Updated path to php catalog

Utveckling

Upgrade php version in XAMPP

I needed to upgrade the bundled php-version 6.5.12 to the latest 6.5.14 due to some security vulnerabilities. This is how I upgraded php in XAMPP to the latest version.

  • Start by downloading the latest php version. Are you using XAMPP select the Thread Safe zip version
  • Unzip the files to a new folder with name php_VERSION under the XAMPP-folder. Example C:\xampp\php_5.6.14
  • Stop the Apache service from the XAMPP control panel

    XAMPP Control Panel

    XAMPP Control Panel

  • Backup the file C:\xampp\apache\conf\extra\httpd-xampp.conf
  • Open the file C:\xampp\apache\conf\extra\httpd-xampp.conf in Administrator mode and replace all the paths to the old php folder to the new path example: C:/xampp/php_5.6.14/. You can also open the file, do the updates, save it to your desktop and manually copy/paste it to the original destination to overwrite the original file in case you forgot to edit it using Administrator user account.

    Updated path to php catalog

    Updated path to php catalog

  • Start the Apache service from the XAMPP control panel
  • Now when you browse to the phpinfo.php file it should report that XAMPP is using the new php version. You can also place a phpinfo.php file containing in the XAMPP root catalog and browse to your site/phpinfo.php

Nessus reports the following vulnerabilities in php version 5.6.12:

– Multiple use-after-free memory errors exist related to the unserialize() function, which a remote attacker can exploit to execute arbitrary code. (CVE-2015-6834)
– A use-after-free memory error exists related to the php_var_unserialize() function. A remote attacker, using a crafted serialize string, can exploit this to execute arbitrary code. (CVE-2015-6835)
– A type confusion error exists related to the serialize_function_call() function due to improper validation of the headers field, which a remote attacker can exploit to have unspecified impact. (CVE-2015-6836)
– An flaw exists in the XSLTProcessor class due to improper validation of input from the libxslt library, which a remote attacker can exploit to have an unspecified impact. (CVE-2015-6837, CVE-2015-6838)
– A flaw exists in the php_zip_extract_file() function in file php_zip.c due to improper sanitization of user-supplied input. An unauthenticated, remote attacker can exploit this to create arbitrary directories outside of the restricted path. (OSVDB 127122)
– A NULL pointer dereference flaw exists in the spl_autoload() function in file php_spl.c due to improper sanitization of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a PHP application to crash. (OSVDB 127124)
– A flaw exists in the parse_ini_file() and parse_ini_string() functions due to improper sanitization of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a PHP application to crash. (OSVDB 127125)
– A flaw exists in the CLI SAPI Web Server due to improper sanitization of user-supplied input. An unauthenticated, remote attacker can exploit this to access arbitrary files outside of the restricted path. (OSVDB 127126)

By  -      


Kommentera

E-postadressen publiceras inte. Obligatoriska fält är märkta *