CVE-2017-11143 : Security Advisory and Response

Learn about CVE-2017-11143, a vulnerability in PHP versions before 5.6.31 allowing attackers to crash the interpreter via WDDX deserialization. Find mitigation steps and prevention measures here.

In PHP versions prior to 5.6.31, the WDDX deserialization process contains a vulnerability: an attacker able to inject XML for deserialization can trigger an invalid free operation, potentially crashing the PHP interpreter.

Understanding CVE-2017-11143

What is CVE-2017-11143?

This CVE refers to a vulnerability in PHP versions before 5.6.31 that allows attackers to crash the PHP interpreter by exploiting an invalid free operation during the WDDX deserialization process.

The Impact of CVE-2017-11143

The vulnerability could be exploited by injecting XML to trigger an invalid free operation, resulting in a potential crash of the PHP interpreter.

Technical Details of CVE-2017-11143

Vulnerability Description

The issue is an invalid free operation in ext/wddx/wddx.c that occurs when the WDDX deserializer processes an empty boolean element.

Affected Systems and Versions

        Product: PHP
        Vendor: N/A
        Versions affected: PHP versions prior to 5.6.31

Exploitation Mechanism

Attackers can exploit this vulnerability by injecting malicious XML to trigger the invalid free operation, causing a crash in the PHP interpreter.

Mitigation and Prevention

Immediate Steps to Take

        Update PHP to version 5.6.31 or newer to mitigate the vulnerability.
        Monitor official PHP security advisories for patches and updates.

Long-Term Security Practices

        Regularly update PHP and other software to the latest versions.
        Implement secure coding practices to prevent injection attacks.
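
An added example, not part of the original advisory or of PHP itself: a heuristic Python audit that lists every wddx_deserialize() call in PHP source and marks the ones fed from request data, which is the "able to inject XML for deserialization" condition described above. The function name audit_wddx_calls, the list of request sources and the sample source are assumptions constructed for illustration.

```python
import re

# wddx_deserialize() is PHP's entry point for WDDX deserialization.
CALL = re.compile(r"\bwddx_deserialize\s*\(", re.IGNORECASE)
# Request-controlled sources: superglobals and the raw request body.
TAINT = re.compile(
    r"\$_(?:GET|POST|COOKIE|REQUEST|FILES|SERVER)\b|php://input|\$HTTP_RAW_POST_DATA\b")
ASSIGN = re.compile(r"(\$[A-Za-z_]\w*)\s*=(?![=>])\s*(.+)")
VARS = re.compile(r"\$[A-Za-z_]\w*")
COMMENT = re.compile(r"(?<!:)//.*")  # keeps "php://" and "http://" intact


def audit_wddx_calls(php_source):
    """Return (line_no, severity, code) for each wddx_deserialize() call.

    "HIGH": the argument is request data, directly or through a variable
    assigned from request data earlier in the file. "REVIEW": source unknown.
    Line-based heuristic, not a full data-flow analysis.
    """
    tainted, findings = set(), []

    def is_tainted(expr):
        return bool(TAINT.search(expr)) or any(v in tainted for v in VARS.findall(expr))

    for no, line in enumerate(php_source.splitlines(), 1):
        code = COMMENT.sub("", line).strip()
        assign = ASSIGN.search(code)
        if assign:  # propagate or clear taint on simple assignments
            var, rhs = assign.groups()
            (tainted.add if is_tainted(rhs) else tainted.discard)(var)
        call = CALL.search(code)
        if call:
            severity = "HIGH" if is_tainted(code[call.end():]) else "REVIEW"
            findings.append((no, severity, code))
    return findings


# Constructed sample source for illustration; not taken from any real project.
SAMPLE = '''<?php
$xml = file_get_contents("php://input");   // request body
$prefs = wddx_deserialize($xml);
$cfg = wddx_deserialize(file_get_contents(__DIR__ . "/defaults.wddx"));
$c = wddx_deserialize($_COOKIE["state"]);
// wddx_deserialize($_GET["old"]);
'''

if __name__ == "__main__":
    for no, severity, code in audit_wddx_calls(SAMPLE):
        print(f"line {no}: {severity}: {code}")
```

Call sites marked HIGH are the ones to prioritise when scheduling the upgrade; REVIEW entries still need a manual check of where their input originates.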

Patching and Updates

        Apply patches provided by PHP to address the vulnerability.
