Welcome to the Patchstack Weekly Security Update, Episode 47! This update is for week 45 of 2022.
This week's knowledge share is about the PHP world's smallest security bug. I say smallest because it is one character long. You may wonder, how could one character cause so much chaos? Stick around for this week's knowledge share where I will be talking about type juggling in PHP.
I will then cover a handful of vulnerabilities in one plugin and discuss the upcoming PHP end-of-life in this week's vulnerability roundup.
I don't know how to juggle, but PHP is really good at type juggling. What is type juggling? Unlike my failed attempts to learn a circus trick, PHP inherently knows how to juggle different types of variables without the need to explicitly declare the type in code.
What this means is, a variable named $variable can be an integer
$variable = 1;
or a string
$variable = "one";
or an array
$variable = array(1, 2, 3);
or a boolean
$variable = TRUE;
Or many other types without the pesky need to declare the variable's type (e.g. type casting)
The convenience of type juggling can cause some unexpected behavior though - especially when you are comparing two variables of different types using common comparison operators.
Comparison operators are universal in programming languages. When you need to compare if two things are equal
==, not equal
!=, lesser than
< or greater than
> you will use the appropriate comparison operator.
PHP has two additional comparison operators called Identical and not identical operators. Using the triple equals
!== operators. With these identical comparison operators, PHP will not do type juggling and only return true of both variables are of the same type and have the same value.
Some code-based examples may help explain this better.
If I have a variable named $foo of type boolean, set to true.
php > $foo = true; php > var_dump($foo); bool(true)
Then have a variable named $bar, of type string, set to "true" too.
php > $bar = "true"; php > var_dump($bar); string(4) "true"
How should they compare? We see that using the traditional equal comparison operator
== returns true or that $foo and $bar are equal. This is because type juggling occurs. But if we use the Identical or triple equal operator
=== then $foo is not equal to $bar because the string "true" is not the same as the boolean true.
php > var_dump($foo == $bar); bool(true) php > var_dump($foo === $bar); bool(false)
Some other odd behavior the traditional double equal operator can cause is that all strings not starting with a number will equal 0 when compared to an integer, and strings that start with a number will be treated as an integer of the value of the number they start with.
php > var_dump("one" == 1); bool(false) php > var_dump("1one" == 1); bool(true) php > var_dump("1one" === 1); bool(false) php > var_dump("1" == 1); bool(true) php > var_dump("1" === 1); bool(false)
php > var_dump("1zero" == 0); bool(false) php > var_dump("zero" == 0); bool(true) php > var_dump("0" == 0); bool(true) php > var_dump("zero" === 0); bool(false) php > var_dump("0" === 0); bool(false)
The list of unexpected behavior type juggling can cause goes on and on and serves as a good reminder to always remember to use the non-Type juggling Identical
=== operator when comparing two values in PHP.
This is not a vulnerability, but a public service announcement. PHP 7.4 will be "end of life"'d or EOL'd on November 28th, 2022. This is just a few short weeks away, but you still have time to get your sites tested and upgraded to PHP 8.0 or higher.
You should be planning to update not only for performance and other improvements but also so you can be assured your web server continues to receive updates, including security updates for your PHP software.
The WatchTowerHQ plugin developers patched two security bugs in their plugin recently. Both bugs were due to type juggling in PHP and were patched by using the stricter Identical === operator. Users of this plugin should verify that their sites are updated as soon as possible. The problem of unauthenticated users being able to download and/or delete arbitrary files is significant.
This week's thanks goes out to the developers of WatchTowerHQ Great job addressing those security bugs in your project recently. If you haven't heard of WatchTowerHQ, you may want to check it out. This plugin looks like it provides a ton of useful automation features for managing WordPress websites. It has less than 1000 installations, so it may be a hidden gem of a WordPress plugin you will want to check out sooner than later.
A special thank you to the PHP project. PHP is open source, and the language WordPress is built on. The PHP project leaders do a great job communicating security releases and providing timelines for how long each version of PHP will be supported. Commonly each version is supported for 1 year, then given an additional 1 year of security fixes only. This is more than enough time for the developers of PHP based projects to test and update their code. Allowing end users of those projects to enjoy the performance and security improvements PHP provides.
I will be back next week with more security tips, tricks, opinions and news on the Patchstack Weekly Security Update!