ePanorama.net » PHP

How to install PHP 7.x as PHP-FPM & FastCGI for ISPConfig 3.1 with apt on Debian 8 and 9

Tomi Engdahl — Sat, 15 Jul 2017 09:19:32 +0000

https://www.howtoforge.com/tutorial/how-to-install-php-7-for-ispconfig-3-from-debian-packages-on-debian-8-and-9/?lipi=urn%3Ali%3Apage%3Ad_flagship3_feed%3B%2FwhvEjEgRhisaaV5VB6iug%3D%3D

available now. PHP 7.1 is the next generation of the PHP programming language, it is up to 2 times faster than PHP 5.6 and 14 times faster than PHP 5.0 according to the release notes. The new PHP version is not 100% compatible with PHP 5.x as some deprecated API’s have been removed.

3 Critical Zero-Day Flaws Found in PHP 7 — One Remains Unpatched!

Tomi Engdahl — Thu, 29 Dec 2016 15:05:39 +0000

http://thehackernews.com/2016/12/php-7-update.html?m=1 Newest PHP version has security issues, and so has some older versions. →

Vulnerability httpoxy for PHP, Go, Python and others

Tomi Engdahl — Fri, 05 Aug 2016 05:54:12 +0000

A CGI application vulnerability called httpoxy was announced in July with coordinated disclosure from many vendors. httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. The vulnerability allows an attacker to remotely set the HTTP_PROXY environment variable on affected servers which can lead to a number of bad consequences. This can lead to a remotely exploitable vulnerability.This vulnerability mainly affects applications that use “classic” CGI execution models. For PHP (both CGI and mod_php versions) whether you are vulnerable depends on your specific application code and PHP libraries. If your run Python or Go under CGI, they can also be vulnerable. httpoxy has a number of CVEs assigned to it.

This issue is not new, but has just became to limelight again. HTTPOXY affects clients that honor the HTTP_PROXY variable and use it for their proxy configuration and server side applications which use HTTP_PROXY as real or emulated variable in their environment. This bug was first discovered over 15 years ago – but still in July 2016 researchers found that the vulnerability was still exploitable in PHP. So, the bug was lying dormant for years, like a latent infection: pox. To put it plainly: there is no way to trust the value of an HTTP_ env var in a CGI environment and you should block the Proxy header.

Best advice is to patch as soon as possible. Immediate mitigation before patching can be performed by blocking ‘Proxy’ request headers as early as possible - httproxy.org has released details for many enviroments (Apache, OpenBSD, Nginx/FastCGI and others). If you’re running PHP or CGI, you should block the Proxy header now. Blocking can be done in web server, web load balancer, web proxy or cloud proxy service.

The vulnerability is easily remotely exploitable and servers can be scanned for it, for details on that read HTTPOXY Vulnerability: How to protect and test your web server article that recommends https://httpoxy.rehmann.co/ service for testing your own servers.

How to Safely Store Your Users’ Passwords in 2016 – Paragon Initiative Enterprises Blog

Tomi Engdahl — Fri, 19 Feb 2016 16:44:55 +0000

Modern, Secure, Salted Password Hashing Made Simple https://paragonie.com/blog/2016/02/how-safely-store-password-in-2016 Posted from WordPress for Android →