PHP 7.2.34: Exploit GitHub

While PHP 7.2.34 patched several known flaws from previous 7.2 iterations, it remains susceptible to unpatched vulnerabilities discovered after November 2020. Additionally, it is frequently targeted in conjunction with web server misconfigurations or specific PHP extensions.

1. Remote Code Execution (RCE) via PHP-FPM (CVE-2019-11043)

This flaw affected the openssl_encrypt() function when using AES-CCM mode with a 12-byte Initialization Vector (IV). In these cases, PHP only utilized the first 7 bytes of the IV, significantly reducing the encryption strength and potentially compromising the integrity of encrypted data.
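A runtime can be checked for the IV truncation described above by encrypting the same message under two 12-byte IVs that share their first 7 bytes. This is an added example, not code from the original page or from the PHP project; the function name `ccm_iv_is_truncated` and every key, IV and plaintext value are constructed for illustration.

```php
<?php
// Added example: self-check for the AES-CCM IV truncation described above.
// Key, IVs and plaintext are constructed test values, not secrets.

function ccm_iv_is_truncated(): ?bool
{
    $cipher = 'aes-128-ccm';
    if (!in_array($cipher, openssl_get_cipher_methods(), true)) {
        return null; // CCM not offered by this OpenSSL build; nothing to test
    }

    $key       = str_repeat("\x11", 16);           // constructed 128-bit key
    $plaintext = 'ccm-iv-self-test';               // constructed message
    $prefix    = "\x00\x01\x02\x03\x04\x05\x06";   // shared first 7 bytes
    $ivA       = $prefix . "\xAA\xAA\xAA\xAA\xAA"; // 12-byte IV
    $ivB       = $prefix . "\xBB\xBB\xBB\xBB\xBB"; // differs only in bytes 8..12

    $tagA = $tagB = '';
    $ctA = openssl_encrypt($plaintext, $cipher, $key, OPENSSL_RAW_DATA, $ivA, $tagA);
    $ctB = openssl_encrypt($plaintext, $cipher, $key, OPENSSL_RAW_DATA, $ivB, $tagB);
    if ($ctA === false || $ctB === false) {
        return null; // encryption failed; result is inconclusive
    }

    // When all 12 bytes are used, distinct IVs give distinct ciphertext and tag.
    // Identical output means bytes 8..12 of the IV were ignored.
    return hash_equals($ctA . $tagA, $ctB . $tagB);
}

$result = ccm_iv_is_truncated();
if ($result === null) {
    echo "inconclusive: aes-128-ccm unavailable or encryption failed\n";
} elseif ($result) {
    echo "AFFECTED: IV bytes after the first 7 do not change the output\n";
    exit(1);
} else {
    echo "OK: the full 12-byte IV influences ciphertext and tag\n";
}
```

The non-zero exit status on an affected runtime lets the script act as a gate in a deployment or CI health check.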

A sophisticated technique documented on GitHub exploits an interesting PHP behavior: when a Local File Inclusion (LFI) vulnerability exists and a segmentation fault is triggered in PHP, the temporary files PHP creates are never deleted. An attacker can then search for and locate these files via the LFI to achieve arbitrary code execution. While PHP 7