<html><body bgcolor="#FFFFFF"><div><br>RedHat and hence CentOS back port security fixes, so the version number is a poor indicator of security holes.</div><div><br>-- <div>Jules</div></div><div><br>On 18 Aug 2010, at 07:47 PM, "Duncan, Brian M." <<a href="mailto:brian.duncan@kattenlaw.com">brian.duncan@kattenlaw.com</a>> wrote:<br><br></div><div><span></span></div><blockquote type="cite"><div>
<div dir="ltr" align="left"><font face="Arial" color="#0000ff" size="2"><span class="823452818-18082010">I've always shied away from using PHP with apache on
externally facing web sites in the past due to always seeing a constant
flow of new vulnerabilities.</span></font></div>
<div><font face="Arial" color="#0000ff" size="2"></font> </div>
<div><span class="823452818-18082010"><font face="Arial" color="#0000ff" size="2">Does
anyone know if the version of PHP that is current according to CentOS
safe?</font></span></div>
<div><span class="823452818-18082010"><font face="Arial" color="#0000ff" size="2"></font></span> </div>
<div><span class="823452818-18082010"><font face="Arial" color="#0000ff" size="2">I ran
a Nessus scan against my Zendto box and it is listing 6 "HIGH" security
risks so far that are supposedly tied to PHP version. I just noticed they
all refer so far to using PHP 5.2.5 or later. Not sure if any of these are
false positives yet.</font></span></div>
<div><span class="823452818-18082010"><font face="Arial" color="#0000ff" size="2"></font></span> </div>
<div><span class="823452818-18082010"><font face="Arial" color="#0000ff" size="2"></font></span> </div>
<div><span class="823452818-18082010"><font face="Arial" color="#0000ff" size="2">Here
is some of the Nessus "HIGH" security scan listed output for any
interested:</font></span></div>
<div><span class="823452818-18082010"><font face="Arial" color="#0000ff" size="2"></font></span> </div>
<div><span class="823452818-18082010"><font face="Arial" color="#0000ff" size="2"></font></span> </div>
<div><span class="823452818-18082010"><font face="Arial" color="#0000ff" size="2"></font></span> </div>
<div><span class="823452818-18082010">
<table cellspacing="0" cellpadding="2" width="70%" align="center" border="0">
<tbody>
<tr class="plugin_sev_high">
<td class="plugin_label" align="left">PHP < 5.2.5 Multiple
Vulnerabilities</td></tr>
<tr class="info_bg">
<td class="info_text" colspan="2">
<div class="plugin_output"><br><b>Synopsis:</b><br>The remote web server
uses a version of PHP that is affected by multiple
flaws.<br><br><b>Description:</b><br>According to its banner, the version
of PHP installed on the remote host is older than 5.2.5. Such versions may
be affected by various issues, including but not limited to several buffer
overflows.<br><br><b>Risk factor:</b><br>High<br><br><b>CVSS Base
Score:</b>7.5<br>CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P<br><br><b>See
also:</b><br><a href="http://www.php.net/releases/5_2_5.php">http://www.php.net/releases/5_2_5.php</a><br><br><b>Solution:</b><br>Upgrade
to PHP version 5.2.5 or later.<br><br><b>Plugin output:</b><br>PHP version
5.1.6 appears to be running on the remote host based on the following
X-Powered-By response header : X-Powered-By: PHP/5.1.6 <br><br><b>Plugin
ID:</b><br><a href="http://www.nessus.org/plugins/index.php?view=single&id=28181">28181</a><br><br><b>CVE:
</b><br>CVE-2007-4887, CVE-2007-5898, CVE-2007-5900<br><br><b>BID:
</b><br><a href="http://www.securityfocus.com/bid/26403">26403</a><br><br><b>Other
references: </b><br>OSVDB:38680, OSVDB:38681, OSVDB:38682, OSVDB:38683,
OSVDB:38684, OSVDB:38685</div></td></tr></tbody></table>
<div class="divider"></div><font face="Arial" color="#0000ff" size="2"></font>
<table cellspacing="0" cellpadding="2" width="70%" align="center" border="0">
<tbody>
<tr class="plugin_sev_high">
<td class="plugin_label" align="left">PHP < 5.2.1 Multiple
Vulnerabilities</td></tr>
<tr class="info_bg">
<td class="info_text" colspan="2">
<div class="plugin_output"><br><b>Synopsis:</b><br>The remote web server
uses a version of PHP that is affected by multiple
flaws.<br><br><b>Description:</b><br>According to its banner, the version
of PHP installed on the remote host is older than 5.2.1. Such versions may
be affected by several issues, including buffer overflows, format string
vulnerabilities, arbitrary code execution, 'safe_mode' and 'open_basedir'
bypasses, and clobbering of super-globals.<br><br><b>Risk
factor:</b><br>High<br><br><b>CVSS Base
Score:</b>7.5<br>CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P<br><br><b>See
also:</b><br><a href="http://www.php.net/releases/5_2_1.php">http://www.php.net/releases/5_2_1.php</a><br><br><b>Solution:</b><br>Upgrade
to PHP version 5.2.1 or later.<br><br><b>Plugin output:</b><br>PHP version
5.1.6 appears to be running on the remote host based on the following
X-Powered-By response header : X-Powered-By: PHP/5.1.6 <br><br><b>Plugin
ID:</b><br><a href="http://www.nessus.org/plugins/index.php?view=single&id=24907">24907</a><br><br><b>CVE:
</b><br>CVE-2006-6383, CVE-2007-0905, CVE-2007-0906, CVE-2007-0907,
CVE-2007-0908, CVE-2007-0909, CVE-2007-0910, CVE-2007-1376, CVE-2007-1380,
CVE-2007-1453, CVE-2007-1700, CVE-2007-1701, CVE-2007-1824, CVE-2007-1825,
CVE-2007-1884, CVE-2007-1885, CVE-2007-1886, CVE-2007-1887,
CVE-2007-1890<br><br><b>BID: </b><br><a href="http://www.securityfocus.com/bid/21508">21508</a>, <a href="http://www.securityfocus.com/bid/22496">22496</a>, <a href="http://www.securityfocus.com/bid/22805">22805</a>, <a href="http://www.securityfocus.com/bid/22806">22806</a>, <a href="http://www.securityfocus.com/bid/22862">22862</a>, <a href="http://www.securityfocus.com/bid/22922">22922</a>, <a href="http://www.securityfocus.com/bid/23119">23119</a>, <a href="http://www.securityfocus.com/bid/23120">23120</a>, <a href="http://www.securityfocus.com/bid/23219">23219</a>, <a href="http://www.securityfocus.com/bid/23233">23233</a>, <a href="http://www.securityfocus.com/bid/23234">23234</a>, <a href="http://www.securityfocus.com/bid/23235">23235</a>, <a href="http://www.securityfocus.com/bid/23236">23236</a>, <a href="http://www.securityfocus.com/bid/23237">23237</a>, <a href="http://www.securityfocus.com/bid/23238">23238</a><br><br><b>Other
references: </b><br>OSVDB:32763, OSVDB:32764, OSVDB:32765, OSVDB:32766,
OSVDB:32767, OSVDB:32768, OSVDB:32776, OSVDB:32781, OSVDB:33269,
OSVDB:33933, OSVDB:33944, OSVDB:33945, OSVDB:33955, OSVDB:33957,
OSVDB:33958, OSVDB:33959, OSVDB:33960,
OSVDB:34767</div></td></tr></tbody></table>
<div class="divider"></div><font face="Arial" color="#0000ff" size="2"></font>
<table cellspacing="0" cellpadding="2" width="70%" align="center" border="0">
<tbody>
<tr class="plugin_sev_high">
<td class="plugin_label" align="left">PHP < 5.2.4 Multiple
Vulnerabilities</td></tr>
<tr class="info_bg">
<td class="info_text" colspan="2">
<div class="plugin_output"><font face="Arial" color="#0000ff" size="2"></font><br><b>Synopsis:</b><br>The remote web server uses a version
of PHP that is affected by multiple
flaws.<br><br><b>Description:</b><br>According to its banner, the version
of PHP installed on the remote host is older than 5.2.4. Such versions may
be affected by various issues, including but not limited to several
overflows.<br><br><b>Risk factor:</b><br>High<br><br><b>CVSS Base
Score:</b>7.5<br>CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P<br><br><b>See
also:</b><br><a href="http://www.php.net/releases/5_2_4.php">http://www.php.net/releases/5_2_4.php</a><br><br><b>Solution:</b><br>Upgrade
to PHP version 5.2.4 or later.<br><br><b>Plugin output:</b><br>PHP version
5.1.6 appears to be running on the remote host based on the following
X-Powered-By response header : X-Powered-By: PHP/5.1.6 <br><br><b>Plugin
ID:</b><br><a href="http://www.nessus.org/plugins/index.php?view=single&id=25971">25971</a><br><br><b>CVE:
</b><br>CVE-2007-2872, CVE-2007-3378, CVE-2007-3806<br><br><b>BID:
</b><br><a href="http://www.securityfocus.com/bid/24661">24661</a>, <a href="http://www.securityfocus.com/bid/24261">24261</a>, <a href="http://www.securityfocus.com/bid/24922">24922</a>, <a href="http://www.securityfocus.com/bid/25498">25498</a><br><br><b>Other
references: </b><br>OSVDB:36083, OSVDB:36085,
OSVDB:36869</div></td></tr></tbody></table>
<div class="divider"></div><font face="Arial" color="#0000ff" size="2"></font>
<table cellspacing="0" cellpadding="2" width="70%" align="center" border="0">
<tbody>
<tr class="plugin_sev_high">
<td class="plugin_label" align="left">PHP < 5.2 Multiple
Vulnerabilities</td></tr>
<tr class="info_bg">
<td class="info_text" colspan="2">
<div class="plugin_output"><br><b>Synopsis:</b><br>The remote web server
uses a version of PHP that is affected by multiple buffer
overflows.<br><br><b>Description:</b><br>According to its banner, the
version of PHP installed on the remote host is older than 5.2. Such
versions may be affected by several buffer overflows. To exploit these
issues, an attacker would need the ability to upload an arbitrary PHP
script on the remote server, or to be able to manipulate several variables
processed by some PHP functions such as htmlentities().<br><br><b>Risk
factor:</b><br>High<br><br><b>CVSS Base
Score:</b>7.5<br>CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P<br><br><b>See
also:</b><br><a href="http://www.php.net/releases/5_2_0.php">http://www.php.net/releases/5_2_0.php</a><br><br><b>Solution:</b><br>Upgrade
to PHP version 5.2.0 or later.<br><br><b>Plugin output:</b><br>PHP version
5.1.6 appears to be running on the remote host based on the following
X-Powered-By response header : X-Powered-By: PHP/5.1.6 <br><br><b>Plugin
ID:</b><br><a href="http://www.nessus.org/plugins/index.php?view=single&id=31649">31649</a><br><br><b>CVE:
</b><br>CVE-2006-5465<br><br><b>BID: </b><br><a href="http://www.securityfocus.com/bid/20879">20879</a><br><br><b>Other
references: </b><br>OSVDB:30178, OSVDB:30179</div></td></tr></tbody></table>
<div class="divider"></div><font face="Arial" color="#0000ff" size="2"></font>
<table cellspacing="0" cellpadding="2" width="70%" align="center" border="0">
<tbody>
<tr class="plugin_sev_high">
<td class="plugin_label" align="left">PHP 5 < 5.2.7 Multiple
Vulnerabilities</td></tr>
<tr class="info_bg">
<td class="info_text" colspan="2">
<div class="plugin_output"><br><b>Synopsis:</b><br>The remote web server
uses a version of PHP that is affected by multiple
flaws.<br><br><b>Description:</b><br>According to its banner, the version
of PHP installed on the remote host is older than 5.2.7. Such versions may
be affected by several security issues : - File truncation can occur when
calling 'dba_replace()' with an invalid argument. - There is a buffer
overflow in the bundled PCRE library fixed by 7.8. (CVE-2008-2371) - A
buffer overflow in the 'imageloadfont()' function in 'ext/gd/gd.c' can be
triggered when a specially crafted font is given. (CVE-2008-3658) - There
is a buffer overflow in PHP's internal function 'memnstr()', which is
exposed to userspace as 'explode()'. (CVE-2008-3659) - When used as a
FastCGI module, PHP segfaults when opening a file whose name contains two
dots (eg, 'file..php'). (CVE-2008-3660) - Multiple directory traversal
vulnerabilities in functions such as 'posix_access()', 'chdir()', 'ftok()'
may allow a remote attacker to bypass 'safe_mode' restrictions.
(CVE-2008-2665 and CVE-2008-2666). - A buffer overflow may be triggered
when processing long message headers in 'php_imap.c' due to use of an
obsolete API call. (CVE-2008-2829) - A heap-based buffer overflow may be
triggered via a call to 'mb_check_encoding()', part of the 'mbstring'
extension. (CVE-2008-5557) - Missing initialization of 'BG(page_uid)' and
'BG(page_gid)' when PHP is used as an Apache module may allow for
bypassing security restriction due to SAPI 'php_getuid()' overloading.
(CVE-2008-5624) - Incorrect 'php_value' order for Apache configuration may
allow bypassing PHP's 'safe_mode' setting. (CVE-2008-5625) - The
ZipArchive:extractTo() method in the ZipArchive extension fails to filter
directory traversal sequences from file names.
(CVE-2008-5658)<br><br><b>Risk factor:</b><br>High<br><br><b>CVSS Base
Score:</b>7.5<br>CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P<br><br><b>See
also:</b><br><a href="http://securityreason.com/achievement_securityalert/57">http://securityreason.com/achievement_securityalert/57</a><br><br><b>See
also:</b><br>http://securityreason.com/achievement_securityalert/58<br><br><b>See
also:</b><br>http://securityreason.com/achievement_securityalert/59<br><br><b>See
also:</b><br>http://www.sektioneins.de/advisories/SE-2008-06.txt<br><br><b>See
also:</b><br>http://archives.neohapsis.com/archives/fulldisclosure/2008-06/0238.html<br><br><b>See
also:</b><br>http://archives.neohapsis.com/archives/fulldisclosure/2008-06/0239.html<br><br><b>See
also:</b><br>http://www.openwall.com/lists/oss-security/2008/08/08/2<br><br><b>See
also:</b><br>http://www.openwall.com/lists/oss-security/2008/08/13/8<br><br><b>See
also:</b><br>http://archives.neohapsis.com/archives/fulldisclosure/2008-11/0433.html<br><br><b>See
also:</b><br>http://archives.neohapsis.com/archives/fulldisclosure/2008-12/0089.html<br><br><b>See
also:</b><br>http://bugs.php.net/bug.php?id=42862<br><br><b>See
also:</b><br>http://bugs.php.net/bug.php?id=45151<br><br><b>See
also:</b><br>http://bugs.php.net/bug.php?id=45722<br><br><b>See
also:</b><br>http://www.php.net/releases/5_2_7.php<br><br><b>See
also:</b><br>http://www.php.net/ChageLog-5.php#5.2.7<br><br><b>Solution:</b><br>Upgrade
to PHP version 5.2.8 or later. Note that 5.2.7 was been removed from
distribution because of a regression in that version that results in the
'magic_quotes_gpc' setting remaining off even if it was set to
on.<br><br><b>Plugin output:</b><br>PHP version 5.1.6 appears to be
running on the remote host based on the following X-Powered-By response
header : X-Powered-By: PHP/5.1.6 <br><br><b>Plugin ID:</b><br><a href="http://www.nessus.org/plugins/index.php?view=single&id=35043">35043</a><br><br><b>CVE:
</b><br>CVE-2008-2371, CVE-2008-2665, CVE-2008-2666, CVE-2008-2829,
CVE-2008-3658, CVE-2008-3659, CVE-2008-3660, CVE-2008-5557, CVE-2008-5624,
CVE-2008-5625, CVE-2008-5658<br><br><b>BID: </b><br><a href="http://www.securityfocus.com/bid/29796">29796</a>, <a href="http://www.securityfocus.com/bid/29797">29797</a>, <a href="http://www.securityfocus.com/bid/29829">29829</a>, <a href="http://www.securityfocus.com/bid/30087">30087</a>, <a href="http://www.securityfocus.com/bid/30649">30649</a>, <a href="http://www.securityfocus.com/bid/31612">31612</a>, <a href="http://www.securityfocus.com/bid/32383">32383</a>, <a href="http://www.securityfocus.com/bid/32625">32625</a>, <a href="http://www.securityfocus.com/bid/32688">32688</a>, <a href="http://www.securityfocus.com/bid/32948">32948</a><br><br><b>Other
references: </b><br>OSVDB:46584, OSVDB:46638, OSVDB:46639, OSVDB:46641,
OSVDB:46690, OSVDB:47796, OSVDB:47797, OSVDB:47798, OSVDB:50480,
OSVDB:51477, OSVDB:52205, OSVDB:52206,
OSVDB:52207</div></td></tr></tbody></table>
<div class="divider"></div><font face="Arial" color="#0000ff" size="2"></font><font face="Arial" color="#0000ff" size="2"></font><font face="Arial" color="#0000ff" size="2"></font>
<table cellspacing="0" cellpadding="2" width="70%" align="center" border="0">
<tbody>
<tr class="plugin_sev_high">
<td class="plugin_label" align="left">PHP < 5.2.6 Multiple
Vulnerabilities</td></tr>
<tr class="info_bg">
<td class="info_text" colspan="2">
<div class="plugin_output"><br><b>Synopsis:</b><br>The remote web server
uses a version of PHP that is affected by multiple
flaws.<br><br><b>Description:</b><br>According to its banner, the version
of PHP installed on the remote host is older than 5.2.6. Such versions may
be affected by the following issues : - A stack buffer overflow in FastCGI
SAPI. - An integer overflow in printf(). - An security issue arising from
improper calculation of the length of PATH_TRANSLATED in cgi_main.c. - A
safe_mode bypass in cURL. - Incomplete handling of multibyte chars inside
escapeshellcmd(). - Issues in the bundled PCRE fixed by version
7.6.<br><br><b>Risk factor:</b><br>High<br><br><b>CVSS Base
Score:</b>7.5<br>CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P<br><br><b>See
also:</b><br><a href="http://archives.neohapsis.com/archives/bugtraq/2008-03/0321.html">http://archives.neohapsis.com/archives/bugtraq/2008-03/0321.html</a><br><br><b>See
also:</b><br>http://archives.neohapsis.com/archives/fulldisclosure/2008-05/0103.html<br><br><b>See
also:</b><br>http://archives.neohapsis.com/archives/fulldisclosure/2008-05/0107.html<br><br><b>See
also:</b><br>http://www.php.net/releases/5_2_6.php<br><br><b>Solution:</b><br>Upgrade
to PHP version 5.2.6 or later.<br><br><b>Plugin output:</b><br>PHP version
5.1.6 appears to be running on the remote host based on the following
X-Powered-By response header : X-Powered-By: PHP/5.1.6 <br><br><b>Plugin
ID:</b><br><a href="http://www.nessus.org/plugins/index.php?view=single&id=32123">32123</a><br><br><b>CVE:
</b><br>CVE-2007-4850, CVE-2008-0599, CVE-2008-1384, CVE-2008-2050,
CVE-2008-2051<br><br><b>BID: </b><br><a href="http://www.securityfocus.com/bid/27413">27413</a>, <a href="http://www.securityfocus.com/bid/28392">28392</a>, <a href="http://www.securityfocus.com/bid/29009">29009</a><br><br><b>Other
references: </b><br>OSVDB:43219, OSVDB:44057, OSVDB:44906, OSVDB:44907,
OSVDB:44908, Secunia:30048</div></td></tr></tbody></table></span></div>
<div><span class="823452818-18082010"><font face="Arial" color="#0000ff" size="2"></font></span> </div><!-- Converted from text/plain format -->
<p><font size="2">BRIAN M. DUNCAN<br>Data Security Administrator<br>Katten Muchin
Rosenman LLP<br>525 W. Monroe Street / Chicago, IL 60661-3693<br>p / (312)
577-8045 f / (312) 577-4490<br><a href="mailto:brian.duncan@kattenlaw.com">brian.duncan@kattenlaw.com</a> /
<a href="http://www.kattenlaw.com"><a href="http://www.kattenlaw.com">www.kattenlaw.com</a></a><br></font></p>
<div class="moz-signature">
<center><font face="Arial" color="#0000ff" size="2"></font> </center></div>
<table><tbody><tr><td bgcolor="#ffffff"><font color="#000000"><pre>===========================================================
CIRCULAR 230 DISCLOSURE: Pursuant to Regulations Governing Practice Before the Internal Revenue
Service, any tax advice contained herein is not intended or written to be used and cannot be used
by a taxpayer for the purpose of avoiding tax penalties that may be imposed on the taxpayer.
===========================================================
CONFIDENTIALITY NOTICE:
This electronic mail message and any attached files contain information intended for the exclusive
use of the individual or entity to whom it is addressed and may contain information that is
proprietary, privileged, confidential and/or exempt from disclosure under applicable law. If you
are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or
distribution of this information may be subject to legal restriction or sanction. Please notify
the sender, by electronic mail or telephone, of any unintended recipients and delete the original
message without making any copies.
===========================================================
NOTIFICATION: Katten Muchin Rosenman LLP is an Illinois limited liability partnership that has
elected to be governed by the Illinois Uniform Partnership Act (1997).
===========================================================</pre></font></td></tr></tbody></table>
</div><div><span>_______________________________________________</span><br><span>ZendTo mailing list</span><br><span><a href="mailto:ZendTo@zend.to">ZendTo@zend.to</a></span><br><span><a href="http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto">http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto</a></span></div></blockquote></body></html>