The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Workaround for CVE-2011-4885 on PHP 5.2.17

Discussion in 'Workarounds and Optimization' started by cPanelPaulT, Feb 11, 2012.

  1. cPanelPaulT

    cPanelPaulT Member
    Staff Member

    Joined:
    Aug 12, 2010
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    CVE-2011-4885 Affects PHP <= 5.3.8
    CVE - CVE-2011-4885 (under review)

    CVE-2012-0830 Only exists because of incorrect fix for 2011-4885, so in other words, in only applies to PHP 5.3.9 which has already been removed in EasyApache in favor of 5.3.10.

    The best course of action is fix this CVE is to upgrade to PHP 5.3.10. We understand that sometimes upgrading to 5.3.x is not possible due to third party code not being ported yet. If you must stay on PHP 5.2.x then you can use Suhosin to "patch" the CVE.

    Since PHP's max_input_vars parameter defaults to 1000, there is no way to trigger the vulnerability with your typical cPanel Suhosin installation as it's request.max_vars parameter is also 1000. If there are 1001 variables, suhosin will kill the request, preventing the vulnerability from being exploited. So as long as suhosin.request.max_vars is less than or equal to PHP's max_input_vars, you will be safe.

    Eg.
    root@vps [~]# php -i | grep max_input_vars
    max_input_vars => 1000 => 1000
    root@vps [~]# php -i | grep suhosin.request.max_vars
    suhosin.request.max_vars => 1000 => 1000

    Those are both default settings, so if you don't already have Suhosin installed, then run "/scripts/phpextensionmgr install PHPSuHosin". When that finishes, do "php -v | grep -i Suhosin" to verify it is present. You should have something like this:

    root@vps [/]# php -v | grep -i Suhosin
    with Suhosin v0.9.33, Copyright (c) 2007-2012, by SektionEins GmbH
     
  2. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,281
    Likes Received:
    37
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    Is cPanel going to provide a patched version of 5.2 to address this?

    M
     
  3. cPanelPaulT

    cPanelPaulT Member
    Staff Member

    Joined:
    Aug 12, 2010
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    cPanel is not providing a patched 5.2.17 version, customers using 5.2.17 should upgrade to 5.3.10 as that version has been fixed upstream. We are supplying the above workaround for those customers who cannot for whatever reason upgrade to 5.3.x yet.
     
  4. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,281
    Likes Received:
    37
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    Hmm. cPanel patched its internal PHP (5.2.9) that is used for cPanel/WHM in EasyApache 3.9.1. So the internal cPanel PHP is fine, yes?

    EasyApache Changelog for 3.9.1 includes:

    Fixed case 57078: EasyApache: Apply fix for CVE-2012-0830 to PHP 5.2.9
    Implemented case 56287: Patch PHP 5.2.9 for CVE-2011-4885

    So, and I must ask this, why wouldn't you also patch the 5.2.17 that is _currently_ available in various tiers?

    M
     
  5. Metro2

    Metro2 Well-Known Member

    Joined:
    May 24, 2006
    Messages:
    376
    Likes Received:
    10
    Trophy Points:
    18
    Location:
    USA
    cPanel Access Level:
    Root Administrator
    mtindor has a really good question there.

    Combine this with the suhosin issue reported at http://forums.cpanel.net/f5/easyapache-3-9-1-problem-suhosin-258101.html and I'm extremely nervous. (Apparently EA 3.9.1 creates other problems with suhosin and PHP 5.2.17)

    I have a few servers that I cannot up to PHP 5.3 because of customer site script compatibility, so I'm running PHP 5.2.17 and suhosin and suPHP.

    This is kind of scary :(
     
  6. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,281
    Likes Received:
    37
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    It's wishful thinking. But, cPanel's own documents state "cPanel does not back-port security fixes from the most recent version of PHP to older versions". I am not sure what I was thinking, but my memory is serving me better today and I don't recall cPanel ever backporting any PHP patches. The last patch released was from PHP.net themselves, but somehow I was thinking it was a cPanel patch.

    If it makes you feel any better, Suhosin 0.9.33 on PHP 5.2.17 appear to be working fine together for me, other than the annoyance mentioned above that was easy enough to fix.

    Mike
     
  7. Metro2

    Metro2 Well-Known Member

    Joined:
    May 24, 2006
    Messages:
    376
    Likes Received:
    10
    Trophy Points:
    18
    Location:
    USA
    cPanel Access Level:
    Root Administrator
    Actually that does help ease my mind a bit, thank you Mike.
     
  8. cPanelPaulT

    cPanelPaulT Member
    Staff Member

    Joined:
    Aug 12, 2010
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Per case 57381, EasyApache 3.10.2 now includes a patch in PHP 5.2.17 for CVE-2011-4885, so the mentioned workaround is not necessary.
     
  9. Metro2

    Metro2 Well-Known Member

    Joined:
    May 24, 2006
    Messages:
    376
    Likes Received:
    10
    Trophy Points:
    18
    Location:
    USA
    cPanel Access Level:
    Root Administrator
    Maybe this post will help others, maybe not, but I just thought maybe I should add it for those who are on the fence and in doubt...

    After much headache over what to do in regard to all of this (and before cPanel came up with a patch solution) I decided to just take the plunge and recompile / upgrade to php 5.3.10 and just deal with the aftermath. And guess what?

    It wasn't so bad afterall - only a very small percentage of my customers were running scripts that had an issue with it, and most of them only needed small adjustments to their script coding to resolve any errors. Mainly what you'll run into is a date.time deprecation error on old scripts which is fairly simple to fix (for now) by changing a line or two in the function calls from those old scripts. A couple google searches and a couple file changes takes care of it for now.

    So far out of many scripts there is only one that is throwing a huge number of errors after 5.3, but it's a very old very custom script that is poorly coded and so far out of date that it's time the webmaster just move on.

    And so in a way I'm thankful for being pushed in the direction of simply moving with the tide. If you're out there reading this right now and you're scared to death to upgrade to php5.3.x because of a few customers, it's time to open a new box with 5.3.x and migrate some accounts to see what happens. The majority of most major / common scripts will deal with it just fine (almost all of the popular scripts have latest versions that are php 5.3.x ready), and the ones that don't are issues that you're going to face eventually anyway.

    I know this reply was not technically helpful and productive, but on a human level I can say that I know what you're stressing about and after just taking the plunge I personally feel it's a great weight lifted off my shoulders. It's time to stop letting a few customers hold you back from the inevitable.

    I'm wishing good luck to everyone who is a small hosting business and struggling with this decision. Moving to updated servers and latest platforms have benefits that far outweigh hinging your business on that 2 or 3 customers that are holding you back. Nobody liked Windows 95 when it came out but eventually XP showed the way, and this is kind of a similar scenario.

    Many thanks to cPanel for doing everything you can to bridge the gap for those who are in transition.
     
  10. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,468
    Likes Received:
    196
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    Well put, Metro2!

    Your contribution to this thread and these forums is appreciated. We all learn when we all share the knowledge.

    Thanks!
     
  11. samm1996

    samm1996 Member

    Joined:
    Sep 10, 2012
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Tangerang, Indonesia
    cPanel Access Level:
    Root Administrator
    This is very helpful :D
     
Loading...
Similar Threads - Workaround CVE 2011
  1. cachout58
    Replies:
    5
    Views:
    303

Share This Page