I was playing with a vulnerability scanner called "NeVo network vulnerability observer" on a Red Hat 7.x box that has php-4.1.2-7.1.6 installed. Among various other nags (mainly because Red Hat security updates don't usually update the major version number, but backport patches), NeVo complained about PHP:

--8<-----------------------------------------------------------------------
The remote host is running a version of PHP which is older than 4.3.2.

This version contains various flaws that may allow an attacker who has the
ability to execute PHP scripts in safe_mode on this host to execute
arbitrary commands with the privileges of the HTTP daemon

Solution : Upgrade to PHP 4.3.2
Plugin ID : 5043
Bugtraq ID : 7187,7197,7198,7199,7210
80/tcp

The remote web server is running a version of PHP which is older than 4.2.2.

This version has a bug in its mail() function which does not properly
sanitize user input. As a result, users can forge email to make it look
like it is coming from a different source that the server.

Solution : Upgrade to PHP 4.2.2
Plugin ID : 5040
Bugtraq ID : 5562
CVE ID : CAN-2002-0985
80/tcp
--8<-----------------------------------------------------------------------

As with the other nags, I tried to ensure that the box is not out of date. With PHP, this turned out to be difficult.

The mail() vulnerability is plugged in php-4.1.2-7.1.6:

https://rhn.redhat.com/errata/RHSA-2002-213.html

rpm -q --changelog php
* Fri Sep 27 2002 Joe Orton <jorton@xxxxxxxxxx> 4.1.2-7.1.6
- add security fixes for mail() function; CAN-2002-0985, CAN-2002-0986

But the other one is more thorny. The Bugtraq database entry that NeVo mentions (http://www.securityfocus.com/bid/7198) lists Red Hat 7.0, 7.1, 7.2 and 7.3 as vulnerable, but it says this is for PHP version 4.0.6. Under "PHP 4.1.2", no Red Hat distro is listed as vulnerable.

Red Hat errata does not list any PHP updates for 7.3 after 2002-11-04 (which is 4.1.2-7.x.6). Fedora Legacy doesn't have a PHP update, nor does Progeny Transition Service. Red Hat 8 and 9 errata do list other problems for PHP after 2002-11-04 (for example, https://rhn.redhat.com/errata/RHSA-2003-204.html), but those fixes are not for 7.x/PHP 4.1.x.

The Secunia advisory http://secunia.com/advisories/8892/ (which I hope is the same issue that NeVo nags about) lists only PHP-4.2.x and PHP-4.3.x as vulnerable.

I tried to compile a few PHP-4.3.x .src.rpm packages from source, but this proved problematic, too. The ones from Red Hat 8 or 9 assume apache-2, and the one I found for apache-1.3 (from mysql.org) would require a _heap_ of devel packages to build (and those still seemed to require quite a lot of .spec tinkering).

Two questions:

- Would anyone happen to know if php-4.1.2-7.x.6 is vulnerable to the Bugtraq ID : 7187,7197,7198,7199,7210 issue?

- Has anyone had success in compiling a php-4.3.4 rpm for Red Hat 7.x? Is it worth it, and can I expect problems with apache-1.3 and/or the existing php scripts? (Luckily the web server is not world-accessible and the php scripts are not mission critical.)

-- v

--
v@xxxxxx

--
fedora-legacy-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-legacy-list
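The post's core problem is that a version-matching scanner cannot see backported fixes, so the only local evidence is the RPM changelog, which Red Hat annotates with the CAN/CVE ids it addresses. The following script is an added example (not part of the original post, and not a Fedora Legacy or Red Hat tool) that checks a changelog for a list of ids and reports which fixes are recorded and which still need to be verified against the vendor errata. The changelog text is a constructed sample modelled on the entry quoted in the post, with a placeholder maintainer address; on a real box it would come from `rpm -q --changelog php`.

```shell
#!/bin/sh
# Added example: reconcile a version-based scanner finding against an RPM
# changelog. Red Hat records backported security fixes in the changelog by
# CAN/CVE id rather than by bumping the upstream version number, so this is
# the check to run before trusting (or dismissing) a "PHP older than X" nag.
# Real input:  rpm -q --changelog php

# Constructed sample changelog (not real rpm output); the maintainer address
# is a placeholder.
SAMPLE_CHANGELOG='* Fri Sep 27 2002 Joe Orton <maintainer@example.invalid> 4.1.2-7.1.6
- add security fixes for mail() function; CAN-2002-0985, CAN-2002-0986
* Mon Jul 29 2002 Joe Orton <maintainer@example.invalid> 4.1.2-7.1.5
- rebuild against new apache'

# fix_recorded CHANGELOG ID
#   Exit 0 if the changelog mentions the id. CAN-YYYY-NNNN and CVE-YYYY-NNNN
#   refer to the same entry (CAN was the candidate prefix), so both spellings
#   are accepted whatever the caller passed.
fix_recorded() {
    _log=$1
    _num=${2#CAN-}
    _num=${_num#CVE-}
    printf '%s\n' "$_log" | grep -qE "(CAN|CVE)-$_num"
}

# triage CHANGELOG ID...
#   Print one verdict line per id; return the number of ids that have no
#   changelog entry (0 means every id is accounted for).
triage() {
    _log=$1
    shift
    _missing=0
    for _id in "$@"; do
        if fix_recorded "$_log" "$_id"; then
            echo "$_id: fix recorded in package changelog"
        else
            echo "$_id: no changelog entry; verify against vendor errata"
            _missing=$((_missing + 1))
        fi
    done
    return $_missing
}

# Demonstration: the mail() ids from the post are recorded, a made-up id
# (constructed for the example) is not.
triage "$SAMPLE_CHANGELOG" CAN-2002-0985 CVE-2002-0986 CAN-2099-0001 || true
```

A missing changelog entry is not proof of vulnerability: as the post shows, the upstream advisory may simply not cover the packaged version at all, so the "verify against vendor errata" verdict is a prompt to read the errata and the advisory's affected-version list, not a finding by itself.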