The Open Source Technology Improvement Fund (OSTIF) is proud to share the results of our security audit of PHP, specifically the open source implementation of the interpreter for the PHP scripting language, which is widely used for web development. As a result of this collaboration between OSTIF, Quarkslab, and The PHP Foundation, PHP was able to harden and improve its security ahead of the 8.4 release.
Audit Process:
The audit work took place over almost two months in 2024. The auditing team at Quarkslab opened lines of communication with the PHP maintainers to first perform discovery and research on the project, which included developing a threat model used to guide and outline the security audit. This threat model is distinct from The PHP Foundation's own threat model; Quarkslab's auditing threat model is available to read in the audit report. The audit team then moved on to manual code review, code tooling review, dynamic testing, and a cryptography review of the code base in scope. The audit report outlines 11 code review tasks included in the audit scope, an additional 3 tasks requested by the PHP team, and a further 5 cryptographic tasks. Everything the audit team performed or excluded in this engagement is documented in the audit report, since the time-boxed nature of the work meant that certain tasks were prioritized or de-prioritized as the audit progressed.
Audit Results:
- 27 Findings Reported
- 17 Findings with Security Impact
- 2 High Severity, 6 Medium Severity, 9 Low Severity
- 10 Informational Findings
- 4 CVEs
- Recommendations for Future Security Work
- Recommendations for Future SAST and Fuzzing Efforts
- New fuzzing harness for fpm_stdio_parent_use_pipes(struct fpm_child_s *child)
Quarkslab remarks in the audit report that, overall, the PHP-SRC project has good code quality and well-implemented specifications. The reported audit findings have been resolved by the PHP team, so users of the project should run the most recently available version of PHP-SRC to benefit from this work by both Quarkslab and the maintainers.
Thank you to the individuals and groups that made this engagement possible:
- The PHP Foundation team and PHP maintainers, especially: Roman Pronskiy, Jakub Zelenka, Arnaud Le Blanc, Niels Dossche, Ilija Tovilo, Stas Malyshev, Dmitry Stogov, and Derick Rethans
- Quarkslab team: Angèle Bossuat, Julio Loayza Meneses, Mihail Kirov, Sebastien Rolland, Ramtine Tofighi Shirazi
- The Sovereign Tech Agency
You can read the Audit Report HERE
You can read PHP’s Blog HERE
You can read Quarkslab’s Blog HERE
Everyone around the world depends on open source software. If you’re interested in financially supporting this critical work, contact [email protected].