Security
IMAP and RSH/SSH Connections
PHP’s imap extension relies on an outdated and unmaintained library. Code that still uses functions such as imap_open() that are provided by this extension should be migrated to libraries implemented in PHP that provide functionality related to IMAP, NNTP, POP3, or local mailboxes.
Back in 2018 it was discovered that the library used by the imap extension can execute shell commands via RSH or SSH. Of course, nobody should do this. But then again, nobody should pass an unsafe string from the HTTP request to a function such as imap_open().
If your code, for some obscure reason, relies on the fact that imap_open() can be used to execute shell commands then you need to configure imap.enable_insecure_rsh=1 as of PHP 7.3. By default, RSH/SSH logins are now disabled and executing shell commands using imap_open() will no longer work.
It should go without saying that configuring imap.enable_insecure_rsh=1 must only be a short-term solution. In the long run, you need to update your code to not rely on the imap extension anymore.
openssl_random_pseudo_bytes() Throws Exceptions
Random data is one of the most important prerequisites for cryptographic security. With the openssl extension installed, you can use the function openssl_random_pseudo_bytes() to generate a random sequence of bytes.
As of PHP 7.4, this function will throw an Error
exception when you ask for zero (or a negative number of) bytes:
openssl_random_pseudo_bytes(0);
PHP Fatal error: Uncaught Error: Length must be greater than 0 in ...
While using a fallback makes a lot of sense in many cases, using a cryptographically insecure source of randomness as a fallback when, for whatever reason, no suitable source of randomness is available is a very, very bad idea from a security point of view.
Thus, openssl_random_pseudo_bytes() will now throw an exception in that case, which is more obvious than setting a boolean flag that has been passed by reference as the second argument.
If you start seeing those errors or exceptions after upgrading to PHP 7, chances are that you have a problem with data confidentiality and/or weak encryption. Do not take this lightly, but make sure to fully investigate and properly fix the problem!
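A fail-closed way to call openssl_random_pseudo_bytes(), as an added example that is not part of the original text. The helper name generate_token_bytes() is hypothetical; it handles both the by-reference flag described above and the exceptions thrown as of PHP 7.4, and it never substitutes a weaker source of randomness.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not from the original text): returns $length random
 * bytes or throws. It never falls back to a weaker source such as mt_rand().
 */
function generate_token_bytes(int $length): string
{
    // PHP 7.4 raises an Error for a length of zero or less; reject it up
    // front so the behaviour is the same on older versions.
    if ($length < 1) {
        throw new InvalidArgumentException('Length must be greater than 0');
    }

    $strong = false;

    try {
        // As of PHP 7.4, failing to gather randomness throws here.
        $bytes = openssl_random_pseudo_bytes($length, $strong);
    } catch (Throwable $e) {
        // Propagate as a hard failure; do not retry with an insecure source.
        throw new RuntimeException('No secure source of randomness available', 0, $e);
    }

    // Before PHP 7.4, failure was signalled only through the return value
    // and the by-reference flag, so both are checked explicitly.
    if ($bytes === false || $strong !== true || strlen($bytes) !== $length) {
        throw new RuntimeException('No secure source of randomness available');
    }

    return $bytes;
}

// Usage: a 32-byte token, hex-encoded for transport.
echo bin2hex(generate_token_bytes(32)), PHP_EOL;

// A zero length is refused instead of silently yielding an empty token.
try {
    generate_token_bytes(0);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

Callers should let the RuntimeException abort the operation (session creation, key generation, password reset) rather than catch it and continue.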