Comments (9)
enygma
commented on August 16, 2024
As in "you're using PHP X and we know about these 5 issues patched since then" kind of thing?
from iniscan.
xsist10
commented on August 16, 2024
That's the idea. There is now version switching in the code and the idea of
ini scanning is to secure the current environment based on its
configuration. And your version is part of that configuration.
On 07 Dec 2013 12:06 AM, "Chris Cornutt" [email protected] wrote:
As in "you're using PHP X and we know about these 5 issues patched since
then" kind of thing?—
Reply to this email directly or view it on GitHubhttps://github.com//issues/59#issuecomment-30033687
.
from iniscan.
xsist10
commented on August 16, 2024
Here's a gist concept: https://gist.github.com/xsist10/7878272
from iniscan.
enygma
commented on August 16, 2024
Hmm, I wonder if this would be better as a "vulnerability check" kind of command rather than just the regular scan command especially since not all of the CVEs are related directly to ini settings.
I do wonder if this might be stretching things a bit too far though...
from iniscan.
xsist10
commented on August 16, 2024
Tthere aren't any tools out there to inform you of your PHP version vulnerabilities (beyond running something like sudo apt-get upgrade php5 in Ubuntu/Debian). Since a lot of production environments tend to stick to stable versions and update infrequently, the versions can get out of date quite quickly.
I agree with having a separate command for it.
from iniscan.
enygma
commented on August 16, 2024
I'm on the fence about this - it almost seems like it could be a separate tool rather than trying to get it into this one. Thoughts?
from iniscan.
xsist10
commented on August 16, 2024
Well what is the objective of the tool?
1. Ensure that your PHP environment is following best security practices.
Then it should be included. It could mean adding things like this as well:
- Process owner for web execution (not running script execution as root)
- PHP Extension versions and vulnerabilities
- Is Suhoshin installed?
2. Or ensure that your php.ini configuration ONLY is following best security practices.
Then probably not.
Just FYI, I've been looking around and I can't find a single non-OS/distro specific tool that will tell you if your PHP version is vulnerable. The only tools out there are software updaters for distros like Ubuntu/Debian/etc (which are not always accessable to the developer). I definitely see a need for a portable PHP tool that can fill this hole.
from iniscan.
enygma
commented on August 16, 2024
I think it's probably best to split it off so I start this one up:
https://github.com/psecio/versionscan
from iniscan.
enygma
commented on August 16, 2024
closing this off since the other project is up and going.
from iniscan.
Related Issues (20)
- Invalid argument supplied for foreach() by running iniscan show HOT 4
- incorrect results / false positives HOT 9
- soap.wsdl_cache_dir: False positive (directory name /tmp[...]) HOT 1
- JUnit XML output format for CI integration HOT 2
- Have an option for a non-dynamic HTML output filename / make html filename configurable
- imap_open
- Symfony console ^5.0 compatibility.
- Feature request - scan a folder where all .ini files are placed HOT 1
- Check version for session.hash_function
- PHP 7.4 compatibility: warning and error
- session.cookie_domain
- Add support for configuration dirs HOT 5
- The configuration file could not be found HOT 9
- security.limit_extensions ? HOT 4
- Add warning if soap.wsdl_cache_dir is not set for PHP <= 5.6.7 (or if it is set to /tmp at all)
- Show "Current value" column in the scan results table HOT 2
- Support for open_basedir containing more then one paths set HOT 4
- Domain expired HOT 4
- Problem installing on PHP 7 (ocramius/instantiator dependency) HOT 5
- dump of the running php deamon HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from iniscan.