[ZendTo] Re: Question related to version of PHP in CentOS VM's :..
Jules
Jules at Zend.To
Tue Aug 24 15:44:00 BST 2010
Back-porting fixes is standard practise amongst all OS vendors. Moving
to a newer version will change the behaviour of existing features
(almost always) which will break customers' working systems, which is A
Very Bad Thing(tm).
So instead you back-port fixes to keep the functional behaviour the same.
Jules.
On 23/08/2010 21:47, Duncan, Brian M. wrote:
> Thanks Jules,
> I did not realize they back ported fixes for PHP.
> Since Nessus displays information based on version banner, it is
> probably a false positive then. (When advertising version in the php.ini)
>
> BRIAN M. DUNCAN
> Data Security Administrator
> Katten Muchin Rosenman LLP
> 525 W. Monroe Street / Chicago, IL 60661-3693
> p / (312) 577-8045 f / (312) 577-4490
> brian.duncan at kattenlaw.com / www.kattenlaw.com
>
>
> ------------------------------------------------------------------------
> *From:* zendto-bounces at zend.to [mailto:zendto-bounces at zend.to] *On
> Behalf Of *Julian Field
> *Sent:* Monday, August 23, 2010 12:53 PM
> *To:* ZendTo Users
> *Subject:* [ZendTo] Re: Question related to version of PHP in CentOS
> VM's :..
>
>
> RedHat and hence CentOS back port security fixes, so the version
> number is a poor indicator of security holes.
>
> --
> Jules
>
> On 18 Aug 2010, at 07:47 PM, "Duncan, Brian M."
> <brian.duncan at kattenlaw.com <mailto:brian.duncan at kattenlaw.com>> wrote:
>
>> I've always shied away from using PHP with apache on externally
>> facing web sites in the past due to always seeing a constant flow of
>> new vulnerabilities.
>> Does anyone know if the version of PHP that is current according to
>> CentOS safe?
>> I ran a Nessus scan against my Zendto box and it is listing 6
>> "HIGH" security risks so far that are supposedly tied to PHP
>> version. I just noticed they all refer so far to using PHP 5.2.5 or
>> later. Not sure if any of these are false positives yet.
>> Here is some of the Nessus "HIGH" security scan listed output for any
>> interested:
>> PHP < 5.2.5 Multiple Vulnerabilities
>>
>> *Synopsis:*
>> The remote web server uses a version of PHP that is affected by
>> multiple flaws.
>>
>> *Description:*
>> According to its banner, the version of PHP installed on the remote
>> host is older than 5.2.5. Such versions may be affected by various
>> issues, including but not limited to several buffer overflows.
>>
>> *Risk factor:*
>> High
>>
>> *CVSS Base Score:*7.5
>> CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
>>
>> *See also:*
>> http://www.php.net/releases/5_2_5.php
>>
>> *Solution:*
>> Upgrade to PHP version 5.2.5 or later.
>>
>> *Plugin output:*
>> PHP version 5.1.6 appears to be running on the remote host based on
>> the following X-Powered-By response header : X-Powered-By: PHP/5.1.6
>>
>> *Plugin ID:*
>> 28181 <http://www.nessus.org/plugins/index.php?view=single&id=28181>
>>
>> *CVE: *
>> CVE-2007-4887, CVE-2007-5898, CVE-2007-5900
>>
>> *BID: *
>> 26403 <http://www.securityfocus.com/bid/26403>
>>
>> *Other references: *
>> OSVDB:38680, OSVDB:38681, OSVDB:38682, OSVDB:38683, OSVDB:38684,
>> OSVDB:38685
>>
>> PHP < 5.2.1 Multiple Vulnerabilities
>>
>> *Synopsis:*
>> The remote web server uses a version of PHP that is affected by
>> multiple flaws.
>>
>> *Description:*
>> According to its banner, the version of PHP installed on the remote
>> host is older than 5.2.1. Such versions may be affected by several
>> issues, including buffer overflows, format string vulnerabilities,
>> arbitrary code execution, 'safe_mode' and 'open_basedir' bypasses,
>> and clobbering of super-globals.
>>
>> *Risk factor:*
>> High
>>
>> *CVSS Base Score:*7.5
>> CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
>>
>> *See also:*
>> http://www.php.net/releases/5_2_1.php
>>
>> *Solution:*
>> Upgrade to PHP version 5.2.1 or later.
>>
>> *Plugin output:*
>> PHP version 5.1.6 appears to be running on the remote host based on
>> the following X-Powered-By response header : X-Powered-By: PHP/5.1.6
>>
>> *Plugin ID:*
>> 24907 <http://www.nessus.org/plugins/index.php?view=single&id=24907>
>>
>> *CVE: *
>> CVE-2006-6383, CVE-2007-0905, CVE-2007-0906, CVE-2007-0907,
>> CVE-2007-0908, CVE-2007-0909, CVE-2007-0910, CVE-2007-1376,
>> CVE-2007-1380, CVE-2007-1453, CVE-2007-1700, CVE-2007-1701,
>> CVE-2007-1824, CVE-2007-1825, CVE-2007-1884, CVE-2007-1885,
>> CVE-2007-1886, CVE-2007-1887, CVE-2007-1890
>>
>> *BID: *
>> 21508 <http://www.securityfocus.com/bid/21508>, 22496
>> <http://www.securityfocus.com/bid/22496>, 22805
>> <http://www.securityfocus.com/bid/22805>, 22806
>> <http://www.securityfocus.com/bid/22806>, 22862
>> <http://www.securityfocus.com/bid/22862>, 22922
>> <http://www.securityfocus.com/bid/22922>, 23119
>> <http://www.securityfocus.com/bid/23119>, 23120
>> <http://www.securityfocus.com/bid/23120>, 23219
>> <http://www.securityfocus.com/bid/23219>, 23233
>> <http://www.securityfocus.com/bid/23233>, 23234
>> <http://www.securityfocus.com/bid/23234>, 23235
>> <http://www.securityfocus.com/bid/23235>, 23236
>> <http://www.securityfocus.com/bid/23236>, 23237
>> <http://www.securityfocus.com/bid/23237>, 23238
>> <http://www.securityfocus.com/bid/23238>
>>
>> *Other references: *
>> OSVDB:32763, OSVDB:32764, OSVDB:32765, OSVDB:32766, OSVDB:32767,
>> OSVDB:32768, OSVDB:32776, OSVDB:32781, OSVDB:33269, OSVDB:33933,
>> OSVDB:33944, OSVDB:33945, OSVDB:33955, OSVDB:33957, OSVDB:33958,
>> OSVDB:33959, OSVDB:33960, OSVDB:34767
>>
>> PHP < 5.2.4 Multiple Vulnerabilities
>>
>> *Synopsis:*
>> The remote web server uses a version of PHP that is affected by
>> multiple flaws.
>>
>> *Description:*
>> According to its banner, the version of PHP installed on the remote
>> host is older than 5.2.4. Such versions may be affected by various
>> issues, including but not limited to several overflows.
>>
>> *Risk factor:*
>> High
>>
>> *CVSS Base Score:*7.5
>> CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
>>
>> *See also:*
>> http://www.php.net/releases/5_2_4.php
>>
>> *Solution:*
>> Upgrade to PHP version 5.2.4 or later.
>>
>> *Plugin output:*
>> PHP version 5.1.6 appears to be running on the remote host based on
>> the following X-Powered-By response header : X-Powered-By: PHP/5.1.6
>>
>> *Plugin ID:*
>> 25971 <http://www.nessus.org/plugins/index.php?view=single&id=25971>
>>
>> *CVE: *
>> CVE-2007-2872, CVE-2007-3378, CVE-2007-3806
>>
>> *BID: *
>> 24661 <http://www.securityfocus.com/bid/24661>, 24261
>> <http://www.securityfocus.com/bid/24261>, 24922
>> <http://www.securityfocus.com/bid/24922>, 25498
>> <http://www.securityfocus.com/bid/25498>
>>
>> *Other references: *
>> OSVDB:36083, OSVDB:36085, OSVDB:36869
>>
>> PHP < 5.2 Multiple Vulnerabilities
>>
>> *Synopsis:*
>> The remote web server uses a version of PHP that is affected by
>> multiple buffer overflows.
>>
>> *Description:*
>> According to its banner, the version of PHP installed on the remote
>> host is older than 5.2. Such versions may be affected by several
>> buffer overflows. To exploit these issues, an attacker would need the
>> ability to upload an arbitrary PHP script on the remote server, or to
>> be able to manipulate several variables processed by some PHP
>> functions such as htmlentities().
>>
>> *Risk factor:*
>> High
>>
>> *CVSS Base Score:*7.5
>> CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
>>
>> *See also:*
>> http://www.php.net/releases/5_2_0.php
>>
>> *Solution:*
>> Upgrade to PHP version 5.2.0 or later.
>>
>> *Plugin output:*
>> PHP version 5.1.6 appears to be running on the remote host based on
>> the following X-Powered-By response header : X-Powered-By: PHP/5.1.6
>>
>> *Plugin ID:*
>> 31649 <http://www.nessus.org/plugins/index.php?view=single&id=31649>
>>
>> *CVE: *
>> CVE-2006-5465
>>
>> *BID: *
>> 20879 <http://www.securityfocus.com/bid/20879>
>>
>> *Other references: *
>> OSVDB:30178, OSVDB:30179
>>
>> PHP 5 < 5.2.7 Multiple Vulnerabilities
>>
>> *Synopsis:*
>> The remote web server uses a version of PHP that is affected by
>> multiple flaws.
>>
>> *Description:*
>> According to its banner, the version of PHP installed on the remote
>> host is older than 5.2.7. Such versions may be affected by several
>> security issues : - File truncation can occur when calling
>> 'dba_replace()' with an invalid argument. - There is a buffer
>> overflow in the bundled PCRE library fixed by 7.8. (CVE-2008-2371) -
>> A buffer overflow in the 'imageloadfont()' function in 'ext/gd/gd.c'
>> can be triggered when a specially crafted font is given.
>> (CVE-2008-3658) - There is a buffer overflow in PHP's internal
>> function 'memnstr()', which is exposed to userspace as 'explode()'.
>> (CVE-2008-3659) - When used as a FastCGI module, PHP segfaults when
>> opening a file whose name contains two dots (eg, 'file..php').
>> (CVE-2008-3660) - Multiple directory traversal vulnerabilities in
>> functions such as 'posix_access()', 'chdir()', 'ftok()' may allow a
>> remote attacker to bypass 'safe_mode' restrictions. (CVE-2008-2665
>> and CVE-2008-2666). - A buffer overflow may be triggered when
>> processing long message headers in 'php_imap.c' due to use of an
>> obsolete API call. (CVE-2008-2829) - A heap-based buffer overflow may
>> be triggered via a call to 'mb_check_encoding()', part of the
>> 'mbstring' extension. (CVE-2008-5557) - Missing initialization of
>> 'BG(page_uid)' and 'BG(page_gid)' when PHP is used as an Apache
>> module may allow for bypassing security restriction due to SAPI
>> 'php_getuid()' overloading. (CVE-2008-5624) - Incorrect 'php_value'
>> order for Apache configuration may allow bypassing PHP's 'safe_mode'
>> setting. (CVE-2008-5625) - The ZipArchive:extractTo() method in the
>> ZipArchive extension fails to filter directory traversal sequences
>> from file names. (CVE-2008-5658)
>>
>> *Risk factor:*
>> High
>>
>> *CVSS Base Score:*7.5
>> CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
>>
>> *See also:*
>> http://securityreason.com/achievement_securityalert/57
>>
>> *See also:*
>> http://securityreason.com/achievement_securityalert/58
>>
>> *See also:*
>> http://securityreason.com/achievement_securityalert/59
>>
>> *See also:*
>> http://www.sektioneins.de/advisories/SE-2008-06.txt
>>
>> *See also:*
>> http://archives.neohapsis.com/archives/fulldisclosure/2008-06/0238.html
>>
>> *See also:*
>> http://archives.neohapsis.com/archives/fulldisclosure/2008-06/0239.html
>>
>> *See also:*
>> http://www.openwall.com/lists/oss-security/2008/08/08/2
>>
>> *See also:*
>> http://www.openwall.com/lists/oss-security/2008/08/13/8
>>
>> *See also:*
>> http://archives.neohapsis.com/archives/fulldisclosure/2008-11/0433.html
>>
>> *See also:*
>> http://archives.neohapsis.com/archives/fulldisclosure/2008-12/0089.html
>>
>> *See also:*
>> http://bugs.php.net/bug.php?id=42862
>>
>> *See also:*
>> http://bugs.php.net/bug.php?id=45151
>>
>> *See also:*
>> http://bugs.php.net/bug.php?id=45722
>>
>> *See also:*
>> http://www.php.net/releases/5_2_7.php
>>
>> *See also:*
>> http://www.php.net/ChageLog-5.php#5.2.7
>>
>> *Solution:*
>> Upgrade to PHP version 5.2.8 or later. Note that 5.2.7 was been
>> removed from distribution because of a regression in that version
>> that results in the 'magic_quotes_gpc' setting remaining off even if
>> it was set to on.
>>
>> *Plugin output:*
>> PHP version 5.1.6 appears to be running on the remote host based on
>> the following X-Powered-By response header : X-Powered-By: PHP/5.1.6
>>
>> *Plugin ID:*
>> 35043 <http://www.nessus.org/plugins/index.php?view=single&id=35043>
>>
>> *CVE: *
>> CVE-2008-2371, CVE-2008-2665, CVE-2008-2666, CVE-2008-2829,
>> CVE-2008-3658, CVE-2008-3659, CVE-2008-3660, CVE-2008-5557,
>> CVE-2008-5624, CVE-2008-5625, CVE-2008-5658
>>
>> *BID: *
>> 29796 <http://www.securityfocus.com/bid/29796>, 29797
>> <http://www.securityfocus.com/bid/29797>, 29829
>> <http://www.securityfocus.com/bid/29829>, 30087
>> <http://www.securityfocus.com/bid/30087>, 30649
>> <http://www.securityfocus.com/bid/30649>, 31612
>> <http://www.securityfocus.com/bid/31612>, 32383
>> <http://www.securityfocus.com/bid/32383>, 32625
>> <http://www.securityfocus.com/bid/32625>, 32688
>> <http://www.securityfocus.com/bid/32688>, 32948
>> <http://www.securityfocus.com/bid/32948>
>>
>> *Other references: *
>> OSVDB:46584, OSVDB:46638, OSVDB:46639, OSVDB:46641, OSVDB:46690,
>> OSVDB:47796, OSVDB:47797, OSVDB:47798, OSVDB:50480, OSVDB:51477,
>> OSVDB:52205, OSVDB:52206, OSVDB:52207
>>
>> PHP < 5.2.6 Multiple Vulnerabilities
>>
>> *Synopsis:*
>> The remote web server uses a version of PHP that is affected by
>> multiple flaws.
>>
>> *Description:*
>> According to its banner, the version of PHP installed on the remote
>> host is older than 5.2.6. Such versions may be affected by the
>> following issues : - A stack buffer overflow in FastCGI SAPI. - An
>> integer overflow in printf(). - An security issue arising from
>> improper calculation of the length of PATH_TRANSLATED in cgi_main.c.
>> - A safe_mode bypass in cURL. - Incomplete handling of multibyte
>> chars inside escapeshellcmd(). - Issues in the bundled PCRE fixed by
>> version 7.6.
>>
>> *Risk factor:*
>> High
>>
>> *CVSS Base Score:*7.5
>> CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
>>
>> *See also:*
>> http://archives.neohapsis.com/archives/bugtraq/2008-03/0321.html
>>
>> *See also:*
>> http://archives.neohapsis.com/archives/fulldisclosure/2008-05/0103.html
>>
>> *See also:*
>> http://archives.neohapsis.com/archives/fulldisclosure/2008-05/0107.html
>>
>> *See also:*
>> http://www.php.net/releases/5_2_6.php
>>
>> *Solution:*
>> Upgrade to PHP version 5.2.6 or later.
>>
>> *Plugin output:*
>> PHP version 5.1.6 appears to be running on the remote host based on
>> the following X-Powered-By response header : X-Powered-By: PHP/5.1.6
>>
>> *Plugin ID:*
>> 32123 <http://www.nessus.org/plugins/index.php?view=single&id=32123>
>>
>> *CVE: *
>> CVE-2007-4850, CVE-2008-0599, CVE-2008-1384, CVE-2008-2050, CVE-2008-2051
>>
>> *BID: *
>> 27413 <http://www.securityfocus.com/bid/27413>, 28392
>> <http://www.securityfocus.com/bid/28392>, 29009
>> <http://www.securityfocus.com/bid/29009>
>>
>> *Other references: *
>> OSVDB:43219, OSVDB:44057, OSVDB:44906, OSVDB:44907, OSVDB:44908,
>> Secunia:30048
>>
>> BRIAN M. DUNCAN
>> Data Security Administrator
>> Katten Muchin Rosenman LLP
>> 525 W. Monroe Street / Chicago, IL 60661-3693
>> p / (312) 577-8045 f / (312) 577-4490
>> brian.duncan at kattenlaw.com <mailto:brian.duncan at kattenlaw.com> /
>> www.kattenlaw.com <http://www.kattenlaw.com>
>>
>> ===========================================================
>> CIRCULAR 230 DISCLOSURE: Pursuant to Regulations Governing Practice Before the Internal Revenue
>> Service, any tax advice contained herein is not intended or written to be used and cannot be used
>> by a taxpayer for the purpose of avoiding tax penalties that may be imposed on the taxpayer.
>> ===========================================================
>> CONFIDENTIALITY NOTICE:
>> This electronic mail message and any attached files contain information intended for the exclusive
>> use of the individual or entity to whom it is addressed and may contain information that is
>> proprietary, privileged, confidential and/or exempt from disclosure under applicable law. If you
>> are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or
>> distribution of this information may be subject to legal restriction or sanction. Please notify
>> the sender, by electronic mail or telephone, of any unintended recipients and delete the original
>> message without making any copies.
>> ===========================================================
>> NOTIFICATION: Katten Muchin Rosenman LLP is an Illinois limited liability partnership that has
>> elected to be governed by the Illinois Uniform Partnership Act (1997).
>> ===========================================================
>>
>> _______________________________________________
>> ZendTo mailing list
>> ZendTo at zend.to <mailto:ZendTo at zend.to>
>> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
>
>
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
Jules
--
Julian Field MEng CITP CEng
www.Zend.To
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ecs.soton.ac.uk/pipermail/zendto/attachments/20100824/ff4b306c/attachment-0001.html
More information about the ZendTo
mailing list