[ZendTo] Re: Question related to version of PHP in CentOS VM's

Julian Field Jules at ecs.soton.ac.uk
Mon Aug 23 18:53:15 BST 2010


RedHat and hence CentOS back port security fixes, so the version number is a poor indicator of security holes.

-- 
Jules

On 18 Aug 2010, at 07:47 PM, "Duncan, Brian M." <brian.duncan at kattenlaw.com> wrote:

> I've always shied away from using PHP with apache on externally facing web sites in the past due to always seeing a constant flow of new vulnerabilities.
>  
> Does anyone know if the version of PHP that is current according to CentOS is safe?
>  
> I ran a Nessus scan against my Zendto box and it is listing 6 "HIGH" security risks so far that are supposedly tied to PHP version.  I just noticed they all refer so far to using PHP 5.2.5 or later.  Not sure if any of these are false positives yet.
>  
>  
> Here is some of the Nessus "HIGH" security scan listed output for any interested:
>  
>  
>  
> PHP < 5.2.5 Multiple Vulnerabilities
> 
> Synopsis:
> The remote web server uses a version of PHP that is affected by multiple flaws.
> 
> Description:
> According to its banner, the version of PHP installed on the remote host is older than 5.2.5. Such versions may be affected by various issues, including but not limited to several buffer overflows.
> 
> Risk factor:
> High
> 
> CVSS Base Score:7.5
> CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
> 
> See also:
> http://www.php.net/releases/5_2_5.php
> 
> Solution:
> Upgrade to PHP version 5.2.5 or later.
> 
> Plugin output:
> PHP version 5.1.6 appears to be running on the remote host based on the following X-Powered-By response header : X-Powered-By: PHP/5.1.6 
> 
> Plugin ID:
> 28181
> 
> CVE: 
> CVE-2007-4887, CVE-2007-5898, CVE-2007-5900
> 
> BID: 
> 26403
> 
> Other references: 
> OSVDB:38680, OSVDB:38681, OSVDB:38682, OSVDB:38683, OSVDB:38684, OSVDB:38685
> 
> PHP < 5.2.1 Multiple Vulnerabilities
> 
> Synopsis:
> The remote web server uses a version of PHP that is affected by multiple flaws.
> 
> Description:
> According to its banner, the version of PHP installed on the remote host is older than 5.2.1. Such versions may be affected by several issues, including buffer overflows, format string vulnerabilities, arbitrary code execution, 'safe_mode' and 'open_basedir' bypasses, and clobbering of super-globals.
> 
> Risk factor:
> High
> 
> CVSS Base Score:7.5
> CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
> 
> See also:
> http://www.php.net/releases/5_2_1.php
> 
> Solution:
> Upgrade to PHP version 5.2.1 or later.
> 
> Plugin output:
> PHP version 5.1.6 appears to be running on the remote host based on the following X-Powered-By response header : X-Powered-By: PHP/5.1.6 
> 
> Plugin ID:
> 24907
> 
> CVE: 
> CVE-2006-6383, CVE-2007-0905, CVE-2007-0906, CVE-2007-0907, CVE-2007-0908, CVE-2007-0909, CVE-2007-0910, CVE-2007-1376, CVE-2007-1380, CVE-2007-1453, CVE-2007-1700, CVE-2007-1701, CVE-2007-1824, CVE-2007-1825, CVE-2007-1884, CVE-2007-1885, CVE-2007-1886, CVE-2007-1887, CVE-2007-1890
> 
> BID: 
> 21508, 22496, 22805, 22806, 22862, 22922, 23119, 23120, 23219, 23233, 23234, 23235, 23236, 23237, 23238
> 
> Other references: 
> OSVDB:32763, OSVDB:32764, OSVDB:32765, OSVDB:32766, OSVDB:32767, OSVDB:32768, OSVDB:32776, OSVDB:32781, OSVDB:33269, OSVDB:33933, OSVDB:33944, OSVDB:33945, OSVDB:33955, OSVDB:33957, OSVDB:33958, OSVDB:33959, OSVDB:33960, OSVDB:34767
> 
> PHP < 5.2.4 Multiple Vulnerabilities
> 
> Synopsis:
> The remote web server uses a version of PHP that is affected by multiple flaws.
> 
> Description:
> According to its banner, the version of PHP installed on the remote host is older than 5.2.4. Such versions may be affected by various issues, including but not limited to several overflows.
> 
> Risk factor:
> High
> 
> CVSS Base Score:7.5
> CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
> 
> See also:
> http://www.php.net/releases/5_2_4.php
> 
> Solution:
> Upgrade to PHP version 5.2.4 or later.
> 
> Plugin output:
> PHP version 5.1.6 appears to be running on the remote host based on the following X-Powered-By response header : X-Powered-By: PHP/5.1.6 
> 
> Plugin ID:
> 25971
> 
> CVE: 
> CVE-2007-2872, CVE-2007-3378, CVE-2007-3806
> 
> BID: 
> 24661, 24261, 24922, 25498
> 
> Other references: 
> OSVDB:36083, OSVDB:36085, OSVDB:36869
> 
> PHP < 5.2 Multiple Vulnerabilities
> 
> Synopsis:
> The remote web server uses a version of PHP that is affected by multiple buffer overflows.
> 
> Description:
> According to its banner, the version of PHP installed on the remote host is older than 5.2. Such versions may be affected by several buffer overflows. To exploit these issues, an attacker would need the ability to upload an arbitrary PHP script on the remote server, or to be able to manipulate several variables processed by some PHP functions such as htmlentities().
> 
> Risk factor:
> High
> 
> CVSS Base Score:7.5
> CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
> 
> See also:
> http://www.php.net/releases/5_2_0.php
> 
> Solution:
> Upgrade to PHP version 5.2.0 or later.
> 
> Plugin output:
> PHP version 5.1.6 appears to be running on the remote host based on the following X-Powered-By response header : X-Powered-By: PHP/5.1.6 
> 
> Plugin ID:
> 31649
> 
> CVE: 
> CVE-2006-5465
> 
> BID: 
> 20879
> 
> Other references: 
> OSVDB:30178, OSVDB:30179
> 
> PHP 5 < 5.2.7 Multiple Vulnerabilities
> 
> Synopsis:
> The remote web server uses a version of PHP that is affected by multiple flaws.
> 
> Description:
> According to its banner, the version of PHP installed on the remote host is older than 5.2.7. Such versions may be affected by several security issues:
> - File truncation can occur when calling 'dba_replace()' with an invalid argument.
> - There is a buffer overflow in the bundled PCRE library fixed by 7.8. (CVE-2008-2371)
> - A buffer overflow in the 'imageloadfont()' function in 'ext/gd/gd.c' can be triggered when a specially crafted font is given. (CVE-2008-3658)
> - There is a buffer overflow in PHP's internal function 'memnstr()', which is exposed to userspace as 'explode()'. (CVE-2008-3659)
> - When used as a FastCGI module, PHP segfaults when opening a file whose name contains two dots (eg, 'file..php'). (CVE-2008-3660)
> - Multiple directory traversal vulnerabilities in functions such as 'posix_access()', 'chdir()', 'ftok()' may allow a remote attacker to bypass 'safe_mode' restrictions. (CVE-2008-2665 and CVE-2008-2666)
> - A buffer overflow may be triggered when processing long message headers in 'php_imap.c' due to use of an obsolete API call. (CVE-2008-2829)
> - A heap-based buffer overflow may be triggered via a call to 'mb_check_encoding()', part of the 'mbstring' extension. (CVE-2008-5557)
> - Missing initialization of 'BG(page_uid)' and 'BG(page_gid)' when PHP is used as an Apache module may allow for bypassing security restriction due to SAPI 'php_getuid()' overloading. (CVE-2008-5624)
> - Incorrect 'php_value' order for Apache configuration may allow bypassing PHP's 'safe_mode' setting. (CVE-2008-5625)
> - The ZipArchive:extractTo() method in the ZipArchive extension fails to filter directory traversal sequences from file names. (CVE-2008-5658)
> 
> Risk factor:
> High
> 
> CVSS Base Score:7.5
> CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
> 
> See also:
> http://securityreason.com/achievement_securityalert/57
> 
> See also:
> http://securityreason.com/achievement_securityalert/58
> 
> See also:
> http://securityreason.com/achievement_securityalert/59
> 
> See also:
> http://www.sektioneins.de/advisories/SE-2008-06.txt
> 
> See also:
> http://archives.neohapsis.com/archives/fulldisclosure/2008-06/0238.html
> 
> See also:
> http://archives.neohapsis.com/archives/fulldisclosure/2008-06/0239.html
> 
> See also:
> http://www.openwall.com/lists/oss-security/2008/08/08/2
> 
> See also:
> http://www.openwall.com/lists/oss-security/2008/08/13/8
> 
> See also:
> http://archives.neohapsis.com/archives/fulldisclosure/2008-11/0433.html
> 
> See also:
> http://archives.neohapsis.com/archives/fulldisclosure/2008-12/0089.html
> 
> See also:
> http://bugs.php.net/bug.php?id=42862
> 
> See also:
> http://bugs.php.net/bug.php?id=45151
> 
> See also:
> http://bugs.php.net/bug.php?id=45722
> 
> See also:
> http://www.php.net/releases/5_2_7.php
> 
> See also:
> http://www.php.net/ChageLog-5.php#5.2.7
> 
> Solution:
> Upgrade to PHP version 5.2.8 or later. Note that 5.2.7 has been removed from distribution because of a regression in that version that results in the 'magic_quotes_gpc' setting remaining off even if it was set to on.
> 
> Plugin output:
> PHP version 5.1.6 appears to be running on the remote host based on the following X-Powered-By response header : X-Powered-By: PHP/5.1.6 
> 
> Plugin ID:
> 35043
> 
> CVE: 
> CVE-2008-2371, CVE-2008-2665, CVE-2008-2666, CVE-2008-2829, CVE-2008-3658, CVE-2008-3659, CVE-2008-3660, CVE-2008-5557, CVE-2008-5624, CVE-2008-5625, CVE-2008-5658
> 
> BID: 
> 29796, 29797, 29829, 30087, 30649, 31612, 32383, 32625, 32688, 32948
> 
> Other references: 
> OSVDB:46584, OSVDB:46638, OSVDB:46639, OSVDB:46641, OSVDB:46690, OSVDB:47796, OSVDB:47797, OSVDB:47798, OSVDB:50480, OSVDB:51477, OSVDB:52205, OSVDB:52206, OSVDB:52207
> 
> PHP < 5.2.6 Multiple Vulnerabilities
> 
> Synopsis:
> The remote web server uses a version of PHP that is affected by multiple flaws.
> 
> Description:
> According to its banner, the version of PHP installed on the remote host is older than 5.2.6. Such versions may be affected by the following issues:
> - A stack buffer overflow in FastCGI SAPI.
> - An integer overflow in printf().
> - A security issue arising from improper calculation of the length of PATH_TRANSLATED in cgi_main.c.
> - A safe_mode bypass in cURL.
> - Incomplete handling of multibyte chars inside escapeshellcmd().
> - Issues in the bundled PCRE fixed by version 7.6.
> 
> Risk factor:
> High
> 
> CVSS Base Score:7.5
> CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
> 
> See also:
> http://archives.neohapsis.com/archives/bugtraq/2008-03/0321.html
> 
> See also:
> http://archives.neohapsis.com/archives/fulldisclosure/2008-05/0103.html
> 
> See also:
> http://archives.neohapsis.com/archives/fulldisclosure/2008-05/0107.html
> 
> See also:
> http://www.php.net/releases/5_2_6.php
> 
> Solution:
> Upgrade to PHP version 5.2.6 or later.
> 
> Plugin output:
> PHP version 5.1.6 appears to be running on the remote host based on the following X-Powered-By response header : X-Powered-By: PHP/5.1.6 
> 
> Plugin ID:
> 32123
> 
> CVE: 
> CVE-2007-4850, CVE-2008-0599, CVE-2008-1384, CVE-2008-2050, CVE-2008-2051
> 
> BID: 
> 27413, 28392, 29009
> 
> Other references: 
> OSVDB:43219, OSVDB:44057, OSVDB:44906, OSVDB:44907, OSVDB:44908, Secunia:30048
>  
> BRIAN M. DUNCAN
> Data Security Administrator
> Katten Muchin Rosenman LLP
> 525 W. Monroe Street / Chicago, IL 60661-3693
> p / (312) 577-8045 f / (312) 577-4490
> brian.duncan at kattenlaw.com / www.kattenlaw.com
> 
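Jules' point above is that every finding Brian quotes is keyed on the `X-Powered-By: PHP/5.1.6` banner, while Red Hat (and therefore CentOS) ships fixes for individual CVEs inside that same 5.1.6 package and records them in the RPM changelog. The way to tell a false positive from a real gap is to look up each CVE the plugin lists in that changelog. The script below is an added example, not code from this thread or from the ZendTo project: it pulls the CVE identifiers out of a Nessus-style "CVE:" line and reports which of them the package changelog does not mention. The changelog excerpt, its dates, release tags and packager address are constructed placeholders (Red Hat's convention of naming CVEs in changelog entries is real, the entries here are not); on a live box you would replace it with the output of `rpm -q --changelog php`.

```sh
#!/bin/sh
# Added example, not from the ZendTo thread or the ZendTo project.
# Checks a Nessus banner-based "PHP < x.y.z" finding against the installed
# package's RPM changelog, where RHEL/CentOS record backported CVE fixes.
#
# On a real host replace the constructed CHANGELOG below with:
#   CHANGELOG=$(rpm -q --changelog php)
# Both inputs here are constructed so that the script runs offline.

# Constructed excerpt in rpm changelog format. Dates, release tags and the
# packager address are placeholders, not CentOS's real changelog.
CHANGELOG='* Mon Jan 01 2009 Packager <packager@example.com> 5.1.6-EXAMPLE.1
- add security fixes for CVE-2008-2371, CVE-2008-3658 (#000000)
- fix CVE-2008-3659 (memnstr buffer overflow)
* Mon Jan 01 2008 Packager <packager@example.com> 5.1.6-EXAMPLE.0
- add security fix for CVE-2007-4887
'

# Constructed "CVE:" line in the shape of the Nessus plugin output quoted above.
NESSUS_CVE_LINE='CVE: CVE-2008-2371, CVE-2008-3658, CVE-2008-3659, CVE-2008-3660'

# Print the CVE identifiers found in a Nessus "CVE:" line, one per line.
extract_cves() {
    printf '%s\n' "$1" | grep -o 'CVE-[0-9][0-9]*-[0-9][0-9]*'
}

# Print each CVE from the list ($2, space- or newline-separated) that does NOT
# appear anywhere in the changelog text ($1). Empty output means every listed
# CVE is covered by a backported fix.
cves_missing_from_changelog() {
    changelog=$1
    for cve in $2; do
        printf '%s\n' "$changelog" | grep -q -F -- "$cve" || printf '%s\n' "$cve"
    done
}

# Classify a finding: "false-positive" when every listed CVE is in the
# changelog, otherwise "unpatched:" followed by the CVEs still missing.
classify_finding() {
    missing=$(cves_missing_from_changelog "$1" "$2")
    if [ -z "$missing" ]; then
        echo "false-positive"
    else
        echo "unpatched: $(printf '%s' "$missing" | tr '\n' ' ' | sed 's/ $//')"
    fi
}

# Stand-alone run: with the constructed inputs CVE-2008-3660 is absent from the
# changelog, so this finding must not be dismissed as banner noise.
cves=$(extract_cves "$NESSUS_CVE_LINE")
classify_finding "$CHANGELOG" "$cves"
```

Two points follow from this check. First, setting `expose_php = Off` in php.ini removes the `X-Powered-By` header that every quoted plugin keyed on, which silences the banner-based findings without changing whether a single fix is installed; the changelog (or a credentialed scan that reads package versions) is the evidence, the banner is not. Second, a CVE that is genuinely missing from the changelog is a real gap in a backported package, so the script's "unpatched" output is the list to raise with the distribution, not something to suppress.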