Avatar of gman
gman
 asked on

How to upgrade PHP on windows?

Hi I need to update my version of PHP. Its running on a windows box. Anyone any experience in doing so?

Security scan shows this


According to its banner, the version of PHP 5.4.x installed on the remote host is a version prior to 5.4.30. It is, therefore, affected by the following vulnerabilities :

- Boundary checking errors exist related to the Fileinfo extension, Composite Document Format (CDF) handling and the functions 'cdf_read_short_sector', 'cdf_check_stream_offset', 'cdf_count_chain', and 'cdf_read_property_info'. (CVE-2014-0207, CVE-2014-3479, CVE-2014-3480, CVE-2014-3487)

- A pascal string size handling error exists related to the Fileinfo extension and the function 'mconvert'.
(CVE-2014-3478)

- A type-confusion error exists related to the Standard PHP Library (SPL) extension and the function 'unserialize'. (CVE-2014-3515)

- An error exists related to configuration scripts and temporary file handling that could allow insecure file usage. (CVE-2014-3981)

- A heap-based buffer overflow error exists related to the function 'dns_get_record' that could allow execution of arbitrary code. (CVE-2014-4049)

- A type-confusion error exists related to the function 'php_print_info' that could allow disclosure of sensitive information. (CVE-2014-4721)

- An error exists related to unserialization and 'SplFileObject' handling that could allow denial of service attacks. (Bug #67072)

- A double free error exists related to the Intl extension and the method 'Locale::parseLocale' having unspecified impact. (Bug #67349)

- A buffer overflow error exists related to the Intl extension and the functions 'locale_get_display_name' and 'uloc_getDisplayName' having unspecified impact.
(Bug #67397)

Note that Nessus has not attempted to exploit these issues, but has instead relied only on the application's self-reported version number.
Solution

Upgrade to PHP version 5.4.30 or later.

  Version source    : Server: Apache/2.2.25 (Win32) PHP/5.4.20
  Installed version : 5.4.20
  Fixed version     : 5.4.30
VulnerabilitiesSecurityWeb Components

Avatar of undefined
Last Comment
Dave Baldwin

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Dave Howe

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
gman

ASKER
Thanks Dave, Do I need to retain any of the original files in the new binary? the ini file for example
SOLUTION
Dave Baldwin

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
gman

ASKER
This isn't a box I'm 100% familiar with so apologies for the silly question, what would be the easiest way to find these extensions? (assuming any exist)
Dave Baldwin

PHP extensions always exist and they are included with the Windows binaries.  Except for some third party extensions like the Microsoft SQLSRV driver for SQL Server which you download from the Microsoft web site.  They are normally in the 'ext' subdirectory under the PHP subdirectory.  I always put my PHP in C:\PHP but some others don't.
All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck
Dave Baldwin

One of the main reasons for 'php.ini' is to tell which extensions to enable.  The ones that are enabled are loaded when PHP is launched and the rest are not.
Dave Howe

@gman: normally, the zipfile addresses that by not having a php.ini - it has a couple of samples, but doesn't give either of them the "active" name.

@Dave: I usually copy the existing installation and then install over the top, knowing I can restore it back by just copying the copies back to the original location. that saves having to tell everything that already uses php where to find the new copy.  Another alternative is to use a versioning system (such as tortoisegit) to version the directory - that lets you keep track of updates (not just this one, but any changes to the php ini, new modules etc) and gives you finer control over the content.
Dave Baldwin

What I do is essentially the same except I'm changing only directory names.  I usually copy the 'php.ini' file from the previous version to the new one.  When I'm done the 'new' one has the directory name of the old one and none of my other programs knows the difference.
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.