Control Web Panel

WebPanel => PHP => Topic started by: MyBuddyBen on July 15, 2020, 01:09:16 PM

Title: Need to upgrade CWPPHP from 7.2.30 to at least 7.2.31
Post by: MyBuddyBen on July 15, 2020, 01:09:16 PM
I ran a security scanner on the CWP service, and it noticed a DoS vulnerability in the CWPPHP:

According to its self-reported version number, the version of PHP running on the remote web server is 7.2.x
prior to 7.2.31, 7.3.x prior to 7.3.18 or 7.4.x prior to 7.4.6. It is, therefore, affected by a denial of service (DoS)
vulnerability in its HTTP file upload component due to a failure to clean up temporary files created during the file
upload process. An unauthenticated, remote attacker can exploit this issue, by repeatedly submitting uploads
with long file or field names, to exhaust disk space and cause a DoS condition.

Solution
Upgrade the PHP version of CWPPHP in Yum to 7.2.31, 7.3.18, 7.4.6 or later.

Risk Factor
Medium

CVSS v3.0 Base Score
5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVSS v3.0 Temporal Score
4.6 (CVSS:3.0/E:U/RL:O/RC:C)

CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVSS Temporal Score
3.7 (CVSS2#E:U/RL:OF/RC:C)

STIG Severity
I

References
CVE CVE-2019-11048
XREF IAVA:2020-A-0221
Title: Re: Need to upgrade CWPPHP from 7.2.30 to at least 7.2.31
Post by: Starburst on September 25, 2020, 07:15:35 PM
I see your post is from July. Hopefully you found it in CWP.

Using the PHP Selector, up to 7.2.33 is available.
Title: Re: Need to upgrade CWPPHP from 7.2.30 to at least 7.2.31
Post by: NFT on February 21, 2021, 01:19:43 PM
Starburst, those are only the PHP versions for hosted PHP; the PHP version CWPSRV uses is old.
Check for yourself via
yum info cwpphp

PS. This is also the old PHP version used for the built-in phpMyAdmin and WebMail (RoundCube); again, just check.
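
The version check discussed in this thread, as an added example that is not part of any post or of CWP itself: it reads `yum info` output and compares the reported version against the fixed releases named in the scanner text. The function names are hypothetical, the sample output is constructed, and it assumes the cwpphp package version is the version of the bundled PHP.

```shell
#!/bin/sh
# Added example. Thresholds are the ones quoted in the scanner text above:
# 7.2.x < 7.2.31, 7.3.x < 7.3.18, 7.4.x < 7.4.6 (CVE-2019-11048).

# Print "affected", "fixed" or "unknown" for a PHP version such as 7.2.30.
php_cve_2019_11048_status() {
    ver=${1%%[-+~]*}                  # drop a packaging suffix such as -1.el7
    case $ver in
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) echo unknown; return ;;
    esac
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    patch=${patch%%[!0-9]*}           # keep only the leading digits
    [ -n "$patch" ] || { echo unknown; return; }
    case "$major.$minor" in
        7.2) fixed=31 ;;
        7.3) fixed=18 ;;
        7.4) fixed=6 ;;
        *) echo unknown; return ;;    # branch not covered by the scanner text
    esac
    if [ "$patch" -lt "$fixed" ]; then echo affected; else echo fixed; fi
}

# Extract the Version field from `yum info <package>` output on stdin.
yum_info_version() {
    awk -F': *' '$1 ~ /^Version[ \t]*$/ { print $2; exit }'
}

# Classify the package described by `yum info` output on stdin.
check_from_yum_info() {
    php_cve_2019_11048_status "$(yum_info_version)"
}

# Constructed sample output; only the version 7.2.30 comes from the thread.
sample_yum_info() {
    cat <<'EOF'
Installed Packages
Name        : cwpphp
Version     : 7.2.30
Release     : 1
EOF
}

# Offline demo; on a CWP host: yum info cwpphp | check_from_yum_info
sample_yum_info | check_from_yum_info    # prints: affected
```

A result of "unknown" means the version is outside the 7.2, 7.3 and 7.4 branches the scanner text covers, not that the install is safe.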