[BlueOnyx:10457] Re: More PCI DSS Issues

Richard Barker rc at probass.com
Sun May 6 10:15:41 -05 2012


Ok someone needs to tell the CC companies, ETrust and 
https://www.securitymetrics.com/

RC

On 5/6/2012 11:03 AM, Michael Stauber wrote:
> Hi Richard,
>
>> This one is on 5106R but has client-hosted PHP 5.3.8; on the server PHP
>> is 5.1.6
>>
>> Description: vulnerable PHP version: 5.3.8 Severity: Area of Concern
>> CVE: CVE-2011-4885
>> <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4885>  Impact:
>> Remote attackers may be able to gain unauthorized access to the web
>> server, cause a denial of service or information disclosure, or execute
>> arbitrary code. Resolution: PHP should be
>> [http://www.php.net/downloads.php] upgraded to 5.2.17 or higher for
>> 5.2.x, to 5.3.10 or higher for 5.3.x, and to a version higher than 6.0
>> dev for 6.0.x when available. Note that the PHP project announced the
>> end of support for PHP 5.2 with the release of
>> [http://www.php.net/archive/2010.php#id2010-12-16-1] PHP 5.2.16 on 2010
>> December 16. Although there was a
>> [http://www.php.net/archive/2011.php#id2011-01-06-1] PHP 5.2.17 release
>> to fix a critical problem on certain vulnerable platforms (CVE-2010-4645
>> <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4645>), the
>> PHP project encourages users of PHP 5.2 to upgrade to 5.3, and offers a
>> [http://us.php.net/migration53] guide to migrating from 5.2 to 5.3.
>> Vulnerability Details: Service: http Sent: GET /scripts/ HTTP/1.0 Host:
>> www.mydomain.com User-Agent: Mozilla/4.0 Received: X-Powered-By: PHP/5.3.8
> Well, yes. PHP-5.3.8 is quite a bit behind. But the info texts your
> "vulnerability checker" dumps there are also outdated by recent events over at
> php.net.
>
> PHP-5.2 is EOL, so the advice to switch to PHP-5.2.17 is rather frivolous.
>
> PHP 5.3.12 and PHP 5.4.2 were released three days ago to fix a failed fix
> for a CGI-related vulnerability that had been around for 7-8 years (it didn't
> apply to us, as we were not using PHP as CGI).
>
> So you should switch to PHP-5.3.12 soon if you use a third party PHP like
> mine.
>

-- 
+---------------------------------------------+
  Richard C. Barker Sr.

+---------------------------------------------+
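The scanner finding above is driven entirely by the X-Powered-By banner. As an added example that is not part of the thread, the following script parses a raw response header block the way that scanner does and compares the version against the floors Michael names (5.3.12 and 5.4.2, with any 5.2.x treated as end-of-life); the sample responses are constructed.

```python
import re

# Lowest fixed release per branch, as stated in the thread: PHP 5.3.12 and
# 5.4.2 shipped the corrected CGI fix. Anything below the 5.3 branch is flagged
# outright because PHP 5.2 is end-of-life regardless of patch level.
MIN_FIXED = {(5, 3): (5, 3, 12), (5, 4): (5, 4, 2)}

# Matches the banner the scanner reported: "X-Powered-By: PHP/5.3.8"
POWERED_BY = re.compile(r"^X-Powered-By:\s*PHP/(\d+)\.(\d+)\.(\d+)", re.I | re.M)


def php_version(raw_headers: str):
    """Return (major, minor, patch) parsed from X-Powered-By, or None when the
    banner is missing (e.g. expose_php = Off) or names another engine."""
    m = POWERED_BY.search(raw_headers)
    return tuple(int(g) for g in m.groups()) if m else None


def assess(raw_headers: str) -> str:
    """Classify a raw HTTP response header block the way the PCI scanner did."""
    ver = php_version(raw_headers)
    if ver is None:
        # No banner: the version cannot be fingerprinted from headers, but
        # hiding the banner does not patch an old build; the check is just blind.
        return "NO_BANNER"
    branch = ver[:2]
    if branch < (5, 3):
        return "EOL_BRANCH"
    if branch not in MIN_FIXED:
        return "UNKNOWN_BRANCH"
    return "OUTDATED" if ver < MIN_FIXED[branch] else "OK"


# Constructed sample responses; the first mirrors the scanner's 'Received' line.
SAMPLES = {
    "flagged 5106R host": "HTTP/1.0 200 OK\r\nServer: Apache\r\nX-Powered-By: PHP/5.3.8\r\n\r\n",
    "after upgrade": "HTTP/1.0 200 OK\r\nX-Powered-By: PHP/5.3.12\r\n\r\n",
    "stock 5.1.6": "HTTP/1.0 200 OK\r\nX-Powered-By: PHP/5.1.6\r\n\r\n",
    "banner hidden": "HTTP/1.0 200 OK\r\nServer: Apache\r\n\r\n",
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:20s} -> {assess(hdrs)}")
```

Feed it the header block from `curl -sI` against your own vhost; a NO_BANNER result means the scanner cannot see the version, not that the build is current.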