Hi Richard, > This one is on 5106R but has client hosted php 5.3.8 on the server php > is 5.1.6 > > Description: vulnerable PHP version: 5.3.8 Severity: Area of Concern > CVE: CVE-2011-4885 > <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4885> Impact: > Remote attackers may be able to gain unauthorized access to the web > server, cause a denial of serviceor information disclosure, or execute > arbitrary code. Resolution PHP should be > [http://www.php.net/downloads.php] upgraded to 5.2.17 or higher for > 5.2.x, to 5.3.10 or higher for 5.3.x, and to a version higher than 6.0 > dev for 6.0.x when available. Note that the PHP project announced the > end of support for PHP 5.2 with the release of > [http://www.php.net/archive/2010.php#id2 010-12-16-1 > <http://www.php.net/archive/2010.php#id2010-12-16-1>] PHP 5.2.16 on 2010 > December 16. Although there was a > [http://www.php.net/archive/2011.php#id2 011-01-06-1 > <http://www.php.net/archive/2011.php#id2011-01-06-1>] PHP 5.2.17 release > to fix a critical problem on certain vulnerable platforms (CVE-2010-4645 > <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4645>), the > PHP project encourages users of PHP 5.2 to upgrade to 5.3, and offers a > [http://us.php.net/migration53] guide to migrating from 5.2 to 5.3. > Vulnerability Details: Service: http Sent: GET /scripts/ HTTP/1.0 Host: > www.mydomain.com User-Agent: Mozilla/4.0 Received: X-Powered-By: PHP/5.3.8
Well, yes. PHP-5.3.8 is quite a bit behind. But the info texts your "vulnerability checker" dumps there is also outdated by recent events over at php.net. PHP-5.2 is EOL, so the advice to switch to PHP-5.2.17 is rather frivolous. PHP 5.3.12 and PHP 5.4.2 have been released three days ago to fix a failed fix for a CGI related vulnerability that had been around for 7-8 years (it didn't apply to us as we were not using PHP as CGI). So you should switch to PHP-5.3.12 soon if you use a third party PHP like mine. -- With best regards Michael Stauber _______________________________________________ Blueonyx mailing list [email protected] http://mail.blueonyx.it/mailman/listinfo/blueonyx
