Hi All,
Our Cacti server got a BPA scan report: The PHP installation on the remote web server contains a flaw that could allow a remote attacker to pass command-line arguments as part of a query string to the PHP-CGI program. This could be abused to execute arbitrary code. Update PHP or ensure that all available security patches for the product/application utilizing PHP are installed. See CVE-2012-1823, CVE-2012-2311, CVE-2012-2336 and CVE-2012-2335 for further details.
Need advice to solve this matter: should we upgrade the PHP version or upgrade the Cacti version instead?
May I know as well, if we need to upgrade the PHP version, any recommendation for a version that is compatible with Cacti 0.8.7i?
Regards, Lenna
PHP Vulnerability on Cacti 0.8.7i
Re: PHP Vulnerability on Cacti 0.8.7i
Cacti 0.8.8c is the current release, which has many security vulnerabilities fixed since your old 0.8.7i version. You should upgrade.
Upgrading php, web server, and mysql are also a good idea.
Re: PHP Vulnerability on Cacti 0.8.7i
If, let's say, we want to upgrade PHP first, any recommendation on which version of PHP we should install?
BSOD2600 wrote: Cacti 0.8.8c is the current release, which has many security vulnerabilities fixed since your old 0.8.7i version. You should upgrade.
Upgrading php, web server, and mysql are also a good idea.
Re: PHP Vulnerability on Cacti 0.8.7i
I would always recommend the latest PHP, but I am trying to remember if 0.8.7i (released 3 years ago?) required a few fixes for functions that were deprecated in the later versions. Did you install PHP via a repo, or are you doing it from source? You didn't really mention what OS you are installing it on. For instance, CentOS 6 defaults to PHP 5.3.3 and has backported security patches until 2020.
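Added example, not part of the thread and not Cacti or PHP project code: the scan finding quoted in the first post concerns query strings that PHP-CGI reads as command-line arguments, so alongside patching it is worth checking the web server access log for such requests. The sketch below flags requests to .php files whose query string has no unencoded "=" and begins with "-" once URL-decoded. The combined log format, the /cacti/ paths and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(
    r'"(?:GET|POST|HEAD) (?P<path>[^ ?"]+)\?(?P<query>[^ "]*) HTTP/[\d.]+"'
)

def is_cgi_argument_query(query):
    """True when a query string would be read as command-line switches.

    A query with no unencoded '=' is handed to a CGI program as an argument
    list; one that starts with '-' after URL-decoding looks like a switch.
    """
    if not query or "=" in query:
        return False
    return unquote(query).lstrip().startswith("-")

def suspicious_requests(log_lines):
    """Return (line_number, path, raw_query) for each flagged .php request."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match or not match.group("path").lower().endswith(".php"):
            continue
        if is_cgi_argument_query(match.group("query")):
            hits.append((number, match.group("path"), match.group("query")))
    return hits

# Constructed sample log lines; "-example" is a placeholder, not a real switch.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2015:10:00:00 +0000] "GET /cacti/graph_view.php?action=tree HTTP/1.1" 200 5120',
    '192.0.2.55 - - [01/Jan/2015:10:00:05 +0000] "GET /cacti/index.php?-example HTTP/1.1" 200 312',
    '192.0.2.55 - - [01/Jan/2015:10:00:06 +0000] "GET /cacti/index.php?%2Dexample+value HTTP/1.1" 200 312',
    '192.0.2.10 - - [01/Jan/2015:10:00:09 +0000] "GET /cacti/index.php?-x=1 HTTP/1.1" 200 5120',
    '192.0.2.10 - - [01/Jan/2015:10:00:12 +0000] "GET /cacti/images/logo.png?-example HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, path, query in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: {path}?{query}")
```

A hit only shows that someone sent such a request; whether the server was exposed depends on PHP running as CGI and on its patch level, which on distributions that backport fixes cannot be read from the version number alone.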