Thread: PCI-DSS Compliance and PHP

  1. #1
    Join Date
    Oct 2012
    Beans
    4

    PCI-DSS Compliance and PHP

    I'm trying to make my server PCI-DSS compliant. I run a third party scanner and it tells me this:

    PHP < 5.3.15 or PHP < 5.4.5 Multiple Vulnerabilities

    - An unspecified overflow vulnerability exists in the function '_php_stream_scandir' in the file 'main/streams/streams.c'. (CVE-2012-2688)
    - An unspecified error exists that can allow the 'open_basedir' constraint to be bypassed. (CVE-2012-3365)
    I'm running Ubuntu Server 12.04 LTS, I installed php5 with apt-get. php -v reports PHP 5.3.10-1ubuntu3.4.
    At the time of this post, when I look at the change logs at http://changelogs.ubuntu.com/changel...u3.4/changelog I can see CVE-2012-2688 is resolved but CVE-2012-3365 is not.

    PHP 5.3.10-1ubuntu3.4 is the latest package. What's the best way to resolve this? Do I need to compile from source or should I wait for a package update? Compiling seems like it could cause a lot of issues and also I would have to recompile for each update.

    I was using Ubuntu 10.04 and installed 12.04 to fix PCI-DSS compliance issues. I was surprised (I just assumed it would be, my own fault) when I found out the latest packaged version of PHP isn't compliant. Any ideas on what's the best way to deal with this?

    Thanks, Brian

  2. #2
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 16.04 Xenial Xerus

    Re: PCI-DSS Compliance and PHP

    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  3. #3
    Join Date
    Oct 2012
    Beans
    4

    Re: PCI-DSS Compliance and PHP

    Thanks for the info. I'm required to pass the 3rd party scanner to get PCI-DSS compliant. Ubuntu may say it's not a security risk but PCI-DSS says it is. So what can I do?

  4. #4
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 16.04 Xenial Xerus

    Re: PCI-DSS Compliance and PHP

    RedHat says it isn't a security risk either because those features aren't supposed to be used as security features.

    Your best bet would be to compile PHP from source, but then you are going to be tasked with keeping it up to date (and the possible breakage that goes along with it).

    Also see here:
    http://www.php.net/security-note.php

  5. #5
    Join Date
    Oct 2012
    Beans
    4

    Re: PCI-DSS Compliance and PHP

    That's what I was thinking. But like you said, compiling yourself creates more work on updates and may possibly cause more problems than you would fix. This really puts you in a bind if you want to use Ubuntu and PHP and be PCI-DSS compliant. Guess compiling is the only option.
    Thanks for the help.

  6. #6
    Join Date
    Aug 2006
    Location
    Somewhere in the hell
    Beans
    294
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: PCI-DSS Compliance and PHP

    Quote Originally Posted by coldlamper View Post
    That's what I was thinking. But like you said, compiling yourself creates more work on updates and may possibly cause more problems than you would fix. This really puts you in a bind if you want to use Ubuntu and PHP and be PCI-DSS compliant. Guess compiling is the only option.
    Thanks for the help.
    I wonder why you don't pentest your PHP application yourself to confirm whether it is vulnerable to CVE-2012-3365 or not?

    Samiux

  7. #7
    Join Date
    Oct 2012
    Beans
    4

    Re: PCI-DSS Compliance and PHP

    Because I don't think that it is questionable if the vulnerability is there or not.

    Am I wrong in thinking that?

  8. #8
    Join Date
    Aug 2006
    Location
    Somewhere in the hell
    Beans
    294
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: PCI-DSS Compliance and PHP

    Quote Originally Posted by coldlamper View Post
    Because I don't think that it is questionable if the vulnerability is there or not.

    Am I wrong in thinking that?
    In my opinion, if there is a known vulnerability, it is a high risk for your network/application.

    So you should make sure whether the vulnerability exists in your application/network or not.

    If the vulnerability exists, you need to fix it by applying the security patches or setting up some snort rules (or IDS/IPS rules).

    However, it is very hard to prove your network/application is 100% free from vulnerabilities as some of the vulnerabilities are not disclosed or discovered.

    Samiux
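    The first post checked the package changelog by hand and the reply above asks whether the vulnerability actually exists on the host. The script below is an added example, not code posted in this thread: it automates that triage for a banner-based scanner finding. It takes the `php -v` banner, the distro changelog and the php.ini text as inputs (the excerpts embedded here are constructed samples, not the real Ubuntu files), reports which of the flagged CVE ids have a backported fix documented in the changelog, and checks whether `open_basedir` is even configured, since the CVE-2012-3365 bypass only matters where that directive is relied on. On a real 12.04 host the inputs would come from `php -v`, `apt-get changelog php5` (or `zcat /usr/share/doc/php5-common/changelog.Debian.gz`) and `/etc/php5/apache2/php.ini`.

```shell
#!/bin/sh
# Added example (not from the thread): triage a version-banner scanner finding
# against the distro changelog and the local PHP configuration.

# Constructed excerpt in the style of an Ubuntu package changelog (not the real file).
SAMPLE_CHANGELOG='php5 (5.3.10-1ubuntu3.4) precise-security; urgency=low

  * SECURITY UPDATE: overflow in _php_stream_scandir
    - debian/patches/CVE-2012-2688.patch: check length in main/streams/streams.c
    - CVE-2012-2688
'

# Constructed sample of the first line of `php -v` output.
SAMPLE_PHP_V='PHP 5.3.10-1ubuntu3.4 with Suhosin-Patch (cli) (built: Jan  1 2013 00:00:00)'

# Constructed php.ini excerpt with open_basedir left commented out.
SAMPLE_PHP_INI='; Paths and Directories
;open_basedir =
include_path = ".:/usr/share/php"
'

# Full Debian package version from the php -v banner, e.g. 5.3.10-1ubuntu3.4.
php_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^PHP \([^ ]*\).*/\1/p' | head -n 1
}

# Upstream version only (5.3.10): this is all a banner-based scanner sees,
# which is why it reports "< 5.3.15" even when fixes were backported.
upstream_version() {
    printf '%s\n' "$1" | cut -d- -f1
}

# Exit 0 if the changelog references the CVE id as a whole token, 1 otherwise.
changelog_mentions_cve() {
    printf '%s\n' "$1" | grep -q -w -F "$2"
}

# Exit 0 if an uncommented open_basedir setting is present in the ini text.
# Per-vhost Apache configs and .htaccess files can set it too; check those as well.
ini_sets_open_basedir() {
    printf '%s\n' "$1" | grep -q -E '^[[:space:]]*open_basedir[[:space:]]*='
}

# Report each CVE on stderr; print on stdout the number with no changelog evidence.
count_unfixed_cves() {
    changelog=$1; shift
    unfixed=0
    for cve in "$@"; do
        if changelog_mentions_cve "$changelog" "$cve"; then
            echo "$cve: referenced in package changelog (backported fix; evidence for disputing the scan)" >&2
        else
            echo "$cve: no changelog reference (real gap: wait for a USN or take on patching yourself)" >&2
            unfixed=$((unfixed + 1))
        fi
    done
    echo "$unfixed"
}

# Run the triage over the constructed samples.
ver=$(php_version_from_banner "$SAMPLE_PHP_V")
echo "installed package version: $ver (upstream $(upstream_version "$ver"); scanner compares only this part against 5.3.15)"
n=$(count_unfixed_cves "$SAMPLE_CHANGELOG" CVE-2012-2688 CVE-2012-3365)
if ini_sets_open_basedir "$SAMPLE_PHP_INI"; then
    echo "open_basedir is configured: the CVE-2012-3365 bypass is relevant to this host"
else
    echo "open_basedir is not configured: the CVE-2012-3365 bypass has no boundary to bypass here"
fi
echo "$n finding(s) without changelog evidence"
```

    The changelog check is only as good as the packager's habit of naming CVE ids in it; where the count comes back non-zero, the remaining options are the ones already discussed in this thread (wait for a security update, or build and maintain PHP yourself), and the per-CVE lines give the scan vendor something concrete to dispute for the rest.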

  9. #9
    Join Date
    Jun 2008
    Beans
    11

    Re: PCI-DSS Compliance and PHP

    Hey guys... I'm having this same problem too. I REALLY, REALLY don't want to compile PHP from source even though I know how to. Is there any way to force PHP up to 5.3.15?

    I've tried disputing these issues with the compliance service but they're about as useful as talking to a rock.
