Author Topic: Need to upgrade CWPPHP from 7.2.30 to at least 7.2.31  (Read 1634 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
Need to upgrade CWPPHP from 7.2.30 to at least 7.2.31
« on: July 15, 2020, 01:09:16 PM »
I ran a security scanner on the CWP service, and it noticed a DoS vulnerability in the CWPPHP

According to its self-reported version number, the version of PHP running on the remote web server is 7.2.x
prior to 7.2.31, 7.3.x prior to 7.3.18 or 7.4.x prior to 7.4.6. It is, therefore, affected by a denial of service (DoS)
vulnerability in its HTTP file upload component due to a failure to clean up temporary files created during the file
upload process. An unauthenticated, remote attacker can exploit this issue, by repeatedly submitting uploads
with long file or field names, to exhaust disk space and cause a DoS condition.

Solution
Upgrade to PHP version of CWPPHP in Yum to 7.2.31, 7.3.18, 7.4.6 or later.

Risk Factor
Medium

CVSS v3.0 Base Score
5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVSS v3.0 Temporal Score
4.6 (CVSS:3.0/E:U/RL:O/RC:C)

CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVSS Temporal Score
3.7 (CVSS2#E:U/RL:OF/RC:C)

STIG Severity
15
I

References
CVE CVE-2019-11048
XREF IAVA:2020-A-0221
« Last Edit: July 15, 2020, 01:57:28 PM by MyBuddyBen »
Trying to help people :)
Chords and Lyrics

Offline
**
Re: Need to upgrade CWPPHP from 7.2.30 to at least 7.2.31
« Reply #1 on: September 25, 2020, 07:15:35 PM »
I see your post is from July. Hopefully you found it in CWP.

Using the PHP Selector, Up to 7.2.33 is available.

Offline
*
Re: Need to upgrade CWPPHP from 7.2.30 to at least 7.2.31
« Reply #2 on: February 21, 2021, 01:19:43 PM »
Starburst that are only the PHP for hosted PHP, the PHP version CWPSRV use are old
check your self via
yum info cwpphp

PS. this are also the old PHP version used for build-in phpmysqladmin and WebMail (RoundCube), again just check.
« Last Edit: February 21, 2021, 01:22:43 PM by NFT »