Message from my ISP, regarding old ZEND version

[kaieivindm]

So last night I got an email from my ISP, telling me that I have an old version of ZEND installed.
In other words, they say I have an unsecured version, and "must" update.

Newest version is; 2.4.9 and currently I have version 1.11.1 installed.

Is it just to upgrade ZEND on my webhotel? Or is there some kind of limit to version I can use?
Anyone else done the same upgrade? That can give me some tips on how to do this in a best possible way?

 

[Robust]

I'm a little confused, your ISP doesn't really care if anything is outdated and never ring you about that. I'm pretty sure you got a phishing email.

Since you posted this in XenForo, do you mean Zend Framework? I don't think your ISP would email you saying "You are using outdated Zend with XenForo!! Please update here: Microsoft.com.not.a.virus.click.me.ru/Zend/we/got/him"

 

[kaieivindm]

I'm a little confused, your ISP doesn't really care if anything is outdated and never ring you about that. I'm pretty sure you got a phishing email.

Since you posted this in XenForo, do you mean Zend Framework? I don't think your ISP would email you saying "You are using outdated Zend with XenForo!! Please update here: Microsoft.com.not.a.virus.click.me.ru/Zend/we/got/him"

Actually, my ISP scan all webhotels for outdated software. Quite common in fact.
They basically just warn/inform users to update, so the risk of experience unwanted situations is limited.
Also, I have already checked the mail source, its legit

And yes, I am referring to the Zend framework.

I can choose to upgrade Zend via cPanel, but I need to know what version I can upgrade to.

 

[Paul B]

If you are referring to replacing the Zend files and folders in the /library directory of your XF installation, that's not a good idea.

XF has been developed using a specific version and it can't be guaranteed to work if you replace the files.

 

[kaieivindm]

If you are referring to replacing the Zend files and folders in the /library directory of your XF installation, that's not a good idea.

XF has been developed using a specific version and it can't be guaranteed to work if you replace the files.

Thanks @Brogan

So basically ignore /and tell my host that I can't upgrade. And need to stay on 1.11.1 version of the Framework. Else risking my forum not to work properly.

 

[Paul B]

Yes.

 

[Robust]

I still don't think it's legitimate. You can't tell a Zend version like that. An ISP wouldn't really be bothering to detect the versioning of a website framework of a website you're accessing.

 

[kaieivindm]

I still don't think it's legitimate. You can't tell a Zend version like that. An ISP wouldn't really be bothering to detect the versioning of a website framework of a website you're accessing.

Sorry, my bad, not ISP, webhost is probably more correct

 

[WSWD]

Thanks @Brogan

So basically ignore /and tell my host that I can't upgrade.

Good luck with that! Zend has had a considerable amount of security fixes since your version, including SQL injection attacks that could potentially grant users elevated privileges on the server. Your webhost is likely not going to allow you to put hundreds of other users on the same server at risk. They'll likely just terminate you.

 

[kaieivindm]

Good luck with that! Zend has had a considerable amount of security fixes since your version, including SQL injection attacks that could potentially grant users elevated privileges on the server. Your webhost is likely not going to allow you to put hundreds of other users on the same server at risk. They'll likely just terminate you.

And this is what they also are stating in the mail...
Which is kind of frustrating, if I can't even upgrade the Zend framework, without borking my Xenforo installation.

 

[Chris D]

None of the security patches applied since our version of Zend Framework are relevant or have been mitigated by us in other ways.

Zend Framework is massive and XF only uses a relatively tiny part of it

There are no known issues in the parts of the Zend Framework used by XF therefore there is nothing you or your hosts should be concerned about.

 

[kaieivindm]

None of the security patches applied since our version of Zend Framework are relevant or have been mitigated by us in other ways.

Zend Framework is massive and XF only uses a relatively tiny part of it

There are no known issues in the parts of the Zend Framework used by XF therefore there is nothing you or your hosts should be concerned about.

I'll tell them this, hopefully they don't do anything, but I think they do it this way to "Protect" their users, because often they dont know much them self (the users).
Which makes sense in a lot of ways!

Thanks @Chris D

 

[ForestForTrees]

I'm sympathetic to @kaieivindm's situation. @WSWD makes the correct point that it is a host's prerogative to take this sort of action. While I'm interested in going into details that are doubtlessly complex, there is too much insecure software out there. I can't imagine anything being done about this until version 2.

XF has been tremendously secure software for me so far - not that I claim to be an expert, but I've never had a hiccup. That and I have great faith in the development team.

 

[Snog]

I think they may be talking about the Zend Engine for PHP, not Zend Framework.

 

[Chris D]

I think they may be talking about the Zend Engine for PHP, not Zend Framework.

I initially thought the same, but:

Newest version is; 2.4.9 and currently I have version 1.11.1 installed.

We do indeed include version 1.11.1 of Zend Framework currently and IIRC Zend Engine 1 would be PHP 4.x so that wouldn't fit

 

[Robust]

Well, as far as putting other users at risk goes, I'd go away from a web host that uses that excuse to stop you using software. If they even claim potential to affect other users by a script you're already running, I'd suspect your installation is at risk and the web host is using a poor setup of isolated environments for all of their customers... So yeah, I'd run from that host if that's their reasoning. The only other reasoning would be a general courtesy message, in which case you politely refuse and say Zend Framework is implemented in parts by XenForo, which incidentally has less security problems than IPB... lol. Tell them to suspend their IPB4 users first.

 

[kaieivindm]

Well, as far as putting other users at risk goes, I'd go away from a web host that uses that excuse to stop you using software. If they even claim potential to affect other users by a script you're already running, I'd suspect your installation is at risk and the web host is using a poor setup of isolated environments for all of their customers... So yeah, I'd run from that host if that's their reasoning. The only other reasoning would be a general courtesy message, in which case you politely refuse and say Zend Framework is implemented in parts by XenForo, which incidentally has less security problems than IPB... lol. Tell them to suspend their IPB4 users first.

I'll make contact with them tomorrow, and see how they reply. But I think you have a point here, and as long as they get good reasons, they are not that difficult.
They are an amazing webhotel provider, and really good at this. But being typical naive Norwegian, this stuff is normal and "necessary" for them to push out to their customers

@Chris D yeah they knew what versions I've had on the forum/and also gave the location to the files. So they are actively scanning all hotels for potential risks I assume.

 

[Ernest L. Defoe]

@kaieivindm When you contact your host link them to this thread where one of the developers of the software gave an answer regarding this and hopefully they'll leave you alone.

 

[SneakyDave]

Every decent shared host I've ever used routinely runs scans of installed software on customer accounts and notifies their customers if they see something awry. They probably wouldn't shut a site down due to an outdated Zend library, but I've seen them do it for old WordPress and vulnerable vBulletin versions.

 

[WSWD]

...and the web host is using a poor setup of isolated environments for all of their customers...

It's pretty difficult to isolate users in a shared environment, especially with the control panel options available for shared hosting. Secondly, vulnerabilities are vulnerabilities. If you can gain root access to a server due to exploits, for example, isolating the clients from one another is not going to make a bit of difference.

@kaieivindm If your host is insistent on fixing this, and you are happy with them, you might see if they offer VPS. It is likely to be more expensive than the shared hosting, but will isolate you from the other clients and from the node itself. They really shouldn't care as much about vulnerabilities on a VPS, as worst case scenario, someone will generally only be able to gain access to your VPS and not the node itself.