[ZendTo] Re: Question related to version of PHP in CentOS VM's
Sergio Rabellino
rabellino at di.unito.it
Thu Aug 19 19:32:28 BST 2010
Duncan, Brian M. ha scritto:
> My intent was not to create a discussion on how open to attack PHP is
> related to other products.
>
> Nesuus was obviously displaying high importance alerts based on the
> PHP banner version that was being returned when I still had expose=on
> in the php.ini.
>
> If you are saying that all the vulnerabilities that are present in the
> version that is installed can only be exploited with poorly coded PHP
> code, then I am not concerned if Jules is not ..
>
Nor i can assure that my code is clean of bug (who can ?) as a bunch of
lines was suggested by me to julian.
The nessus advice is a generic warning about php (i believe also that
5.1.6 it's too old) vulnerabilities, but not all the vulnerabilities are
exploitable by a remote attacker.
In the specific, looking at
http://www.nessus.org/plugins/index.php?view=single&id=28181
and browsing the 3 links about the vulnerabilities CVE* there are some
"unknown" cases for which ths can lead to a problem for an application
as zendto (CVE-2007-5898).
It's clear that upgrade of php it's the better solution for a risk
analysis perspective, but it's not an imperative indication.
The only response to your question is a in-deep check with formal
methods to assure that the system is correct.... Have you some billion
of years to wait for ?
>
>
> BRIAN M. DUNCAN
> Data Security Administrator
> Katten Muchin Rosenman LLP
> 525 W. Monroe Street / Chicago, IL 60661-3693
> p / (312) 577-8045 f / (312) 577-4490
> brian.duncan at kattenlaw.com / www.kattenlaw.com
>
>
>
>
> ------------------------------------------------------------------------
> *From:* zendto-bounces at zend.to [mailto:zendto-bounces at zend.to] *On
> Behalf Of *Sergio Rabellino
> *Sent:* Wednesday, August 18, 2010 6:08 PM
> *To:* zendto at zend.to
> *Subject:* [ZendTo] Re: Question related to version of PHP in CentOS VM's
>
> I'm running php web sites along 10 years, i'd never had a succesful
> attack to php itself, but only to bad (php) programmers.
> I think that nessus it's very conservative in its results, but not
> every buffer overflow can lead to a breach in your system.
> What programming language/environment you believe it's unfaceable ?
> Tomcat/Java or whatsoever ? :-)
>
> regards.
>
> Duncan, Brian M. ha scritto:
>> I've always shied away from using PHP with apache on externally
>> facing web sites in the past due to always seeing a constant flow of
>> new vulnerabilities.
>>
>> Does anyone know if the version of PHP that is current according to
>> CentOS safe?
>>
>> I ran a Nessus scan against my Zendto box and it is listing 6
>> "HIGH" security risks so far that are supposedly tied to PHP
>> version. I just noticed they all refer so far to using PHP 5.2.5 or
>> later. Not sure if any of these are false positives yet.
>>
>>
>> Here is some of the Nessus "HIGH" security scan listed output for any
>> interested:
>>
>>
>>
>> PHP < 5.2.5 Multiple Vulnerabilities
>>
>> *Synopsis:*
>> The remote web server uses a version of PHP that is affected by
>> multiple flaws.
>>
>> *Description:*
>> According to its banner, the version of PHP installed on the remote
>> host is older than 5.2.5. Such versions may be affected by various
>> issues, including but not limited to several buffer overflows.
>>
>> *Risk factor:*
>> High
>>
>> *CVSS Base Score:*7.5
>> CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
>>
>> *See also:*
>> http://www.php.net/releases/5_2_5.php
>>
>> *Solution:*
>> Upgrade to PHP version 5.2.5 or later.
>>
>> *Plugin output:*
>> PHP version 5.1.6 appears to be running on the remote host based on
>> the following X-Powered-By response header : X-Powered-By: PHP/5.1.6
>>
>> *Plugin ID:*
>> 28181 <http://www.nessus.org/plugins/index.php?view=single&id=28181>
>>
>> *CVE: *
>> CVE-2007-4887, CVE-2007-5898, CVE-2007-5900
>>
>> *BID: *
>> 26403 <http://www.securityfocus.com/bid/26403>
>>
>> *Other references: *
>> OSVDB:38680, OSVDB:38681, OSVDB:38682, OSVDB:38683, OSVDB:38684,
>> OSVDB:38685
>>
>> PHP < 5.2.1 Multiple Vulnerabilities
>>
>> *Synopsis:*
>> The remote web server uses a version of PHP that is affected by
>> multiple flaws.
>>
>> *Description:*
>> According to its banner, the version of PHP installed on the remote
>> host is older than 5.2.1. Such versions may be affected by several
>> issues, including buffer overflows, format string vulnerabilities,
>> arbitrary code execution, 'safe_mode' and 'open_basedir' bypasses,
>> and clobbering of super-globals.
>>
>> *Risk factor:*
>> High
>>
>> *CVSS Base Score:*7.5
>> CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
>>
>> *See also:*
>> http://www.php.net/releases/5_2_1.php
>>
>> *Solution:*
>> Upgrade to PHP version 5.2.1 or later.
>>
>> *Plugin output:*
>> PHP version 5.1.6 appears to be running on the remote host based on
>> the following X-Powered-By response header : X-Powered-By: PHP/5.1.6
>>
>> *Plugin ID:*
>> 24907 <http://www.nessus.org/plugins/index.php?view=single&id=24907>
>>
>> *CVE: *
>> CVE-2006-6383, CVE-2007-0905, CVE-2007-0906, CVE-2007-0907,
>> CVE-2007-0908, CVE-2007-0909, CVE-2007-0910, CVE-2007-1376,
>> CVE-2007-1380, CVE-2007-1453, CVE-2007-1700, CVE-2007-1701,
>> CVE-2007-1824, CVE-2007-1825, CVE-2007-1884, CVE-2007-1885,
>> CVE-2007-1886, CVE-2007-1887, CVE-2007-1890
>>
>> *BID: *
>> 21508 <http://www.securityfocus.com/bid/21508>, 22496
>> <http://www.securityfocus.com/bid/22496>, 22805
>> <http://www.securityfocus.com/bid/22805>, 22806
>> <http://www.securityfocus.com/bid/22806>, 22862
>> <http://www.securityfocus.com/bid/22862>, 22922
>> <http://www.securityfocus.com/bid/22922>, 23119
>> <http://www.securityfocus.com/bid/23119>, 23120
>> <http://www.securityfocus.com/bid/23120>, 23219
>> <http://www.securityfocus.com/bid/23219>, 23233
>> <http://www.securityfocus.com/bid/23233>, 23234
>> <http://www.securityfocus.com/bid/23234>, 23235
>> <http://www.securityfocus.com/bid/23235>, 23236
>> <http://www.securityfocus.com/bid/23236>, 23237
>> <http://www.securityfocus.com/bid/23237>, 23238
>> <http://www.securityfocus.com/bid/23238>
>>
>> *Other references: *
>> OSVDB:32763, OSVDB:32764, OSVDB:32765, OSVDB:32766, OSVDB:32767,
>> OSVDB:32768, OSVDB:32776, OSVDB:32781, OSVDB:33269, OSVDB:33933,
>> OSVDB:33944, OSVDB:33945, OSVDB:33955, OSVDB:33957, OSVDB:33958,
>> OSVDB:33959, OSVDB:33960, OSVDB:34767
>>
>> PHP < 5.2.4 Multiple Vulnerabilities
>>
>> *Synopsis:*
>> The remote web server uses a version of PHP that is affected by
>> multiple flaws.
>>
>> *Description:*
>> According to its banner, the version of PHP installed on the remote
>> host is older than 5.2.4. Such versions may be affected by various
>> issues, including but not limited to several overflows.
>>
>> *Risk factor:*
>> High
>>
>> *CVSS Base Score:*7.5
>> CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
>>
>> *See also:*
>> http://www.php.net/releases/5_2_4.php
>>
>> *Solution:*
>> Upgrade to PHP version 5.2.4 or later.
>>
>> *Plugin output:*
>> PHP version 5.1.6 appears to be running on the remote host based on
>> the following X-Powered-By response header : X-Powered-By: PHP/5.1.6
>>
>> *Plugin ID:*
>> 25971 <http://www.nessus.org/plugins/index.php?view=single&id=25971>
>>
>> *CVE: *
>> CVE-2007-2872, CVE-2007-3378, CVE-2007-3806
>>
>> *BID: *
>> 24661 <http://www.securityfocus.com/bid/24661>, 24261
>> <http://www.securityfocus.com/bid/24261>, 24922
>> <http://www.securityfocus.com/bid/24922>, 25498
>> <http://www.securityfocus.com/bid/25498>
>>
>> *Other references: *
>> OSVDB:36083, OSVDB:36085, OSVDB:36869
>>
>> PHP < 5.2 Multiple Vulnerabilities
>>
>> *Synopsis:*
>> The remote web server uses a version of PHP that is affected by
>> multiple buffer overflows.
>>
>> *Description:*
>> According to its banner, the version of PHP installed on the remote
>> host is older than 5.2. Such versions may be affected by several
>> buffer overflows. To exploit these issues, an attacker would need the
>> ability to upload an arbitrary PHP script on the remote server, or to
>> be able to manipulate several variables processed by some PHP
>> functions such as htmlentities().
>>
>> *Risk factor:*
>> High
>>
>> *CVSS Base Score:*7.5
>> CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
>>
>> *See also:*
>> http://www.php.net/releases/5_2_0.php
>>
>> *Solution:*
>> Upgrade to PHP version 5.2.0 or later.
>>
>> *Plugin output:*
>> PHP version 5.1.6 appears to be running on the remote host based on
>> the following X-Powered-By response header : X-Powered-By: PHP/5.1.6
>>
>> *Plugin ID:*
>> 31649 <http://www.nessus.org/plugins/index.php?view=single&id=31649>
>>
>> *CVE: *
>> CVE-2006-5465
>>
>> *BID: *
>> 20879 <http://www.securityfocus.com/bid/20879>
>>
>> *Other references: *
>> OSVDB:30178, OSVDB:30179
>>
>> PHP 5 < 5.2.7 Multiple Vulnerabilities
>>
>> *Synopsis:*
>> The remote web server uses a version of PHP that is affected by
>> multiple flaws.
>>
>> *Description:*
>> According to its banner, the version of PHP installed on the remote
>> host is older than 5.2.7. Such versions may be affected by several
>> security issues : - File truncation can occur when calling
>> 'dba_replace()' with an invalid argument. - There is a buffer
>> overflow in the bundled PCRE library fixed by 7.8. (CVE-2008-2371) -
>> A buffer overflow in the 'imageloadfont()' function in 'ext/gd/gd.c'
>> can be triggered when a specially crafted font is given.
>> (CVE-2008-3658) - There is a buffer overflow in PHP's internal
>> function 'memnstr()', which is exposed to userspace as 'explode()'.
>> (CVE-2008-3659) - When used as a FastCGI module, PHP segfaults when
>> opening a file whose name contains two dots (eg, 'file..php').
>> (CVE-2008-3660) - Multiple directory traversal vulnerabilities in
>> functions such as 'posix_access()', 'chdir()', 'ftok()' may allow a
>> remote attacker to bypass 'safe_mode' restrictions. (CVE-2008-2665
>> and CVE-2008-2666). - A buffer overflow may be triggered when
>> processing long message headers in 'php_imap.c' due to use of an
>> obsolete API call. (CVE-2008-2829) - A heap-based buffer overflow may
>> be triggered via a call to 'mb_check_encoding()', part of the
>> 'mbstring' extension. (CVE-2008-5557) - Missing initialization of
>> 'BG(page_uid)' and 'BG(page_gid)' when PHP is used as an Apache
>> module may allow for bypassing security restriction due to SAPI
>> 'php_getuid()' overloading. (CVE-2008-5624) - Incorrect 'php_value'
>> order for Apache configuration may allow bypassing PHP's 'safe_mode'
>> setting. (CVE-2008-5625) - The ZipArchive:extractTo() method in the
>> ZipArchive extension fails to filter directory traversal sequences
>> from file names. (CVE-2008-5658)
>>
>> *Risk factor:*
>> High
>>
>> *CVSS Base Score:*7.5
>> CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
>>
>> *See also:*
>> http://securityreason.com/achievement_securityalert/57
>>
>> *See also:*
>> http://securityreason.com/achievement_securityalert/58
>>
>> *See also:*
>> http://securityreason.com/achievement_securityalert/59
>>
>> *See also:*
>> http://www.sektioneins.de/advisories/SE-2008-06.txt
>>
>> *See also:*
>> http://archives.neohapsis.com/archives/fulldisclosure/2008-06/0238.html
>>
>> *See also:*
>> http://archives.neohapsis.com/archives/fulldisclosure/2008-06/0239.html
>>
>> *See also:*
>> http://www.openwall.com/lists/oss-security/2008/08/08/2
>>
>> *See also:*
>> http://www.openwall.com/lists/oss-security/2008/08/13/8
>>
>> *See also:*
>> http://archives.neohapsis.com/archives/fulldisclosure/2008-11/0433.html
>>
>> *See also:*
>> http://archives.neohapsis.com/archives/fulldisclosure/2008-12/0089.html
>>
>> *See also:*
>> http://bugs.php.net/bug.php?id=42862
>>
>> *See also:*
>> http://bugs.php.net/bug.php?id=45151
>>
>> *See also:*
>> http://bugs.php.net/bug.php?id=45722
>>
>> *See also:*
>> http://www.php.net/releases/5_2_7.php
>>
>> *See also:*
>> http://www.php.net/ChageLog-5.php#5.2.7
>>
>> *Solution:*
>> Upgrade to PHP version 5.2.8 or later. Note that 5.2.7 was been
>> removed from distribution because of a regression in that version
>> that results in the 'magic_quotes_gpc' setting remaining off even if
>> it was set to on.
>>
>> *Plugin output:*
>> PHP version 5.1.6 appears to be running on the remote host based on
>> the following X-Powered-By response header : X-Powered-By: PHP/5.1.6
>>
>> *Plugin ID:*
>> 35043 <http://www.nessus.org/plugins/index.php?view=single&id=35043>
>>
>> *CVE: *
>> CVE-2008-2371, CVE-2008-2665, CVE-2008-2666, CVE-2008-2829,
>> CVE-2008-3658, CVE-2008-3659, CVE-2008-3660, CVE-2008-5557,
>> CVE-2008-5624, CVE-2008-5625, CVE-2008-5658
>>
>> *BID: *
>> 29796 <http://www.securityfocus.com/bid/29796>, 29797
>> <http://www.securityfocus.com/bid/29797>, 29829
>> <http://www.securityfocus.com/bid/29829>, 30087
>> <http://www.securityfocus.com/bid/30087>, 30649
>> <http://www.securityfocus.com/bid/30649>, 31612
>> <http://www.securityfocus.com/bid/31612>, 32383
>> <http://www.securityfocus.com/bid/32383>, 32625
>> <http://www.securityfocus.com/bid/32625>, 32688
>> <http://www.securityfocus.com/bid/32688>, 32948
>> <http://www.securityfocus.com/bid/32948>
>>
>> *Other references: *
>> OSVDB:46584, OSVDB:46638, OSVDB:46639, OSVDB:46641, OSVDB:46690,
>> OSVDB:47796, OSVDB:47797, OSVDB:47798, OSVDB:50480, OSVDB:51477,
>> OSVDB:52205, OSVDB:52206, OSVDB:52207
>>
>> PHP < 5.2.6 Multiple Vulnerabilities
>>
>> *Synopsis:*
>> The remote web server uses a version of PHP that is affected by
>> multiple flaws.
>>
>> *Description:*
>> According to its banner, the version of PHP installed on the remote
>> host is older than 5.2.6. Such versions may be affected by the
>> following issues : - A stack buffer overflow in FastCGI SAPI. - An
>> integer overflow in printf(). - An security issue arising from
>> improper calculation of the length of PATH_TRANSLATED in cgi_main.c.
>> - A safe_mode bypass in cURL. - Incomplete handling of multibyte
>> chars inside escapeshellcmd(). - Issues in the bundled PCRE fixed by
>> version 7.6.
>>
>> *Risk factor:*
>> High
>>
>> *CVSS Base Score:*7.5
>> CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
>>
>> *See also:*
>> http://archives.neohapsis.com/archives/bugtraq/2008-03/0321.html
>>
>> *See also:*
>> http://archives.neohapsis.com/archives/fulldisclosure/2008-05/0103.html
>>
>> *See also:*
>> http://archives.neohapsis.com/archives/fulldisclosure/2008-05/0107.html
>>
>> *See also:*
>> http://www.php.net/releases/5_2_6.php
>>
>> *Solution:*
>> Upgrade to PHP version 5.2.6 or later.
>>
>> *Plugin output:*
>> PHP version 5.1.6 appears to be running on the remote host based on
>> the following X-Powered-By response header : X-Powered-By: PHP/5.1.6
>>
>> *Plugin ID:*
>> 32123 <http://www.nessus.org/plugins/index.php?view=single&id=32123>
>>
>> *CVE: *
>> CVE-2007-4850, CVE-2008-0599, CVE-2008-1384, CVE-2008-2050, CVE-2008-2051
>>
>> *BID: *
>> 27413 <http://www.securityfocus.com/bid/27413>, 28392
>> <http://www.securityfocus.com/bid/28392>, 29009
>> <http://www.securityfocus.com/bid/29009>
>>
>> *Other references: *
>> OSVDB:43219, OSVDB:44057, OSVDB:44906, OSVDB:44907, OSVDB:44908,
>> Secunia:30048
>>
>>
>>
>> BRIAN M. DUNCAN
>> Data Security Administrator
>> Katten Muchin Rosenman LLP
>> 525 W. Monroe Street / Chicago, IL 60661-3693
>> p / (312) 577-8045 f / (312) 577-4490
>> brian.duncan at kattenlaw.com / www.kattenlaw.com
>>
>>
>>
>> ===========================================================
>> CIRCULAR 230 DISCLOSURE: Pursuant to Regulations Governing Practice Before the Internal Revenue
>> Service, any tax advice contained herein is not intended or written to be used and cannot be used
>> by a taxpayer for the purpose of avoiding tax penalties that may be imposed on the taxpayer.
>> ===========================================================
>> CONFIDENTIALITY NOTICE:
>> This electronic mail message and any attached files contain information intended for the exclusive
>> use of the individual or entity to whom it is addressed and may contain information that is
>> proprietary, privileged, confidential and/or exempt from disclosure under applicable law. If you
>> are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or
>> distribution of this information may be subject to legal restriction or sanction. Please notify
>> the sender, by electronic mail or telephone, of any unintended recipients and delete the original
>> message without making any copies.
>> ===========================================================
>> NOTIFICATION: Katten Muchin Rosenman LLP is an Illinois limited liability partnership that has
>> elected to be governed by the Illinois Uniform Partnership Act (1997).
>> ===========================================================
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> ZendTo mailing list
>> ZendTo at zend.to
>> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
>
> --
> Ing. Sergio Rabellino
>
> Università degli Studi di Torino
> Dipartimento di Informatica
> ICT Services Director
> Tel +39-0116706701 Fax +39-011751603
> C.so Svizzera , 185 - 10149 - Torino
>
> <http://www.di.unito.it>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
--
Ing. Sergio Rabellino
Università degli Studi di Torino
Dipartimento di Informatica
ICT Services Director
Tel +39-0116706701 Fax +39-011751603
C.so Svizzera , 185 - 10149 - Torino
<http://www.di.unito.it>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ecs.soton.ac.uk/pipermail/zendto/attachments/20100819/5c27bb5c/attachment-0001.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 4167 bytes
Desc: not available
Url : http://mailman.ecs.soton.ac.uk/pipermail/zendto/attachments/20100819/5c27bb5c/attachment-0001.jpe
-------------- next part --------------
A non-text attachment was scrubbed...
Name: logo.jpg
Type: image/jpeg
Size: 4167 bytes
Desc: not available
Url : http://mailman.ecs.soton.ac.uk/pipermail/zendto/attachments/20100819/5c27bb5c/attachment-0001.jpg
More information about the ZendTo
mailing list