psecio/iniscan

PHP version check

xsist10 opened this issue · 9 comments

How do you feel about adding a list of PHP versions and their vulnerability states (can be used to warn the user if his PHP version needs to be updated)? Would need to either store a resource file (would become outdated quickly) with this data or use an external source to pull a fresh list periodically.

As in "you're using PHP X and we know about these 5 issues patched since then" kind of thing?

That's the idea. There is now version switching in the code and the idea of ini scanning is to secure the current environment based on its configuration. And your version is part of that configuration.
On 07 Dec 2013 12:06 AM, "Chris Cornutt" notifications@github.com wrote:

> As in "you're using PHP X and we know about these 5 issues patched since then" kind of thing?



Hmm, I wonder if this would be better as a "vulnerability check" kind of command rather than just the regular scan command especially since not all of the CVEs are related directly to ini settings.

I do wonder if this might be stretching things a bit too far though...

There aren't any tools out there to inform you of your PHP version vulnerabilities (beyond running something like sudo apt-get upgrade php5 in Ubuntu/Debian). Since a lot of production environments tend to stick to stable versions and update infrequently, the versions can get out of date quite quickly.

I agree with having a separate command for it.

I'm on the fence about this - it almost seems like it could be a separate tool rather than trying to get it into this one. Thoughts?

Well what is the objective of the tool?

1. Ensure that your PHP environment is following best security practices.

Then it should be included. It could mean adding things like this as well:

  • Process owner for web execution (not running script execution as root)
  • PHP Extension versions and vulnerabilities
  • Is Suhosin installed?

2. Or ensure that your php.ini configuration ONLY is following best security practices.

Then probably not.

Just FYI, I've been looking around and I can't find a single non-OS/distro specific tool that will tell you if your PHP version is vulnerable. The only tools out there are software updaters for distros like Ubuntu/Debian/etc (which are not always accessible to the developer). I definitely see a need for a portable PHP tool that can fill this hole.
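As an added illustration of the version check proposed in this thread (not code from psecio/iniscan, psecio/versionscan, or any participant), the script below shows the two pieces the proposal needs: a bundled resource file keyed by release branch, and a comparison of the running interpreter's version against the first fixed release for that branch. The JSON is constructed sample data with placeholder identifiers, not real advisories, and the fix versions were chosen only for the illustration; `sampleAdvisoryJson`, `checkVersion` and the other function names are assumptions of this example. It assumes PHP 7 or later.

```php
<?php
declare(strict_types=1);

/**
 * Constructed sample of the bundled "resource file" the thread mentions.
 * The identifiers are placeholders (not real advisories) and the fix versions
 * were chosen only for the illustration.
 */
function sampleAdvisoryJson(): string
{
    return <<<'JSON'
[
  {"id": "ADVISORY-PLACEHOLDER-1", "summary": "example flaw A",
   "fixed_in": {"5.3": "5.3.29", "5.4": "5.4.30", "5.5": "5.5.14"}},
  {"id": "ADVISORY-PLACEHOLDER-2", "summary": "example flaw B",
   "fixed_in": {"5.5": "5.5.20", "5.6": "5.6.4"}}
]
JSON;
}

/** Decode the resource file, failing loudly on malformed data. */
function loadAdvisories(string $json): array
{
    $data = json_decode($json, true);
    if (!is_array($data)) {
        throw new RuntimeException('advisory data is not valid JSON: ' . json_last_error_msg());
    }
    return $data;
}

/**
 * Reduce "5.4.4-14+deb7u9" to "5.4.4": distribution packaging suffixes
 * would otherwise distort version_compare().
 */
function normalizeVersion(string $version): string
{
    return preg_match('/^(\d+\.\d+\.\d+)/', $version, $m) ? $m[1] : $version;
}

/** "5.4.4" -> "5.4", the release branch the advisories are keyed on. */
function branchOf(string $version): string
{
    $parts = explode('.', normalizeVersion($version));
    return $parts[0] . '.' . ($parts[1] ?? '0');
}

/**
 * Returns the advisories whose fix for this branch is newer than $version,
 * plus whether the data set mentions this branch at all.
 */
function checkVersion(string $version, array $advisories): array
{
    $clean     = normalizeVersion($version);
    $branch    = branchOf($clean);
    $known     = false;
    $unpatched = [];
    foreach ($advisories as $adv) {
        if (!isset($adv['fixed_in'][$branch])) {
            continue; // this branch is not listed as affected by the advisory
        }
        $known = true;
        if (version_compare($clean, $adv['fixed_in'][$branch], '<')) {
            $unpatched[] = $adv;
        }
    }
    return ['version' => $clean, 'branch' => $branch,
            'known_branch' => $known, 'unpatched' => $unpatched];
}

/** Human-readable summary; distinguishes "no data" from "nothing found". */
function formatReport(array $result): string
{
    if (!$result['known_branch']) {
        return sprintf("PHP %s: no advisory data for the %s branch (unsupported or newer than the data set)\n",
            $result['version'], $result['branch']);
    }
    if ($result['unpatched'] === []) {
        return sprintf("PHP %s: no known unpatched issues in the data set\n", $result['version']);
    }
    $lines = [sprintf("PHP %s: %d known issue(s) fixed in a later %s release:",
        $result['version'], count($result['unpatched']), $result['branch'])];
    foreach ($result['unpatched'] as $adv) {
        $lines[] = sprintf("  %s (%s) fixed in %s",
            $adv['id'], $adv['summary'], $adv['fixed_in'][$result['branch']]);
    }
    return implode("\n", $lines) . "\n";
}

// Usage: php versioncheck.php [version]; defaults to the interpreter running it.
$version = $argv[1] ?? PHP_VERSION;
echo formatReport(checkVersion($version, loadAdvisories(sampleAdvisoryJson())));
```

Two points worth keeping in mind with this design. A branch that appears in no advisory is reported as "no data" rather than "clean", because the absence of entries can mean the branch is older than the data set covers as easily as it can mean it is safe. And because distributions such as Debian backport fixes without changing the upstream version number, a version-string check over-reports on distro packages; the result is best treated as a prompt to confirm with the package manager, which is the same gap the thread notes with apt-get.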

I think it's probably best to split it off so I start this one up:
https://github.com/psecio/versionscan

Closing this off since the other project is up and going.