Koozali.org: home of the SME Server

Owncloud claims PHP 5.3.3 is vulnerable

Offline stephdl

« on: June 03, 2013, 06:36:59 PM »
I'm currently working on ownCloud V5, and directly after installation, during the initial setup, we see a warning about a PHP vulnerability.
Quote
Your PHP version is vulnerable to the NULL Byte attack (CVE-2006-7243)
Please update your PHP installation to use ownCloud securely.

However, our friends at ClearOS seem to be concerned too :p
as I found a post on this topic.

It seems that ownCloud doesn't look at the PHP version (around 5.3.3), but at whether the vulnerability exists in our PHP code.

Maybe part of the solution will be to upgrade PHP to 5.4 or higher, but I don't know if it is possible.

Your thoughts before going to Bugzilla :p
See http://wiki.contribs.org/Koozali_Foundation
irc : Freenode #sme_server #sme-fr

!!! Please write your knowledge to the Wiki !!!

Offline CharlieBrady

Re: Owncloud claims PHP 5.3.3 is vulnerable
« Reply #1 on: June 03, 2013, 09:11:37 PM »
Quote
Your thoughts before going to Bugzilla :p

My thoughts are that you are being irresponsible posting this here, rather than to bugzilla with the 'security' box checked.

Offline stephdl

Re: Owncloud claims PHP 5.3.3 is vulnerable
« Reply #2 on: June 03, 2013, 09:23:21 PM »
:-)
Hiding vulnerabilities is a Microsoft method. Moreover, it is not an SME vulnerability since it comes from PHP, and thus a lot of distros are concerned.
But I wasn't aware of this possibility to check a "security" box in Bugzilla. Can you be more talkative about that... who reads this specific security bug if the box is checked?
« Last Edit: June 03, 2013, 09:24:53 PM by stephdl »

Offline CharlieBrady

Re: Owncloud claims PHP 5.3.3 is vulnerable
« Reply #3 on: June 03, 2013, 09:27:19 PM »
Quote
Hiding vulnerabilities is a Microsoft method.

Please do some reading on 'responsible disclosure'.

Quote
But I wasn't aware of this possibility to check a "security" box in Bugzilla. Can you be more talkative about that... who reads this specific security bug if the box is checked?

Members of the SME server security team.

Offline stephdl

Re: Owncloud claims PHP 5.3.3 is vulnerable
« Reply #4 on: June 03, 2013, 11:07:20 PM »
For Frenchies like me... follow this link: http://en.wikipedia.org/wiki/Responsible_disclosure. But I realize that I'm completely full Debian, as I can read this in chapter 3 of their Debian Social Contract: We will not hide problems

Thanks for sharing your experience, CB

Offline janet

Re: Owncloud claims PHP 5.3.3 is vulnerable
« Reply #5 on: June 04, 2013, 04:12:32 PM »
stephdl

Quote
...debian....We will not hide problems....

SME developers are not hiding problems.
They prefer a process whereby security issues can be reported securely, without publicly drawing further attention to the problem(s) & highlighting the fact to thousands of hackers that SME Server may have a security vulnerability.
SME developers prefer to quietly fix the security issue, then publicly announce the bug & release appropriate updated packages at the same time.
That way users can fix their servers before hackers have a chance to gain access via the security bug or issue.
This has been the SME way for many years now, & is a good approach in my opinion.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline azche24

Re: Owncloud claims PHP 5.3.3 is vulnerable
« Reply #6 on: June 10, 2013, 06:47:28 AM »
edit: bug filed since 22.05.2013 and made notice in howto@wiki
« Last Edit: June 10, 2013, 08:54:14 AM by azche24 »
Alexander Ziemann, Berlin - DE

Offline janet

Re: Owncloud claims PHP 5.3.3 is vulnerable
« Reply #7 on: June 10, 2013, 07:33:56 AM »
stephdl

Did you post the bug as suggested by Charlie?

azche24

If a bug has been posted then the matter should be fixed in due course.
If you want something in the wiki more quickly than that, then please request wiki edit access & make the appropriate change yourself. It's very easy to do, & as a community it's good if everyone contributes something positive as they become aware of it. Many hands make light work. Look in your forum user profile to request wiki edit group membership. Thanks

Offline ReetP

Re: Owncloud claims PHP 5.3.3 is vulnerable
« Reply #8 on: June 14, 2013, 02:40:41 PM »
Bug has been posted :

http://bugs.contribs.org/show_bug.cgi?id=7613

Includes workaround to update PHP
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline stephdl

Re: Owncloud claims PHP 5.3.3 is vulnerable
« Reply #9 on: June 16, 2013, 08:15:12 PM »
Quote
stephdl

Did you post the bug as suggested by Charlie?

Sorry, but I haven't had time to do it these last few days, but as I can see, someone did it some days before I noticed the issue, so as I often say in French, "il est souvent urgent d'attendre" (it is often urgent to wait).
I have updated the wiki page to point to the workaround: http://wiki.contribs.org/OwnCloud#Warning