The Community Forums

Interact with an entire community of cPanel & WHM users!

Is PHP 5.2.5 (cli) (built: Mar 13 2009 08:11:32) secure?

Discussion in 'Security' started by mking213, Dec 2, 2009.

  1. mking213

    mking213 Member

    I'm wondering... PHP 5.2.5 is fairly old, considering. Does cPanel release updates to this version of PHP (i.e. is it patched against CVE-2008-0599, CVE-2008-2051, CVE-2008-2108, etc.), and is it "secure"?

    Mike K.
     
  2. Spiral

    Spiral BANNED

    PHP 5.2.5 is indeed a bit old and you would do well to upgrade ...

    However, PHP is not automatically updated with cPanel updates but
    is available to you when you rebuild (and upgrade) your Apache server.

    You have your choice of 3 ways to upgrade your PHP ...

    1. Use "EasyApache" in WHM to upgrade both Apache and PHP

    2. In SSH, run /scripts/easyapache

    3. Manually compile PHP
    Code:
    # php -i | grep "configure"
    (take a note of the options shown as you'll need those again)
    # cd /usr/local/src
    # wget -O php-5.2.11.tar.bz2 http://www.php.net/get/php-5.2.11.tar.bz2/from/this/mirror
    # tar jxvf ./php-5.2.11.tar.bz2
    # cd ./php-5.2.11
    # ./configure   (!!!! PUT YOUR PREVIOUS OPTIONS HERE !!!!)
    # make
    # make check
    # make install
    
    The first 2 options above are both menu driven!

    Any of the above will get you upgraded!

    Regarding your security questions, getting you moved up from 5.2.5 to 5.2.11 will help greatly,
    but I would also recommend switching to SuPHP if you are not already using it for your PHP type
    and also installing the "Suhosin" extension, which will help with some types of code exploits.

    --Spiral
     
    #2 Spiral, Dec 3, 2009
    Last edited: Dec 3, 2009
  3. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    At the time of writing the latest PHP version included in EasyApache is PHP 5.2.11. Regarding the specified CVE reports I did not see where they would affect version 5.2.11 and it appeared the CVE IDs listed are for PHP version 5.2.5 or older. As with any PHP version there may be a level of risk, but using available security features (e.g., mod_security, SuPHP, Suhosin) and keeping as up-to-date as possible should help to mitigate the risk involved.

    I would consider using EasyApache to update both Apache and PHP.

    Here is the menu path to run EasyApache via root access to WHM:
    WHM: Main >> Software >> EasyApache (Apache Update)

    Here is the command to run EasyApache via root SSH access:
    Code:
    # /scripts/easyapache
    Related Documentation:
    EasyApache (Apache Update)
    Apache & cPanel/WHM
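
An added example, not posted by anyone in this thread: a POSIX shell check that reads a `php -v` banner and a `php -m` module list, flags a PHP older than 5.2.11 (the release named above), and reports whether Suhosin is loaded. The function names and sample input are constructed for illustration. The comparison is numeric per field, because a plain string comparison would rank 5.2.5 above 5.2.11.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.
MIN_PHP="5.2.11"   # newest release mentioned in the thread

# Extract "X.Y.Z" from a banner like "PHP 5.2.5 (cli) (built: ...)".
php_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n '1s/^PHP \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Return 0 if dotted version $1 is older than $2, comparing three numeric fields.
version_lt() {
    vl_a=$1; vl_b=$2
    for vl_i in 1 2 3; do
        vl_x=${vl_a%%.*}; vl_y=${vl_b%%.*}
        if [ "$vl_x" -lt "$vl_y" ]; then return 0; fi
        if [ "$vl_x" -gt "$vl_y" ]; then return 1; fi
        # Drop the field just compared; pad with 0 when none remain.
        case $vl_a in *.*) vl_a=${vl_a#*.} ;; *) vl_a=0 ;; esac
        case $vl_b in *.*) vl_b=${vl_b#*.} ;; *) vl_b=0 ;; esac
    done
    return 1   # equal versions are not "older"
}

# Print one finding per line for a `php -v` banner ($1) and `php -m` output ($2).
audit_php() {
    ap_ver=$(php_version_from_banner "$1")
    if [ -z "$ap_ver" ]; then
        echo "UNKNOWN version"
    elif version_lt "$ap_ver" "$MIN_PHP"; then
        echo "OUTDATED $ap_ver < $MIN_PHP"
    else
        echo "OK $ap_ver"
    fi
    if printf '%s\n' "$2" | grep -qix 'suhosin'; then
        echo "OK suhosin loaded"
    else
        echo "MISSING suhosin"
    fi
}

# Constructed sample input (banner format taken from the thread title).
SAMPLE_BANNER='PHP 5.2.5 (cli) (built: Mar 13 2009 08:11:32)'
SAMPLE_MODULES='[PHP Modules]
ctype
date
pcre
standard'

audit_php "$SAMPLE_BANNER" "$SAMPLE_MODULES"
```

On a live server the same check would be called as `audit_php "$(php -v)" "$(php -m)"`.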
     
  4. rpmws

    rpmws Well-Known Member

    Just so you will feel better: there is no such thing as a secure PHP
    version :) Only versions where known holes have been plugged. In that case you need to update.
     