php - zend security

Support for security such as Firewalls and securing linux
vara
Posts: 6
Joined: 2006/01/17 16:40:09

php - zend security

Post by vara » 2006/12/07 20:36:23

I have contracted a security company to do an external vulnerability & penetration assessment of our servers. I have the latest updates installed and all, and they came back with the following:

PHP Zend Engine Multiple Flaws
Description
The version of PHP running on this host has several flaws in the way that it handles session based web requests. These flaws are due to several buffer overflow errors in the Zend web engine which serves as underlying framework code for all versions of PHP.
By sending in a malformed URL to a PHP page utilizing sessions, a malicious user could potentially execute arbitrary code on this host.

This is one of many links they provided on this.
http://www.osvdb.org/displayvuln.php?osvdb_id=28230

My question is this:
The version of PHP we use is 4.3.9 with Zend engine 1.3.0. This version of PHP (which includes the Zend engine built in) is the latest version from the updates - 4.3.9-3.22. The vulnerability assessment links state that we should update to Zend Engine version 2.2.1a. This version is not available in the PHP4 tree but is for PHP5. I am assuming that these flaws were fixed.

There were a couple of other php flaws (not so serious) that were also found based on the version of php we have running.

Can anyone confirm that this version of php is the latest and as up-to-date as php version 4.4.4 from the php.net site?
Thanks,
vara

jasonxoxide
Posts: 80
Joined: 2006/09/11 14:35:48
Location: Exton, PA

Re: php - zend security

Post by jasonxoxide » 2006/12/07 20:55:17

They cannot say that a flaw exists based solely on the software version. RedHat backports bug fixes and patches to their "stable" versions. Unless that company actually tested and was able to exploit the server, I wouldn't worry about it.

http://www.redhat.com/advice/speaks_backport.html

If they did run tests on your site and were able to exploit a hole then you can either use the RPMs for PHP 5 in the centosplus repo or you can follow the link in my sig for directions on building RPMs for PHP 5.2.0.

vara
Posts: 6
Joined: 2006/01/17 16:40:09

Re: php - zend security

Post by vara » 2006/12/07 21:41:47

That's what I thought and tried to get across to them. I just got off the phone with them and they wanted to check how we update the server. I told them through yum with all the latest updates. They then figured out backporting and I sent them the link. Looks like all is good.
Thanks for your response jasonxoxide.

