So I ran a security scan on my website from intruder.io.
It has come back with the below error message:
The version of PHP in use contains a number of known security vulnerabilities which could be used to compromise the system or affect its availability. PHP is a scripting language usually used for web development.
For further detail on specific vulnerabilities affecting the installed version of software, please see the raw scanner output in the occurrences table below and refer to: http://www.cvedetails.com/vulnerability-list/vendor_id-74/product_id-128/PHP-PHP.html
Detailed output below:
Protocol/port
TCP 7080
Version
5.6.36
Raw scanner output
6 checks contributed to this issue.
PHP 5.6.x < 5.6.37 exif_thumbnail_extract() DoS
CVSS Rating 7.5 (v3)
CVE-2018-14851 | CVE-2018-14883 | CVE-2018-15132
Version source : X-Powered-By: PHP/5.6.36
Installed version : 5.6.36
Fixed version : 5.6.37
PHP 5.6.x < 5.6.39 Multiple vulnerabilities
CVSS Rating 7.5 (v3)
CVE-2018-19518 | CVE-2018-19935 | CVE-2018-20783
Version source : X-Powered-By: PHP/5.6.36
Installed version : 5.6.36
Fixed version : 5.6.39
PHP 5.6.x < 5.6.40 Multiple vulnerabilities.
CVSS Rating 9.8 (v3)
CVE-2016-10166 | CVE-2019-6977 | CVE-2019-9020 | CVE-2019-9021 | CVE-2019-9023 | CVE-2019-9024
Version source : X-Powered-By: PHP/5.6.36
Installed version : 5.6.36
Fixed version : 5.6.40
PHP < 7.1.33 / 7.2.x < 7.2.24 / 7.3.x < 7.3.11 Remote Code Execution Vulnerability.
CVSS Rating 9.8 (v3)
CVE-2019-11043
URL : https://DOMAIN.COM:7080/ (5.6.36 under X-Powered-By: PHP/5.6.36)
Installed version : 5.6.36
Fixed version : 7.1.33
PHP < 7.3.28 Email Header Injection
CVSS Rating 5.3 (v3)
URL : https://DOMAIN.COM:7080/ (5.6.36 under X-Powered-By: PHP/5.6.36)
Installed version : 5.6.36
Fixed version : 7.3.28
PHP < 7.3.24 Multiple Vulnerabilities
CVSS Rating 7.5 (v3)
URL : https://DOMAIN.COM:7080/ (5.6.36 under X-Powered-By: PHP/5.6.36)
Installed version : 5.6.36
Fixed version : 7.3.24
The PHP version compiled in the admin portal is 8.0.7. The main website is also using a new version of PHP, so it looks like ONLY the admin portal at :7080 is using some super old, extremely vulnerable version of PHP, in effect putting the whole server at risk.
Why is the admin portal not also using the same PHP as everything else?
How can I remove the old 5.6 PHP?
How can I force the admin console to use PHP 8?
This is installed on a fresh Ubuntu 20 LTS using the installer script from OpenLiteSpeed, no custom config.
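A re-check for the findings quoted in the post above, added here as an example and not part of the original post or of OpenLiteSpeed: it reads the PHP version from the `X-Powered-By` banner, which is the only version source the scanner output lists, and reports which of the six findings still match. The rule table is transcribed from the finding titles; the function names and the sample headers are constructed for illustration.

```shell
# Added example: re-check a PHP banner against the scanner findings quoted above.
# Rules come from the finding titles, as branch:fixed pairs; "any" = every branch.
FINDINGS='exif_thumbnail_extract() DoS|5.6:5.6.37
5.6.x multiple vulnerabilities (< 5.6.39)|5.6:5.6.39
5.6.x multiple vulnerabilities (< 5.6.40)|5.6:5.6.40
Remote Code Execution (CVE-2019-11043)|any:7.1.33 7.2:7.2.24 7.3:7.3.11
Email Header Injection|any:7.3.28
Multiple Vulnerabilities (< 7.3.24)|any:7.3.24'

# Extract the PHP version from raw response headers on stdin (case-insensitive).
php_banner_version() {
    tr -d '\r' | sed -n 's/^[Xx]-[Pp]owered-[Bb]y:[[:space:]]*PHP\/\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# version_lt A B: true when A sorts strictly before B (uses GNU sort -V).
version_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# open_findings VERSION: print the title of each finding that still matches VERSION.
open_findings() {
    printf '%s\n' "$FINDINGS" | while IFS='|' read -r title rules; do
        for rule in $rules; do
            branch=${rule%%:*}; fixed=${rule#*:}
            case "$branch" in
                any) ;;                                   # rule applies to all branches
                *) case "$1" in "$branch".*) ;; *) continue ;; esac ;;
            esac
            if version_lt "$1" "$fixed"; then echo "$title"; break; fi
        done
    done
}

# Constructed sample headers (not captured from a real server).
SAMPLE='HTTP/1.1 200 OK
X-Powered-By: PHP/5.6.36
Content-Type: text/html'
v=$(printf '%s\n' "$SAMPLE" | php_banner_version)
echo "banner: PHP $v"
open_findings "$v"
# Against the live listener: curl -skI https://DOMAIN.COM:7080/ | php_banner_version
```

Because the check keys on the banner alone, an empty result only means the advertised version changed; if the header is suppressed, `php_banner_version` prints nothing and the installed PHP has to be confirmed on the server itself.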