[BlueOnyx:10456] Re: More PCI DSS Issues

Michael Stauber mstauber at blueonyx.it
Sun May 6 10:03:21 -05 2012 

Hi Richard,

> This one is on 5106R but has client hosted php 5.3.8 on the server php
> is 5.1.6
> 
> Description: vulnerable PHP version: 5.3.8 Severity: Area of Concern
> CVE: CVE-2011-4885
> <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4885> Impact:
> Remote attackers may be able to gain unauthorized access to the web
> server, cause a denial of serviceor information disclosure, or execute
> arbitrary code. Resolution PHP should be
> [http://www.php.net/downloads.php] upgraded to 5.2.17 or higher for
> 5.2.x, to 5.3.10 or higher for 5.3.x, and to a version higher than 6.0
> dev for 6.0.x when available. Note that the PHP project announced the
> end of support for PHP 5.2 with the release of
> [http://www.php.net/archive/2010.php#id2 010-12-16-1
> <http://www.php.net/archive/2010.php#id2010-12-16-1>] PHP 5.2.16 on 2010
> December 16. Although there was a
> [http://www.php.net/archive/2011.php#id2 011-01-06-1
> <http://www.php.net/archive/2011.php#id2011-01-06-1>] PHP 5.2.17 release
> to fix a critical problem on certain vulnerable platforms (CVE-2010-4645
> <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4645>), the
> PHP project encourages users of PHP 5.2 to upgrade to 5.3, and offers a
> [http://us.php.net/migration53] guide to migrating from 5.2 to 5.3.
> Vulnerability Details: Service: http Sent: GET  /scripts/ HTTP/1.0 Host:
> www.mydomain.com User-Agent: Mozilla/4.0 Received: X-Powered-By: PHP/5.3.8

Well, yes. PHP-5.3.8 is quite a bit behind. But the info texts your 
"vulnerability checker" dumps there is also outdated by recent events over at 
php.net. 

PHP-5.2 is EOL, so the advice to switch to PHP-5.2.17 is rather frivolous.

PHP 5.3.12 and PHP 5.4.2 have been released three days ago to fix a failed fix 
for a CGI related vulnerability that had been around for 7-8 years (it didn't 
apply to us as we were not using PHP as CGI).

So you should switch to PHP-5.3.12 soon if you use a third party PHP like 
mine.

-- 
With best regards

Michael Stauber

More information about the Blueonyx mailing list