Security PHP 8.1.28, 8.2.18, 8.3.6 Security Updates & Backported Fixes For PHP 7.2/7.3/7.4/8.0

Discussion in 'Centmin Mod News' started by eva2000, Apr 22, 2024.

Thread Status:
Not open for further replies.
  1. eva2000

    eva2000 Administrator Staff Member

    PHP has released security & bug fix updates specifically for PHP 8.1.28, 8.2.18 and 8.3.6 (CVE-2024-2756 & CVE-2024-3096). Centmin Mod has backported relevant security fixes for EOL PHP 5.6/7.0/7.1/7.2/7.3/7.4/8.0 versions. For Centmin Mod 124.00stable and 130.00beta01, you can update to those versions if you haven't already. And if you're already on Centmin Mod 124.00stable or 130.00beta01, you can pull this latest update to your server via the cmupdate command.

    Centmin Mod 124.00stable supports up to the PHP 8.1 branch; for PHP 8.2 and PHP 8.3, you need to switch and update to Centmin Mod 130.00beta01 as outlined here.

    Ensure that you run the cmupdate command to update your Centmin Mod local server code BEFORE you run centmin.sh menu option 5 to update your PHP version.

    PHP Releases


    • PHP 8.3.6 - is latest newest PHP 8.3 minor version
    • PHP 8.2.18 - latest newest PHP 8.2 minor version
    • PHP 8.1.28 - latest newest PHP 8.1 minor version. Centmin Mod tests at PHP 8.1.0 vs 8.0.13 vs 7.4.26 vs 7.3.33 vs 7.2.34 Benchmarks
    • PHP 8.0.30 - last release in PHP 8.0 branch which is now end of life - no more bug fixes or security updates.
    • PHP 7.4.33 - last release in PHP 7.3 branch which is now end of life - no more bug fixes or security updates. See PHP 7.4 End Of Life November 2022. If you're still using PHP 7.4.33, run cmupdate and re-run centmin.sh menu option 5 to recompile PHP 7.4.33 with backported security patch fixes.
    • PHP 7.2.34 - last release in PHP 7.2 branch which is now end of life - no more bug fixes or security updates. If you're still using PHP 7.2.34, run cmupdate and re-run centmin.sh menu option 5 to recompile PHP 7.2.34 with backported security patch fixes.
    • PHP 7.1.33 - last release in PHP 7.1 branch which is now end of life - no more bug fix or security updates. If you're still using PHP 7.1.33, run cmupdate and re-run centmin.sh menu option 5 to recompile PHP 7.1.33 with backported security patch fixes.
    • PHP 7.0.33 - last release in PHP 7.0 branch which is now end of life - no more bug fix or security updates. If you're still using PHP 7.0.33, run cmupdate and re-run centmin.sh menu option 5 to recompile PHP 7.0.33 with backported security patch fixes.
    • PHP 8.0.30, 7.4.33, 7.3.33, 7.2.34, 7.1.33, 7.0.33 & 5.6.40 are EOL as security and maintenance updates have ended. However, I have backported PHP 8.1+ security fixes to PHP 5.6, 7.0, 7.1, 7.2, 7.3, 7.4 and 8.0 branches for Centmin Mod 124.00stable/130.00beta01 and newer branches.

    PHP Change logs for



    Updating PHP On Centmin Mod LEMP Stacks


    • If you're on Centmin Mod 123.08stable and want PHP 7.1, 7.2, 7.3, 7.4, 8.0, or 8.1 support, you will need to update your server from Centmin Mod 123.08stable/123.09beta01 to either 124.00stable or 130.00beta01 first. If you want PHP 8.2/8.3 support, only Centmin Mod 130.00beta01 supports those versions.
      Code (Text):
      --------------------------------------------------------
             Centmin Mod Updater Sub-Menu           
      --------------------------------------------------------
      1). Setup Centmin Mod Github Environment
      2). Update Centmin Mod Current Branch
      3). Update Centmin Mod Newer Branch
      4). Exit
      --------------------------------------------------------
      Enter option [ 1 - 4 ] 3
      --------------------------------------------------------
      
    • For Centmin Mod 124.00stable or 130.00beta01 and newer, first update to the latest version code via the SSH command cmupdate (equivalent to centmin.sh menu option 23 submenu option 2). Then run centmin.sh menu option 5 to update to PHP version 8.3.6, 8.2.18, 8.1.28, 8.0.30 or 7.4.33.
    • If you are on Centmin Mod 123.08stable and concerned about losing customisations when you upgrade to Centmin Mod 124.00stable or 130.00beta01, read this guide on how to upgrade and keep most of your customisations: How to upgrade Centmin Mod + backing up customisations.

    Centmin Mod 130.00beta01 PHP Update Example


    Code (Text):
    --------------------------------------------------------
         Centmin Mod Menu 130.00beta01 centminmod.com
    --------------------------------------------------------
    1).  Centmin Install
    2).  Add Nginx vhost domain
    3).  NSD setup domain name DNS
    4).  Nginx Upgrade / Downgrade
    5).  PHP Upgrade / Downgrade
    6).  Option Being Revised (TBA)
    7).  Option Being Revised (TBA)
    8).  Option Being Revised (TBA)
    9).  Option Being Revised (TBA)
    10). Memcached Server Re-install
    11). MariaDB MySQL Upgrade & Management
    12). Zend OpCache Install/Re-install
    13). Install/Reinstall Redis PHP Extension
    14). SELinux disable
    15). Install/Reinstall ImagicK PHP Extension
    16). Change SSHD Port Number
    17). Multi-thread compression: zstd,pigz,pbzip2,lbzip2
    18). Suhosin PHP Extension install
    19). Install FFMPEG and FFMPEG PHP Extension
    20). NSD Install/Re-Install
    21). Data Transfer (TBA)
    22). Add Wordpress Nginx vhost + Cache Plugin
    23). Update Centmin Mod Code Base
    24). Exit
    --------------------------------------------------------
    Enter option [ 1 - 24 ] 5
    

    Code (Text):
    PHP Upgrade/Downgrade - Would you like to continue? [y/n] y
    
    ----------------------------------------------------------------
    Install which version of PHP? (i.e. 7.3.33, 7.4.33, 8.0.30, 8.1.28, 8.2.18, 8.3.6, NGDEBUG)
    PHP 7.x/7.1.x/7.2.x/7.3.x is GA Stable but still may have broken PHP extensions.
    NGDEBUG is PHP 8.4 dev builds minus incompatible PHP extensions
    ----------------------------------------------------------------
    
    Current PHP Version: 8.2.17
    Latest PHP Version Installable: 8.3.6, 8.2.18, 8.1.28, 8.0.30
    
    Enter PHP Version number you want to upgrade/downgrade to: 8.3.6
    
    Do you still want to continue? [y/n] y
    
    ----------------------------------------------------------------
    existing php.ini will be backed up at /usr/local/lib/php.ini-oldversion_210424-210926
    ----------------------------------------------------------------
    
    -----------------------------------------------------------------------------------------
    Detected PHP 8.3 branch.
    You can compile Zend OPcache (Zend Optimizer Plus+) support
    as an alternative to using APC Cache or Xcache cache.
    But Zend OPcache only provides PHP opcode cache and
    DOESN'T do data caching, so if your web apps such as Wordpress,
    Drupal or vBulletin require data caching to APC or Xcache,
    it won't work with Zend OPcache.
    
    -----------------------------------------------------------------------------------------
    Do you want to use Zend OPcache [y/n] ? y
    

    Code (Text):
    php -v
    PHP 8.3.6 (cli) (built: Apr 21 2024 21:13:36) (NTS)
    Copyright (c) The PHP Group
    Zend Engine v4.3.6, Copyright (c) Zend Technologies
        with Zend OPcache v8.3.6, Copyright (c), by Zend Technologies
    

    with Argon2 hash algorithm support and libsodium PHP extension
    Code (Text):
    php -r 'print_r(get_defined_constants());' | grep -i argon
        [PASSWORD_ARGON2I] => argon2i
        [PASSWORD_ARGON2ID] => argon2id
        [PASSWORD_ARGON2_DEFAULT_MEMORY_COST] => 65536
        [PASSWORD_ARGON2_DEFAULT_TIME_COST] => 4
        [PASSWORD_ARGON2_DEFAULT_THREADS] => 1
        [PASSWORD_ARGON2_PROVIDER] => standard
        [SODIUM_CRYPTO_PWHASH_ALG_ARGON2I13] => 1
        [SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13] => 2
        [SODIUM_CRYPTO_PWHASH_STRPREFIX] => $argon2id$
    

    Code (Text):
    php --ri sodium
    sodium
    sodium support => enabled
    libsodium headers version => 1.0.18
    libsodium library version => 1.0.18
    

    PHP-FPM Upgrade Issues




    If you have issues with PHP-FPM upgrades via Centmin Mod centmin.sh menu option 5, check your PHP upgrade logs for details https://community.centminmod.com/threads/how-to-troubleshoot-php-installs-upgrades.17857/
     
  2. eva2000

    eva2000 Administrator Staff Member


    PHP Security Vulnerability Details



    CVE-2024-3096 (CVSS: 4.8)
    This vulnerability is related to password hashing and verification. It allows an attacker to potentially bypass password authentication on a system using password_hash. Here's how it works:
    • When a user creates a password on a system, it's hashed using the password_hash function. This function generates a secure string that represents the password.
    • When the user logs in, the entered password is hashed again and compared with the stored hash. If they match, the login is successful.
    CVE-2024-3096 lies in the password_verify function, which might incorrectly return true due to how it handles passwords containing a null byte (character). An attacker could exploit this by crafting a username with a specially crafted password containing a null byte. If the system uses the vulnerable password_verify function, it might grant access even if the password doesn't match the stored hash. This can lead to account takeover (ATO).

    To verify whether your PHP version is patched, create a php-pass.php file saved to the Centmin Mod or web server web root that is configured to serve PHP files, i.e. /usr/local/nginx/html/php-pass.php

    In php-pass.php save this code
    PHP:
    <?php
    error_reporting(E_ALL);
    ini_set('display_errors', 1);
    $pw = "\x00\x30";
    try {
        $hash = password_hash($pw, PASSWORD_DEFAULT);
    } catch (ValueError $e) {
        echo "Password hash creation failed on line " . $e->getLine() . ": " . $e->getMessage() . "\n";
        exit(1);
    }
    assert(password_verify('wrong', $hash) === false);
    assert(password_verify('', $hash) === false);
    assert(password_verify($pw, $hash) === true);
    assert(password_verify(strrev($pw), $hash) === false);
    PHP 5.6 - 7.4+ test: the expected result on a patched build is an error, Bcrypt password must not contain null character

    Code (Text):
    cd /usr/local/nginx/html/
    php php-pass.php
    PHP Warning:  password_hash(): Bcrypt password must not contain null character in php-pass.php on line 6


    PHP 8.3 test: the expected result on a patched build is an error, Bcrypt password must not contain null character

    Code (Text):
    cd /usr/local/nginx/html/
    php php-pass.php
    Password hash creation failed on line 6: Bcrypt password must not contain null character


    On an unpatched PHP version, running php-pass.php will return an empty result = you're vulnerable to CVE-2024-3096

    CVE-2024-2756 (CVSS: Medium)
    This vulnerability stems from an incomplete fix for a previous vulnerability (CVE-2022-31629) related to cookies. It allows a partial bypass of the cookie security measures.

    Cookies are essential for various web functionalities like session management. They are data packets stored on the user's machine by the server.

    Here's a simplified explanation of the issue:
    • Cookies can be flagged with the __Host- and __Secure- attributes to enhance security. These attributes restrict how cookies can be used, mitigating certain attacks.
    • CVE-2022-31629 had to do with these attributes not being implemented correctly. A patch was released to fix that vulnerability.
    • However, CVE-2024-2756 indicates that the fix for CVE-2022-31629 was incomplete, potentially allowing attackers to bypass some of the cookie security measures again.
    The severity of CVE-2024-2756 is rated as medium, so it's essential to address it promptly.

    To verify the patch against CVE-2024-2756, create a php-poc.php file saved to the Centmin Mod or web server web root that is configured to serve PHP files, i.e. /usr/local/nginx/html/php-poc.php

    PHP:
    <?php
    // php-poc.php

    // Test the vulnerability
    $vulnerableOutput = '{"__Host-x":"y"}';
    $patchedOutput = '[]';

    // Get the test cookie from the $_COOKIE superglobal
    $testOutput = json_encode($_COOKIE);

    // Check the output
    if ($testOutput === $vulnerableOutput) {
        echo "PHP version is not patched for CVE-2024-2756\n";
        echo "Vulnerability test output: " . $testOutput . "\n";
    } elseif ($testOutput === $patchedOutput) {
        echo "PHP version is patched for CVE-2024-2756\n";
        echo "Patched test output: " . $testOutput . "\n";
    } else {
        echo "Unexpected test output: " . $testOutput . "\n";
    }
    ?>
    Then run the curl command

    Code (Text):
    curl -b '_[Host-x=y' localhost/php-poc.php


    On Centmin Mod, localhost resolves to the Centmin Mod Nginx main hostname vhost with web root /usr/local/nginx/html, so a curl request to localhost/php-poc.php is calling the saved /usr/local/nginx/html/php-poc.php file.

    A PHP version patched for CVE-2024-2756 should return []

    Code (Text):
    curl -b '_[Host-x=y' localhost/php-poc.php
    PHP version is patched for CVE-2024-2756
    Patched test output: []


    On a PHP version vulnerable to CVE-2024-2756, it would return {"__Host-x":"y"}

    Code (Text):
    curl -b '_[Host-x=y' localhost/php-poc.php
    PHP version is not patched for CVE-2024-2756
    Vulnerability test output: {"__Host-x":"y"}


    This indicates that the cookie starting with _[Host- is treated as a __Host- cookie by the PHP application.
     
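The two probe scripts above tell you whether the interpreter build is patched. The following PHP is an added example (not code from the original posts and not part of Centmin Mod) showing the application-side guards a site can keep in place regardless of build: reject NUL bytes before a password ever reaches bcrypt (CVE-2024-3096), and decide whether a __Host-/__Secure- cookie is genuine from the raw Cookie header rather than from the rewritten $_COOKIE key names (CVE-2024-2756). The function names and the sample cookie headers in the self-test are constructed for this example; the self-test mirrors the `_[Host-x=y` curl probe from the post.

```php
<?php
// Added example, not part of the original thread or of Centmin Mod.
// Helper names (hash_password_safe, verify_password_safe,
// prefixed_cookie_from_header, run_self_test) and the sample inputs are constructed.
declare(strict_types=1);

/**
 * Reject passwords containing a NUL byte before they reach bcrypt.
 * Patched PHP (8.3.6 / 8.2.18 / 8.1.28 and the Centmin Mod backports) already
 * refuses such input; doing it here makes the behaviour explicit and uniform
 * whichever interpreter build is running.
 */
function hash_password_safe(string $password): string
{
    if (strpos($password, "\0") !== false) {
        throw new InvalidArgumentException('password must not contain a NUL byte');
    }
    return password_hash($password, PASSWORD_DEFAULT);
}

/**
 * Same guard on the verify side: a NUL-containing candidate can never be a
 * valid password for a hash produced by hash_password_safe(), so fail closed
 * without consulting bcrypt at all.
 */
function verify_password_safe(string $password, string $hash): bool
{
    if (strpos($password, "\0") !== false) {
        return false;
    }
    return password_verify($password, $hash);
}

/**
 * Look a __Host-/__Secure- cookie up in the raw Cookie header instead of in
 * $_COOKIE. PHP normalises certain characters in cookie names while building
 * $_COOKIE, which is what the '_[Host-x=y' probe in the post relies on; the raw
 * header is compared byte-for-byte, so only a literal '__Host-x' name matches.
 * Returns the cookie value, or null when no cookie with exactly that name exists.
 */
function prefixed_cookie_from_header(string $rawCookieHeader, string $name): ?string
{
    if (strncmp($name, '__Host-', 7) !== 0 && strncmp($name, '__Secure-', 9) !== 0) {
        throw new InvalidArgumentException('name must carry the __Host- or __Secure- prefix');
    }
    foreach (explode(';', $rawCookieHeader) as $pair) {
        $pair = ltrim($pair, ' ');
        $eq = strpos($pair, '=');
        if ($eq === false) {
            continue;
        }
        // Exact, case-sensitive name comparison with no character rewriting.
        if (substr($pair, 0, $eq) === $name) {
            return urldecode(substr($pair, $eq + 1));
        }
    }
    return null;
}

/** Self-test over constructed inputs; returns true when every expectation holds. */
function run_self_test(): bool
{
    $ok = true;

    $hash = hash_password_safe('correct horse');
    $ok = $ok && verify_password_safe('correct horse', $hash) === true;
    $ok = $ok && verify_password_safe('wrong', $hash) === false;
    $ok = $ok && verify_password_safe("\x00\x30", $hash) === false; // NUL candidate fails closed

    try {
        hash_password_safe("\x00\x30");
        $ok = false; // must not be reached
    } catch (InvalidArgumentException $e) {
        // expected: NUL byte rejected before bcrypt
    }

    // Constructed Cookie headers; the first one is the post's curl probe.
    $ok = $ok && prefixed_cookie_from_header('_[Host-x=y', '__Host-x') === null;
    $ok = $ok && prefixed_cookie_from_header('__Host-x=y', '__Host-x') === 'y';
    $ok = $ok && prefixed_cookie_from_header('a=b; __Host-x=y', '__Host-x') === 'y';
    $ok = $ok && prefixed_cookie_from_header('__host-x=y', '__Host-x') === null; // case matters

    return $ok;
}

if (PHP_SAPI === 'cli') {
    echo run_self_test() ? "self-test passed\n" : "self-test FAILED\n";
}
```

Run it with `php` on the command line to execute the self-test. Inside a request, call `prefixed_cookie_from_header($_SERVER['HTTP_COOKIE'] ?? '', '__Host-session')` wherever a prefixed cookie is used for an authorisation decision; the header check is independent of how the interpreter populates $_COOKIE, so it gives the same answer on a patched build, an unpatched build, and an EOL branch recompiled with the backported fixes.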