PHP versions prior to 5.3.12 and 5.4.2 are vulnerable.

Printable View

9 Apr 2014, 01:36 AM
jetx

PHP versions prior to 5.3.12 and 5.4.2 are vulnerable.

1. PHP CGI Bug - http://arstechnica.com/security/2014...-22-months-on/ --- PHP versions prior to 5.3.12 and 5.4.2 are vulnerable.

As I still have a zencart site left I need to ask for clarification on this post by DrByte today. I understand that 1.51 does not work under php 5.4 without code modification. I do not see exactly what modifications are required.

secondly, does the Dr mean (versions prior to 5.3.12 and 5.4.2 are vulnerable) therefore any version prior to 5.4.2 is vulnerable?.
9 Apr 2014, 04:32 AM
DrByte

Re: PHP versions prior to 5.3.12 and 5.4.2 are vulnerable.

Quote:

Originally Posted by jetx

does the Dr mean (versions prior to 5.3.12 and 5.4.2 are vulnerable) therefore any version prior to 5.4.2 is vulnerable?.

My understanding of the statement (it wasn't mine, I was only quoting it) is that PHP 5.3.1 thru 5.3.11 are vulnerable, and 5.4.0 and 5.4.1 are vulnerable. The quoted article makes no mention of PHP 5.2.xxx versions specifically, but I haven't pursued that further; you may wish to.
9 Apr 2014, 09:54 PM
RodG

Re: PHP versions prior to 5.3.12 and 5.4.2 are vulnerable.

PHP V5.2.X is reaching end of life. There are multiple vulnerabilities. The URL below lists them. This URL is specifically for v5.2.17 which is/was the default version used by a number of distribution of the time and is still in widespread use :-(
http://www.cvedetails.com/vulnerabil...HP-5.2.17.html
10 Apr 2014, 02:16 AM
jetx

Re: PHP versions prior to 5.3.12 and 5.4.2 are vulnerable.

My issue is whether upgrading php to 5.5. will break zencart. Does anyone know what, if any, files are going to require code edits. Thanks.

note: besides timezone.
10 Apr 2014, 02:30 AM
jetx

Re: PHP versions prior to 5.3.12 and 5.4.2 are vulnerable.

From this: http://www.zen-cart.com/entry.php?6-...nd-5-5-and-5-6

I would suspect that many mods will not function correctly under php 5.5.

List of current mods (if anybody knows, please comment). I really don't want to upgrade and find the site is broken.

discount mod, table discounts (swguy)
COWOA
Ceon Manual Card
Cross Sell Advanced (prowebs)
Direct Bank Deposit
Testimonial Manager
10 Apr 2014, 03:21 AM
jetx

Re: PHP versions prior to 5.3.12 and 5.4.2 are vulnerable.

http://www.zen-cart.com/showthread.p...g-offset/page4

= a big can of worms.. No dev confirmed fix for 1.51, just a lot of attempts. So in order to run the site error free it is necessary to retain a vulnerable version of php. Is this basically correct?
10 Apr 2014, 03:25 AM
jetx

Re: PHP versions prior to 5.3.12 and 5.4.2 are vulnerable.

So, to run securely I would need to recompile php as an apache module rather than cgi? Just confirming, thanks.
10 Apr 2014, 06:40 AM
jetx

Re: PHP versions prior to 5.3.12 and 5.4.2 are vulnerable.

Upgraded php to 5.3.28, deprecated but I suppose better than what I had (5.2.1.7). Thanks for the link DrB.

All times are GMT +1. The time now is 10:43 AM.