PHP and PCI Compliance

BlkStormy asked:

I have a web server that needs to pass a PCI compiance scan by ControlScan. Everything is good except for a scan they did of the PHP version. I believe I have the latest version that CentOS provides. Here’s what they had to say:

THREAT REFERENCE

Summary:
vulnerable PHP version: 5.2.6

Risk: High (3)
Port: 80/tcp
Protocol: tcp
Threat ID: web_prog_php_version

<—REALLY LONG LIST OF PHP Vulnerabilities Trimmed—>

Information From Target:
Service: http
Sent: GET /javascript/ HTTP/1.0
Host:
User-Agent: Mozilla/4.0

Received: X-Powered-By: PHP/5.2.6

Here’s my version of php:

rpm -qa php
php-5.2.6-1.el5.art

From my understanding, it’s backported so although it’s not the latest version, it still has security patches applied.

I believe I have the latest version installed that CentOS allows (in fact I just did an update a couple weeks ago) Here’s the current output:

yum update php
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* addons: mirror.es.its.nyu.edu
* base: mirror.atlanticmetro.net
* extras: mirrors.advancedhosters.com
* updates: mirror.linux.duke.edu
addons | 1.9 kB 00:00
base | 1.1 kB 00:00
extras | 2.1 kB 00:00
updates | 1.9 kB 00:00
Setting up Update Process
No Packages marked for Update

They asked for the changelog, so I ran:

rpm -q –changelog php

but it lists no CVE’s…. How can I determine if PHP actually contains these vulnerabilities? I’m at the end of my rope with this… It’s frustrating because they’re not actually testing vulnerabilities, they’re just picking up a version number from the headers… :/

My answer:


It’s even worse… You’re using an old, and third party PHP package. Who knows if they’ve ever updated it? It’s certainly not likely that they’ve backported security fixes.

You really should update PHP to the latest available 5.4 or 5.5 version; if you’re using the upstream build or a third party build, that’s the only way you can really be sure. Which means you should probably also update the OS to the latest available version.


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.