Critical Vulnerabilities Found in PhpStorm, Immediate Update Advised


JetBrains announced today that it has released a security update for PhpStorm and all of its other IntelliJ-based IDEs due to a set of critical vulnerabilities:

A cross-site request forgery (CSRF) flaw in the IDE’s built-in web server allowed a malicious web page to access the local file system without the user’s consent.

Over-permissive CORS settings allowed a malicious website to reach various internal API endpoints, read data saved by the IDE, gather meta-information such as the IDE version, or open a project.

PhpStorm is by far the most favored IDE for PHP developers. It’s also widely used among WordPress developers, especially since version 8 added official support for WordPress.

The update issued today patches the critical vulnerabilities inside the underlying IntelliJ platform that powers nearly a dozen popular IDEs. Installing the update is as easy as selecting ‘Check for Updates’ inside the IDE. Alternatively, customers can download the most recent version from JetBrains.com and the security announcement includes links to download older versions.

Although the JetBrains security team is not aware of these vulnerabilities having been exploited, an immediate update is recommended.


4 responses to “Critical Vulnerabilities Found in PhpStorm, Immediate Update Advised”

  1. @hmatche – as Sarah quoted in her post, the security issues revolve around the built-in web server and over-permissive CORS settings which allowed unauthorized access to internal API endpoints. I don’t believe PHPStorm is open source so there likely isn’t any public source code to look at.

  2. JetBrains did a good job communicating with customers who registered and downloaded those affected tools. I don’t use PHPStorm, but I use PyCharm which is affected as well and I got an email one day before this post notifying me of the vulnerability.
