CloudLinux - CloudLinux Blog - What’s inside HardenedPHP and why it matters for server security

What’s inside HardenedPHP and why it matters for server security

What’s inside HardenedPHP and why it matters for server security

It’s been more than a year since we started our HardenedPHP project. The idea came out of discussions with multiple hosters who expressed their worry about running outdated versions of PHP. While their servers were secured with CageFS, they were still worried that hackers could have a field day with all the sites running PHP 4.4 or 5.1.

Even though it might not affect other customers, hackers would use hacked accounts to send spam, attack other servers or infect sites with malware causing extra workload for the support team.

We decided to help. We spent nine months taking all known vulnerabilities and backporting it against old versions of PHP. Each backport comes with its own test. After that, all those versions of PHP were subjected to rigorous testing - including making sure that it doesn’t break the functionality of major software packages, such as WordPress and Joomla. The next step was letting it run on a few production systems of our customers. In total, we handled more than 100 CVEs and it took us more than a year to deliver the project.

Here are some of the critical security issues that were fixed (note that the CSSv2 score ranges from 0 to 10, with 10 being the highest):

CVE-ID Date CVSSv2 score Summary
CVE-2015-0235 2015-01-28 10 Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka "GHOST."
CVE-2009-3546 2009-10-19 9.3 The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.x before 5.3.1, and the GD Graphics Library 2.x, does not properly verify a certain colorsTotal structure member, which might allow remote attackers to conduct buffer overflow or buffer over-read attacks via a crafted GD file, a different vulnerability than CVE-2009-3293. NOTE: some of these details are obtained from third party information.
CVE-2008-3658 2008-08-14 7.5 Buffer overflow in the imageloadfont function in ext/gd/gd.c in PHP 4.4.x before 4.4.9 and PHP 5.2 before 5.2.6-r6 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.
CVE-2008-5624 2008-12-17 7.5 PHP 5 before 5.2.7 does not properly initialize the page_uid and page_gid global variables for use by the SAPI php_getuid function, which allows context-dependent attackers to bypass safe_mode restrictions via variable settings that are intended to be restricted to root, as demonstrated by a setting of /etc for the error_log variable.
CVE-2008-5625 2008-12-17 7.5 PHP 5 before 5.2.7 does not enforce the error_log safe_mode restrictions when safe_mode is enabled through a php_admin_flag setting in httpd.conf, which allows context-dependent attackers to write to arbitrary files by placing a "php_value error_log" entry in a .htaccess file.
CVE-2008-5658 2008-12-17 7.5 Directory traversal vulnerability in the ZipArchive::extractTo function in PHP 5.2.6 and earlier allows context-dependent attackers to write arbitrary files via a ZIP file with a file whose name contains .. (dot dot) sequences.
CVE-2008-5844 2009-01-05 7.5 PHP 5.2.7 contains an incorrect change to the FILTER_UNSAFE_RAW functionality, and unintentionally disables magic_quotes_gpc regardless of the actual magic_quotes_gpc setting, which might make it easier for context-dependent attackers to conduct SQL injection attacks and unspecified other attacks.


There are 39 more vulnerabilities with the CVSSv2 score of 7.5 that we have patched, and more than a 100 vulnerabilities in total. Complete list of vulnerabilities can be downloaded here.

By fixing all the known vulnerabilities in older versions of PHP and continuing fixing them as new vulnerabilities get discovered, we are expecting to make it significantly harder for hackers to exploit PHP sites while reducing the need for shared site owners to rewrite their software to work with latest versions of PHP.

8 fabulous feature improvements in the works for C...
Ubuntu LTS 16.04 includes livepatch - now what?

By accepting you will be accessing a service provided by a third-party external to

EU e-Privacy Directive

We use cookies to ensure you get the best experience using our website and services. Read more about it in our Privacy Policy. Please agree to the use of cookies to proceed. Alternatively, you may disable cookies in your browser at any time.

You have declined cookies. This decision can be reversed.

You have allowed cookies to be placed on your computer. This decision can be reversed.