Jump to content

Medium Level Vulnerability On Certain Versions Of Php


chuvadenovembro

Recommended Posts

Acabei de receber da WiredTree
 

We are contacting you regarding a medium level PHP vulnerability (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6420) that impacts certain PHP versions:

* All versions of PHP 5.2.x.
* All versions of PHP 5.3 before 5.3.28.
* All versions of PHP 5.4 before 5.4.23.
* All versions of PHP 5.5 before 5.5.7.

This vulnerability may cause a PHP applications that uses the PHP openssl_x509_parse() function to parse a malicious x509 certificate which and trigger a memory corruption that might result in an arbitrary user level code execution. This means that if any of your cPanel user's PHP scripts connect outbound to third party sites via SSL (HTTPS) you most likely want to consider upgrading your PHP to the most current versions within EasyApache. The rare case that one of your trusted third party sites, of which your PHP scripts are programmed to connect to, is compromised and it starts providing a malicious x509 certificate, this would open up your server to this specific vulnerability.

cPanel, Inc. has released EasyApache 3.22.25 with PHP versions 5.3.28, 5.4.23, and 5.5.7. This release addresses CVE-2013-6420 by fixing bugs in the PHP OpenSSL module.

You can verify your PHP version and upgrade your server at your convenience by following the following steps:

1) Log into your server's WHM as the root user.
2) Go to Home > Software > EasyApache (Apache Update)
3) Click "Start customizing based on profile"
4) Keep your Apache version the same and click "Next Step".
5) Select 5.3.28, 5.4.23, or 5.5.7 as your PHP version and click "Next Step" (PHP 5.4.23 is considered most stable current by cPanel)
6) Scroll to the bottom of the Short Options List and click "Save and Build"

EasyApache will then build your server with the selected PHP version. This process takes ~30 to 40 minutes. WiredTree does not pro-actively upgrade Apache/LSWS, PHP or MySQL on your server due to compatibility issues without prior customer consent as we don't want to break important sites when changing versions on these services.

If you have LiteSpeed WebServer or an older PHP version please see the below sections.

LiteSpeed WebServer: If you have LiteSpeed WebServer it should auto rebuild your LSPHP to match your new version. You can manually rebuild LiteSpeed's PHP version by going to Home Plugins LiteSpeed Web Server Plugin and clicking on Build Matching LSPHP. If it says no action needed you do not have to do anything further. If it shows a mismatch on the PHP versions, hit the rebuild button and it will auto-build PHP for you.

PHP 5.2.x or older: If you have an older PHP version such as PHP 5.2.x, or PHP 4.x, you highly need to consider moving to PHP 5.3.x at a minimum. Any PHP versions below PHP 5.3.x are no longer being updated by the PHP developers and are considered at end of life. Due to the changes within PHP between PHP 4 / PHP 5 and PHP 5.2.x / PHP 5.3.x you need to make sure your site code and scripts are compatible with PHP 5.3.x+ before upgrading. Upgrading PHP without upgrading your legacy site code may cause issues.

If you have any issues with the upgrading your PHP on your server, have any questions or you wish for WiredTree to handle the upgrade for you, please open a new Grove support ticket and we would be happy to assist you!

AtarWeb.com.br • Hospedagem de Site + SSL Grátis
█ Revenda de Hospedagem DirectAdmin SSD + SSL Grátis
Link to comment
Share on other sites

Mais um motivo para fugirem do PHP 5.3

 

O PHP 5.4 e a 5.5 tb foram afetados João. O negócio é manter sempre tudo atualizado.

Mas eis um dos problemas com o CPANEL que não mudou nada em relação ao seu core - vc tem de atualizar TODOS os servidores isoladamente.

O CPANEL foi feito e continua sendo desenvolvido para um mercado de uma década atras.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...

Important Information

Do you agree with our terms?