Hi,
I am being pushed hard by corporate because the instance of PHP we run is 5.2.9 and there are reported security concerns for anything below 5.2.12. I have justified our instance is secure in the majority of security fixes that have been done since 5.2.9 but I am left with this one:
http://web.nvd.nist.gov/view/vuln/detai ... -2009-4143
To be quite frank I am confused as to what exactly the vulnerability is and what steps need to be taken or what measures need to be in place to mitigate the risk from this?
Could someone who may know more about this than I please offer advice as to steps to mitigate or define a scenario where this is not a problem? I'm failing to understand what the problem actually is, perhaps I am missing the obvious...
Thanks for any help.
Regards
Jim
Mitigation of following PHP vulnerability
- Christopher
- Site Administrator
Re: Mitigation of following PHP vulnerability
It sounds like there is the ability to corrupt session data and change the session save path. Both could be dangerous. I would recommend doing the work to upgrade to 5.3.
Re: Mitigation of following PHP vulnerability
Upgrading to 5.3 is easier said than done. If the exact problem was known and the steps to reproduce were known then I could feasibly justify that this is not an issue for I do not use function 'x' or module 'y'.
One of my issues is that Zend have not released Zend Optimizer for anything above 5.2.10 and one of my third party apps uses this. I'm kind of tied to 5.2.9 right now.
- Christopher
- Site Administrator
Re: Mitigation of following PHP vulnerability
I know I keep suggesting big changes, but you might want to look into using APC because it is usually released along with every PHP release.
Re: Mitigation of following PHP vulnerability
I was in a similar situation recently and could not upgrade immediately due to compatibility issues with some extensions being used. I didn't look too closely at the ins and outs of it so couldn't comment on what scenarios may or may not be safe. I just patched 5.2.9 with the relevant code changes until we were able to upgrade.
- kaisellgren
- DevNet Resident
Re: Mitigation of following PHP vulnerability
You can either upgrade, build your own session system, or just ignore it.
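As an added example of the "build your own session system" option mentioned above (this is not code from the thread or from any poster): a minimal custom session save handler for PHP 5.2 that keeps session files in a directory fixed in code rather than wherever session.save_path points, and refuses session IDs that are not plain identifier strings. MY_SESSION_DIR, the directory path and the my_sess_* function names are assumptions; whether this covers the particular issue in the CVE depends on details the thread does not give.

```php
<?php
// Added example, not from the thread. Written for PHP 5.2: named functions,
// no closures. The directory below is an assumed path; it must exist and be
// writable by the web server user only.
define('MY_SESSION_DIR', '/var/lib/php/app-sessions');

function my_sess_path($id) {
    // Reject anything that is not a plain session id before touching the filesystem.
    if (!preg_match('/^[A-Za-z0-9,-]{22,128}$/', $id)) {
        return false;
    }
    return MY_SESSION_DIR . '/sess_' . $id;
}

function my_sess_open($save_path, $name) {
    // $save_path (the runtime value of session.save_path) is deliberately ignored.
    return is_dir(MY_SESSION_DIR) && is_writable(MY_SESSION_DIR);
}

function my_sess_close() { return true; }

function my_sess_read($id) {
    $file = my_sess_path($id);
    if ($file === false || !is_file($file)) return '';
    $data = file_get_contents($file);
    return ($data === false) ? '' : $data;
}

function my_sess_write($id, $data) {
    $file = my_sess_path($id);
    if ($file === false) return false;
    // Exclusive lock so a concurrent request cannot leave a half-written file.
    return file_put_contents($file, $data, LOCK_EX) !== false;
}

function my_sess_destroy($id) {
    $file = my_sess_path($id);
    return ($file !== false && is_file($file)) ? unlink($file) : true;
}

function my_sess_gc($maxlifetime) {
    // Remove session files that have not been written within $maxlifetime seconds.
    foreach (glob(MY_SESSION_DIR . '/sess_*') as $file) {
        if (filemtime($file) + $maxlifetime < time()) unlink($file);
    }
    return true;
}

session_set_save_handler('my_sess_open', 'my_sess_close', 'my_sess_read',
                         'my_sess_write', 'my_sess_destroy', 'my_sess_gc');
session_start();
```

Include this before any session_start() call in the application, since the handler must be registered before the session is opened.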