[ZendTo] Re: Question related to version of PHP in CentOS VM's
Julian Field
Jules at Zend.To
Mon Aug 23 18:56:11 BST 2010
Please do remember that I did not write all the code present in ZendTo, it started off life as a different project by other people. But I will rapidly fix any problems brought to my attention with constructive advice on how to fix them.
--
Jules
On 19 Aug 2010, at 02:21 PM, "Duncan, Brian M." <brian.duncan at kattenlaw.com> wrote:
> My intent was not to create a discussion on how open to attack PHP is related to other products.
>
> Nesuus was obviously displaying high importance alerts based on the PHP banner version that was being returned when I still had expose=on in the php.ini.
>
> If you are saying that all the vulnerabilities that are present in the version that is installed can only be exploited with poorly coded PHP code, then I am not concerned if Jules is not ..
>
>
> BRIAN M. DUNCAN
> Data Security Administrator
> Katten Muchin Rosenman LLP
> 525 W. Monroe Street / Chicago, IL 60661-3693
> p / (312) 577-8045 f / (312) 577-4490
> brian.duncan at kattenlaw.com / www.kattenlaw.com
>
>
>
>
> From: zendto-bounces at zend.to [mailto:zendto-bounces at zend.to] On Behalf Of Sergio Rabellino
> Sent: Wednesday, August 18, 2010 6:08 PM
> To: zendto at zend.to
> Subject: [ZendTo] Re: Question related to version of PHP in CentOS VM's
>
> I'm running php web sites along 10 years, i'd never had a succesful attack to php itself, but only to bad (php) programmers.
> I think that nessus it's very conservative in its results, but not every buffer overflow can lead to a breach in your system.
> What programming language/environment you believe it's unfaceable ? Tomcat/Java or whatsoever ? :-)
>
> regards.
>
> Duncan, Brian M. ha scritto:
>>
>> I've always shied away from using PHP with apache on externally facing web sites in the past due to always seeing a constant flow of new vulnerabilities.
>>
>> Does anyone know if the version of PHP that is current according to CentOS safe?
>>
>> I ran a Nessus scan against my Zendto box and it is listing 6 "HIGH" security risks so far that are supposedly tied to PHP version. I just noticed they all refer so far to using PHP 5.2.5 or later. Not sure if any of these are false positives yet.
>>
>>
>> Here is some of the Nessus "HIGH" security scan listed output for any interested:
>>
>>
>>
>> PHP < 5.2.5 Multiple Vulnerabilities
>>
>> Synopsis:
>> The remote web server uses a version of PHP that is affected by multiple flaws.
>>
>> Description:
>> According to its banner, the version of PHP installed on the remote host is older than 5.2.5. Such versions may be affected by various issues, including but not limited to several buffer overflows.
>>
>> Risk factor:
>> High
>>
>> CVSS Base Score:7.5
>> CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
>>
>> See also:
>> http://www.php.net/releases/5_2_5.php
>>
>> Solution:
>> Upgrade to PHP version 5.2.5 or later.
>>
>> Plugin output:
>> PHP version 5.1.6 appears to be running on the remote host based on the following X-Powered-By response header : X-Powered-By: PHP/5.1.6
>>
>> Plugin ID:
>> 28181
>>
>> CVE:
>> CVE-2007-4887, CVE-2007-5898, CVE-2007-5900
>>
>> BID:
>> 26403
>>
>> Other references:
>> OSVDB:38680, OSVDB:38681, OSVDB:38682, OSVDB:38683, OSVDB:38684, OSVDB:38685
>> PHP < 5.2.1 Multiple Vulnerabilities
>>
>> Synopsis:
>> The remote web server uses a version of PHP that is affected by multiple flaws.
>>
>> Description:
>> According to its banner, the version of PHP installed on the remote host is older than 5.2.1. Such versions may be affected by several issues, including buffer overflows, format string vulnerabilities, arbitrary code execution, 'safe_mode' and 'open_basedir' bypasses, and clobbering of super-globals.
>>
>> Risk factor:
>> High
>>
>> CVSS Base Score:7.5
>> CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
>>
>> See also:
>> http://www.php.net/releases/5_2_1.php
>>
>> Solution:
>> Upgrade to PHP version 5.2.1 or later.
>>
>> Plugin output:
>> PHP version 5.1.6 appears to be running on the remote host based on the following X-Powered-By response header : X-Powered-By: PHP/5.1.6
>>
>> Plugin ID:
>> 24907
>>
>> CVE:
>> CVE-2006-6383, CVE-2007-0905, CVE-2007-0906, CVE-2007-0907, CVE-2007-0908, CVE-2007-0909, CVE-2007-0910, CVE-2007-1376, CVE-2007-1380, CVE-2007-1453, CVE-2007-1700, CVE-2007-1701, CVE-2007-1824, CVE-2007-1825, CVE-2007-1884, CVE-2007-1885, CVE-2007-1886, CVE-2007-1887, CVE-2007-1890
>>
>> BID:
>> 21508, 22496, 22805, 22806, 22862, 22922, 23119, 23120, 23219, 23233, 23234, 23235, 23236, 23237, 23238
>>
>> Other references:
>> OSVDB:32763, OSVDB:32764, OSVDB:32765, OSVDB:32766, OSVDB:32767, OSVDB:32768, OSVDB:32776, OSVDB:32781, OSVDB:33269, OSVDB:33933, OSVDB:33944, OSVDB:33945, OSVDB:33955, OSVDB:33957, OSVDB:33958, OSVDB:33959, OSVDB:33960, OSVDB:34767
>> PHP < 5.2.4 Multiple Vulnerabilities
>>
>> Synopsis:
>> The remote web server uses a version of PHP that is affected by multiple flaws.
>>
>> Description:
>> According to its banner, the version of PHP installed on the remote host is older than 5.2.4. Such versions may be affected by various issues, including but not limited to several overflows.
>>
>> Risk factor:
>> High
>>
>> CVSS Base Score:7.5
>> CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
>>
>> See also:
>> http://www.php.net/releases/5_2_4.php
>>
>> Solution:
>> Upgrade to PHP version 5.2.4 or later.
>>
>> Plugin output:
>> PHP version 5.1.6 appears to be running on the remote host based on the following X-Powered-By response header : X-Powered-By: PHP/5.1.6
>>
>> Plugin ID:
>> 25971
>>
>> CVE:
>> CVE-2007-2872, CVE-2007-3378, CVE-2007-3806
>>
>> BID:
>> 24661, 24261, 24922, 25498
>>
>> Other references:
>> OSVDB:36083, OSVDB:36085, OSVDB:36869
>> PHP < 5.2 Multiple Vulnerabilities
>>
>> Synopsis:
>> The remote web server uses a version of PHP that is affected by multiple buffer overflows.
>>
>> Description:
>> According to its banner, the version of PHP installed on the remote host is older than 5.2. Such versions may be affected by several buffer overflows. To exploit these issues, an attacker would need the ability to upload an arbitrary PHP script on the remote server, or to be able to manipulate several variables processed by some PHP functions such as htmlentities().
>>
>> Risk factor:
>> High
>>
>> CVSS Base Score:7.5
>> CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
>>
>> See also:
>> http://www.php.net/releases/5_2_0.php
>>
>> Solution:
>> Upgrade to PHP version 5.2.0 or later.
>>
>> Plugin output:
>> PHP version 5.1.6 appears to be running on the remote host based on the following X-Powered-By response header : X-Powered-By: PHP/5.1.6
>>
>> Plugin ID:
>> 31649
>>
>> CVE:
>> CVE-2006-5465
>>
>> BID:
>> 20879
>>
>> Other references:
>> OSVDB:30178, OSVDB:30179
>> PHP 5 < 5.2.7 Multiple Vulnerabilities
>>
>> Synopsis:
>> The remote web server uses a version of PHP that is affected by multiple flaws.
>>
>> Description:
>> According to its banner, the version of PHP installed on the remote host is older than 5.2.7. Such versions may be affected by several security issues : - File truncation can occur when calling 'dba_replace()' with an invalid argument. - There is a buffer overflow in the bundled PCRE library fixed by 7.8. (CVE-2008-2371) - A buffer overflow in the 'imageloadfont()' function in 'ext/gd/gd.c' can be triggered when a specially crafted font is given. (CVE-2008-3658) - There is a buffer overflow in PHP's internal function 'memnstr()', which is exposed to userspace as 'explode()'. (CVE-2008-3659) - When used as a FastCGI module, PHP segfaults when opening a file whose name contains two dots (eg, 'file..php'). (CVE-2008-3660) - Multiple directory traversal vulnerabilities in functions such as 'posix_access()', 'chdir()', 'ftok()' may allow a remote attacker to bypass 'safe_mode' restrictions. (CVE-2008-2665 and2
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ecs.soton.ac.uk/pipermail/zendto/attachments/20100823/899fb446/attachment.html
More information about the ZendTo
mailing list