Red Hat 7.x PHP confusion

Ville Herva vherva at viasys.com
Wed Mar 17 07:31:16 UTC 2004


I was playing with a vulnerability scanner called "NeVo network
vulnerability observer" with a Red Hat 7.x box that has php-4.1.2-7.1.6
installed on it. Among various other nags (mainly because Red Hat security
updates don't usually update the major version number, but backport
patches), NeVo complained about PHP:

--8<-----------------------------------------------------------------------
The remote host is running a version of PHP which is older than 4.3.2.
This version contains various flaws that may allow an attacker who has
the ability to execute PHP scripts in safe_mode on this host to execute
arbitrary commands with the privileges of the HTTP daemon

Solution : Upgrade to PHP 4.3.2

Plugin ID : 5043
Bugtraq ID : 7187,7197,7198,7199,7210
80/tcp

The remote web server is running a version of PHP which is older than
4.2.2. This version has a bug in its mail() function which does not
properly sanitize user input. As a result, users can forge email to make
it look like it is coming from a different source than the server.

Solution : Upgrade to PHP 4.2.2

Plugin ID : 5040
Bugtraq ID : 5562
CVE ID : CAN-2002-0985
80/tcp

--8<-----------------------------------------------------------------------

As with the other nags I tried to ensure that the box is not out of date.
With PHP, this turned out difficult.

The mail() vulnerability is plugged in php-4.1.2-7.1.6:

  https://rhn.redhat.com/errata/RHSA-2002-213.html

  rpm -q --changelog php
  * Fri Sep 27 2002 Joe Orton <jorton at redhat.com> 4.1.2-7.1.6
  - add security fixes for mail() function; CAN-2002-0985, CAN-2002-0986

But the other one is more thorny.

The Bugtraq database entry that NeVo mentions
(http://www.securityfocus.com/bid/7198) lists Red Hat 7.0, 7.1, 7.2 and 7.3
as vulnerable, but it says this is for version PHP 4.0.6. Under "PHP
4.1.2", no Red Hat distro is listed as vulnerable.

Red Hat errata does not list any PHP updates for 7.3 after 2002-11-04 (which
is 4.1.2-7.x.6). Fedora Legacy doesn't have a PHP update nor does Progeny
Transition Service. Red Hat 8 and 9 errata does list other problems for PHP
after 2002-11-04 (for example,
https://rhn.redhat.com/errata/RHSA-2003-204.html), but those fixes are not
for 7.x/PHP4.1.x.

The secunia advisory http://secunia.com/advisories/8892/ (which I hope is
the same issue that NeVo nags about), lists only PHP-4.2.x and PHP-4.3.x as
vulnerable. 

I tried to compile a few PHP-4.3.x .src.rpm packages from source, but this
proved problematic, too. The ones from Red Hat 8 or 9 assume apache-2, and
the one I found for apache-1.3 (from mysql.org) would require a _heap_ of
devel packages to build (and those still seemed to require quite a lot of
.spec tinkering).

Two questions:

  - Would anyone happen to know if php-4.1.2-7.x.6 is vulnerable to the 
    Bugtraq ID : 7187,7197,7198,7199,7210 issue?
  - Has anyone had success in compiling php-4.3.4 rpm for Red Hat 7.x?
    Is it worth it, and can I expect problems with apache-1.3 and/or
    the existing php scripts?

(Luckily the web server is not world-accessible and the php scripts are not
mission critical.)


-- v -- 

v at iki.fi
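The check the post relies on, that a backported RPM's changelog names the CVE a version-based scanner complains about, written out as a small script. This is an added example, not part of the original message or of any Red Hat tooling. The changelog text is constructed: the first entry is the one quoted above from `rpm -q --changelog php`, the second is a made-up older entry, and CAN-9999-0001 is a deliberately invalid placeholder ID used only to show the negative case. On a real host replace SAMPLE_CHANGELOG with the output of `rpm -q --changelog php`.

```shell
#!/bin/sh
# Added example (not from the original post): does the installed package's
# changelog mention the CVE IDs a version-only scanner flags?
# SAMPLE_CHANGELOG is CONSTRUCTED: the first entry is the real 4.1.2-7.1.6
# entry quoted in the post, the second is a made-up older entry.
SAMPLE_CHANGELOG='* Fri Sep 27 2002 Joe Orton <jorton at redhat.com> 4.1.2-7.1.6
- add security fixes for mail() function; CAN-2002-0985, CAN-2002-0986
* Mon Jul 22 2002 Joe Orton <jorton at redhat.com> 4.1.2-7.1.5
- rebuild (constructed placeholder entry)'

# cve_fixed_in CHANGELOG_TEXT CVE_ID
# Prints the "* <date> <packager> <version-release>" header of the newest
# changelog entry that mentions CVE_ID and returns 0; prints nothing and
# returns 1 when no entry mentions it.
cve_fixed_in() {
    printf '%s\n' "$1" | awk -v cve="$2" '
        /^\* /          { header = $0; next }       # remember current entry
        index($0, cve)  { print header; found = 1; exit }
        END             { exit found ? 0 : 1 }
    '
}

# check_cves CHANGELOG_TEXT CVE_ID...
# Reports each CVE as fixed (with the entry that fixed it) or not found, and
# returns the number of CVE IDs that have no matching changelog entry.
check_cves() {
    changelog="$1"; shift
    missing=0
    for cve in "$@"; do
        if hdr=$(cve_fixed_in "$changelog" "$cve"); then
            printf 'fixed:     %s  (%s)\n' "$cve" "$hdr"
        else
            printf 'not found: %s\n' "$cve"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# Demo run on the constructed changelog. CAN-9999-0001 is an intentionally
# bogus ID so the "not found" branch is exercised; the "$?" after || is the
# count of unmatched IDs returned by check_cves.
check_cves "$SAMPLE_CHANGELOG" CAN-2002-0985 CAN-2002-0986 CAN-9999-0001 \
    || printf '%s CVE ID(s) have no changelog entry; check the errata by hand\n' "$?"
```

A hit in the changelog is only as good as the packager's discipline in naming CVEs there, so an ID that is not found is a prompt to read the errata page, not proof that the box is vulnerable; conversely, a scanner verdict based purely on the version string says nothing about backports either way.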
