PHP, third party libraries, and CVEs

Please enjoy my harrowing tale:

I ran a scan and it popped up suggesting nghttp2.dll that is packaged with Windows PHP is vulnerable to CVE-2020-11080.

Alright, no problem, I’ll just update PHP. Ah, no, the latest one is still using nghttp2 1.40.

Okay, let’s see if PHP has addressed this themselves by building their own version. Hm, can’t find the source anywhere. When you go to PHP: internals:windows:stepbystepbuild_sdk_2 it directs you to GitHub - microsoft/php-sdk-binary-tools: Tool kit for building PHP under Windows which appears to have no releases for the past two years. If you download the latest release, you get version 1.32. That can’t be right.

Let’s see the old documentation here: https://wiki.php.net/internals/windows/stepbystepbuild

Alright if I follow this rabbit hole I get here: https://windows.php.net/downloads/php-sdk/deps/vs16/x64/ which again has version 1.40. So the old documentation leads me to the newer dll? Cool.

Okay so this is frustrating. Where did PHP get this dll from? If I go to nghttp2 directly and get the 1.40 source and build it, my dll is different from the PHP version.

So where is PHP’s source for this dll? Is it vulnerable to the CVE? How do I know? Why hasn’t PHP upgraded it?

Do you have a reason to use Windows-PHP? It is seldom used by professionals, in my humble opinion.
Most use the more standard Apache version. For local testing, just install Wamp, which includes Apache, MySQL, PHP and other libraries ready to go. And it is all contained inside one folder, so it is easy to back up. Windows, meaning Microsoft, tracks everything, so I dislike using it.

The CVE is basically a Denial-of-Service attack. Here is Microsoft's page on it and a list of fixes and updates. You might want to see if these fix it. Good luck!
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1108

We’re about a decade too late to reverse that decision. And the CVE is CVE-2020-11080.

I just don’t know how to determine if PHP is vulnerable.

Well, did you READ the page I posted OR the last one you posted? Both say that you need to be using nghttp2 v1.41.0… If you are using any version less than 1.41.0 then you are vulnerable. Locate where your nghttp2 is sitting, right-click on it and check its properties. See which version it is. Update it to at least 1.41.0…

Also, you can check the others in the list of 98 items on the Microsoft page and make sure those are up to date.
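The version check described in the reply above, as an added PowerShell example that is not part of the thread and not anything PHP or Microsoft ship: it walks a PHP install directory (the `$PhpRoot` default of `C:\php` is an assumption; point it at wherever your php.exe lives), reads the file-version resource of every `nghttp2.dll` it finds, compares it against 1.41.0 (the first release the CVE-2020-11080 advisory names as fixed) and prints a SHA-256 so the shipped file can be compared against one you built yourself from upstream source.

```powershell
# Added example (not from the thread): locate nghttp2.dll under a PHP install and
# compare its file version against the first fixed nghttp2 release, 1.41.0.
# Assumptions: $PhpRoot is the directory containing php.exe (C:\php is a placeholder),
# and the DLL carries a FileVersion resource, which the windows.php.net builds do.
param(
    [string]$PhpRoot = 'C:\php'   # assumed install location; change to match yours
)

$FixedIn = [version]'1.41.0'

$dlls = Get-ChildItem -Path $PhpRoot -Filter 'nghttp2.dll' -Recurse -File -ErrorAction SilentlyContinue
if (-not $dlls) {
    Write-Output "No nghttp2.dll found under $PhpRoot (this build's php_curl may not link nghttp2)."
    return
}

foreach ($dll in $dlls) {
    $vi = $dll.VersionInfo

    # Use the numeric parts rather than the FileVersion string, which may carry a suffix.
    $found = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart)

    # The hash lets you compare the shipped DLL with one you built from nghttp2 source.
    $hash = (Get-FileHash -Path $dll.FullName -Algorithm SHA256).Hash

    $status = if ($found -lt $FixedIn) {
        'version predates the 1.41.0 fix: treat as affected by CVE-2020-11080'
    } else {
        'version is 1.41.0 or later: not affected by CVE-2020-11080'
    }

    [pscustomobject]@{
        Path        = $dll.FullName
        FileVersion = $vi.FileVersion
        Parsed      = $found.ToString()
        SHA256      = $hash
        Status      = $status
    }
}
```

Run it as `.\Check-Nghttp2.ps1 -PhpRoot 'C:\path\to\php'`. Two caveats: the version resource only tells you which upstream release the DLL was built from, so a 1.40 build that had the fix backported (which is exactly the question the original poster is asking) would still be reported as affected, and a differing SHA-256 between the shipped DLL and your own build does not by itself prove PHP changed anything, since two compilations of the same source with different toolchains or options will not be byte-identical.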

No, your link is to the wrong CVE. And yes I know the CVE is against 1.40, but that’s the one that PHP delivers with PHP Windows. That is how I got here. I am trying to figure out if PHP modified their version to fix it, if they don’t think they are vulnerable to it, or if they simply don’t know about it.

Well, Windows PHP is not created by PHP. It is created by Microsoft. And they are discontinuing their PHP. So this is a bit of a moot discussion. But you can update the nghttp2 version yourself if needed.

Microsoft isn’t building PHP anymore. But PHP for Windows is not going anywhere.

PHP for Windows using Apache is NOT Windows-PHP…

You can still install PHP 8.0 on IIS despite Microsoft dropping support for it. Nothing has changed.

You keep saying nonsense. PHP installed on anything is NOT Windows-PHP. They are two different things. One based on Apache and Zend and the other Microsoft. I am not arguing with you. It is still PHP, but, you were talking about nghttp2.dll. We covered that.

****** EDIT *****
nghttp2.dll is NOT on any of my four PHP systems and it is NOT a Microsoft product. It is found at: https://nghttp2.org/ And you can update your old versions there. Since this was fixed three or more versions ago, it should not be an issue. Just update your version to at least 1.41 and you should be all set. Again, sorry if you were not clear that you are discussing something no longer a problem. And sorry if I offended you. It was not meant that way!

You called [the thing that requires nghttp2.dll] “Windows PHP”.
I was referring to Windows PHP as the thing you download at windows.php.net.
Microsoft said they were going to stop providing the builds for it after 7.4.
If you go to windows.php.net, you can download 8.0.8, which is beyond Microsoft’s support AND contains nghttp2.dll.

I don’t know where your confusion is. It exists. It requires nghttp2.dll. It is not going away.

This is my last comment on this. Microsoft is not making any more builds of it. Therefore, it will go away at some point. Nobody uses PHP 3 anymore. PHP 8 will go away, too. If you have a problem with nghttp2, make sure it is at least version 1.41 and you are safe. Good night.

Just for anybody who ends up here via Google: Ernie is just plain wrong. PHP for Windows is NOT going away. It already has 8 builds beyond Microsoft’s support.

Well, as it is open-source, it will continue as long as someone makes builds.
But not supported by Microsoft. So who knows who is making the builds.
