Thread: PHP-Version (Allgemein forum, Plesk-Forum section)
PHP-Version
Hello experts,
my Strato V-Server with Ubuntu 8.04 LTS
and Plesk 9.2.3 actually runs quite properly so far.
However, the Strato security scan regularly reports critical vulnerabilities caused by PHP.
Plesk shows the following version: 5.2.4-2ubuntu5.7
All updates are installed; what am I doing wrong?
Günter -
Re: PHP-Version Which vulnerabilities are reported? -
Re: PHP-Version Hello harv,
thanks for your support:
Here is the log, trimmed to the 9 entries with risk: high
Regards Günter
PHP Interruptions and Calltime Arbitrary Code Execution Vulnerability [ Web application abuses ] Risk: high
Port: 80
Overview:
PHP is prone to a vulnerability that an attacker could exploit to
execute arbitrary code with the privileges of the user running the
affected application. Successful exploits will compromise the
application and possibly the computer.
References: http://www.securityfocus.com/bid/35867 http://www.php.net http://www.blackhat.com/presentations/b ... -PAPER.pdf
Risk factor : High
BID : 35867
PHP Security Bypass and File Writing Vulnerability - Dec08 [ Web application abuses ] Risk: high
Port: 80
Overview: The host is running PHP and is prone to Security Bypass and File
Writing vulnerability.
Vulnerability Insight:
The flaw is caused by:
- An error in the initialization of the 'page_uid' and 'page_gid' global variables
used by the SAPI 'php_getuid' function, which bypasses the safe_mode
restrictions.
- 'safe_mode' being enabled through a 'php_admin_flag' setting in the
'httpd.conf' file, which does not enforce the 'error_log' and 'safe_mode'
restrictions.
- In 'ZipArchive::extractTo' function which allows attacker to write files
via a ZIP file.
Impact:
Successful exploitation could allow remote attackers to write arbitrary files,
bypass security restrictions and carry out directory traversal attacks.
Impact Level: System/Application
Affected Software/OS:
PHP versions prior to 5.2.7.
Fix: Upgrade to version 5.2.7 or later http://www.php.net/downloads.php
References: http://www.php.net/ChangeLog-5.php#5.2.7 http://www.php.net/archive/2008.php#id2008-12-07-1 http://www.securityfocus.com/archive/1/ ... 0/threaded
CVSS Score:
CVSS Base Score : 7.5 (AV:N/AC:L/Au:NR/C:P/I:P/A:P)
CVSS Temporal Score : 5.9
Risk factor: High
CVE : CVE-2008-5624, CVE-2008-5625, CVE-2008-5658
BID : 32383, 32625, 32688
Apache mod_proxy_ftp Module Command Injection Vulnerability (Linux) [ General ] Risk: high
Port: 80
Overview: The host is running Apache and is prone to Command Injection
vulnerability.
Vulnerability Insight:
The flaw is due to error in the mod_proxy_ftp module which can be exploited
via vectors related to the embedding of these commands in the Authorization
HTTP header.
Impact:
Successful exploitation could allow remote attackers to bypass intended access
restrictions in the context of the affected application and inject
arbitrary commands.
Impact Level: Application
Affected Software/OS:
Apache HTTP Server on Linux.
Fix:
No solution or patch is available as on 15th September, 2009. Information
regarding this issue will be updated once the solution details are available.
For updates refer, http://www.apache.org/
References: http://intevydis.com/vd-list.shtml http://httpd.apache.org/docs/2.0/mod/mod_proxy_ftp.html
CVSS Score:
CVSS Base Score : 7.5 (AV:N/AC:L/Au:NR/C:P/I:P/A:P)
CVSS Temporal Score : 6.7
Risk factor: High
CVE : CVE-2009-3095
BID : 36254
PHP Multiple Vulnerabilities - Sep09 [ General ] Risk: high
Port: 80
Overview: This host is running PHP and is prone to multiple vulnerabilities.
Vulnerability Insight:
- An error in 'php_openssl_apply_verification_policy' function that does not
properly perform certificate validation.
- An input validation error exists in the processing of 'exif' data.
- An unspecified error exists related to the sanity check for the color index
in the 'imagecolortransparent' function.
Impact:
Successful exploitation lets attackers spoof certificates and can
have unknown impacts in the context of the web application.
Impact Level: Application
Affected Software/OS:
PHP version prior to 5.2.11
Fix: Upgrade to version 5.2.11 or later http://www.php.net/downloads.php
References: http://secunia.com/advisories/36791 http://www.php.net/releases/5_2_11.php http://www.php.net/ChangeLog-5.php#5.2.11 http://www.openwall.com/lists/oss-security/2009/09/20/1
CVSS Score:
CVSS Base Score : 7.5 (AV:N/AC:L/Au:NR/C:P/I:P/A:P)
CVSS Temporal Score : 5.5
Risk factor: High
CVE : CVE-2009-3291, CVE-2009-3292, CVE-2009-3293
BID : 36449
MySQL Empty Bit-String Literal Denial of Service Vulnerability [ Denial of Service ] Risk: high
Port: 3306
Overview : This host is running MySQL, which is prone to Denial of Service
Vulnerability.
Vulnerability Insight :
The issue is due to an error while processing an empty bit-string literal in
a specially crafted SQL statement.
Impact : Successful exploitation by remote attackers could deny access to
legitimate users.
Impact Level : Application
Affected Software/OS :
MySQL 5.0.x prior to 5.0.66,
5.1.x prior to 5.1.26, and
6.0.x prior to 6.0.6 on all platforms.
Fix : Update to version 5.0.66 or 5.1.26 or 6.0.6 or later. http://dev.mysql.com/downloads/
References : http://secunia.com/advisories/31769/ http://bugs.mysql.com/bug.php?id=35658 http://dev.mysql.com/doc/refman/5.1/en/news-5-1-26.html
CVSS Score :
CVSS Base Score : 7.1 (AV:N/AC:M/Au:NR/C:N/I:N/A:C)
CVSS Temporal Score : 5.6
Risk factor : High
CVE : CVE-2008-3963
BID : 31081
MySQL sql_parse.cc Multiple Format String Vulnerabilities [ Denial of Service ] Risk: high
Port: 3306
Overview: The host is running MySQL and is prone to Multiple Format String
vulnerabilities.
Vulnerability Insight:
The flaws are due to an error in the 'dispatch_command' function in sql_parse.cc
in libmysqld/, which can be triggered via format string specifiers in a database name
in a 'COM_CREATE_DB' or 'COM_DROP_DB' request.
Impact:
Successful exploitation could allow remote authenticated users to cause a Denial
of Service and possibly carry out unspecified other attacks.
Impact Level: Application
Affected Software/OS:
MySQL version 4.0.0 to 5.0.83 on all running platform.
Fix: Upgrade to MySQL version 5.1.36 or later http://dev.mysql.com/downloads
References: http://www.osvdb.org/55734 http://secunia.com/advisories/35767 http://xforce.iss.net/xforce/xfdb/51614 http://www.securityfocus.com/archive/1/ ... 0/threaded
CVSS Score:
CVSS Base Score : 8.5 (AV:N/AC:M/Au:SI/C:C/I:C/A:C)
CVSS Temporal Score : 6.7
Risk factor: High
CVE : CVE-2009-2446
BID : 35609
Multiple Vulnerabilities in PHP August-08 [ Misc. ] Risk: high
Port: 80
Overview: The host has PHP installed, which is prone to multiple
vulnerabilities.
Vulnerability Insight:
The flaws are caused by,
- an unspecified stack overflow error in FastCGI SAPI (fastcgi.c).
- an error during path translation in cgi_main.c.
- an error with an unknown impact/attack vectors.
- an unspecified error within the processing of incomplete multibyte
characters in escapeshellcmd() API function.
- error in curl/interface.c in the cURL library(libcurl), which could be
exploited by attackers to bypass safe_mode security restrictions.
- an error in PCRE. i.e buffer overflow error when handling a character class
containing a very large number of characters with codepoints greater than
255(UTF-8 mode).
Impact:
Successful exploitation could result in remote arbitrary code execution,
security restrictions bypass, access to restricted files, denial of service.
Impact Level: System
Affected Software/OS:
PHP version prior to 5.2.6
Fix:
Upgrade to PHP version 5.2.6 or above, http://www.php.net/downloads.php
References: http://pcre.org/changelog.txt http://www.php.net/ChangeLog-5.php http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0176 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0178 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0086
CVSS Score:
CVSS Base Score : 9.0 (AV:N/AC:L/Au:NR/C:P/I:P/A:C)
CVSS Temporal Score : 7.0
Risk factor : High
CVE : CVE-2008-2050, CVE-2008-2051, CVE-2007-4850, CVE-2008-0599, CVE-2008-0674
BID : 29009, 27413, 27786
Other references : CB-A:08-0118
Heap-based buffer overflow in mbstring extension for PHP [ Buffer overflow ] Risk: high
Port: 80
Overview: The host is running PHP and is prone to Buffer Overflow
vulnerability.
Vulnerability Insight:
The flaw is caused by an error in the mbfilter_htmlent.c file of the mbstring
extension. It can be exploited via the mb_convert_encoding, mb_check_encoding,
mb_convert_variables and mb_parse_str functions.
Impact:
Successful exploitation could allow attackers to execute arbitrary code via
a crafted string containing an HTML entity.
Impact Level: Application
Affected Software/OS:
PHP version 4.3.0 to 5.2.6 on all running platform.
Fix: Upgrade to version 5.2.7 or later, http://www.php.net/downloads.php
References: http://bugs.php.net/bug.php?id=45722 http://archives.neohapsis.com/archives/ ... /0477.html
CVSS Score:
CVSS Base Score : 10.0 (AV:N/AC:L/Au:NR/C:C/I:C/A:C)
CVSS Temporal Score : 7.4
Risk factor: High
CVE : CVE-2008-5557
BID : 32948
MySQL 5.x Unspecified Buffer Overflow Vulnerability [ Databases ] Risk: high
Port: 3306
Overview:
MySQL is prone to a buffer-overflow vulnerability because it fails to
perform adequate boundary checks on user-supplied data.
An attacker can leverage this issue to execute arbitrary code within
the context of the vulnerable application. Failed exploit attempts
will result in a denial-of-service condition.
This issue affects MySQL 5.x; other versions may also be vulnerable.
References: http://www.securityfocus.com/bid/36242 http://www.mysql.com/ http://intevydis.com/company.shtml
Risk factor : High
BID : 36242 -
Re: PHP-Version Without having really read through all of it, I would suggest that you update your PHP version.
Possibly the risks will be gone after that. -
Re: PHP-Version Why doesn't Plesk do that then?
or
apt-get update
apt-get upgrade
apt-get dist-upgrade
Regards Günter -
Re: PHP-Version Because Plesk only updates itself.
I agree with Fr33z3m4n, so run once
Code: apt-get update
apt-get upgrade
and possibly afterwards also once
Code: apt-get dist-upgrade
but in combination with Plesk that has to be handled with care; you may have to reinstall Plesk over it afterwards. -
Re: PHP-Version Hello harv,
I suggested apt-get myself ;-)
Unfortunately it doesn't help at all.
Could it be that Ubuntu cooks its own PHP soup and assigns its own version numbers?
Regards Günter -
Re: PHP-Version
> I suggested apt-get myself ;-)
Yes, I know; I just wanted to point out the problem with the dist-upgrade.
> Could it be that Ubuntu cooks its own PHP soup and assigns its own version numbers?
No, the version numbers are right; the only question is whether there is already a newer package for Ubuntu, otherwise you have to build it yourself. Which sources do you have in apt-get? -