Critical Vulnerabilities Found in PhpStorm, Immediate Update Advised

phpstorm-wp-feature

JetBrains announced today that it has released a security update for PhpStorm and all of its other IntelliJ-based IDEs due to a set of critical vulnerabilities:

The cross-site request forgery (CSRF) flaw in the IDE’s built-in webserver allowed an attacker to access local file system from a malicious web page without user consent.

Over-permissive CORS settings allowed attackers to use a malicious website in order to access various internal API endpoints, gain access to data saved by the IDE, and gather various meta-information like IDE version or open a project.

PhpStorm is by far the most favored IDE for PHP developers. It’s also widely used among WordPress developers, especially since version 8 added official support for WordPress.

The update issued today patches the critical vulnerabilities inside the underlying IntelliJ platform that powers nearly a dozen popular IDEs. Installing the update is as easy as selecting ‘Check for Updates’ inside the IDE. Alternatively, customers can download the most recent version from JetBrains.com and the security announcement includes links to download older versions.

Although the JetBrains security team is not aware of these vulnerabilities having been exploited, immediate update is recommended.

Would you like to write for WP Tavern? We are always accepting guest posts from the community and are looking for new contributors. Get in touch with us and let's discuss your ideas.

4 Comments


  1. Now there is weird bug, my PHPStorm started to remove newly created projects after upgraded to latest 2016.1.1

    Report


  2. where the bug present ?
    any bug public source code ?

    Report


  3. @hmatche – as Sarah quoted in her post, the security issues revolve around built-in web server and over permissive CORS settings which allowed unauthorized access to internal API endpoints. I don’t believe PHPStorm is open source so there likely isn’t any public source code to look at.

    Report


  4. JetBrains did a good job communicating with customers who registered and downloaded those affected tools. I don’t use PHPStorm, but I use PyCharm which is affected as well and I got an email one day before this post notifying me of the vulnerability.

    Report

Comments are closed.