Solved

How to upgrade PHP on windows?

Posted on 2014-11-21
8
5,181 Views
Last Modified: 2014-11-23
Hi I need to update my version of PHP. Its running on a windows box. Anyone any experience in doing so?

Security scan shows this


According to its banner, the version of PHP 5.4.x installed on the remote host is a version prior to 5.4.30. It is, therefore, affected by the following vulnerabilities :

- Boundary checking errors exist related to the Fileinfo extension, Composite Document Format (CDF) handling and the functions 'cdf_read_short_sector', 'cdf_check_stream_offset', 'cdf_count_chain', and 'cdf_read_property_info'. (CVE-2014-0207, CVE-2014-3479, CVE-2014-3480, CVE-2014-3487)

- A pascal string size handling error exists related to the Fileinfo extension and the function 'mconvert'.
(CVE-2014-3478)

- A type-confusion error exists related to the Standard PHP Library (SPL) extension and the function 'unserialize'. (CVE-2014-3515)

- An error exists related to configuration scripts and temporary file handling that could allow insecure file usage. (CVE-2014-3981)

- A heap-based buffer overflow error exists related to the function 'dns_get_record' that could allow execution of arbitrary code. (CVE-2014-4049)

- A type-confusion error exists related to the function 'php_print_info' that could allow disclosure of sensitive information. (CVE-2014-4721)

- An error exists related to unserialization and 'SplFileObject' handling that could allow denial of service attacks. (Bug #67072)

- A double free error exists related to the Intl extension and the method 'Locale::parseLocale' having unspecified impact. (Bug #67349)

- A buffer overflow error exists related to the Intl extension and the functions 'locale_get_display_name' and 'uloc_getDisplayName' having unspecified impact.
(Bug #67397)

Note that Nessus has not attempted to exploit these issues, but has instead relied only on the application's self-reported version number.
Solution

Upgrade to PHP version 5.4.30 or later.

  Version source    : Server: Apache/2.2.25 (Win32) PHP/5.4.20
  Installed version : 5.4.20
  Fixed version     : 5.4.30
0
Comment
Question by:gman
  • 4
  • 2
  • 2
8 Comments
 
LVL 33

Accepted Solution

by:
Dave Howe earned 250 total points
ID: 40457871
Download page is http://windows.php.net/download/

you will probably want 5.4.35 (5.5 or later could mean code changes on your server, staying within 5.4 is therefore the safest route), and should use the thread safe version.

Take a safe copy of the folder containing the php binaries, then replace them with the zipfile from the url above. If you don't already have the VC9 runtimes, you can find them here (and should install those before replacing the php binaries)
0
 

Author Comment

by:gman
ID: 40457920
Thanks Dave, Do I need to retain any of the original files in the new binary? the ini file for example
0
 
LVL 82

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 250 total points
ID: 40458312
I normally install new PHP versions in a separate directory so I preserve the old version at least long enough to get the new one tested and working.  If both versions are PHP 5.4.xx then you can copy the old 'php.ini' to the new one.  Often with just that change, changing the name of the directories can be enough to have the new version up and running.  You may have to copy any added extensions from the old one to the new one.
0
 

Author Comment

by:gman
ID: 40458368
This isn't a box I'm 100% familiar with so apologies for the silly question, what would be the easiest way to find these extensions? (assuming any exist)
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 40458504
PHP extensions always exist and they are included with the Windows binaries.  Except for some third party extensions like the Microsoft SQLSRV driver for SQL Server which you download from the Microsoft web site.  They are normally in the 'ext' subdirectory under the PHP subdirectory.  I always put my PHP in C:\PHP but some others don't.
0
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 40458507
One of the main reasons for 'php.ini' is to tell which extensions to enable.  The ones that are enabled are loaded when PHP is launched and the rest are not.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40459047
@gman: normally, the zipfile addresses that by not having a php.ini - it has a couple of samples, but doesn't give either of them the "active" name.

@Dave: I usually copy the existing installation and then install over the top, knowing I can restore it back by just copying the copies back to the original location. that saves having to tell everything that already uses php where to find the new copy.  Another alternative is to use a versioning system (such as tortoisegit) to version the directory - that lets you keep track of updates (not just this one, but any changes to the php ini, new modules etc) and gives you finer control over the content.
0
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 40459088
What I do is essentially the same except I'm changing only directory names.  I usually copy the 'php.ini' file from the previous version to the new one.  When I'm done the 'new' one has the directory name of the old one and none of my other programs knows the difference.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

If you get continual lockouts after changing your Active Directory password, there are several possible reasons.  Two of the most common are using other devices to access your email and stored passwords in the credential manager of windows.
Never store passwords in plain text or just their hash: it seems a no-brainier, but there are still plenty of people doing that. I present the why and how on this subject, offering my own real life solution that you can implement right away, bringin…
The purpose of this video is to demonstrate how to set up the WordPress backend so that each page automatically generates a Mailchimp signup form in the sidebar. This will be demonstrated using a Windows 8 PC. Tools Used are Photoshop, Awesome…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now