[ZendTo] Re: Question related to version of PHP in CentOS VM's

Sergio Rabellino rabellino at di.unito.it
Thu Aug 19 00:07:39 BST 2010


I've been running PHP web sites for 10 years, and I've never had a successful 
attack on PHP itself, but only on bad (PHP) programmers.
I think that Nessus is very conservative in its results, but not every 
buffer overflow can lead to a breach in your system.
What programming language/environment do you believe is invulnerable? 
Tomcat/Java or whatever? :-)

regards.

Duncan, Brian M. wrote:
> I've always shied away from using PHP with Apache on externally facing 
> web sites in the past due to always seeing a constant flow of new 
> vulnerabilities.
>  
> Does anyone know if the version of PHP that is current according to 
> CentOS is safe?
>  
> I ran a Nessus scan against my ZendTo box and it is listing 6 
> "HIGH" security risks so far that are supposedly tied to the PHP version.  
> I just noticed they all refer so far to using PHP 5.2.5 or later.  Not 
> sure if any of these are false positives yet.
>  
>  
> Here is some of the Nessus "HIGH" security scan listed output for any 
> interested:
>  
>  
>  
> PHP < 5.2.5 Multiple Vulnerabilities
>
> *Synopsis:*
> The remote web server uses a version of PHP that is affected by 
> multiple flaws.
>
> *Description:*
> According to its banner, the version of PHP installed on the remote 
> host is older than 5.2.5. Such versions may be affected by various 
> issues, including but not limited to several buffer overflows.
>
> *Risk factor:*
> High
>
> *CVSS Base Score:*7.5
> CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
>
> *See also:*
> http://www.php.net/releases/5_2_5.php
>
> *Solution:*
> Upgrade to PHP version 5.2.5 or later.
>
> *Plugin output:*
> PHP version 5.1.6 appears to be running on the remote host based on 
> the following X-Powered-By response header : X-Powered-By: PHP/5.1.6
>
> *Plugin ID:*
> 28181 <http://www.nessus.org/plugins/index.php?view=single&id=28181>
>
> *CVE: *
> CVE-2007-4887, CVE-2007-5898, CVE-2007-5900
>
> *BID: *
> 26403 <http://www.securityfocus.com/bid/26403>
>
> *Other references: *
> OSVDB:38680, OSVDB:38681, OSVDB:38682, OSVDB:38683, OSVDB:38684, 
> OSVDB:38685
>
> PHP < 5.2.1 Multiple Vulnerabilities
>
> *Synopsis:*
> The remote web server uses a version of PHP that is affected by 
> multiple flaws.
>
> *Description:*
> According to its banner, the version of PHP installed on the remote 
> host is older than 5.2.1. Such versions may be affected by several 
> issues, including buffer overflows, format string vulnerabilities, 
> arbitrary code execution, 'safe_mode' and 'open_basedir' bypasses, and 
> clobbering of super-globals.
>
> *Risk factor:*
> High
>
> *CVSS Base Score:*7.5
> CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
>
> *See also:*
> http://www.php.net/releases/5_2_1.php
>
> *Solution:*
> Upgrade to PHP version 5.2.1 or later.
>
> *Plugin output:*
> PHP version 5.1.6 appears to be running on the remote host based on 
> the following X-Powered-By response header : X-Powered-By: PHP/5.1.6
>
> *Plugin ID:*
> 24907 <http://www.nessus.org/plugins/index.php?view=single&id=24907>
>
> *CVE: *
> CVE-2006-6383, CVE-2007-0905, CVE-2007-0906, CVE-2007-0907, 
> CVE-2007-0908, CVE-2007-0909, CVE-2007-0910, CVE-2007-1376, 
> CVE-2007-1380, CVE-2007-1453, CVE-2007-1700, CVE-2007-1701, 
> CVE-2007-1824, CVE-2007-1825, CVE-2007-1884, CVE-2007-1885, 
> CVE-2007-1886, CVE-2007-1887, CVE-2007-1890
>
> *BID: *
> 21508 <http://www.securityfocus.com/bid/21508>, 22496 
> <http://www.securityfocus.com/bid/22496>, 22805 
> <http://www.securityfocus.com/bid/22805>, 22806 
> <http://www.securityfocus.com/bid/22806>, 22862 
> <http://www.securityfocus.com/bid/22862>, 22922 
> <http://www.securityfocus.com/bid/22922>, 23119 
> <http://www.securityfocus.com/bid/23119>, 23120 
> <http://www.securityfocus.com/bid/23120>, 23219 
> <http://www.securityfocus.com/bid/23219>, 23233 
> <http://www.securityfocus.com/bid/23233>, 23234 
> <http://www.securityfocus.com/bid/23234>, 23235 
> <http://www.securityfocus.com/bid/23235>, 23236 
> <http://www.securityfocus.com/bid/23236>, 23237 
> <http://www.securityfocus.com/bid/23237>, 23238 
> <http://www.securityfocus.com/bid/23238>
>
> *Other references: *
> OSVDB:32763, OSVDB:32764, OSVDB:32765, OSVDB:32766, OSVDB:32767, 
> OSVDB:32768, OSVDB:32776, OSVDB:32781, OSVDB:33269, OSVDB:33933, 
> OSVDB:33944, OSVDB:33945, OSVDB:33955, OSVDB:33957, OSVDB:33958, 
> OSVDB:33959, OSVDB:33960, OSVDB:34767
>
> PHP < 5.2.4 Multiple Vulnerabilities
>
> *Synopsis:*
> The remote web server uses a version of PHP that is affected by 
> multiple flaws.
>
> *Description:*
> According to its banner, the version of PHP installed on the remote 
> host is older than 5.2.4. Such versions may be affected by various 
> issues, including but not limited to several overflows.
>
> *Risk factor:*
> High
>
> *CVSS Base Score:*7.5
> CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
>
> *See also:*
> http://www.php.net/releases/5_2_4.php
>
> *Solution:*
> Upgrade to PHP version 5.2.4 or later.
>
> *Plugin output:*
> PHP version 5.1.6 appears to be running on the remote host based on 
> the following X-Powered-By response header : X-Powered-By: PHP/5.1.6
>
> *Plugin ID:*
> 25971 <http://www.nessus.org/plugins/index.php?view=single&id=25971>
>
> *CVE: *
> CVE-2007-2872, CVE-2007-3378, CVE-2007-3806
>
> *BID: *
> 24661 <http://www.securityfocus.com/bid/24661>, 24261 
> <http://www.securityfocus.com/bid/24261>, 24922 
> <http://www.securityfocus.com/bid/24922>, 25498 
> <http://www.securityfocus.com/bid/25498>
>
> *Other references: *
> OSVDB:36083, OSVDB:36085, OSVDB:36869
>
> PHP < 5.2 Multiple Vulnerabilities
>
> *Synopsis:*
> The remote web server uses a version of PHP that is affected by 
> multiple buffer overflows.
>
> *Description:*
> According to its banner, the version of PHP installed on the remote 
> host is older than 5.2. Such versions may be affected by several 
> buffer overflows. To exploit these issues, an attacker would need the 
> ability to upload an arbitrary PHP script on the remote server, or to 
> be able to manipulate several variables processed by some PHP 
> functions such as htmlentities().
>
> *Risk factor:*
> High
>
> *CVSS Base Score:*7.5
> CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
>
> *See also:*
> http://www.php.net/releases/5_2_0.php
>
> *Solution:*
> Upgrade to PHP version 5.2.0 or later.
>
> *Plugin output:*
> PHP version 5.1.6 appears to be running on the remote host based on 
> the following X-Powered-By response header : X-Powered-By: PHP/5.1.6
>
> *Plugin ID:*
> 31649 <http://www.nessus.org/plugins/index.php?view=single&id=31649>
>
> *CVE: *
> CVE-2006-5465
>
> *BID: *
> 20879 <http://www.securityfocus.com/bid/20879>
>
> *Other references: *
> OSVDB:30178, OSVDB:30179
>
> PHP 5 < 5.2.7 Multiple Vulnerabilities
>
> *Synopsis:*
> The remote web server uses a version of PHP that is affected by 
> multiple flaws.
>
> *Description:*
> According to its banner, the version of PHP installed on the remote 
> host is older than 5.2.7. Such versions may be affected by several 
> security issues : - File truncation can occur when calling 
> 'dba_replace()' with an invalid argument. - There is a buffer overflow 
> in the bundled PCRE library fixed by 7.8. (CVE-2008-2371) - A buffer 
> overflow in the 'imageloadfont()' function in 'ext/gd/gd.c' can be 
> triggered when a specially crafted font is given. (CVE-2008-3658) - 
> There is a buffer overflow in PHP's internal function 'memnstr()', 
> which is exposed to userspace as 'explode()'. (CVE-2008-3659) - When 
> used as a FastCGI module, PHP segfaults when opening a file whose name 
> contains two dots (eg, 'file..php'). (CVE-2008-3660) - Multiple 
> directory traversal vulnerabilities in functions such as 
> 'posix_access()', 'chdir()', 'ftok()' may allow a remote attacker to 
> bypass 'safe_mode' restrictions. (CVE-2008-2665 and CVE-2008-2666). - 
> A buffer overflow may be triggered when processing long message 
> headers in 'php_imap.c' due to use of an obsolete API call. 
> (CVE-2008-2829) - A heap-based buffer overflow may be triggered via a 
> call to 'mb_check_encoding()', part of the 'mbstring' extension. 
> (CVE-2008-5557) - Missing initialization of 'BG(page_uid)' and 
> 'BG(page_gid)' when PHP is used as an Apache module may allow for 
> bypassing security restriction due to SAPI 'php_getuid()' overloading. 
> (CVE-2008-5624) - Incorrect 'php_value' order for Apache configuration 
> may allow bypassing PHP's 'safe_mode' setting. (CVE-2008-5625) - The 
> ZipArchive:extractTo() method in the ZipArchive extension fails to 
> filter directory traversal sequences from file names. (CVE-2008-5658)
>
> *Risk factor:*
> High
>
> *CVSS Base Score:*7.5
> CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
>
> *See also:*
> http://securityreason.com/achievement_securityalert/57
>
> *See also:*
> http://securityreason.com/achievement_securityalert/58
>
> *See also:*
> http://securityreason.com/achievement_securityalert/59
>
> *See also:*
> http://www.sektioneins.de/advisories/SE-2008-06.txt
>
> *See also:*
> http://archives.neohapsis.com/archives/fulldisclosure/2008-06/0238.html
>
> *See also:*
> http://archives.neohapsis.com/archives/fulldisclosure/2008-06/0239.html
>
> *See also:*
> http://www.openwall.com/lists/oss-security/2008/08/08/2
>
> *See also:*
> http://www.openwall.com/lists/oss-security/2008/08/13/8
>
> *See also:*
> http://archives.neohapsis.com/archives/fulldisclosure/2008-11/0433.html
>
> *See also:*
> http://archives.neohapsis.com/archives/fulldisclosure/2008-12/0089.html
>
> *See also:*
> http://bugs.php.net/bug.php?id=42862
>
> *See also:*
> http://bugs.php.net/bug.php?id=45151
>
> *See also:*
> http://bugs.php.net/bug.php?id=45722
>
> *See also:*
> http://www.php.net/releases/5_2_7.php
>
> *See also:*
> http://www.php.net/ChageLog-5.php#5.2.7
>
> *Solution:*
> Upgrade to PHP version 5.2.8 or later. Note that 5.2.7 was been 
> removed from distribution because of a regression in that version that 
> results in the 'magic_quotes_gpc' setting remaining off even if it was 
> set to on.
>
> *Plugin output:*
> PHP version 5.1.6 appears to be running on the remote host based on 
> the following X-Powered-By response header : X-Powered-By: PHP/5.1.6
>
> *Plugin ID:*
> 35043 <http://www.nessus.org/plugins/index.php?view=single&id=35043>
>
> *CVE: *
> CVE-2008-2371, CVE-2008-2665, CVE-2008-2666, CVE-2008-2829, 
> CVE-2008-3658, CVE-2008-3659, CVE-2008-3660, CVE-2008-5557, 
> CVE-2008-5624, CVE-2008-5625, CVE-2008-5658
>
> *BID: *
> 29796 <http://www.securityfocus.com/bid/29796>, 29797 
> <http://www.securityfocus.com/bid/29797>, 29829 
> <http://www.securityfocus.com/bid/29829>, 30087 
> <http://www.securityfocus.com/bid/30087>, 30649 
> <http://www.securityfocus.com/bid/30649>, 31612 
> <http://www.securityfocus.com/bid/31612>, 32383 
> <http://www.securityfocus.com/bid/32383>, 32625 
> <http://www.securityfocus.com/bid/32625>, 32688 
> <http://www.securityfocus.com/bid/32688>, 32948 
> <http://www.securityfocus.com/bid/32948>
>
> *Other references: *
> OSVDB:46584, OSVDB:46638, OSVDB:46639, OSVDB:46641, OSVDB:46690, 
> OSVDB:47796, OSVDB:47797, OSVDB:47798, OSVDB:50480, OSVDB:51477, 
> OSVDB:52205, OSVDB:52206, OSVDB:52207
>
> PHP < 5.2.6 Multiple Vulnerabilities
>
> *Synopsis:*
> The remote web server uses a version of PHP that is affected by 
> multiple flaws.
>
> *Description:*
> According to its banner, the version of PHP installed on the remote 
> host is older than 5.2.6. Such versions may be affected by the 
> following issues : - A stack buffer overflow in FastCGI SAPI. - An 
> integer overflow in printf(). - An security issue arising from 
> improper calculation of the length of PATH_TRANSLATED in cgi_main.c. - 
> A safe_mode bypass in cURL. - Incomplete handling of multibyte chars 
> inside escapeshellcmd(). - Issues in the bundled PCRE fixed by version 
> 7.6.
>
> *Risk factor:*
> High
>
> *CVSS Base Score:*7.5
> CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
>
> *See also:*
> http://archives.neohapsis.com/archives/bugtraq/2008-03/0321.html
>
> *See also:*
> http://archives.neohapsis.com/archives/fulldisclosure/2008-05/0103.html
>
> *See also:*
> http://archives.neohapsis.com/archives/fulldisclosure/2008-05/0107.html
>
> *See also:*
> http://www.php.net/releases/5_2_6.php
>
> *Solution:*
> Upgrade to PHP version 5.2.6 or later.
>
> *Plugin output:*
> PHP version 5.1.6 appears to be running on the remote host based on 
> the following X-Powered-By response header : X-Powered-By: PHP/5.1.6
>
> *Plugin ID:*
> 32123 <http://www.nessus.org/plugins/index.php?view=single&id=32123>
>
> *CVE: *
> CVE-2007-4850, CVE-2008-0599, CVE-2008-1384, CVE-2008-2050, CVE-2008-2051
>
> *BID: *
> 27413 <http://www.securityfocus.com/bid/27413>, 28392 
> <http://www.securityfocus.com/bid/28392>, 29009 
> <http://www.securityfocus.com/bid/29009>
>
> *Other references: *
> OSVDB:43219, OSVDB:44057, OSVDB:44906, OSVDB:44907, OSVDB:44908, 
> Secunia:30048
>
>  
>
> BRIAN M. DUNCAN
> Data Security Administrator
> Katten Muchin Rosenman LLP
> 525 W. Monroe Street / Chicago, IL 60661-3693
> p / (312) 577-8045 f / (312) 577-4490
> brian.duncan at kattenlaw.com / www.kattenlaw.com
>

-- 
Ing. Sergio Rabellino

Università degli Studi di Torino
Dipartimento di Informatica
ICT Services Director
Tel +39-0116706701  Fax +39-011751603
C.so Svizzera , 185 - 10149 - Torino

<http://www.di.unito.it>
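The six findings quoted in the thread all fire for the same reason: the plugins compare the version string in the X-Powered-By header against a fixed threshold. The script below is an added example, written for this archive page and not part of the thread, of Nessus or of ZendTo; it reproduces that banner comparison and then does the check a defender actually needs, which is to look the reported CVE ids up in the installed package's changelog (the format `rpm -q --changelog php` prints), because CentOS and RHEL backport security fixes without bumping the upstream version number. The header dictionary and the changelog text are constructed samples: the packager name, dates and release number are placeholders, while the CVE ids and plugin titles are the ones reported in the scan above.

```python
"""Triage banner-based scanner findings against a package changelog.

Added example for the ZendTo thread, not code from the thread, from
Nessus or from ZendTo. SAMPLE_HEADERS and SAMPLE_CHANGELOG are constructed.
"""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Plugin titles and upgrade thresholds as quoted in the scan output.
PLUGIN_THRESHOLDS: Dict[str, str] = {
    "PHP < 5.2 Multiple Vulnerabilities": "5.2.0",
    "PHP < 5.2.1 Multiple Vulnerabilities": "5.2.1",
    "PHP < 5.2.4 Multiple Vulnerabilities": "5.2.4",
    "PHP < 5.2.5 Multiple Vulnerabilities": "5.2.5",
    "PHP < 5.2.6 Multiple Vulnerabilities": "5.2.6",
    # the plugin's solution says 5.2.8 because 5.2.7 was withdrawn
    "PHP 5 < 5.2.7 Multiple Vulnerabilities": "5.2.8",
}

# Constructed sample: the response header the scanner keyed on.
SAMPLE_HEADERS: Dict[str, str] = {"Server": "Apache", "X-Powered-By": "PHP/5.1.6"}

# Constructed sample in `rpm -q --changelog php` format. Packager, dates
# and release number are placeholders; the CVE ids are those the scan
# attributed to plugin 28181.
SAMPLE_CHANGELOG = """\
* Mon Jan 01 2008 Example Packager <packager@example.com> 5.1.6-99.el5
- add security fixes for CVE-2007-4887, CVE-2007-5898, CVE-2007-5900
* Mon Jan 01 2007 Example Packager <packager@example.com> 5.1.6-98.el5
- rebuild
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def version_tuple(s: str) -> Tuple[int, ...]:
    """'5.2' -> (5, 2, 0) so that comparisons do not depend on length."""
    parts = tuple(int(p) for p in s.split("."))
    return parts + (0,) * (3 - len(parts))


def parse_powered_by(headers: Dict[str, str]) -> Optional[Tuple[int, ...]]:
    """Return the PHP version advertised in X-Powered-By, or None if absent.

    Header names are compared case-insensitively, as HTTP requires.
    """
    for name, value in headers.items():
        if name.lower() == "x-powered-by":
            m = re.search(r"PHP/(\d+(?:\.\d+)*)", value)
            if m:
                return version_tuple(m.group(1))
    return None


def banner_findings(version: Tuple[int, ...],
                    thresholds: Dict[str, str] = PLUGIN_THRESHOLDS) -> List[str]:
    """Reproduce the scanner's logic: every plugin whose threshold is above
    the advertised version fires, whether or not fixes were backported."""
    return sorted(name for name, thr in thresholds.items()
                  if version < version_tuple(thr))


def cves_in_changelog(changelog: str) -> Set[str]:
    """CVE ids the package changelog claims to have addressed."""
    return set(CVE_RE.findall(changelog))


def triage(reported: Iterable[str], changelog_cves: Set[str]) -> Tuple[List[str], List[str]]:
    """Split scanner-reported CVEs into (documented as fixed, still unverified)."""
    wanted = set(reported)
    fixed = wanted & changelog_cves
    return sorted(fixed), sorted(wanted - fixed)


if __name__ == "__main__":
    v = parse_powered_by(SAMPLE_HEADERS)
    print("banner version:", v)
    for name in banner_findings(v):
        print("  banner check fires:", name)
    reported = ["CVE-2007-4887", "CVE-2007-5898", "CVE-2007-5900", "CVE-2008-5658"]
    fixed, unverified = triage(reported, cves_in_changelog(SAMPLE_CHANGELOG))
    print("documented as fixed in package changelog:", fixed)
    print("still to verify against the vendor advisory:", unverified)
```

On a real host, replace SAMPLE_HEADERS with the headers of an HTTP response from the box and SAMPLE_CHANGELOG with the output of `rpm -q --changelog php`; any CVE that ends up in the unverified list is the one worth a ticket, while a CVE present in the changelog is a banner-only false positive of the kind Sergio describes. Setting `expose_php = Off` in php.ini stops PHP from sending the X-Powered-By header, which silences this class of finding but fixes nothing, so the changelog check is still the real answer.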
