PHP Security Reminder to keep PHP versions up to date!

Discussion in 'Nginx and PHP-FPM news & discussions' started by eva2000, Dec 16, 2022.

  1. eva2000

    I'm using Cloudflare Enterprise plan's new Security Analytics and it provided me new insights into attacks on the Cloudflare domain. One such attack reminded me that you need to keep your PHP versions up to date. The latest fully supported PHP versions are PHP 8.1.x and higher, with security-only support for PHP 8.0.x; PHP 7.4 and below are now EOL. See https://community.centminmod.com/threads/php-7-4-end-of-life-november-2022.23498/.

    The new Cloudflare Security Analytics better showed an attack with an unusual user agent named after the specific PHP-FPM vulnerability it was testing for = CVE-2019-11043. Luckily, Centmin Mod 129.01beta01, 124.00stable and 130.00beta01 all have backported PHP-FPM security fixes for CVE-2019-11043.

    This attack was mitigated by my custom Cloudflare Firewall rule utilising Cloudflare Enterprise Bot Management with Block action, hence 403 response code.

    cf-firewall-user-agent-cve-2019-11043-01.png

    The Cloudflare Security Analytics also provided a better displayed overview of the attack and response.

    cf-security-analytics-cve-attack-00.png

    Security Analytics HTTP requests explicitly mitigated for this attack

    cf-security-analytics-cve-attack-02b.png

    Example of one of the attack request events logged, which was mitigated = 403 forbidden despite the WAF Attack score being high 83 (good), due to the custom Cloudflare Firewall rule I have in place for such attacks, which looked at Bot Management Scores, which were much lower, towards the automated classed bot requests = 6.

    cf-security-analytics-cve-attack-03.png


    Cloudflare Enterprise Security Analytics + Bot Management is cool https://developers.cloudflare.com/waf/security-analytics/ :D
     
  2. Jon Snow

    Are firewalls good enough to block all attacks like these?
     
  3. eva2000

    Cloudflare Firewall is a tool, so it also depends on user input via creating relevant Firewall rules telling it what is legit traffic and what isn't. Combined with Cloudflare WAF on Cloudflare paid plans, which are Cloudflare's preset rules, you get better protection than without.

    However, my example above is for my custom Cloudflare Firewall rule utilising Cloudflare Enterprise Bot Management with Block action. Custom Cloudflare Firewalls you create will override default Cloudflare WAF rules for triggering events and counts on Cloudflare Analytics though, so my custom Firewall could probably be covered by a Cloudflare WAF rule that already exists - not all Cloudflare WAF preset rules are enabled by default too, so you need to browse through them to decide which WAF rules apply to your web application or web site and enable them.
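
Added example, not part of the thread or of Centmin Mod: the first post describes a probe whose user agent was named after CVE-2019-11043, and the same signal can be looked for in origin-side nginx access logs. It assumes the nginx "combined" log format; the function name and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# nginx "combined" format (assumed):
# ip - user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A CVE identifier anywhere in the User-Agent, e.g. "CVE-2019-11043"
CVE_UA_RE = re.compile(r'CVE-\d{4}-\d{4,}', re.IGNORECASE)

# Constructed sample lines (documentation IP ranges), not taken from the thread
SAMPLE_LOG = """\
203.0.113.7 - - [16/Dec/2022:08:01:02 +0000] "GET /index.php HTTP/1.1" 403 153 "-" "CVE-2019-11043"
203.0.113.7 - - [16/Dec/2022:08:01:03 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "cve-2019-11043 scanner"
198.51.100.20 - - [16/Dec/2022:08:02:10 +0000] "GET / HTTP/1.1" 200 9811 "-" "Mozilla/5.0 (X11; Linux x86_64)"
this line is malformed and must be skipped
"""

def find_cve_probes(log_text):
    """Return {client_ip: {"cves": set, "statuses": {code: count}, "unblocked": int}}."""
    hits = defaultdict(
        lambda: {"cves": set(), "statuses": defaultdict(int), "unblocked": 0}
    )
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in combined format, skip rather than guess
        cves = CVE_UA_RE.findall(m["ua"])
        if not cves:
            continue  # ordinary user agent
        entry = hits[m["ip"]]
        entry["cves"].update(c.upper() for c in cves)
        status = int(m["status"])
        entry["statuses"][status] += 1
        if status != 403:
            # Not rejected with the 403 that the post's firewall rule returns
            entry["unblocked"] += 1
    return hits

if __name__ == "__main__":
    for ip, info in find_cve_probes(SAMPLE_LOG).items():
        print(ip, sorted(info["cves"]), dict(info["statuses"]),
              "unblocked:", info["unblocked"])
```

Requests blocked at the Cloudflare edge never reach the origin, so any match in an origin log is traffic that got past the edge rules and is worth comparing against the Security Analytics view.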