D7 site => PHP 7.3.16 Vulnerability reported CVE-2020-7067

immba28

Hi All,

We have recently received a security vulnerability report for our Drupal 7.69 site running with PHP version 7.3.16. The recommended fix is available in PHP 7.3.17. And I believe the scan always goes through the PHP version only. So, I am looking for a procedure to validate this security issue, whether it's applicable to our site or not. I have gone through modules and performed a search through PHP files to see whether this urldecode() function is enabled/being used.

It is more related to PHP compiled with EBCDIC support. Not sure how to validate this.

Looking for your inputs on this, to proceed further.

-------------------------------------------------------------------------------------------------------------------------------------

CVE-2020-7067: OOB Read in urldecode().

If PHP is compiled with EBCDIC support (uncommon), the urldecode() function can be made to access locations past the allocated memory, due to erroneously using signed numbers as array indexes.

------------------------------------------------------------------------------------------------------------------------------------

Thanks,

Imran
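Added example, not part of the original thread or of Imran's post: a defender-side script that checks the two conditions the advisory names (an EBCDIC build and a version below 7.3.17 on the 7.3 branch) rather than grepping modules for urldecode() calls. It assumes php is on PATH and that ord('A') returns 193 (0xC1) on an EBCDIC build and 65 on an ASCII build, which this example uses as a probe of the compiled character set.

```shell
#!/bin/sh
# Added example: decide whether CVE-2020-7067 can apply to a PHP build.
# Per the advisory both must hold:
#   1. PHP was built with EBCDIC support, and
#   2. the version predates the fix (7.3.17 on the 7.3 branch named in the post).
# Assumption of this example: ord('A') is 193 (0xC1) on an EBCDIC build and
# 65 on an ASCII build, so it serves as a cheap probe of the compiled charset.

# version_lt A B: exit 0 when dotted version A is numerically lower than B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# cve_2020_7067_applies VERSION ORD_OF_A
# exit 0 = affected, 1 = not affected, 2 = branch not covered by this check
cve_2020_7067_applies() {
    ver=${1%%[!0-9.]*}   # drop distro suffixes such as "-1+ubuntu"
    ord_a=$2
    # An ASCII build never compiles the EBCDIC-only path, whatever the version.
    [ "$ord_a" -eq 193 ] || return 1
    case "$ver" in
        7.3.*) if version_lt "$ver" 7.3.17; then return 0; else return 1; fi ;;
        *) return 2 ;;
    esac
}

# Read both facts from the local interpreter (php must be on PATH).
probe_local_php() {
    ver=$(php -r 'echo PHP_VERSION;') || return 2
    ord_a=$(php -r 'echo ord("A");') || return 2
    rc=0
    cve_2020_7067_applies "$ver" "$ord_a" || rc=$?
    case $rc in
        0) echo "PHP $ver: EBCDIC build below 7.3.17, CVE-2020-7067 applies; upgrade" ;;
        1) echo "PHP $ver (ord('A')=$ord_a): CVE-2020-7067 does not apply" ;;
        *) echo "PHP $ver: not a 7.3.x build; check the changelog for your branch" ;;
    esac
}

if command -v php >/dev/null 2>&1; then probe_local_php; fi
```

Run it on the portal host itself (the scanner only sees the version banner, so it cannot tell an ASCII build from an EBCDIC one); an ASCII build reports "does not apply" even at 7.3.16.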

Accepted solution

Hi Imran,

PHP 7.0.32 is the only Apigee supported version for developer portals (see https://docs.apigee.com/release/supported-software#apigeedeveloperportaldrupal)

However, if your portal is successfully running on PHP 7.3.x, a minor version update should not have an impact on your portal. Please first run this upgrade and test on a non-production instance of your portal to ensure your site still functions as expected.
