Using a website, apache php configuration on red hat 5.5. [root@server ~]# php -version
PHP 5.5.25 (cli) (built: Jun 12 2016 12:37:38)
Copyright (c) 1997-2015 The PHP Group
Zend Engine v2.5.0, Copyright (c) 1998-2015 Zend Technologies
[root@server ~]# httpd -version
Server version: Apache/2.2.3
Server built: Mar 4 2010 09:57:54
I have a website hosted which is published on both 80 and 443. I have received a full set of vulnerabilities looking like below -
Vulnerability - PHP Vulnerability: CVE-2007-1824 Recommended_Action - Upgrade to PHP version 5.2.1 Download and apply the upgrade from:
Vulnerability - PHP Fixed possible invalid read in glob() win32 implementation PHP Fixed iconv_*() functions to limit argument sizes (CVE-2007-4840)
Recommended action - Upgrade to PHP version 5.2.4
Download and apply the upgrade from:
http :// museum.php.net/php5/php-5.2.4.tar.gz
Upgrade to PHP version 5.2.5Download and apply the upgrade from:
http :// museum.php.net/php5/php-5.2.5.tar.gz
What i fail to understand is from where is it detecting an old version of php. I dont have it installed on the server.
When i do a find php, this is what i get. I have installed v5.5.25 on my server.
[root@server ~]# find / -name php
/var/lib/php
/usr/bin/php
/usr/local/lib/php
/usr/local/bin/php
/usr/local/php
/usr/local/include/php
/usr/lib64/php
/appl/softwares/php-7.0.7/sapi/cli/php
/appl/softwares/php-5.5.25/sapi/cli/php
[root@server ~]#
Please help.
This has been solved. It was a very basic problem with having 2 versions of php installed on the server. php -v shows 5.5.25 and phpinfo() was showing the older version(5.1.6)
As the vulnerability report had been taken for my website, and apache was using 5.1.16, i was getting the older vulnerabilities.
This has been fixed by adding the correct libphp5.so in the LoadModule in httpd.conf.
A common error, however, a different issue to find the error.
Thank you.