[ZendTo] Re: Question related to version of PHP in CentOS VM's

Sergio Rabellino rabellino at di.unito.it
Thu Aug 19 19:32:28 BST 2010



Duncan, Brian M. ha scritto:
> My intent was not to create a discussion on how open to attack PHP is 
> related to other products.
>  
> Nesuus was obviously displaying high importance alerts based on the 
> PHP banner version that was being returned when I still had expose=on 
> in the php.ini. 
>  
> If you are saying that all the vulnerabilities that are present in the 
> version that is installed can only be exploited with poorly coded PHP 
> code, then I am not concerned if Jules is not ..
>  
Nor i can assure that my code is clean of bug (who can ?) as a bunch of 
lines was suggested by me to julian.
The nessus advice is a generic warning about php (i believe also that 
5.1.6 it's too old) vulnerabilities, but not all the vulnerabilities are 
exploitable by a remote attacker.
In the specific, looking at

http://www.nessus.org/plugins/index.php?view=single&id=28181

and browsing the 3 links about the vulnerabilities CVE*  there are some 
"unknown" cases for which ths can lead to a problem for an application 
as zendto (CVE-2007-5898).
It's clear that upgrade of php it's the better solution for a risk 
analysis perspective, but it's not an imperative indication.
The only response to your question is a in-deep check with formal 
methods to assure that the system is correct.... Have you some billion 
of years to wait for ?
>  
>
> BRIAN M. DUNCAN
> Data Security Administrator
> Katten Muchin Rosenman LLP
> 525 W. Monroe Street / Chicago, IL 60661-3693
> p / (312) 577-8045 f / (312) 577-4490
> brian.duncan at kattenlaw.com / www.kattenlaw.com
>  
>
>  
>
> ------------------------------------------------------------------------
> *From:* zendto-bounces at zend.to [mailto:zendto-bounces at zend.to] *On 
> Behalf Of *Sergio Rabellino
> *Sent:* Wednesday, August 18, 2010 6:08 PM
> *To:* zendto at zend.to
> *Subject:* [ZendTo] Re: Question related to version of PHP in CentOS VM's
>
> I'm running php web sites along 10 years, i'd never had a succesful 
> attack to php itself, but only to bad (php) programmers.
> I think that nessus it's very conservative in its results, but not 
> every buffer overflow can lead to a breach in your system.
> What programming language/environment you believe it's unfaceable ? 
> Tomcat/Java or whatsoever ? :-)
>
> regards.
>
> Duncan, Brian M. ha scritto:
>> I've always shied away from using PHP with apache on externally 
>> facing web sites in the past due to always seeing a constant flow of 
>> new vulnerabilities.
>>  
>> Does anyone know if the version of PHP that is current according to 
>> CentOS safe?
>>  
>> I ran a Nessus scan against my Zendto box and it is listing 6 
>> "HIGH" security risks so far that are supposedly tied to PHP 
>> version.  I just noticed they all refer so far to using PHP 5.2.5 or 
>> later.  Not sure if any of these are false positives yet.
>>  
>>  
>> Here is some of the Nessus "HIGH" security scan listed output for any 
>> interested:
>>  
>>  
>>  
>> PHP < 5.2.5 Multiple Vulnerabilities
>>
>> *Synopsis:*
>> The remote web server uses a version of PHP that is affected by 
>> multiple flaws.
>>
>> *Description:*
>> According to its banner, the version of PHP installed on the remote 
>> host is older than 5.2.5. Such versions may be affected by various 
>> issues, including but not limited to several buffer overflows.
>>
>> *Risk factor:*
>> High
>>
>> *CVSS Base Score:*7.5
>> CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
>>
>> *See also:*
>> http://www.php.net/releases/5_2_5.php
>>
>> *Solution:*
>> Upgrade to PHP version 5.2.5 or later.
>>
>> *Plugin output:*
>> PHP version 5.1.6 appears to be running on the remote host based on 
>> the following X-Powered-By response header : X-Powered-By: PHP/5.1.6
>>
>> *Plugin ID:*
>> 28181 <http://www.nessus.org/plugins/index.php?view=single&id=28181>
>>
>> *CVE: *
>> CVE-2007-4887, CVE-2007-5898, CVE-2007-5900
>>
>> *BID: *
>> 26403 <http://www.securityfocus.com/bid/26403>
>>
>> *Other references: *
>> OSVDB:38680, OSVDB:38681, OSVDB:38682, OSVDB:38683, OSVDB:38684, 
>> OSVDB:38685
>>
>> PHP < 5.2.1 Multiple Vulnerabilities
>>
>> *Synopsis:*
>> The remote web server uses a version of PHP that is affected by 
>> multiple flaws.
>>
>> *Description:*
>> According to its banner, the version of PHP installed on the remote 
>> host is older than 5.2.1. Such versions may be affected by several 
>> issues, including buffer overflows, format string vulnerabilities, 
>> arbitrary code execution, 'safe_mode' and 'open_basedir' bypasses, 
>> and clobbering of super-globals.
>>
>> *Risk factor:*
>> High
>>
>> *CVSS Base Score:*7.5
>> CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
>>
>> *See also:*
>> http://www.php.net/releases/5_2_1.php
>>
>> *Solution:*
>> Upgrade to PHP version 5.2.1 or later.
>>
>> *Plugin output:*
>> PHP version 5.1.6 appears to be running on the remote host based on 
>> the following X-Powered-By response header : X-Powered-By: PHP/5.1.6
>>
>> *Plugin ID:*
>> 24907 <http://www.nessus.org/plugins/index.php?view=single&id=24907>
>>
>> *CVE: *
>> CVE-2006-6383, CVE-2007-0905, CVE-2007-0906, CVE-2007-0907, 
>> CVE-2007-0908, CVE-2007-0909, CVE-2007-0910, CVE-2007-1376, 
>> CVE-2007-1380, CVE-2007-1453, CVE-2007-1700, CVE-2007-1701, 
>> CVE-2007-1824, CVE-2007-1825, CVE-2007-1884, CVE-2007-1885, 
>> CVE-2007-1886, CVE-2007-1887, CVE-2007-1890
>>
>> *BID: *
>> 21508 <http://www.securityfocus.com/bid/21508>, 22496 
>> <http://www.securityfocus.com/bid/22496>, 22805 
>> <http://www.securityfocus.com/bid/22805>, 22806 
>> <http://www.securityfocus.com/bid/22806>, 22862 
>> <http://www.securityfocus.com/bid/22862>, 22922 
>> <http://www.securityfocus.com/bid/22922>, 23119 
>> <http://www.securityfocus.com/bid/23119>, 23120 
>> <http://www.securityfocus.com/bid/23120>, 23219 
>> <http://www.securityfocus.com/bid/23219>, 23233 
>> <http://www.securityfocus.com/bid/23233>, 23234 
>> <http://www.securityfocus.com/bid/23234>, 23235 
>> <http://www.securityfocus.com/bid/23235>, 23236 
>> <http://www.securityfocus.com/bid/23236>, 23237 
>> <http://www.securityfocus.com/bid/23237>, 23238 
>> <http://www.securityfocus.com/bid/23238>
>>
>> *Other references: *
>> OSVDB:32763, OSVDB:32764, OSVDB:32765, OSVDB:32766, OSVDB:32767, 
>> OSVDB:32768, OSVDB:32776, OSVDB:32781, OSVDB:33269, OSVDB:33933, 
>> OSVDB:33944, OSVDB:33945, OSVDB:33955, OSVDB:33957, OSVDB:33958, 
>> OSVDB:33959, OSVDB:33960, OSVDB:34767
>>
>> PHP < 5.2.4 Multiple Vulnerabilities
>>
>> *Synopsis:*
>> The remote web server uses a version of PHP that is affected by 
>> multiple flaws.
>>
>> *Description:*
>> According to its banner, the version of PHP installed on the remote 
>> host is older than 5.2.4. Such versions may be affected by various 
>> issues, including but not limited to several overflows.
>>
>> *Risk factor:*
>> High
>>
>> *CVSS Base Score:*7.5
>> CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
>>
>> *See also:*
>> http://www.php.net/releases/5_2_4.php
>>
>> *Solution:*
>> Upgrade to PHP version 5.2.4 or later.
>>
>> *Plugin output:*
>> PHP version 5.1.6 appears to be running on the remote host based on 
>> the following X-Powered-By response header : X-Powered-By: PHP/5.1.6
>>
>> *Plugin ID:*
>> 25971 <http://www.nessus.org/plugins/index.php?view=single&id=25971>
>>
>> *CVE: *
>> CVE-2007-2872, CVE-2007-3378, CVE-2007-3806
>>
>> *BID: *
>> 24661 <http://www.securityfocus.com/bid/24661>, 24261 
>> <http://www.securityfocus.com/bid/24261>, 24922 
>> <http://www.securityfocus.com/bid/24922>, 25498 
>> <http://www.securityfocus.com/bid/25498>
>>
>> *Other references: *
>> OSVDB:36083, OSVDB:36085, OSVDB:36869
>>
>> PHP < 5.2 Multiple Vulnerabilities
>>
>> *Synopsis:*
>> The remote web server uses a version of PHP that is affected by 
>> multiple buffer overflows.
>>
>> *Description:*
>> According to its banner, the version of PHP installed on the remote 
>> host is older than 5.2. Such versions may be affected by several 
>> buffer overflows. To exploit these issues, an attacker would need the 
>> ability to upload an arbitrary PHP script on the remote server, or to 
>> be able to manipulate several variables processed by some PHP 
>> functions such as htmlentities().
>>
>> *Risk factor:*
>> High
>>
>> *CVSS Base Score:*7.5
>> CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
>>
>> *See also:*
>> http://www.php.net/releases/5_2_0.php
>>
>> *Solution:*
>> Upgrade to PHP version 5.2.0 or later.
>>
>> *Plugin output:*
>> PHP version 5.1.6 appears to be running on the remote host based on 
>> the following X-Powered-By response header : X-Powered-By: PHP/5.1.6
>>
>> *Plugin ID:*
>> 31649 <http://www.nessus.org/plugins/index.php?view=single&id=31649>
>>
>> *CVE: *
>> CVE-2006-5465
>>
>> *BID: *
>> 20879 <http://www.securityfocus.com/bid/20879>
>>
>> *Other references: *
>> OSVDB:30178, OSVDB:30179
>>
>> PHP 5 < 5.2.7 Multiple Vulnerabilities
>>
>> *Synopsis:*
>> The remote web server uses a version of PHP that is affected by 
>> multiple flaws.
>>
>> *Description:*
>> According to its banner, the version of PHP installed on the remote 
>> host is older than 5.2.7. Such versions may be affected by several 
>> security issues : - File truncation can occur when calling 
>> 'dba_replace()' with an invalid argument. - There is a buffer 
>> overflow in the bundled PCRE library fixed by 7.8. (CVE-2008-2371) - 
>> A buffer overflow in the 'imageloadfont()' function in 'ext/gd/gd.c' 
>> can be triggered when a specially crafted font is given. 
>> (CVE-2008-3658) - There is a buffer overflow in PHP's internal 
>> function 'memnstr()', which is exposed to userspace as 'explode()'. 
>> (CVE-2008-3659) - When used as a FastCGI module, PHP segfaults when 
>> opening a file whose name contains two dots (eg, 'file..php'). 
>> (CVE-2008-3660) - Multiple directory traversal vulnerabilities in 
>> functions such as 'posix_access()', 'chdir()', 'ftok()' may allow a 
>> remote attacker to bypass 'safe_mode' restrictions. (CVE-2008-2665 
>> and CVE-2008-2666). - A buffer overflow may be triggered when 
>> processing long message headers in 'php_imap.c' due to use of an 
>> obsolete API call. (CVE-2008-2829) - A heap-based buffer overflow may 
>> be triggered via a call to 'mb_check_encoding()', part of the 
>> 'mbstring' extension. (CVE-2008-5557) - Missing initialization of 
>> 'BG(page_uid)' and 'BG(page_gid)' when PHP is used as an Apache 
>> module may allow for bypassing security restriction due to SAPI 
>> 'php_getuid()' overloading. (CVE-2008-5624) - Incorrect 'php_value' 
>> order for Apache configuration may allow bypassing PHP's 'safe_mode' 
>> setting. (CVE-2008-5625) - The ZipArchive:extractTo() method in the 
>> ZipArchive extension fails to filter directory traversal sequences 
>> from file names. (CVE-2008-5658)
>>
>> *Risk factor:*
>> High
>>
>> *CVSS Base Score:*7.5
>> CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
>>
>> *See also:*
>> http://securityreason.com/achievement_securityalert/57
>>
>> *See also:*
>> http://securityreason.com/achievement_securityalert/58
>>
>> *See also:*
>> http://securityreason.com/achievement_securityalert/59
>>
>> *See also:*
>> http://www.sektioneins.de/advisories/SE-2008-06.txt
>>
>> *See also:*
>> http://archives.neohapsis.com/archives/fulldisclosure/2008-06/0238.html
>>
>> *See also:*
>> http://archives.neohapsis.com/archives/fulldisclosure/2008-06/0239.html
>>
>> *See also:*
>> http://www.openwall.com/lists/oss-security/2008/08/08/2
>>
>> *See also:*
>> http://www.openwall.com/lists/oss-security/2008/08/13/8
>>
>> *See also:*
>> http://archives.neohapsis.com/archives/fulldisclosure/2008-11/0433.html
>>
>> *See also:*
>> http://archives.neohapsis.com/archives/fulldisclosure/2008-12/0089.html
>>
>> *See also:*
>> http://bugs.php.net/bug.php?id=42862
>>
>> *See also:*
>> http://bugs.php.net/bug.php?id=45151
>>
>> *See also:*
>> http://bugs.php.net/bug.php?id=45722
>>
>> *See also:*
>> http://www.php.net/releases/5_2_7.php
>>
>> *See also:*
>> http://www.php.net/ChageLog-5.php#5.2.7
>>
>> *Solution:*
>> Upgrade to PHP version 5.2.8 or later. Note that 5.2.7 was been 
>> removed from distribution because of a regression in that version 
>> that results in the 'magic_quotes_gpc' setting remaining off even if 
>> it was set to on.
>>
>> *Plugin output:*
>> PHP version 5.1.6 appears to be running on the remote host based on 
>> the following X-Powered-By response header : X-Powered-By: PHP/5.1.6
>>
>> *Plugin ID:*
>> 35043 <http://www.nessus.org/plugins/index.php?view=single&id=35043>
>>
>> *CVE: *
>> CVE-2008-2371, CVE-2008-2665, CVE-2008-2666, CVE-2008-2829, 
>> CVE-2008-3658, CVE-2008-3659, CVE-2008-3660, CVE-2008-5557, 
>> CVE-2008-5624, CVE-2008-5625, CVE-2008-5658
>>
>> *BID: *
>> 29796 <http://www.securityfocus.com/bid/29796>, 29797 
>> <http://www.securityfocus.com/bid/29797>, 29829 
>> <http://www.securityfocus.com/bid/29829>, 30087 
>> <http://www.securityfocus.com/bid/30087>, 30649 
>> <http://www.securityfocus.com/bid/30649>, 31612 
>> <http://www.securityfocus.com/bid/31612>, 32383 
>> <http://www.securityfocus.com/bid/32383>, 32625 
>> <http://www.securityfocus.com/bid/32625>, 32688 
>> <http://www.securityfocus.com/bid/32688>, 32948 
>> <http://www.securityfocus.com/bid/32948>
>>
>> *Other references: *
>> OSVDB:46584, OSVDB:46638, OSVDB:46639, OSVDB:46641, OSVDB:46690, 
>> OSVDB:47796, OSVDB:47797, OSVDB:47798, OSVDB:50480, OSVDB:51477, 
>> OSVDB:52205, OSVDB:52206, OSVDB:52207
>>
>> PHP < 5.2.6 Multiple Vulnerabilities
>>
>> *Synopsis:*
>> The remote web server uses a version of PHP that is affected by 
>> multiple flaws.
>>
>> *Description:*
>> According to its banner, the version of PHP installed on the remote 
>> host is older than 5.2.6. Such versions may be affected by the 
>> following issues : - A stack buffer overflow in FastCGI SAPI. - An 
>> integer overflow in printf(). - An security issue arising from 
>> improper calculation of the length of PATH_TRANSLATED in cgi_main.c. 
>> - A safe_mode bypass in cURL. - Incomplete handling of multibyte 
>> chars inside escapeshellcmd(). - Issues in the bundled PCRE fixed by 
>> version 7.6.
>>
>> *Risk factor:*
>> High
>>
>> *CVSS Base Score:*7.5
>> CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
>>
>> *See also:*
>> http://archives.neohapsis.com/archives/bugtraq/2008-03/0321.html
>>
>> *See also:*
>> http://archives.neohapsis.com/archives/fulldisclosure/2008-05/0103.html
>>
>> *See also:*
>> http://archives.neohapsis.com/archives/fulldisclosure/2008-05/0107.html
>>
>> *See also:*
>> http://www.php.net/releases/5_2_6.php
>>
>> *Solution:*
>> Upgrade to PHP version 5.2.6 or later.
>>
>> *Plugin output:*
>> PHP version 5.1.6 appears to be running on the remote host based on 
>> the following X-Powered-By response header : X-Powered-By: PHP/5.1.6
>>
>> *Plugin ID:*
>> 32123 <http://www.nessus.org/plugins/index.php?view=single&id=32123>
>>
>> *CVE: *
>> CVE-2007-4850, CVE-2008-0599, CVE-2008-1384, CVE-2008-2050, CVE-2008-2051
>>
>> *BID: *
>> 27413 <http://www.securityfocus.com/bid/27413>, 28392 
>> <http://www.securityfocus.com/bid/28392>, 29009 
>> <http://www.securityfocus.com/bid/29009>
>>
>> *Other references: *
>> OSVDB:43219, OSVDB:44057, OSVDB:44906, OSVDB:44907, OSVDB:44908, 
>> Secunia:30048
>>
>>  
>>
>> BRIAN M. DUNCAN
>> Data Security Administrator
>> Katten Muchin Rosenman LLP
>> 525 W. Monroe Street / Chicago, IL 60661-3693
>> p / (312) 577-8045 f / (312) 577-4490
>> brian.duncan at kattenlaw.com / www.kattenlaw.com
>>
>>  
>>
>> ===========================================================
>> CIRCULAR 230 DISCLOSURE: Pursuant to Regulations Governing Practice Before the Internal Revenue
>> Service, any tax advice contained herein is not intended or written to be used and cannot be used
>> by a taxpayer for the purpose of avoiding tax penalties that may be imposed on the taxpayer.
>> ===========================================================
>> CONFIDENTIALITY NOTICE:
>> This electronic mail message and any attached files contain information intended for the exclusive
>> use of the individual or entity to whom it is addressed and may contain information that is
>> proprietary, privileged, confidential and/or exempt from disclosure under applicable law.  If you
>> are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or 
>> distribution of this information may be subject to legal restriction or sanction.  Please notify
>> the sender, by electronic mail or telephone, of any unintended recipients and delete the original 
>> message without making any copies.
>> ===========================================================
>> NOTIFICATION:  Katten Muchin Rosenman LLP is an Illinois limited liability partnership that has
>> elected to be governed by the Illinois Uniform Partnership Act (1997).
>> ===========================================================
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> ZendTo mailing list
>> ZendTo at zend.to
>> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
>
> -- 
> Ing. Sergio Rabellino
>
> Università degli Studi di Torino
> Dipartimento di Informatica
> ICT Services Director
> Tel +39-0116706701  Fax +39-011751603
> C.so Svizzera , 185 - 10149 - Torino
>
> <http://www.di.unito.it>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto

-- 
Ing. Sergio Rabellino

Università degli Studi di Torino
Dipartimento di Informatica
ICT Services Director
Tel +39-0116706701  Fax +39-011751603
C.so Svizzera , 185 - 10149 - Torino

<http://www.di.unito.it>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ecs.soton.ac.uk/pipermail/zendto/attachments/20100819/5c27bb5c/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 4167 bytes
Desc: not available
Url : http://mailman.ecs.soton.ac.uk/pipermail/zendto/attachments/20100819/5c27bb5c/attachment-0001.jpe 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: logo.jpg
Type: image/jpeg
Size: 4167 bytes
Desc: not available
Url : http://mailman.ecs.soton.ac.uk/pipermail/zendto/attachments/20100819/5c27bb5c/attachment-0001.jpg 


More information about the ZendTo mailing list