PHP - Any possible fixes to vulnerability scan report

Hi All,
Just had a vulnerability scan performed and am failing on the following two issues.

PHP < 7.3.28 Email Header Injection

PHP < 7.3.24 Multiple Vulnerabilities

by the look of it the server is running PHP 5.4.16 but cant work out what needed or if it can be updated.



Hi @derilium

Maybe you might start by telling us what version you’re running on your server?

Most of us here just aren’t that telepathic mind-readers… :slight_smile:

And - just for your information - anything RHEL7 or Centos7 based will ALWAYS use a outdated PHP 5.4.
NethServer does have the Option to choose which PHP Version you want to use, eg for a vhost.
But if you blindly put in a php -v on the console, you will get the original PHP 5.4 version.

For Example, NextCloud on NethServer uses either PHP 7.3 or PHP 7.4 out of the box, I’m not quite sure off-hand…

My 2 cents

You can check if the vulnerabilities reported by the vulnerability scan were patched by searching red hat or other sources for the CVE identifiers.
Some vulnerability scanners assume a vulnerability is present just by looking only at the program (php in this case) version number, but red hat uses to port vulnerability patches to “older” versions of the program.


My apologies, i am currently running the latest patched version (updates were last night)


NethServer release 7.9.2009 (final)

Any update on this, was thinking of redirecting the SSL port to another website, i really only need to access sogo on the external limk but would be nice to get the securiyt test with all green ticks

Most NethServer modules use PHP 7.3.29, just for the default webspace PHP 5.4.16 is used. SOGo doesn’t use PHP so it should be safe.

Which security test are you using?

Thanks, its a company called security metrics, no idea on the specific scan though i am waiting back for a reply

Any thoughts on redirecting the default page so when any scans are completed they go to sogo, just thinking would this cause any problem with activesync clients?

Here is the results of the security scan

(5.4.16 under X-Powered-By: PHP/5.4.16) Installed version :
5.4.16 Fixed version : 7.3.28

(5.4.16 under X-Powered-By: PHP/5.4.16) Installed version :
5.4.16 Fixed version : 7.3.24

5.4.16 End of support date : 2015/09/03
Announcement : Supported versions : 7.3.x / 7.4.x / 8.0.x

If i can reduce the impact or at least disable access so when the scans are run there wont be a problem that would be great.

What is the target of the test, a particular vhost, the fqdn of the server or the server ip ?

The FQDN of the server

Install nethserver-rh-php80 and drop a configuration file to use php80 scl to /var/www/html

1 Like

This is an example

No need to be a template, just use the port of php80

Thanks for all the help on this. scanned nwo passed

1 Like