[Openvas-discuss] PHP vulnerabilities

Juan José Pavlik Salles jjpavlik at gmail.com
Mon Aug 13 00:35:44 CEST 2012

Hi, i'm having some problems with php in my openvas reports. The thing is
that for instance, Ubuntu LTS systems, doesn't change its php version
during its hole life, so openvas reports me a lot of vulnerabilities
related to the php version. But most of the vulnerabilites has been fixed
by the ubuntu team, so they're false positives after all.

I've run openvas to this two VMs:

1-A vm with Ubuntu 8.04 LTS without any update, running PHP 5.2.4-2ubuntu5.
2-A vm with Ubuntu 8.04 LTS totally updated, running PHP 5.2.4-2ubuntu5.25.

Both tests reported exactly the same PHP warnings. I've checked all the
CVEs involved in these warnings and all of them has been patched in the
latest php version (5.2.4-2ubuntu5.25). I've tried nexpose too and it has
the same behaviour, i also tried nessus and it really dissapointed me...
nessus didn't show any php warning at all.

I'd like to reduce this false positives. I assume this happens because
openvas is just checking for the php version (5.2.4), and it's not using
the rest of the information (2ubuntu.5.25). I also imagine, that every
distribution has its own way for naming its updates, so it can't be easy to
support all of them.

Is there any way we could make this tests more specific? I mean, if i had
certain information for instance  "Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5
with Suhosin...." i could search somewhere (maybe in the ubuntu CVE
tracker? or a local db) wich of the vulnerabilites found in the PHP 5.2.4
version weren't patched in this particular version 5.2.4-2ubuntu5, and
report that.

I don't know if i was clear enough, but i did my best :D.

Pavlik Juan José
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.wald.intevation.org/pipermail/openvas-discuss/attachments/20120812/5a2fc2f8/attachment.html>

More information about the Openvas-discuss mailing list