Author Topic: Need to upgrade CWPPHP from 7.2.30 to at least 7.2.31  (Read 7028 times)

Need to upgrade CWPPHP from 7.2.30 to at least 7.2.31
« on: July 15, 2020, 01:09:16 PM »
I ran a security scanner on the CWP service, and it noticed a DoS vulnerability in the CWPPHP.

According to its self-reported version number, the version of PHP running on the remote web server is 7.2.x
prior to 7.2.31, 7.3.x prior to 7.3.18 or 7.4.x prior to 7.4.6. It is, therefore, affected by a denial of service (DoS)
vulnerability in its HTTP file upload component due to a failure to clean up temporary files created during the file
upload process. An unauthenticated, remote attacker can exploit this issue, by repeatedly submitting uploads
with long file or field names, to exhaust disk space and cause a DoS condition.

Solution
Upgrade to PHP version of CWPPHP in Yum to 7.2.31, 7.3.18, 7.4.6 or later.

Risk Factor
Medium

CVSS v3.0 Base Score
5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVSS v3.0 Temporal Score
4.6 (CVSS:3.0/E:U/RL:O/RC:C)

CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVSS Temporal Score
3.7 (CVSS2#E:U/RL:OF/RC:C)

STIG Severity
15
I

References
CVE CVE-2019-11048
XREF IAVA:2020-A-0221
« Last Edit: July 15, 2020, 01:57:28 PM by MyBuddyBen »
Trying to help people :)
Chords and Lyrics
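
The version ranges in the scanner report above can be checked against any PHP banner or package version string. This is an added example, not part of the original post or of CWP; the function names and the sample banners are constructed for illustration.

```python
import re

# First fixed release per branch, as stated in the scanner text quoted above
# (7.2.31, 7.3.18, 7.4.6). Other branches are not addressed by that report.
FIXED_PATCH = {(7, 2): 31, (7, 3): 18, (7, 4): 6}

# Three dotted integers that are not the tail of a longer dotted number.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)")


def parse_php_version(banner):
    """Return (major, minor, patch) found in a banner, or None if absent."""
    match = _VERSION_RE.search(banner)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())


def cve_2019_11048_status(banner):
    """Classify a self-reported version: affected, fixed, not-covered, unparseable."""
    version = parse_php_version(banner)
    if version is None:
        return "unparseable"
    branch, patch = version[:2], version[2]
    if branch not in FIXED_PATCH:
        return "not-covered"
    # Compare as integers: as strings, "4" sorts after "31" and would pass.
    return "affected" if patch < FIXED_PATCH[branch] else "fixed"


def audit(banners):
    """Map each banner to its status."""
    return {banner: cve_2019_11048_status(banner) for banner in banners}


# Constructed sample inputs (response headers, CLI output, package versions).
SAMPLES = [
    "X-Powered-By: PHP/7.2.30", "PHP/7.2.4", "7.2.31",
    "PHP 7.3.17 (cli)", "7.4.6-1.el7", "PHP/8.1.2", "unknown",
]

if __name__ == "__main__":
    for banner, status in audit(SAMPLES).items():
        print(f"{status:12} {banner}")
```

Like the scanner, this only evaluates the self-reported version string, so it cannot tell whether a vendor has backported the fix without changing the version number.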

Re: Need to upgrade CWPPHP from 7.2.30 to at least 7.2.31
« Reply #1 on: September 25, 2020, 07:15:35 PM »
I see your post is from July. Hopefully you found it in CWP.

Using the PHP Selector, up to 7.2.33 is available.

Re: Need to upgrade CWPPHP from 7.2.30 to at least 7.2.31
« Reply #2 on: February 21, 2021, 01:19:43 PM »
Starburst, that is only the PHP for hosted PHP; the PHP version CWPSRV uses is old.
Check for yourself via
yum info cwpphp

PS. This is also the old PHP version used for the built-in phpmysqladmin and WebMail (RoundCube); again, just check.
« Last Edit: February 21, 2021, 01:22:43 PM by NFT »

Re: Need to upgrade CWPPHP from 7.2.30 to at least 7.2.31
« Reply #3 on: December 26, 2023, 01:57:00 PM »
It's now 3(!) years later and CWP is still using PHP 7.2.30:
Detected CVEs for PHP 7.2.30 with CVSS above 7.0.

Is there any way to update the php version used by CWP control panel? I can only update the PHP version used by web sites.
Or is there a way to only make CWP control panel accessible via VPN?

Re: Need to upgrade CWPPHP from 7.2.30 to at least 7.2.31
« Reply #4 on: December 26, 2023, 07:40:20 PM »
It's now 3(!) years later and CWP is still using PHP 7.2.30:
Detected CVEs for PHP 7.2.30 with CVSS above 7.0.

Is there any way to update the php version used by CWP control panel? I can only update the PHP version used by web sites.
Or is there a way to only make CWP control panel accessible via VPN?

This question was answered. CWP uses IonCube encoder. For them to update beyond 7.2 currently, they will have to buy a newer version of the encoder. I don't think that's going to happen anytime soon, unless IonCube pulls their heads out of their rear ends and comes back to reality. They literally charge $200 for EVERY version of PHP (8.0, 8.1, 8.2). The cost just can't be justified with PHP coming out almost quarterly at this rate.
Google Hangouts:  rcschaff82@gmail.com

Re: Need to upgrade CWPPHP from 7.2.30 to at least 7.2.31
« Reply #5 on: December 27, 2023, 02:14:30 PM »
Is that really true? According to their web site, their PHP Encoder 13 is working with PHP 4, 5, 7 and 8 up to 8.2:
https://www.ioncube.com/php_encoder.php

Anyway, another option would be putting an HTTP password on the page, so the vulnerable PHP wouldn't be exposed to the entire world. But I cannot find the directory of the panel to do this...

Re: Need to upgrade CWPPHP from 7.2.30 to at least 7.2.31
« Reply #6 on: December 27, 2023, 05:31:20 PM »
Yes, really true. Supported versions are paid in license fee per version.

You could look at Snuffleupagus for PHP v 7.2 if it really concerns you. Other security measures include changing CWP admin ports. Tune your firewall, block country codes, etc.

Re: Need to upgrade CWPPHP from 7.2.30 to at least 7.2.31
« Reply #7 on: December 29, 2023, 02:30:12 AM »
I wouldn't mind helping @Sandeep to get the ionCube 13 Encoder.

Seems like without it CWP 9 is at a standstill.

The other option would be to go unencoded and make it open source.

Re: Need to upgrade CWPPHP from 7.2.30 to at least 7.2.31
« Reply #8 on: December 29, 2023, 02:36:44 AM »
I own 12.0.2 which could do PHP8, but never received a response when I applied to help on the project.
Google Hangouts:  rcschaff82@gmail.com