Posts: 110 | Threads: 14 | Joined: Aug 2015 | Reputation: 8 | Sex: Male | Thanks: 3 | Given 15 thank(s) in 12 post(s)
RE: PHP version changer
02-08-2016, 06:37 AM
(02-08-2016, 12:45 AM)netfa Wrote:
(02-05-2016, 10:19 AM)ccr1969 Wrote:
(02-05-2016, 08:41 AM)apinto Wrote:
(02-05-2016, 02:01 AM)ccr1969 Wrote: Theo, this is up and running now; all tests are good. Looks great!
Any GitHub repo so we can test?
No repo; this is a work in progress. I run Apache 2.4.17 and PHP 5.6.15 by default. Right now I can run four different PHP versions side by side; 3 have Suhosin, on PHP 7 not yet, but working on that as there's no released PHP 7 source code yet to my knowledge, but 5.4 and 5.5 and 5.6 are all good.
This requires mod_fcgid.so and quite a bit of understanding, so maybe in the future, but not yet.
Hi ccr1969.
Can you tell us the steps that you did?
We need a PHP version changer, or at least to update the PHP version to 5.6.
Thanks
I run a Windows OS.
You will first have to update Apache (I use 2.4.17 VC11), you will then have to find the appropriate mods,
then get PHP 5.6.15 or whatever is latest now. Remember Suhosin needs to be compiled also, and if you search my posts you will find excel and Suhosin which I have already compiled, or you can get it here,
where I have created an exe to update Apache and PHP in the Sentora panel automatically:
Apache&PHP Updater
Posts: 525 | Threads: 23 | Joined: Mar 2015 | Reputation: 26 | Sex: Male | Thanks: 139 | Given 104 thank(s) in 87 post(s)
RE: PHP version changer
02-08-2016, 09:34 PM
(02-08-2016, 06:02 AM)Me.B Wrote: Not sure this is secure. And each PHP must be patched using Suhosin.
M B
It might not be secure (I think it is not safe for a production server), but it is a step up and some people might really need it.
Keep testing, and check on security.
Posts: 110 | Threads: 14 | Joined: Aug 2015 | Reputation: 8 | Sex: Male | Thanks: 3 | Given 15 thank(s) in 12 post(s)
RE: PHP version changer
02-09-2016, 02:01 AM
(This post was last modified: 02-09-2016, 02:18 AM by ccr1969.)
(02-08-2016, 09:34 PM)apinto Wrote:
(02-08-2016, 06:02 AM)Me.B Wrote: Not sure this is secure. And each PHP must be patched using Suhosin.
M B
It might not be secure (I think it is not safe for a production server), but it is a step up and some people might really need it.
Keep testing, and check on security.
I run server security runs for SQL injection and other problems, and I place focus on them. Right now I have 90 out of 100, which is a B in security; this was due to the OpenSSL version, and I have updated OpenSSL.
Quote:
Hostname: xxxxxxxxxx.tk
Scan date: 2016-01-27
Scan Status: Done
Vulnerability Score: 90.00 (B)
Vulnerability Summary
High: 0
Medium: 1
  OpenSSL Running Version Prior to 1.0.2e
Low: 10
  SMTP Service Cleartext Login Permitted
  OpenSSL Version Detection
  SMTP Authentication Methods
  HTTP Packet Inspection
  Supported SSL Ciphers Suites
  Identify Unknown Services via GET Requests
  Identify Unknown Services via GET Requests
  SSL Verification Test
  HTTP TRACE Method XSS Vulnerability
  Directory Scanner
Total: 11
[Charts not reproduced: Vulnerability by Risk Level; Vulnerability by Service; Vulnerability Count (displays High and Medium risk vulnerabilities)]
Security Testing
Type                        Tests   Failed   Passed
Infrastructure Tests        12907   11       12896
Blind SQL Injection           224    0         224
SQL Injection                 272    0         272
Cross Site Scripting          464    0         464
Source Disclosure             272    0         272
PHP Code Injection            128    0         128
Windows Command Execution     192    0         192
UNIX Command Execution        208    0         208
UNIX File Disclosure          128    0         128
Windows File Disclosure       432    0         432
Directory Disclosure          272    0         272
Remote File Inclusion          16    0          16
HTTP Header Injection         144    0         144
Medium risk vulnerabilities results for: xxxxxxx.tk
1. OpenSSL Running Version Prior to 1.0.2e (Medium)
Port: https (443/tcp)
Summary: Multiple vulnerabilities have been found in OpenSSL:
* The ssl3_get_key_exchange function in ssl/s3_clnt.c in OpenSSL 1.0.2 before 1.0.2e allows remote servers to cause a denial of service (segmentation fault) via a zero p value in an anonymous Diffie-Hellman (DH) ServerKeyExchange message.
* The Montgomery squaring implementation in crypto/bn/asm/x86_64-mont5.pl in OpenSSL 1.0.2 before 1.0.2e on the x86_64 platform, as used by the BN_mod_exp function, mishandles carry propagation and produces incorrect output, which makes it easier for remote attackers to obtain sensitive private-key information via an attack against use of a Diffie-Hellman (DH) or Diffie-Hellman Ephemeral (DHE) ciphersuite.
* crypto/rsa/rsa_ameth.c in OpenSSL 1.0.1 before 1.0.1q and 1.0.2 before 1.0.2e allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an RSA PSS ASN.1 signature that lacks a mask generation function parameter.
* The ASN1_TFLG_COMBINE implementation in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zh, 1.0.0 before 1.0.0t, 1.0.1 before 1.0.1q, and 1.0.2 before 1.0.2e mishandles errors caused by malformed X509_ATTRIBUTE data, which allows remote attackers to obtain sensitive information from process memory by triggering a decoding failure in a PKCS#7 or CMS application.
Banner: Server: Apache/2.4.17 (Win32) mod_antiloris/0.6.0 OpenSSL/1.0.2d PHP/5.6.15
Installed version: 1.0.2d
Fixed version: 1.0.2e
Recommended Solution: Upgrade to OpenSSL version 1.0.2e or newer.
More information: https://www.openssl.org/news/secadv/20151203.txt, and https://mta.openssl.org/pipermail/openss...01540.html
CVE: CVE-2015-1794, CVE-2015-3193, CVE-2015-3194, CVE-2015-3195
Test ID: 18638
So yes, I do run audit checks.
Posts: 3,662 | Threads: 241 | Joined: May 2014 | Reputation: 85 | Sex: Male | Thanks: 408 | Given 599 thank(s) in 464 post(s)
RE: PHP version changer
02-09-2016, 03:30 AM
That security check has nothing to do with suhosin locking out harmful php commands.
Code: php_admin_value suhosin.executor.func.blacklist "passthru, show_source, shell_exec, system, pcntl_exec, popen, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg, exec"
Suhosin MUST be enabled and active on ALL php versions in order to protect any Sentora installation.
-TGates - Project Council
SEARCH the Forums or read the DOCUMENTATION before posting!
Support Sentora and Donate: HERE
Find my support or modules useful? Donate to TGates HERE
Developers and code testers needed!
Contact TGates for more information
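One thing worth checking on a multi-version setup like the one in this thread is whether that blacklist is really in force for the PHP build that serves a given domain: php_admin_value is a mod_php directive, so on a mod_fcgid deployment the same setting has to live in each PHP version's own php.ini, and a build without the Suhosin extension silently ignores it. The script below is an added example, not code from the thread or from Sentora. It takes the blacklist TGates posted as the baseline, reads what the running SAPI actually enforces (suhosin.executor.func.blacklist, plus core disable_functions as a second layer), and reports any gap. Drop it into a domain's docroot, request it once over HTTP so it runs under that vhost's PHP, then delete it.

```php
<?php
// Added example (not from the thread or Sentora): confirm that the Suhosin
// function blacklist is really in effect for the PHP build serving this vhost.
// Place in the domain's docroot, request it once, then delete it.

// Baseline: the blacklist line quoted in the thread.
define('EXPECTED_BLACKLIST', 'passthru, show_source, shell_exec, system, '
    . 'pcntl_exec, popen, pclose, proc_open, proc_nice, proc_terminate, '
    . 'proc_get_status, proc_close, leak, apache_child_terminate, posix_kill, '
    . 'posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, '
    . 'escapeshellarg, exec');

// Turn a comma-separated ini list into a normalised array of function names.
function parseFunctionList($list)
{
    $names = array_map('trim', explode(',', strtolower((string) $list)));
    return array_values(array_unique(array_filter($names, 'strlen')));
}

// Compare what this SAPI actually enforces against the expected baseline.
function checkSuhosinBlacklist($expected = EXPECTED_BLACKLIST)
{
    $want          = parseFunctionList($expected);
    $suhosinLoaded = extension_loaded('suhosin');
    // ini_get() returns false for a directive this build does not know,
    // so a build without Suhosin yields an empty enforced list.
    $have = $suhosinLoaded
        ? parseFunctionList(ini_get('suhosin.executor.func.blacklist'))
        : array();
    // disable_functions is core PHP and honoured by every SAPI; count it as a
    // second layer when deciding which names are left completely uncovered.
    $disabled = parseFunctionList(ini_get('disable_functions'));

    return array(
        'php_version'            => PHP_VERSION,
        'sapi'                   => php_sapi_name(),
        'suhosin_loaded'         => $suhosinLoaded,
        'missing_from_blacklist' => array_values(array_diff($want, $have)),
        'uncovered'              => array_values(array_diff($want, $have, $disabled)),
        'ok'                     => $suhosinLoaded && !array_diff($want, $have, $disabled),
    );
}

// Plain-text report, one finding per line.
function formatReport(array $r)
{
    $lines = array(
        'PHP ' . $r['php_version'] . ' via ' . $r['sapi'],
        'Suhosin loaded: ' . ($r['suhosin_loaded'] ? 'yes' : 'NO'),
        'Missing from suhosin.executor.func.blacklist: '
            . ($r['missing_from_blacklist'] ? implode(', ', $r['missing_from_blacklist']) : 'none'),
        'Covered by neither Suhosin nor disable_functions: '
            . ($r['uncovered'] ? implode(', ', $r['uncovered']) : 'none'),
        'Result: ' . ($r['ok'] ? 'OK' : 'FAIL'),
    );
    return implode(PHP_EOL, $lines) . PHP_EOL;
}

header('Content-Type: text/plain');
echo formatReport(checkSuhosinBlacklist());
```

Run it once per hosted PHP version (one vhost per version, as in the thread) and expect "Result: OK" from each; a "Suhosin loaded: NO" line on the PHP 7 vhost is the situation the thread describes, and "disable_functions" in that build's php.ini is the core-PHP fallback until a Suhosin build for it exists.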
Posts: 110 | Threads: 14 | Joined: Aug 2015 | Reputation: 8 | Sex: Male | Thanks: 3 | Given 15 thank(s) in 12 post(s)
RE: PHP version changer
02-09-2016, 11:21 AM
(This post was last modified: 02-09-2016, 12:20 PM by ccr1969.)
Like I said, 3 of them are using Suhosin; PHP 7 is for testing.
And remember the Sentora panel is secured to Suhosin; it is the default. The other versions run on the domains the user specifies them to run on, as in the example post:
domain1.com php 5.5
domain2.com php 7
and so on. Now the Sentora panel is secured by its Suhosin patch. Also, there are other methods to secure a server, not just the one mentioned.
Security is not just for panels but all sites.
I hope that makes sense to you.
There are some security issues I am looking into.
Code: Login Cross Site Request Forgery (CSRF/XSRF)
What does this mean?
The web site seems to be lacking CSRF token on a login form.
What can happen?
An attacker can force an unsuspecting user to sign in to the attacker's account. What can be done from there depends on the application. Example: An attacker can force an unsuspecting user to login to the attacker's account, when the user then buys something the credit card is added to the attacker's account.
Summary
Entry   Found at                           CVSS
1       http://xxxxxxxx.tk/                6.2
2       http://xxxxxxxxxxxx.tk/index.php   6.2
3       https://xxxxxxxxx/                 6.2
1. Login Cross Site Request Forgery (CSRF/XSRF)
Summary
Found at: http://xxxxxxxxx/
CVSS: 6.2 of 10.0
Request Headers
GET / HTTP/1.1
Accept: text/html application/xhtml+xml application/xml; q=0.9 image/webp */*; q=0.8
User-Agent: Mozilla/5.0 (compatible; Detectify)
Host: xxxxxxxx.tk
Cache-Control: no-store, no-cache
Pragma: no-cache
Accept-Encoding: gzip deflate
Connection: Keep-Alive
Response Headers
HTTP/1.1 200 OK
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Keep-Alive: timeout=15, max=150
Connection: Keep-Alive
Content-Length: 1860
Content-Type: text/html; charset=UTF-8
Date: Tue, 09 Feb 2016 01:50:17 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Set-Cookie: PHPSESSID=xxxxxxxxxxxxxxxxxx; path=/
Server: Apache/2.4.17 (Win32) mod_antiloris/0.6.0 mod_fcgid/2.3.9 OpenSSL/1.0.2e PHP/5.6.15
X-Powered-By: PHP/5.6.15
Details
<form role="form" method="post" name="frmZForgot" id="frmZForgot" style="display: none;">
<div class="form-group">
<label for="inPassword">E-mail:</label>
<div class="input-group merged">
<span class="input-group-addon"><i class="icon-mail"></i></span>
<input type="text" class="form-control" id="inputEmail" name="inForgotPassword"
placeholder="Email" required="">
</div>
</div>
<div class="form-group text-right">
<a href="javascript:void(0);" id="backtologin">(Back To Login)</a>
</div>
<button type="submit" class="btn btn-primary pull-right btn-margin" name="sublogin2"
value="LogIn">Sign in</button>
<input type="hidden" name="csfr_token"
value="8uu3y7kcg7a4wfugv0uwltexarrjskydic9kzeuskcludf7ckp"> </form>
<form role="form" method="post" name="frmZLogin" id="frmZLogin">
<div class="form-group">
<label for="inputUsername">Username:</label>
<div class="input-group merged">
<span class="input-group-addon"><i class="icon-user-male"></i></span>
<input type="text" class="form-control" id="inputUsername" name="inUsername"
placeholder="Username" required="">
</div>
</div>
<div class="form-group">
<label for="inPassword">Password:</label>
<div class="input-group merged">
<span class="input-group-addon"><i class="icon-key-1"></i></span>
<input type="password" class="form-control" id="inPassword" name="inPassword"
placeholder="Password" required="">
</div>
</div>
<div class="form-group text-right">
<a href="javascript:void(0);" id="forgotpw">(forgot password)</a>
</div>
<div class="form-group">
<input type="checkbox" data-label="Remember Me" name="inRemember"
value="1">Remember me
</div>
<div class="form-group">
<input type="checkbox" data-label="Enable Session Security"
name="inSessionSecurity" checked="">Enable Session Security
</div>
<button type="submit" class="btn btn-primary pull-right btn-margin" name="sublogin2"
value="LogIn">Sign in</button>
<input type="hidden" name="csfr_token"
value="8uu3y7kcg7a4wfugv0uwltexarrjskydic9kzeuskcludf7ckp"> </form>
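The login form in that scan output does carry a hidden csfr_token field, so the thing to confirm is the other half of the defence: the POST handler must refuse a login whose token does not match the one stored in the visitor's own pre-login session. That is what stops the login-CSRF scenario the scanner describes, because a third party cannot read a token that lives in someone else's session. The code below is an added example, not Sentora's own login code; it reuses the field names from the form above (csfr_token, inUsername, inPassword) and assumes a hypothetical $authenticate callback for the credential check. It stays on PHP 5.x-compatible syntax with fallbacks for random_bytes() and hash_equals(), since the thread runs 5.4 through 7.

```php
<?php
// Added example, not Sentora's code: a login-CSRF guard of the kind the
// finding above asks for. Field names follow the form in the scan output;
// the $authenticate callback is an assumed stand-in for the real check.

session_start();

// Cryptographically random hex token. random_bytes() exists from PHP 7;
// openssl_random_pseudo_bytes() covers the 5.x builds in this thread.
function randomToken($bytes = 32)
{
    if (function_exists('random_bytes')) {
        return bin2hex(random_bytes($bytes));
    }
    $strong = false;
    $raw = openssl_random_pseudo_bytes($bytes, $strong);
    if ($raw === false || !$strong) {
        throw new RuntimeException('No strong random source available');
    }
    return bin2hex($raw);
}

// Constant-time comparison; hash_equals() exists from PHP 5.6.
function constantTimeEquals($a, $b)
{
    if (function_exists('hash_equals')) {
        return hash_equals($a, $b);
    }
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($a); $i < $n; $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

// Issue (or reuse) the token bound to the current pre-login session.
function issueCsrfToken()
{
    if (empty($_SESSION['csfr_token'])) {
        $_SESSION['csfr_token'] = randomToken();
    }
    return $_SESSION['csfr_token'];
}

// Accept only a string that exactly matches the token in this session.
function verifyCsrfToken($submitted)
{
    if (!is_string($submitted) || empty($_SESSION['csfr_token'])) {
        return false;
    }
    return constantTimeEquals($_SESSION['csfr_token'], $submitted);
}

// Login handler: token check first, credentials second, then a fresh
// session id and token so nothing from the pre-auth session carries over.
function handleLogin(array $post, $authenticate)
{
    $token = isset($post['csfr_token']) ? $post['csfr_token'] : null;
    if (!verifyCsrfToken($token)) {
        http_response_code(403);
        return 'Rejected: missing or invalid CSRF token';
    }
    $user = isset($post['inUsername']) ? $post['inUsername'] : '';
    $pass = isset($post['inPassword']) ? $post['inPassword'] : '';
    if (!call_user_func($authenticate, $user, $pass)) {
        return 'Rejected: bad credentials';
    }
    session_regenerate_id(true);
    unset($_SESSION['csfr_token']);
    $_SESSION['user'] = $user;
    return 'ok';
}

// Rendering side: the hidden field that goes into the login form.
function csrfField()
{
    return '<input type="hidden" name="csfr_token" value="'
        . htmlspecialchars(issueCsrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

if (isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'POST') {
    // Placeholder credential check (always fails); the application supplies the real one.
    echo handleLogin($_POST, function ($user, $pass) { return false; });
} else {
    echo csrfField();
}
```

A quick way to confirm the guard is in place on a running panel is to replay the login POST with the csfr_token field removed or altered and check that the response is the 403 rather than a session for the submitted account; the scanner's finding is about exactly that missing rejection, not about whether the field is printed in the HTML.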
Posts: 3,662 | Threads: 241 | Joined: May 2014 | Reputation: 85 | Sex: Male | Thanks: 408 | Given 599 thank(s) in 464 post(s)
RE: PHP version changer
02-09-2016, 03:29 PM
Well, that's what I meant... Not just 'the panel' but everything involved with the panel and the hosted sites...
Good luck getting this sorted. It would be VERY nice to have!
-TGates - Project Council
Posts: 5 | Threads: 1 | Joined: Jul 2015 | Reputation: 0 | Sex: Male | Thanks: 5 | Given 1 thank(s) in 1 post(s)
RE: PHP version changer
03-21-2016, 03:10 PM
(02-09-2016, 03:29 PM)TGates Wrote: Well, that's what I meant... Not just 'the panel' but everything involved with the panel and the hosted sites... Good luck getting this sorted. It would be VERY nice to have!
I originally had AWServer setup on my Windows Server, but I finally made the switch to Ubuntu Server and Sentora, the performance difference is just insane!
Just stumbled upon this thread, and wanted to let you know that I would absolutely LOVE this if you were able to make this a reality, a lifesaver!
I'm not huge on scripting or php security, but if I can help feel free to let me know!
Posts: 110 | Threads: 14 | Joined: Aug 2015 | Reputation: 8 | Sex: Male | Thanks: 3 | Given 15 thank(s) in 12 post(s)
RE: PHP version changer
05-17-2016, 12:43 PM
Well, I've been running multiple tests; thus far the PHP changer has run flawlessly. Security seems to be tight, but with all things you never get a 100% secure server. I may post up a zppy for others to try, with instructions on how to set it up. This will not work with Apache 2.2; this is for Apache 2.4.
Do a backup first. You will need other files.
Check back as I prepare an instruction sheet for Windows users.
Posts: 9 | Threads: 0 | Joined: Aug 2016 | Reputation: 0 | Sex: Male | Thanks: 0 | Given 0 thank(s) in 0 post(s)
RE: PHP version changer
09-01-2016, 02:38 AM
(This post was last modified: 09-01-2016, 04:51 AM by hackkill CraftHosting.)
(05-17-2016, 12:43 PM)ccr1969 Wrote: Well, I've been running multiple tests; thus far the PHP changer has run flawlessly. Security seems to be tight, but with all things you never get a 100% secure server. I may post up a zppy for others to try, with instructions on how to set it up. This will not work with Apache 2.2; this is for Apache 2.4.
Do a backup first. You will need other files.
Check back as I prepare an instruction sheet for Windows users.
Where is the package? Link for download? @TGates, do you have the module?
Posts: 9 | Threads: 0 | Joined: Aug 2016 | Reputation: 0 | Sex: Male | Thanks: 0 | Given 0 thank(s) in 0 post(s)
RE: PHP version changer
09-01-2016, 04:51 AM
(02-09-2016, 03:29 PM)TGates Wrote: Well, that's what I meant... Not just 'the panel' but everything involved with the panel and the hosted sites... Good luck getting this sorted. It would be VERY nice to have!
Do you have this module?