Mitigation of following PHP vunerability

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
hairyjim
Forum Contributor
Posts: 219
Joined: Wed Nov 13, 2002 9:04 am
Location: Warwickshire, UK

Mitigation of following PHP vunerability

Post by hairyjim »

HI,

I am being pushed hard by corporate because the instance of PHP we run is 5.2.9 and there are reported security concerns for anything below 5.2.12. I have justified our instance is secure in the majority of security fixes that have been done since 5.2.9 but I am left with this one:

http://web.nvd.nist.gov/view/vuln/detai ... -2009-4143

To be quite frank I am confused as ot what exactly the vunerability is and what steps need to be taken or what measures need ot be in place to mitigate the risk from this?

Could someone who mau know more about this than I please offer advice as to steps to mitigate or define a scenario where this is not a problem? I'm failing to understand what the problem actually is, perhaps I am missing the obvious...

Thanks for any help.

Regards
Jim
User avatar
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: Mitigation of following PHP vunerability

Post by Christopher »

It sounds like there is the ability to corrupt session data and change the session save path. Both could be dangerous. I would recommend doing the work to upgrade to 5.3.
(#10850)
hairyjim
Forum Contributor
Posts: 219
Joined: Wed Nov 13, 2002 9:04 am
Location: Warwickshire, UK

Re: Mitigation of following PHP vunerability

Post by hairyjim »

upgrading to 5.3 is easier said than done. If the exact problem was known and the steps to reproduce were known then I could feasibly justify that this is not an issue for I do not use function 'x' or module 'y'.

one of my issues is that Zend have not released zend optimizer for anything above 5.2.10 and one of my third party apps use this. I'm kind of tied to 5.2.9 right now.
User avatar
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: Mitigation of following PHP vunerability

Post by Christopher »

I know I keep suggesting big changes ;) but you might want to look into using APC because it is usually released along with every PHP release.
(#10850)
redmonkey
Forum Regular
Posts: 836
Joined: Thu Dec 18, 2003 3:58 pm

Re: Mitigation of following PHP vunerability

Post by redmonkey »

I was in a similar situation recently and could not upgrade immediately due to compatibility issues with some extensions being used. I didn't look too closely at the ins and outs of it so couldn't comment on what scenarios may or may not be safe. I just patched 5.2.9 with the relevant code changes until we were able to upgrade.
User avatar
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Mitigation of following PHP vunerability

Post by kaisellgren »

You can either upgrade, build your own session system, or just ignore it.
Post Reply