PHP Core Security Audit Results

Original link: https://thephp.foundation/blog/2025/04/10/php-core-security-audit-results/

In 2024, with funding from the Sovereign Tech Agency and organized by OSTIF, the PHP Foundation commissioned Quarkslab to perform a security audit of the critical components of the PHP source code (php-src). Because of budget constraints the audit could not cover the entire codebase, but it still found 27 issues, 17 of them security-related (3 high, 5 medium, 9 low severity). Four vulnerabilities received CVE identifiers, covering PHP-FPM log tampering, multipart form data parsing, filter handling, and a heap leak in the MySQL client. The PHP development team has resolved all identified issues. Users are strongly advised to upgrade to the latest PHP version for improved security. The report praised the overall quality of the PHP codebase. The PHP Foundation thanks the audit team, the maintainers and the funders for their contributions to improving PHP's security, and encourages further sponsorship so that a comprehensive audit can be carried out.

Hacker News discussion: 12 points, submitted by moebrowne, 1 hour ago | 1 comment

sgc, 4 minutes ago:
Mainly I want to say thank you. Over a very long period of time, PHP has put in incredible work and dedication. The PHP community has successfully reinvented PHP several times, mainly in order to make the language better. I wish them continued success.

Original text

The PHP Foundation is pleased to announce the completion of a comprehensive security audit of the PHP source code (php/php-src), commissioned by the Sovereign Tech Agency.

This initiative was organized in partnership with the Open Source Technology Improvement Fund (OSTIF) and executed by the esteemed security group Quarkslab.

Audit Overview

Conducted over a two-month period in 2024, the audit encompassed:

  • Development of a threat model tailored to php-src
  • Manual code reviews
  • Dynamic testing procedures
  • Cryptographic assessments

The collaboration between Quarkslab’s auditors and PHP maintainers ensured a thorough examination of the codebase.

⚠️
Due to budget constraints, the recent security audit focused on the most critical components of the PHP source code rather than the entire codebase. Organizations interested in sponsoring a comprehensive audit or additional assessments are encouraged to contact us!
⚠️

Key Findings

The audit identified 27 issues, with 17 having security implications:

  • 3 High-severity
  • 5 Medium-severity
  • 9 Low-severity

Additionally, 10 informational findings were reported.

Notably, four vulnerabilities received CVE identifiers:

  • CVE-2024-9026: Log tampering vulnerability in PHP-FPM, allowing potential manipulation or removal of characters from log messages.
  • CVE-2024-8925: Flaw in PHP’s multipart form data parsing, potentially leading to data misinterpretation.
  • CVE-2024-8928: Memory-related vulnerability in PHP’s filter handling, leading to segmentation faults.
  • CVE-2024-8929: Issue where a malicious MySQL server could cause the client to disclose heap content from other SQL requests.
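The first of these CVEs is described only by its effect: characters in PHP-FPM log messages could be manipulated or removed. The post does not describe the mechanism or the fix, so the example below is not php-src code and not the PHP-FPM patch; it is an added illustration of the general risk class (an untrusted value containing control characters changes how a log record is read) and of the application-level mitigation that complements upgrading: escaping control characters before anything user-controlled is written to a log. The function names and the sample User-Agent string are constructed for this example.

```php
<?php
// Added example, not from the PHP Foundation post or from php-src.
// Demonstrates the log-tampering risk class named for CVE-2024-9026:
// when a field an attacker controls is written raw into a log, embedded
// newlines can forge a second record and a carriage return can hide
// part of the real one. Mitigation shown: escape ASCII control
// characters (and DEL) so each record stays on exactly one line.
// Function names are hypothetical.

declare(strict_types=1);

/** Escape control characters as \xNN so they cannot alter log layout. */
function sanitize_log_field(string $value): string
{
    return preg_replace_callback(
        '/[\x00-\x1F\x7F]/',
        static fn(array $m): string => sprintf('\\x%02X', ord($m[0])),
        $value
    );
}

/** Build one line-safe log record from a level, a message and key/value context. */
function log_line(string $level, string $message, array $context = []): string
{
    $parts = [date('c'), strtoupper($level), sanitize_log_field($message)];
    foreach ($context as $key => $val) {
        $parts[] = sanitize_log_field((string) $key) . '=' . sanitize_log_field((string) $val);
    }
    return implode(' ', $parts) . PHP_EOL;
}

// Constructed input: a User-Agent header that tries to inject a forged
// "login ok" record after a newline, then uses a carriage return to
// overwrite what a terminal viewer would display.
$userAgent = "Mozilla/5.0\n2024-10-01T00:00:00+00:00 INFO login ok user=admin\rHIDDEN";

echo "Raw (two lines, forged record):\n";
echo 'WARN login failed ua=' . $userAgent . PHP_EOL;

echo "\nSanitized (one line, forgery visible as escapes):\n";
$record = log_line('warn', 'login failed', ['ua' => $userAgent]);
echo $record;

// Self-check: a sanitized record contains no bare CR and exactly one
// newline, the terminating one.
assert(substr_count($record, "\n") === 1 && !str_contains($record, "\r"));
```

The check at the end is the property a log consumer relies on: one record per line. Encoding rather than stripping control characters keeps the evidence of the attempt visible in the log, which is what an analyst wants when reviewing such entries.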

Recommendations and Resolutions

Quarkslab’s report commended the overall high quality and specification adherence of the php/php-src project.

The PHP development team has addressed all identified issues. Users are strongly encouraged to upgrade to the latest PHP versions to benefit from these security enhancements.

Acknowledgments

We extend our gratitude to the individuals and organizations that made this audit possible:

  • The PHP Foundation Team and PHP maintainers:
    Jakub Zelenka, Arnaud Le Blanc, Niels Dossche, Ilija Tovilo, Stas Malyshev, Dmitry Stogov, Derick Rethans, and Roman Pronskiy.
  • Quarkslab Team:
    Angèle Bossuat, Julio Loayza Meneses, Mihail Kirov, Sebastien Rolland, Ramtine Tofighi Shirazi.
  • Sovereign Tech Agency:
    Abigail Garner and the team – for commissioning the audit and all the help.
  • OSTIF:
    Amir Montazery, Derek Zimmer, Helen Woeste – for organizing the collaboration.

This audit underscores our commitment to enhancing PHP’s security and reliability. We remain dedicated to ongoing improvements and collaborations to ensure PHP’s robustness for the global development community.

Further Reading

If your company is interested in commissioning another round of security audits, please contact The PHP Foundation team: [email protected].

🐘💜
