PHP Vulnerabilities

by David Chau -
Number of replies: 4

Can anyone advise me how I can find information regarding how Moodle is managing these vulnerabilities?

 

The following vulnerabilities apply to the Internet-facing site (PHP 5.2.9):


Nov 29 2010

PHP Validation Flaw in utf8_decode() Permits Cross-Site Scripting Attacks and Lets Remote Users Inject SQL Commands

Nov 22 2010

PHP Use After Free in 'ext/imap/php_imap.c' Lets Remote Users Deny Service

Nov 13 2010

PHP mb_strcut() May Disclose Potentially Sensitive Information

Nov 8 2010

PHP Null Pointer Dereference in ZipArchive::getArchiveComment() May Let Remote Users Execute Arbitrary Code

Oct 12 2010

PHP FILTER_VALIDATE_EMAIL Filter Bug Lets Remote Users Deny Service





May 3 2010

PHP dechunk Filter Signed Comparison Error Lets Remote Users Deny Service

Feb 27 2010

PHP Bugs Let Local Users Bypass safe_mode and open_basedir Security Controls

Jan 14 2010

(Red Hat Issues Fix) PHP Bugs Have Unspecified Impact

Dec 18 2009

PHP Session Function Corruption Flaw May Let Remote Users Execute Arbitrary Code

Dec 18 2009

PHP Input Validation Flaw in htmlspecialchars() Permits Cross-Site Scripting Attacks

Nov 20 2009

PHP Bugs Let Local Users Bypass safe_mode and open_basedir Security Controls

Sep 18 2009

PHP Bugs Have Unspecified Impact

Apr 6 2009

PHP Lets Local Users Deny Service in Certain Cases

 

Additional vulnerability applying to the Internal-facing site (PHP 5.2.8):

Dec 24 2008

PHP GD Library imageRotate() Validation Error Lets Users Obtain Potentially Sensitive Information

 



Any advice is appreciated.  Thanks.

In reply to David Chau

Re: PHP Vulnerabilities

by Petr Skoda -
Hello,

These are vulnerabilities in PHP binaries, not Moodle code. We are not doing anything to protect against these problems; you must upgrade your PHP instead, sorry.

Please consult the documentation of your OS or distribution. PHP 5.2.x is not supported by the developers of PHP any more; the only chance is that your support contract for the OS might include backporting of security fixes to older versions of PHP.

Here are some examples:
* Windows - always upgrade to latest 5.3.x available from http://php.net
* Red Hat/CentOS - use built-in update mechanism if using official packages, use yum to update from unofficial repositories, always recompile the latest if using custom builds
* Debian/Ubuntu - use 'apt-get update'

Petr
In reply to Petr Skoda

Re: PHP Vulnerabilities

by David Chau -
Hi Petr, Thanks for your prompt response. Does Moodle certify itself against PHP versions? For instance, which PHP version is certified to work with Moodle 1.9.6? Regards,
In reply to David Chau

Re: PHP Vulnerabilities

by Petr Skoda -
Every Moodle release should be compatible with the current stable PHP versions at the time of release - that is, the latest Moodle 1.9.10 is compatible with PHP 5.2.15 and 5.3.4. It usually works fine with older PHP versions that are maintained by Red Hat, Debian, etc.; the installer and upgrade scripts test the minimal requirements.

In any case, nobody should be running Moodle 1.9.6 because many bugs and security issues were fixed in later Moodle versions - it is highly recommended to use Moodle 1.9.10 or 2.0.0 now. Some companies/institutions backport security fixes to older Moodle releases, but it is a relatively difficult process and I would not personally recommend that as a long-term solution.

Petr