continued monitoring and patching of newly discovered vulnerabilities in PHP 7
Recommended Actions
If your organization is still running PHP 7, we recommend:
- Assess Your Exposure: Inventory the PHP version on every host (php -v) and evaluate whether untrusted input can reach file-system operations with path lengths approaching MAXPATHLEN (typically 4096 on Linux builds), which is what triggers this vulnerability
- Apply Our Patched Packages: Install our security-patched PHP 7 packages to mitigate this vulnerability
Conclusion
Security vulnerabilities don’t respect EOL dates. CVE-2023-0568 is a prime example of how security issues can affect software beyond its official support lifecycle. Our extended support services for PHP 7 provide organizations with the security patches they need while planning their migration strategy on their own timeline.

