Need Advice on Php Version

[rwoody]

I see back where this is a dedicated server...
You didn't poat any of the server details
Specifically the server Linux OS

There are thousands of installs and most run trouble free for the most part and do not have the issues your are experiencing with ZenCart out-of-the-box/patched for security

Kobra, until now I would have totally agreed with you, but with the advent of Php3.X there are huge changes and Zen-Cart is not compatible. I spoke with another friend of mine today that is a high level individual with credit card security. He reminded me that he had warned these changes were coming awhile back, but at the time I wasn't sure what he meant.

Visa and MasterCard are requiring their merchant providers to have all their eCommerce customer's sites scanned. They do this quarterly so the requirements often change with each scan. They are now insisting on Php 3.2 - or the site fails. I've had this site for five years... so trust me this is a brand new requirement.

Here is the exact response from the scan -
Synopsis : The remote web server uses a version of PHP that is affected by multiple flaws. Description : According to its banner, the version of PHP installed on the remote host is older than 5.3.2

In speaking with them directly, I was informed I need to recompile the server to the latest release - Php5.3.2 (I just did a successful recompile taking the site to 5.2.12 as originally they indicated this would solve their issues;however once I ran the scan again, this new requirement popped up)


In my local test environment so far I've patched the following files in addition to adding the patched files provided in the d/l here:

classes\db\mysql\query_factory.php
includes\functions\functions_lookups.php
init_sanitize.php
template_functions.php

I still have issues with the following files I'm trying to work through.

functions_email.php
includes\classes\class.smtp.php
includes\init_includes\init_templates.php

It seems that once I solve one set of errors and work further through the site's checkout process more arise, so I'm sure these are not the end of it. Nor am I sure I can solve all the issues. I'm not a strong coder.

Ruth

[kobra]

Have you tried compiling to php 5.3.2 and patching with this
http://www.zen-cart.com/forum/showthread.php?t=140960

[rwoody]

Have you tried compiling to php 5.3.2 and patching with this
http://www.zen-cart.com/forum/showthread.php?t=140960

That was the first thing that I did, but it does not go far enough to correct all the issues.

Basic Example: query_factory.php (which was not in that patch)

Line 139 - if (!ereg('^[0-9]', $key))

Correct to: if (!preg_match('/^[0-9]/', $key))

the reference in line 139 is found several times within the file and had to be edited. The other files that I listed had similar changes that were required and have been done.

Now I'm finding issues with functions_email.php and also in sessions.php- so I'm off to research those as they are not so obvious to me.

I'm doing this all in a test environment I set up locally as I did not want to recompile the production server until I knew I'd solved all the issues. I did the same thing before I recompiled to Php 5.2.12 -

[rwoody]

The session file is really confusing me as to what the issue is there. I've made the correction needed on line 223

PHP Code:

if (preg_replace('/[a-zA-Z0-9]/', '', session_id()) != '') session_regenerate_id(); 


This took care of the first error regard ereg_replace, but it's also throwing a "headers already sent" error and there are no white spaces and the opening <?php is at the very top of the page. The exact error is:

PHP Warning: session_start() [<a href='function.session-start'>function.session-start</a>]: Cannot send session cache limiter - headers already sent (output started at includes\functions\sessions.php on line 215

That error was present "before" I edited the file.

Any ideas anyone?

[CJPinder]

Here is the exact response from the scan -
Synopsis : The remote web server uses a version of PHP that is affected by multiple flaws. Description : According to its banner, the version of PHP installed on the remote host is older than 5.3.2

The Apache banner should be switched off so that the scan cannot determine the PHP version.

Regards,
Christian.

[CJPinder]

That was the first thing that I did, but it does not go far enough to correct all the issues.

Once the PHP 5.3 patch has been applied the cart should run fine without any errors. Technically you can still use ereg() you just have to switch of the warning message which is what the patch does.

Regards,
Christian.

[rwoody]

The Apache banner should be switched off so that the scan cannot determine the PHP version.

Regards,
Christian.

Where can I turn that off?

[kuroi]

If you have the 5.3 patch installed correctly, that is what turns off the deprecation warning. I've been reading back over this thread and rather suspect that your problem is that you don't have the patch installed corrected, and are then trying to deal with each warning as though it was an error.

[CJPinder]

Where can I turn that off?

In the httpd.conf you need to add (or edit if they are already there) the following directives...

Code:

[FONT=monospace]
[/FONT]ServerSignature Off[FONT=monospace]
[/FONT]ServerTokens Prod

...You will need to restart Apache (httpd) after making the changes.
Your also need to edit your php.ini file and set the following...

Code:

expose_php = Off

With those settings the scans will not able to determine what version of PHP you are using and they'll stop moaning about old versions.

Regards,
Christian.

[rwoody]

Currently the settings in my http.conf are

ServerSignature Off
ServerTokens ProductOnly

So you are saying change the second line to:

ServerTokens Prod ?