I have a web server that needs to pass a PCI compliance scan by ControlScan. Everything is good except for a scan they did of the PHP version. I believe I have the latest version that CentOS provides. Here’s what they had to say:
vulnerable PHP version: 5.2.6
Risk: High (3)
Threat ID: web_prog_php_version
<—REALLY LONG LIST OF PHP Vulnerabilities Trimmed—>
Information From Target:
Received: X-Powered-By: PHP/5.2.6
Here’s my version of php:
rpm -qa php
From my understanding, it’s backported so although it’s not the latest version, it still has security patches applied.
I believe I have the latest version installed that CentOS allows (in fact I just did an update a couple weeks ago) Here’s the current output:
yum update php
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* addons: mirror.es.its.nyu.edu
* base: mirror.atlanticmetro.net
* extras: mirrors.advancedhosters.com
* updates: mirror.linux.duke.edu
addons | 1.9 kB 00:00
base | 1.1 kB 00:00
extras | 2.1 kB 00:00
updates | 1.9 kB 00:00
Setting up Update Process
No Packages marked for Update
They asked for the changelog, so I ran:
rpm -q --changelog php
but it lists no CVEs… How can I determine if PHP actually contains these vulnerabilities? I’m at the end of my rope with this… It’s frustrating because they’re not actually testing vulnerabilities, they’re just picking up a version number from the headers… :/
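One way to answer the "does my backported package actually contain the fix?" question is to grep the package changelog for the exact CVE identifiers the scanner listed, rather than trusting the version string. The script below is an added example, not code from the question or from CentOS; it reads changelog text on stdin so it can be demonstrated offline against a constructed sample. On a real host you would feed it `rpm -q --changelog php` and the IDs from the scan report; the CVE numbers in the sample (CVE-0000-000x) are placeholders, not real advisories.

```sh
#!/bin/sh
# Added example (not from the original post): check whether specific CVE IDs
# are mentioned in an RPM changelog, and list every CVE the changelog mentions.
#
# Real-world use (assumed file name check_cves.sh, CVE IDs from the scan report):
#   rpm -q --changelog php | sh check_cves.sh CVE-YYYY-NNNN CVE-YYYY-MMMM

# cves_in_changelog ID... < changelog
# Prints "<id> fixed" when the ID appears in the changelog (case-insensitive,
# whole-ID match so CVE-0000-001 does not match CVE-0000-0011), "<id> MISSING"
# otherwise. Returns 0 only when every requested ID was found.
cves_in_changelog() {
    changelog=$(cat)
    missing=0
    for id in "$@"; do
        if printf '%s\n' "$changelog" | grep -qiE "(^|[^0-9])${id}([^0-9]|$)"; then
            echo "$id fixed"
        else
            echo "$id MISSING"
            missing=1
        fi
    done
    return $missing
}

# list_cves < changelog
# Prints every distinct CVE identifier found in the changelog, upper-cased and
# sorted, so you can compare the set of backported fixes with the scan report.
list_cves() {
    grep -oiE 'CVE-[0-9]{4}-[0-9]{4,}' | tr 'a-z' 'A-Z' | sort -u
}

# Constructed sample changelog (placeholder packager, placeholder CVE numbers).
SAMPLE_CHANGELOG='* Mon Jan 01 2000 Example Packager <packager@example.invalid> - 5.2.6-1
- constructed entry: backport fixes for CVE-0000-0001, CVE-0000-0002
- constructed entry: security fix (cve-0000-0003)'

# Stand-alone demo: which of the requested IDs are covered, and which are not.
if [ -t 0 ]; then
    printf '%s\n' "$SAMPLE_CHANGELOG" | cves_in_changelog CVE-0000-0001 CVE-0000-0004
    echo "--- all CVEs named in the sample changelog:"
    printf '%s\n' "$SAMPLE_CHANGELOG" | list_cves
fi
```

A "MISSING" result does not by itself prove the package is vulnerable (the packager may have described the fix without citing the ID, or the bug may not affect that build), but it tells you exactly which items you still need to argue with the vendor's own advisories; a "fixed" result is the evidence the scanner's version-only check cannot see.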
It’s even worse… You’re using an old, third-party PHP package. Who knows if they’ve ever updated it? It’s certainly not likely that they’ve backported security fixes.
You really should update PHP to the latest available 5.4 or 5.5 version; if you’re using the upstream build or a third party build, that’s the only way you can really be sure. Which means you should probably also update the OS to the latest available version.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.