The Community Forums

new security warning about apache in whm?

Discussion in 'EasyApache' started by chadi, Jul 14, 2004.

  1. chadi

    You are running an insecure apache setup. You should run /scripts/easyapache or if you are running cPanel 7.1.9 or later (click here) to upgrade to a newer version as soon as possible to avoid your system being compromised.


    I did the update on current release and still same problem. Why?
     
  2. chadi

    And once again it does not update PHP to 4.38
     
  3. fishfreek

    Are you checking 4.3.8 in the build apache screen and unchecking the current version?

    I noticed the issue is with php. What is a safe version of php to upgrade to? Is there a patch for those who wish to stay at release 4.3.4?
     
  4. DN-Paul

    I tried updating to 4.3.8 by unchecking 4.3.4 and it didn't work, so I left 4.3.4 checked and also checked 4.3.8 and it worked :)

    No problems yet (apart from mmcache not working :()
     
  5. DDT

    I just wonder what changed in apache. Usually the version number changes or something.
    Little red warning box went away but the version number for apache is still the same. It would be nice if the mods here could tell us what was fixed or what would be the expected behaviour of a normal upgrade that installed properly.
    I "guess" it is OK since the box went away, but before, the apache version numbers always updated too.
     
  6. DN-Paul

    Nothing changed in apache itself so the version number will be the same, the problem is an insecure module (php) - check you rphp version numbers, they will have changed when you did the upgrade.
     
  7. fishfreek

    This is interesting. On 3 of the 6 cpanel servers I look after I get the security warning but on the other three I do not. When I look at the NEWS page on the three servers that don't have the warning PHP is NOT listed in the top listing of scripts. All of them have phpsuexec enabled.

    On the three servers that DO have the security warning none of them are running phpsuexec and two of them are running php 4.3.4 and one is running 4.3.3. For some reason phpsuexec is not causing the security warning to appear? What is the safe version of PHP to upgrade to?
     
  8. f0urtyfive

     
  9. fishfreek

    Well, on one of the servers we are taking offline soon I updated from 4.3.4 to 4.3.5, 4.3.6, 4.3.7 and finally 4.3.8. Only after updating to 4.3.8 did the security warning go away.

    Just for good measure I updated all of the servers including the ones running phpsuexec to 4.3.8.
     
  10. DDT

    I was already running php 4.3.8 and that is still what shows. How would I check the "rphp" version outside of what WHM lists automatically?
     
  11. ctbhost

    I tried to update 4 or 5 times but it wouldn't update php 4.3.8 until I checked both the current version I was running AND 4.3.8, then it finally updated.
     
  12. webline

    I am still having a problem updating :(
     
  13. rs-freddo

    If you are running phpsuexec you will not get the security warning because the PHP version does not appear in the http headers (whereas it does if using php as a module). The security warning is based on the http header information. The end result is that cpanel is not warning people running phpsuexec that their installation of PHP is vulnerable. :eek:
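
Added example (not part of the thread and not cPanel's own check): a shell illustration of the gap described in the post above, which also covers DDT's earlier question about checking the PHP version outside of what WHM lists. It compares the version advertised in the `Server` header with what `php -v` reports; the header strings, `php -v` lines, function names and status labels are constructed for illustration, and 4.3.8 is the threshold taken from this thread.

```shell
#!/bin/sh
# Threshold taken from the thread: 4.3.8 is the release that cleared the warning.
MIN_SAFE="4.3.8"

# Constructed sample inputs. On a live host they would come from
#   curl -sI http://localhost/ | grep -i '^Server:'   and   php -v
MOD_HDR='Server: Apache/1.3.31 (Unix) PHP/4.3.4 mod_ssl/2.8.18'   # PHP as module
SUEXEC_HDR='Server: Apache/1.3.31 (Unix) mod_ssl/2.8.18'          # phpsuexec: no PHP token
PHPV_OLD='PHP 4.3.4 (cgi) (built: Jan  1 2004 00:00:00)'
PHPV_NEW='PHP 4.3.8 (cgi) (built: Jul 20 2004 00:00:00)'

# Print the PHP version advertised in a Server header, or nothing if absent.
header_php_version() {
    printf '%s\n' "$1" | sed -n 's/.*PHP\/\([0-9][0-9.]*\).*/\1/p'
}

# Print the version from the first line of `php -v` output.
binary_php_version() {
    printf '%s\n' "$1" | sed -n '1s/^PHP \([0-9][0-9.]*\).*/\1/p'
}

# Succeed when $1 is strictly older than $2 (numeric compare per dotted field).
version_lt() {
    [ "$1" = "$2" ] && return 1
    oldest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$oldest" = "$1" ]
}

# Classify a host: a header-only check sees OUTDATED_VISIBLE but never OUTDATED_HIDDEN.
audit_php() {
    hdr=$(header_php_version "$1")
    bin=$(binary_php_version "$2")
    if [ -z "$bin" ]; then echo "UNKNOWN"; return 0; fi
    if version_lt "$bin" "$MIN_SAFE"; then
        if [ -n "$hdr" ]; then echo "OUTDATED_VISIBLE"; else echo "OUTDATED_HIDDEN"; fi
    else
        echo "CURRENT"
    fi
}

echo "module, 4.3.4:     $(audit_php "$MOD_HDR" "$PHPV_OLD")"
echo "phpsuexec, 4.3.4:  $(audit_php "$SUEXEC_HDR" "$PHPV_OLD")"
echo "phpsuexec, 4.3.8:  $(audit_php "$SUEXEC_HDR" "$PHPV_NEW")"
```
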
     
  14. webline

    I finally managed to update to 4.3.8 with easyapache default settings and options BUT when I try to update again with options, it was not updated with the new options I clicked.
     
  15. Sinewy

    You may not have the libraries needed by that module installed. Some modules like Zip require libzzip.

    cPanel have now removed all php versions except 5.0.0 and 4.3.8 from the easyapache list. They have also updated the curl version :)
     
  16. hbouma

    Is there a particular exploit in pre PHP 4.3.8 versions or is cPanel going to start nagging us when we don't have the latest version of PHP installed?

    Hal
     
  17. SarcNBit

    Here is the changelog for 4.3.8:

    Fixed strip_tags() to correctly handle '\0' characters. (Stefan)
    Improved stability during startup when memory_limit is used. (Stefan)
    Replace alloca() with emalloc() for better stack protection. (Ilia)
    Added missing safe_mode checks inside ftok and itpc. (Ilia)
    Fixed bug #28963 Fixed address allocation routine in IMAP extension. (Ilia)
    Fixed bug #28632 Prevent open_basedir bypass via MySQL's LOAD DATA LOCAL. (Ilia)

    There are exploits, but I am not going to post them here. Use your imagination. :)
     
  18. nitromax

    I am unable to upgrade to 4.3.8 because my server does not seem to want to install the new version of curl. Anyone else having this problem and know a solution??? Here are my make errors while updating apache via WHM:


    make curl-7.12.0....... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Done
    make[2]: *** [curl] Error 1
    make[1]: *** [all] Error 2
    make: *** [all-recursive] Error 1


    make curl-7.12.0...(install).... . . Done

    make[2]: *** [curl] Error 1
    make[1]: *** [install] Error 2
    make: *** [install-recursive] Error 1


    Untarring flash......Done
    Using RPM Backend: RPM version 4.0.4
    installed: gettext-0.11.1-2
    Untarring php....Done
    Applying GD FT_ENCODING_MS_SYMBOL patch
    patching file ext/gd/libgd/gdft.c
    Applying CURL curl_formfree patch
    patching file ext/curl/curl.c

    configure php-4.3.8...(--with-apxs=/usr/local/apache/bin/apxs --with-xml --enable-bcmath --enable-calendar --with-curl --with-swf=/usr/local/flash --enable-ftp --with-gettext --with-mcrypt --with-mhash --enable-magic-quotes --with-mysql --with-openssl --enable-discard-path --with-pear --enable-sockets --enable-track-vars --enable-versioning --with-zlib).... . . . . . . . . . . . . . . . . . Done
    configure: error: There is something wrong. Please check config.log for more information.
    make php-4.3.8...(clean).... Done

    make php-4.3.8....... Done

    make php-4.3.8...(install).... Done

    configure php-4.3.8...(--prefix=/usr --with-xml --enable-bcmath --enable-calendar --with-curl --with-swf=/usr/local/flash --enable-ftp --with-gettext --with-mcrypt --with-mhash --enable-magic-quotes --with-mysql --with-openssl --enable-discard-path --with-pear --enable-sockets --enable-track-vars --enable-versioning --with-zlib).... . . . . . . . . . . . . . . . . . . . . . Done
    configure: error: There is something wrong. Please check config.log for more information.
    make php-4.3.8...(clean).... Done

    make php-4.3.8....... Done

    make php-4.3.8...(install).... Done




    But after all of this I still have PHP 4.3.3 and WHM still says I have an insecure apache setup. Any help here would be appreciated.
     
    #18 nitromax, Jul 21, 2004
    Last edited: Jul 21, 2004
  19. Sinewy

  20. mr.wonderful

    What 50 boxes? :rolleyes:
     