Monday, October 20, 2014

"versionscan": a vulnerability report for your PHP version

versionscan, a tool that reports the known vulnerabilities of the PHP version you are running, was introduced in a SitePoint article, so I tried it out.

Command help
$ ./bin/versionscan
PHP Version Security Scanner version 0.1

Usage:
  [options] command [arguments]

Options:
  --help           -h Display this help message.
  --quiet          -q Do not output any message.
  --verbose        -v|vv|vvv Increase the verbosity of messages: 1 for normal output, 2 for more verbose output and 3 for debug
  --version        -V Display this application version.
  --ansi              Force ANSI output.
  --no-ansi           Disable ANSI output.
  --no-interaction -n Do not ask any interactive question.

Available commands:
  help   Displays help for a command
  list   Lists commands
  scan   Report back vulnerabilities for the current PHP version

Running "./bin/versionscan scan" lists the vulnerabilities that apply to the PHP version in use on the server.
$ ./bin/versionscan scan
Executing against version: 5.5.9
+--------+---------------+------+------------------------------------------------------------------------------------------------------+
| Status | CVE ID        | Risk | Summary                                                                                              |
+--------+---------------+------+------------------------------------------------------------------------------------------------------+
| FAIL   | CVE-2014-3981 | 3.3  | acinclude.m4, as used in the configure script in PHP 5.5.13 and earlier, allows local users to ov... |
| FAIL   | CVE-2014-3597 | 6.8  | Multiple buffer overflows in the php_parserr function in ext/standard/dns.c in PHP before 5.4.32 ... |
| FAIL   | CVE-2014-3587 | 4.3  | Integer overflow in the cdf_read_property_info function in cdf.c in file through 5.19, as used in... |
| FAIL   | CVE-2014-4670 | 4.6  | Use-after-free vulnerability in ext/spl/spl_dllist.c in the SPL component in PHP through 5.5.14 a... |
| FAIL   | CVE-2014-4698 | 4.6  | Use-after-free vulnerability in ext/spl/spl_array.c in the SPL component in PHP through 5.5.14 al... |
| FAIL   | CVE-2014-5120 | 6.4  | gd_ctx.c in the GD component in PHP 5.4.x before 5.4.32 and 5.5.x before 5.5.16 does not ensure t... |
| FAIL   | CVE-2014-4721 | 2.6  | The phpinfo implementation in ext/standard/info.c in PHP before 5.4.30 and 5.5.x before 5.5.14 do... |
| FAIL   | CVE-2014-3515 | 7.5  | The SPL component in PHP before 5.4.30 and 5.5.x before 5.5.14 incorrectly anticipates that certa... |
| FAIL   | CVE-2014-3487 | 4.3  | The cdf_read_property_info function in file before 5.19, as used in the Fileinfo component in PHP... |
| FAIL   | CVE-2014-0237 | 5.0  | The cdf_unpack_summary_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and ... |
| FAIL   | CVE-2014-0207 | 4.3  | The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo componen... |
| FAIL   | CVE-2014-0238 | 5.0  | The cdf_read_property_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5... |
| FAIL   | CVE-2014-3478 | 5.0  | Buffer overflow in the mconvert function in softmagic.c in file before 5.19, as used in the Filei... |
| FAIL   | CVE-2014-3480 | 4.3  | The cdf_count_chain function in cdf.c in file before 5.19, as used in the Fileinfo component in P... |
| FAIL   | CVE-2014-3479 | 4.3  | The cdf_check_stream_offset function in cdf.c in file before 5.19, as used in the Fileinfo compon... |
| FAIL   | CVE-2014-0185 | 7.2  | sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x befor... |
+--------+---------------+------+------------------------------------------------------------------------------------------------------+

Scan complete
--------------------
Total checks: 303
Failures: 16
"Failures: 16" is quite a lot (lol). Still, it lets you see what security risks are lurking in your install, so it is worth knowing about if you administer a server.
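To show how a FAIL row like the ones above is decided, here is an added example (my own code, not versionscan's) that matches a PHP version against affected-version rules of the kind seen in the table's summaries: "before X" means strictly older than the fixed release, "through Y" includes Y, and a "5.5.x" qualifier limits the rule to that branch. The CVE IDs and ranges are copied from the summaries in the scan output; the record structure and function names are my own.

```python
"""Minimal PHP version-vs-CVE matcher in the spirit of versionscan (added example)."""
from dataclasses import dataclass
from typing import List, Optional


def parse_version(v: str) -> tuple:
    """'5.5.9' -> (5, 5, 9); missing components are padded with zeros."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


@dataclass
class Affected:
    """One affected range: 'before' means < fixed version, 'through' means <= last affected."""
    op: str                       # "before" or "through"
    version: str
    branch: Optional[str] = None  # e.g. "5.5" restricts the rule to 5.5.x releases

    def matches(self, php: str) -> bool:
        if self.branch and not php.startswith(self.branch + "."):
            return False
        a, b = parse_version(php), parse_version(self.version)
        return a < b if self.op == "before" else a <= b


@dataclass
class Cve:
    cve_id: str
    risk: float
    ranges: List[Affected]


# Constructed records; IDs, risk scores and ranges are taken from the scan table above.
CVES = [
    Cve("CVE-2014-5120", 6.4, [Affected("before", "5.4.32", "5.4"), Affected("before", "5.5.16", "5.5")]),
    Cve("CVE-2014-3515", 7.5, [Affected("before", "5.4.30"), Affected("before", "5.5.14", "5.5")]),
    Cve("CVE-2014-4670", 4.6, [Affected("through", "5.5.14")]),
]


def scan(php_version: str, cves: List[Cve] = CVES) -> List[tuple]:
    """Return (status, cve_id, risk) per record; FAIL when any affected range matches."""
    rows = []
    for c in cves:
        status = "FAIL" if any(r.matches(php_version) for r in c.ranges) else "PASS"
        rows.append((status, c.cve_id, c.risk))
    return rows


if __name__ == "__main__":
    for row in scan("5.5.9"):  # the version scanned in the post
        print("| %-4s | %s | %.1f |" % row)
```

Note the boundary cases: 5.5.14 still FAILs CVE-2014-4670 ("through 5.5.14") but PASSes CVE-2014-3515 ("before 5.5.14"), and a 5.3.x release is caught by the unqualified "before 5.4.30" rule while the branch-qualified rules ignore it.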



Reference
Quick Tip: Make Sure Your PHP Version is Safe with Versionscan (SitePoint)
