PHP - Any possible fixes to vulnerability scan report

Hi All,
Just had a vulnerability scan performed and am failing on the following two issues.

PHP < 7.3.28 Email Header Injection

PHP < 7.3.24 Multiple Vulnerabilities

By the look of it the server is running PHP 5.4.16, but I can't work out what's needed or if it can be updated.

Thanks

rob

Hi @derilium

Maybe you might start by telling us what version you’re running on your server?

Most of us here just aren't telepathic mind-readers… :slight_smile:

And - just for your information - anything RHEL7 or CentOS7 based will ALWAYS use an outdated PHP 5.4.
NethServer does have the option to choose which PHP version you want to use, e.g. for a vhost.
But if you blindly put in a php -v on the console, you will get the original PHP 5.4 version.

For Example, NextCloud on NethServer uses either PHP 7.3 or PHP 7.4 out of the box, I’m not quite sure off-hand…

My 2 cents
Andy

You can check if the vulnerabilities reported by the vulnerability scan were patched by searching Red Hat or other sources for the CVE identifiers.
Some vulnerability scanners assume a vulnerability is present just by looking at the program (PHP in this case) version number, but Red Hat usually ports vulnerability patches to "older" versions of the program.


My apologies, I am currently running the latest patched version (updates were last night)

3.10.0-1160.53.1.el7.x86_64

NethServer release 7.9.2009 (final)

Any update on this? I was thinking of redirecting the SSL port to another website. I really only need to access SOGo on the external link, but it would be nice to get the security test with all green ticks.

Most NethServer modules use PHP 7.3.29, just for the default webspace PHP 5.4.16 is used. SOGo doesn’t use PHP so it should be safe.

Which security test are you using?

Thanks, it's a company called Security Metrics; no idea on the specific scan though, I am waiting for a reply.

Any thoughts on redirecting the default page so that when any scans are completed they go to SOGo? Just thinking, would this cause any problem with ActiveSync clients?

Here are the results of the security scan

(5.4.16 under X-Powered-By: PHP/5.4.16) Installed version :
5.4.16 Fixed version : 7.3.28

(5.4.16 under X-Powered-By: PHP/5.4.16) Installed version :
5.4.16 Fixed version : 7.3.24

5.4.16 End of support date : 2015/09/03
Announcement : http://php.net/supported-versions.php Supported versions : 7.3.x / 7.4.x / 8.0.x

If I can reduce the impact or at least disable access so that when the scans are run there won't be a problem, that would be great.

What is the target of the test, a particular vhost, the FQDN of the server or the server IP?

The FQDN of the server

Install nethserver-rh-php80 and drop a configuration file to use php80 scl to /var/www/html


This is an example

No need to be a template, just use the port of php80
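As an added illustration of the last two replies, and not the poster's own file: an Apache drop-in that hands .php files under /var/www/html to the rh-php80 php-fpm listener instead of the system PHP 5.4 handler. The file name, the listener port (PHP80_FPM_PORT) and SERVER_FQDN are placeholders; substitute the port the php80 SCL service is actually bound to on the server.

```apache
# Added example, not the thread's configuration.
# Save as /etc/httpd/conf.d/php80-default-webspace.conf (name is an assumption)
# and reload httpd. Requires mod_proxy and mod_proxy_fcgi, which CentOS 7
# httpd 2.4 loads by default.
# PHP80_FPM_PORT is a placeholder for the TCP port the rh-php80 php-fpm
# service listens on; check the php80 SCL service configuration for it.
<Directory "/var/www/html">
    <FilesMatch "\.php$">
        # Route PHP scripts in the default webspace to the PHP 8.0 FPM pool,
        # so the FQDN's default document root no longer runs PHP 5.4.16
        SetHandler "proxy:fcgi://127.0.0.1:PHP80_FPM_PORT"
    </FilesMatch>
</Directory>

# Verification after the reload: the X-Powered-By header the scanner keys on
# should no longer report PHP/5.4.16 for the server FQDN.
#   curl -sI https://SERVER_FQDN/ | grep -i x-powered-by
```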

Thanks for all the help on this. Scan now passed.
