Author Topic: PHP security  (Read 9364 times)

skiwi
PHP security
« on: June 19, 2024, 09:10:57 am »
Recent PHP security issues (CVE-2024-4577) mean we need to urgently update to PHP 8.3.8.
Is anyone running PCS on this version of PHP and is it working OK?

(and it's a nuisance that XAMPP releases seem to be running so far behind)
Orthogonality rules
Using EA16.1 (1627) on Windows 11 Enterprise/64 bit. Repositories in SQLServer2019 DB Schema 1558.
WebEA on Pro Cloud Server 4.2.64

skiwi
Re: PHP security
« Reply #1 on: June 19, 2024, 09:55:33 am »
Doing a little more research: in WebEA Quick Start Guide | Enterprise Architect User Guide (sparxsystems.com) and WebEA Installation and Configuration | Enterprise Architect User Guide (sparxsystems.com), XAMPP is suggested.


However XAMPP themselves state "XAMPP is not meant for production use but only for developers in a development environment"

In the readme.txt it states
Quote
A matter of security (A MUST READ!)

As mentioned before, XAMPP is not meant for production use but only for developers in a development environment. The way XAMPP is configured is to be as open as possible and allowing the developer anything he/she wants. For development environments this is great but in a production environment it could be fatal. Here is a list of missing security in XAMPP:

- The MySQL administrator (root) has no password.
- The MySQL daemon is accessible via network.
- phpMyAdmin is accessible via network.
- Examples are accessible via network.

Eve
Re: PHP security
« Reply #2 on: June 19, 2024, 04:03:21 pm »
Quote
Download, install and configure your web server for PHP, according to your requirements.
(emphasis mine)

XAMPP makes installation and configuration easier. We provide instructions for using it because not everyone knows how to do that for themselves.

If XAMPP doesn't suit your requirements, don't use it.

PS. WebEA only requires the minimum XAMPP installation, Apache and PHP; it does not require MySQL, FileZilla, Mercury, Tomcat or any of the other optional components, so if you have no need for these components Sparx Systems would recommend not installing them.

skiwi
Re: PHP security
« Reply #3 on: June 20, 2024, 07:45:18 am »
Thanks Eve,
could I possibly suggest then that the Sparx Systems advice on the website should be clearer about this, specifically that XAMPP is (according to the vendor) insecure.
Also that XAMPP is NOT to be used in production, and possibly change the advice to simply specify Apache server and PHP.

Modesto Vega
Re: PHP security
« Reply #4 on: June 20, 2024, 06:59:49 pm »
This is a serious matter that Sparx Systems should not gloss over with the usual "according to your requirements" talk, no criticism intended.

The vulnerability affects the PHP CGI module. According to https://nvd.nist.gov/vuln/detail/CVE-2024-4577
Quote
"when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc."

From memory, and I could be wrong, the fastcgi.impersonate setting may play a role in getting PHP to integrate with AD.
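Two concrete checks come out of this thread: whether a host still runs a PHP build that predates the CVE-2024-4577 fix and routes requests through php-cgi under Apache on Windows (the configuration the NVD text above describes), and whether the XAMPP defaults its own readme warns about in Reply #1 (MySQL and phpMyAdmin reachable from the network) are still in place. The script below is an added example, not code from Sparx Systems, XAMPP or PHP. It works offline over constructed stand-ins for `php -v` output, httpd.conf, my.ini and XAMPP's httpd-xampp.conf; the file names and the sample contents are assumptions, as is the regex-level reading of the config syntax. The fixed release for the 8.3 branch (8.3.8) is the one named in the thread; 8.2.20 and 8.1.29 are the corresponding fixed releases for the two other branches that were still supported at the time. The "root has no password" item cannot be read from a config file and is left for a live connection test.

```python
"""Offline assessment of a WebEA/XAMPP host: PHP version vs. the
CVE-2024-4577 fix, whether Apache routes PHP through php-cgi, and the
XAMPP network-exposure defaults (MySQL, phpMyAdmin).

Added example; not Sparx Systems, XAMPP or PHP project code.
All inputs below are constructed samples."""
import re

# Per-branch releases carrying the CVE-2024-4577 fix. 8.3.8 is named in the
# thread; 8.2.20 and 8.1.29 are the matching fixes for the other supported
# branches at the time. Branches not listed here are end-of-life and unfixed.
FIXED_VERSIONS = {(8, 3): (8, 3, 8), (8, 2): (8, 2, 20), (8, 1): (8, 1, 29)}


def parse_php_version(php_v_output):
    """Extract (major, minor, patch) from the first line of `php -v`."""
    m = re.search(r"^PHP (\d+)\.(\d+)\.(\d+)", php_v_output, re.M)
    if not m:
        raise ValueError("no PHP version line found")
    return tuple(int(x) for x in m.groups())


def php_version_fixed(version):
    """True if the version is on a supported branch at or above the fix."""
    fixed = FIXED_VERSIONS.get(version[:2])
    return fixed is not None and version >= fixed


def live_lines(conf):
    """Config lines with comments and blanks removed."""
    return [l.strip() for l in conf.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def apache_uses_php_cgi(httpd_conf):
    """True if an active Apache directive references the php-cgi binary.
    The CGI SAPI is what CVE-2024-4577 affects; a LoadModule of the
    mod_php DLL alone does not trigger this check."""
    return any(re.search(r"php-cgi(\.exe)?\b", l, re.I)
               for l in live_lines(httpd_conf))


def mysql_listens_on_network(my_ini):
    """True unless MySQL is bound to loopback or networking is disabled.
    With no bind-address at all, MySQL listens on every interface."""
    for l in live_lines(my_ini):
        if re.match(r"skip[-_]networking\b", l, re.I):
            return False
        m = re.match(r"bind[-_]address\s*=\s*(\S+)", l, re.I)
        if m and m.group(1).strip("\"'") in ("127.0.0.1", "::1", "localhost"):
            return False
    return True


def phpmyadmin_exposed(httpd_xampp_conf):
    """True if the phpMyAdmin <Directory> block grants access beyond localhost
    (or carries no Require at all, which inherits whatever the parent allows)."""
    block = re.search(r'<Directory\s+"[^"]*phpMyAdmin">(.*?)</Directory>',
                      httpd_xampp_conf, re.S | re.I)
    if not block:
        return False  # not served at all
    body = live_lines(block.group(1))
    if any(re.match(r"Require\s+all\s+granted", l, re.I) for l in body):
        return True
    return not any(re.match(r"Require\s+(local|ip\s+127\.0\.0\.1)", l, re.I)
                   for l in body)


def assess(php_v_output, httpd_conf, my_ini, httpd_xampp_conf):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []
    version = parse_php_version(php_v_output)
    vstr = ".".join(map(str, version))
    if not php_version_fixed(version):
        findings.append(f"PHP {vstr} predates the CVE-2024-4577 fix")
    if apache_uses_php_cgi(httpd_conf):
        findings.append("Apache routes PHP through php-cgi (the affected SAPI)")
    if mysql_listens_on_network(my_ini):
        findings.append("MySQL listens on non-loopback interfaces")
    if phpmyadmin_exposed(httpd_xampp_conf):
        findings.append("phpMyAdmin is reachable from the network")
    return findings


# Constructed samples standing in for the real files on a XAMPP host.
SAMPLE_PHP_V = "PHP 8.2.12 (cli) (built: Oct 24 2023) (ZTS Visual C++ 2019 x64)\n"
SAMPLE_HTTPD = '''
# LoadModule php_module "C:/xampp/php/php8apache2_4.dll"
ScriptAlias /php-cgi/ "C:/xampp/php/"
Action application/x-httpd-php-cgi "/php-cgi/php-cgi.exe"
AddHandler application/x-httpd-php-cgi .php
'''
SAMPLE_MY_INI = '[mysqld]\nport=3306\n# bind-address="127.0.0.1"\n'
SAMPLE_XAMPP = '''
Alias /phpmyadmin "C:/xampp/phpMyAdmin/"
<Directory "C:/xampp/phpMyAdmin">
    AllowOverride AuthConfig
    Require all granted
</Directory>
'''

if __name__ == "__main__":
    for f in assess(SAMPLE_PHP_V, SAMPLE_HTTPD, SAMPLE_MY_INI, SAMPLE_XAMPP):
        print("FINDING:", f)
```

On a real host, feed `assess()` the output of `php -v` and the contents of `httpd.conf`, `my.ini` and `httpd-xampp.conf` from the XAMPP tree; an empty result only means these four items are clean, not that the install is production-ready.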


Eve
Re: PHP security
« Reply #5 on: June 21, 2024, 09:27:11 am »
Quote
This is a serious matter that Sparx Systems should not gloss over with the usual "according to your requirements" talk, no criticism intended.
I'm not saying it's not serious, although I don't typically deal directly with WebEA or PHP for any other reason, which basically means I don't know the details.

I have seen multiple incoming issues with people reporting that they can't use XAMPP within their organizations, and that's the answer that's given. XAMPP is not required, it's used to provide a simple baseline for examples.

Based on your quote though, you, the end user, could install WebEA in Apache on Linux or IIS for Windows.

Use this as an opportunity to review your own security environment.

Modesto Vega
Re: PHP security
« Reply #6 on: June 21, 2024, 06:19:42 pm »
Quote
[SNIP]

Based on your quote though, you, the end user, could install WebEA in Apache on Linux or IIS for Windows.

Use this as an opportunity to review your own security environment.
Sparx Systems provides virtually no documentation on how to install and configure WebEA on a Windows Server OS running IIS, including how to configure WebEA, without using XAMPP. This is, in my opinion, an issue.


skiwi
Re: PHP security
« Reply #7 on: June 24, 2024, 08:09:19 am »
Quote
Sparx Systems provides virtually no documentation on how to install and configure WebEA on a Windows Server OS running IIS, including how to configure WebEA, without using XAMPP. This is, in my opinion, an issue.
Agreed. I made the mistake of pointing our ITMS partner at the Sparx Systems Pro Cloud Server installation documentation in the belief that it was intended and suitable for 'Production Use'.