PHP version changer

[ccr1969]

Not sure this is secure. And each php must be patched using suhosin.

M B

It might not be secure (I think it is not safe for a production server), but it is a step up and some people might really need it.

Keep testing, and check on security

i run server security runs for sql injection and other promblems and i place focus on them right now i ha 90 out of 100 which is a b in security this was due to openssl version and i have updated openssl

Hostname
xxxxxxxxxx.tk
Scan date
2016-01-27
Scan Status
Done
Vulnerability Score
90.00 (B)
Vulnerability SummaryHigh
0

Medium
1
OpenSSL Running Version Prior to 1.0.2e

Low
10
SMTP Service Cleartext Login Permitted
OpenSSL Version Detection
SMTP Authentication Methods
HTTP Packet Inspection
Supported SSL Ciphers Suites
Identify Unknown Services via GET Requests
Identify Unknown Services via GET Requests
SSL Verification Test
HTTP TRACE Method XSS Vulnerability
Directory Scanner

Total
11 
Vulnerability by Risk Level
Vulnerability by Service
Vulnerability Count

(Displays High and Medium risk vulnerabilities)

Security Testing
Type
Tests
Failed
PassedInfrastructure Tests
12907
11
12896
Blind SQL Injection
224
0
224
SQL Injection
272
0
272
Cross Site Scripting
464
0
464
Source Disclosure
272
0
272
PHP Code Injection
128
0
128
Windows Command Execution
192
0
192
UNIX Command Execution
208
0
208
UNIX File Disclosure
128
0
128
Windows File Disclosure
432
0
432
Directory Disclosure
272
0
272
Remote File Inclusion
16
0
16
HTTP Header Injection
144
0
144



Medium risk vulnerabilities results for:xxxxxxx.tk

1. OpenSSL Running Version Prior to 1.0.2e (Medium)
back
Port:
https (443/tcp)
Summary:
Multiple vulnerabilities have been found in OpenSSL:
* The ssl3_get_key_exchange function in ssl/s3_clnt.c in OpenSSL 1.0.2 before 1.0.2e allows remote servers to cause a denial of service (segmentation fault) via a zero p value in an anonymous Diffie-Hellman (DH) ServerKeyExchange message.

* The Montgomery squaring implementation in crypto/bn/asm/x86_64-mont5.pl in OpenSSL 1.0.2 before 1.0.2e on the x86_64 platform, as used by the BN_mod_exp function, mishandles carry propagation and produces incorrect output, which makes it easier for remote attackers to obtain sensitive private-key information via an attack against use of a Diffie-Hellman (DH) or Diffie-Hellman Ephemeral (DHE) ciphersuite.

* crypto/rsa/rsa_ameth.c in OpenSSL 1.0.1 before 1.0.1q and 1.0.2 before 1.0.2e allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an RSA PSS ASN.1 signature that lacks a mask generation function parameter.

* The ASN1_TFLG_COMBINE implementation in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zh, 1.0.0 before 1.0.0t, 1.0.1 before 1.0.1q, and 1.0.2 before 1.0.2e mishandles errors caused by malformed X509_ATTRIBUTE data, which allows remote attackers to obtain sensitive information from process memory by triggering a decoding failure in a PKCSInstall Docs-ISPconfig or CMS application.

Banner: Server: Apache/2.4.17 (Win32) mod_antiloris/0.6.0 OpenSSL/1.0.2d PHP/5.6.15
Installed version: 1.0.2d
Fixed version: 1.0.2e
Recommended Solution:
Upgrade to OpenSSL version 1.0.2e or newer.
More information:
https://www.openssl.org/news/secadv/20151203.txt, and https://mta.openssl.org/pipermail/openss...01540.html
CVE:
CVE-2015-1794
CVE:
CVE-2015-3193
CVE:
CVE-2015-3194
CVE:
CVE-2015-3195
Test ID:
18638

so yes i do run audit checks