  1. #16
    Member
    Join Date
    Apr 2011
    Posts
    145
    cPanel/Enkompass Access Level

    Root Administrator

    Default re: PHP 5.3.10 Released [Case 57077, Case 57160]

    Quote Originally Posted by aww View Post
    Suhosin's default is higher than php's so you have to set it lower.

    If you set it lower than php's default of 1000, then the php bug cannot happen (in theory) because the last variable will never make it to php.
    [...]
    You may need to set them higher if you are running some poorly designed software - but whatever you do, never set it to 1000 or higher, unless your PHP max_input_vars is also higher (always set it less)
    I believe this is slightly incorrect. The bug only occurs when the number of variables is greater than max_input_vars. This article takes a look at the actual code: Critical PHP Remote Vuln Introduced in Hashtable DOS Patch | TheXploit | Security Blog

    My default installation of suhosin has these settings: (by default, I mean the EasyApache defaults, not the defaults as specified by suhosin).
    Code:
    suhosin.cookie.max_vars = 100
    suhosin.get.max_vars = 100
    suhosin.post.max_vars = 1000
    suhosin.request.max_vars = 1000
    Since PHP's max_input_vars is also default 1000, there is no way to trigger the vulnerability with your typical cPanel suhosin installation. If there are 1001 variables, suhosin will kill the request, preventing the vulnerability from being exploited. So to revise what you were saying: as long as suhosin.request.max_vars is less than or equal to php's max_input_vars, you will be safe.

    Note: according to suhosin documentation, suhosin.request.max_vars acts as an upper limit to the other input methods (cookie|get|post), so it is really the only one you have to worry about.

  2. #17
    Member
    Join Date
    Sep 2009
    Location
    United Kingdom
    Posts
    110
    cPanel/Enkompass Access Level

    DataCenter Provider

    Default re: PHP 5.3.10 Released [Case 57077, Case 57160]

    It's been days since 5.3.10 was released and still no word from cPanel! When you say you're working on it, what's to work on? Surely it's the same as 5.3.9 (which you've already released) but just includes 1 security fix. A day or two maybe, but several days???

  3. #18
    Member
    Join Date
    Apr 2006
    Posts
    38
    cPanel/Enkompass Access Level

    DataCenter Provider

    Default re: PHP 5.3.10 Released [Case 57077, Case 57160]

    Am also patiently waiting for this. Understand that QA takes time, however it might have been good to have posted some official advice to this thread of the best course of action. "Downgrade to php5.3.8 with Suhosin" (if this is indeed the correct course of action). Otherwise people just see "security release not yet provided".

  4. #19
    Member deth4uall's Avatar
    Join Date
    Sep 2011
    Location
    Austin, Texas, United States
    Posts
    26
    cPanel/Enkompass Access Level

    Root Administrator

    Default re: PHP 5.3.10 Released [Case 57077, Case 57160]

    I would like to see a feature in EasyApache that allows you to upgrade to the latest, even if it is not officially released by cPanel (with tons of warnings stating that cPanel hasn't approved it quite yet or is in the process of approving it).

    There have been several times I have had to wait at least a week for cPanel to get through their testing because they refused to let it be released, all the while I have to sit back on less secure versions.
    Last edited by deth4uall; 02-06-2012 at 09:03 AM.

  5. #20
    Member
    Join Date
    Feb 2012
    Posts
    14
    cPanel/Enkompass Access Level

    Root Administrator

    Default re: PHP 5.3.10 Released [Case 57077, Case 57160]

    Quote Originally Posted by PlotHost View Post
    It will be available in few days. We just should wait a little.
    Um... a few days where any hacker can execute arbitrary code on our servers?! That seems rather blasé.

  6. #21
    Member
    Join Date
    Aug 2001
    Location
    Brisbane, Australia
    Posts
    210

    Default re: PHP 5.3.10 Released [Case 57077, Case 57160]

    Quote Originally Posted by deth4uall View Post
    I would like to see a feature in EasyApache that allows you to upgrade to the latest, even if it is not officially released by cPanel (with tons of warnings stating that cPanel hasn't approved it quite yet or is in the process of approving it).

    There have been several times I have had to wait at least a week for cPanel to get through their testing because they refused to let it be released, all the while I have to sit back on less secure versions.
    Haven't done it in years, but in the past I've easily compiled/upgraded PHP via source tarball on WHM/cPanel without issues, without waiting for the WHM/cPanel PHP update. WHM/cPanel PHP is just installed from source.

    i.e.

    /home/cpeasyapache/src/php-5.3.x
    Last edited by eva2000; 02-06-2012 at 10:47 AM.

  7. #22
    Member deth4uall's Avatar
    Join Date
    Sep 2011
    Location
    Austin, Texas, United States
    Posts
    26
    cPanel/Enkompass Access Level

    Root Administrator

    Default re: PHP 5.3.10 Released [Case 57077, Case 57160]

    Quote Originally Posted by eva2000 View Post
    Haven't done it in years, but in the past I've easily compiled/upgraded PHP via source tarball on WHM/cPanel without issues, without waiting for the WHM/cPanel PHP update. WHM/cPanel PHP is just installed from source.

    i.e.

    /home/cpeasyapache/src/php-5.3.x
    Oh wow, okay, go figure it would be something as easy as that. Will it show up in the EasyApache profile?

  8. #23
    Member
    Join Date
    Apr 2011
    Posts
    145
    cPanel/Enkompass Access Level

    Root Administrator

    Default re: PHP 5.3.10 Released [Case 57077, Case 57160]

    Quote Originally Posted by ThinIce View Post
    Am also patiently waiting for this. Understand that QA takes time, however it might have been good to have posted some official advice to this thread of the best course of action. "Downgrade to php5.3.8 with Suhosin" (if this is indeed the correct course of action). Otherwise people just see "security release not yet provided".
    There's no need to downgrade -- if you have Suhosin with the default settings, you are safe under PHP 5.3.9. You can check by checking the output of these two commands:
    Code:
    # php -i | grep 'suhosin.request.max_vars'
    suhosin.request.max_vars => 1000 => 1000
    
    # php -i | grep 'max_input_vars'
    max_input_vars => 1000 => 1000
    If suhosin.request.max_vars is less than or equal to max_input_vars, then you are protected.

    Also, using ModSecurity with a decent set of rules will go a long ways toward protecting you as well. Supposedly the ASL rules already limit the request variables to 1000. Other rules exist that detect things like hex encoded and null characters that are typical in hacking attempts.
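    The check described in posts #16 and #23 (Suhosin's suhosin.request.max_vars must be less than or equal to PHP's max_input_vars, otherwise requests with too many variables reach PHP's vulnerable code path) can be automated so it does not depend on eyeballing two grep lines. The script below is an added example, not code from the thread, from cPanel, or from Suhosin. It parses `php -i`-style "directive => local => master" lines; the sample output embedded in it is constructed rather than captured from a real server, and the function names are this example's own. To run it against a live box, replace the sample with `$(php -i)`.

```shell
#!/bin/sh
# Constructed sample of `php -i` output (not captured from a real server).
# The cPanel/EasyApache defaults discussed in the thread: both limits at 1000.
SAMPLE_PHPINFO='max_input_vars => 1000 => 1000
suhosin.request.max_vars => 1000 => 1000
suhosin.post.max_vars => 1000 => 1000
suhosin.get.max_vars => 100 => 100'

# Print the local value (first value after "=>") of a directive found in
# php -i text. Usage: get_ini_value <directive> <phpinfo text>
get_ini_value() {
    printf '%s\n' "$2" | awk -v key="$1" '$1 == key && $2 == "=>" { print $3; exit }'
}

# Decide whether Suhosin stops over-long requests before PHP 5.3.9's
# max_input_vars code sees them. Returns 0 (protected) only when both
# directives are present and suhosin.request.max_vars <= max_input_vars.
# Prints a one-line verdict explaining the decision.
check_input_var_limits() {
    phpinfo_text=$1
    max_input=$(get_ini_value max_input_vars "$phpinfo_text")
    suhosin=$(get_ini_value suhosin.request.max_vars "$phpinfo_text")

    if [ -z "$max_input" ]; then
        echo "max_input_vars not reported: PHP build predates 5.3.9, check is not applicable"
        return 1
    fi
    if [ -z "$suhosin" ]; then
        echo "suhosin.request.max_vars not reported: Suhosin is not loaded, so nothing caps request variables before PHP"
        return 1
    fi
    if [ "$suhosin" -le "$max_input" ]; then
        echo "protected: suhosin.request.max_vars ($suhosin) <= max_input_vars ($max_input)"
        return 0
    fi
    echo "exposed: suhosin.request.max_vars ($suhosin) > max_input_vars ($max_input); lower the Suhosin limit"
    return 1
}

# Usage against the constructed sample; on a real server use:
#   check_input_var_limits "$(php -i)"
check_input_var_limits "$SAMPLE_PHPINFO"
```

The script reads only the local value, which is what the running SAPI enforces; if the master value differs it means a per-vhost or php.ini override is in play and is worth a look on its own. Treating an absent Suhosin directive as "not protected" matches the thread's reasoning: the cap only helps when Suhosin is actually loaded in the PHP that serves requests.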

  9. #24
    cPanel Quality Assurance Analyst cPanelDon's Avatar
    Join Date
    Nov 2008
    Location
    Houston, Texas, U.S.A.
    Posts
    2,555
    cPanel/Enkompass Access Level

    DataCenter Provider

    Lightbulb Re: PHP 5.3.10 Released [Case 57077, Case 57160]

    EasyApache 3.8.6 is now available; in this build PHP 5.3.10 replaces 5.3.9. The change log is available here: http://docs.cpanel.net/twiki/bin/vie...syApache#3.8.6

  10. #25
    Member
    Join Date
    Jan 2012
    Posts
    6
    cPanel/Enkompass Access Level

    Root Administrator

    Default Re: PHP 5.3.10 Released [Case 57077, Case 57160]

    thank you very much

  11. #26
    Member java_dude's Avatar
    Join Date
    Apr 2004
    Location
    The Good Ol' U.S. of A.
    Posts
    28

    Default Re: PHP 5.3.10 Released [Case 57077, Case 57160]

    Thank you! I updated early this morning.

  12. #27
    Technical Product Specialist cPanelDavidG's Avatar
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,189
    cPanel/Enkompass Access Level

    Root Administrator

    Default Re: PHP 5.3.10 Released [Case 57077, Case 57160]

    This is now implemented in all update tiers so I am going to archive this thread now.
