
Message from my ISP, regarding old ZEND version

Discussion in 'Server Configuration and Hosting' started by kaieivindm, Jan 21, 2016.

  1. kaieivindm

    kaieivindm Active Member

    So last night I got an email from my ISP, telling me that I have an old version of ZEND installed.
    In other words, they say I have an unsecured version, and "must" update.

    Newest version is 2.4.9, and currently I have version 1.11.1 installed.

    Is it just to upgrade ZEND on my webhotel? Or is there some kind of limit to the version I can use?
    Has anyone else done the same upgrade who can give me some tips on how to do this in the best possible way?
    ForestForTrees likes this.
  2. Robust

    Robust Well-Known Member

    I'm a little confused; your ISP doesn't really care if anything is outdated and never rings you about that. I'm pretty sure you got a phishing email.

    Since you posted this in XenForo, do you mean Zend Framework? I don't think your ISP would email you saying "You are using outdated Zend with XenForo!! Please update here: Microsoft.com.not.a.virus.click.me.ru/Zend/we/got/him"
  3. kaieivindm

    kaieivindm Active Member

    Actually, my ISP scans all webhotels for outdated software. Quite common in fact.
    They basically just warn/inform users to update, so the risk of experiencing unwanted situations is limited.
    Also, I have already checked the mail source, it's legit :)

    And yes, I am referring to the Zend framework.

    I can choose to upgrade Zend via cPanel, but I need to know what version I can upgrade to.
  4. Brogan

    Brogan XenForo Moderator Staff Member

    If you are referring to replacing the Zend files and folders in the /library directory of your XF installation, that's not a good idea.

    XF has been developed using a specific version and it can't be guaranteed to work if you replace the files.
  5. kaieivindm

    kaieivindm Active Member

    Thanks @Brogan

    So basically ignore and tell my host that I can't upgrade, and need to stay on version 1.11.1 of the Framework, or else risk my forum not working properly.
  6. Brogan

    Brogan XenForo Moderator Staff Member

    kaieivindm likes this.
  7. Robust

    Robust Well-Known Member

    I still don't think it's legitimate. You can't tell a Zend version like that. An ISP wouldn't really be bothering to detect the versioning of a website framework of a website you're accessing.
  8. kaieivindm

    kaieivindm Active Member

    Sorry, my bad, not ISP, webhost is probably more correct :)
  9. WSWD

    WSWD Well-Known Member

    Good luck with that! Zend has had a considerable amount of security fixes since your version, including SQL injection attacks that could potentially grant users elevated privileges on the server. Your webhost is likely not going to allow you to put hundreds of other users on the same server at risk. They'll likely just terminate you.
  10. kaieivindm

    kaieivindm Active Member

    And this is what they also are stating in the mail...
    Which is kind of frustrating, if I can't even upgrade the Zend framework without borking my XenForo installation.
  11. Chris D

    Chris D XenForo Developer Staff Member

    None of the security patches applied since our version of Zend Framework are relevant or have been mitigated by us in other ways.

    Zend Framework is massive and XF only uses a relatively tiny part of it.

    There are no known issues in the parts of the Zend Framework used by XF therefore there is nothing you or your hosts should be concerned about.
    Last edited: Jan 21, 2016
    Robust, Jake B. and Daniel Hood like this.
  12. kaieivindm

    kaieivindm Active Member

    I'll tell them this, hopefully they don't do anything, but I think they do it this way to "Protect" their users, because often they don't know much themselves (the users).
    Which makes sense in a lot of ways!

    Thanks @Chris D
  13. ForestForTrees

    ForestForTrees Well-Known Member

    I'm sympathetic to @kaieivindm's situation. @WSWD makes the correct point that it is a host's prerogative to take this sort of action. While I'm interested in going into details that are doubtlessly complex, there is too much insecure software out there. I can't imagine anything being done about this until version 2.

    XF has been tremendously secure software for me so far - not that I claim to be an expert, but I've never had a hiccup. That and I have great faith in the development team.
  14. Snog

    Snog Well-Known Member

    I think they may be talking about the Zend Engine for PHP, not Zend Framework.
  15. Chris D

    Chris D XenForo Developer Staff Member

    I initially thought the same, but:
    We do indeed include version 1.11.1 of Zend Framework currently and IIRC Zend Engine 1 would be PHP 4.x so that wouldn't fit :)
    Robust and Snog like this.
  16. Robust

    Robust Well-Known Member

    Well, as far as putting other users at risk goes, I'd go away from a web host that uses that excuse to stop you using software. If they even claim potential to affect other users by a script you're already running, I'd suspect your installation is at risk and the web host is using a poor setup of isolated environments for all of their customers... So yeah, I'd run from that host if that's their reasoning. The only other reasoning would be a general courtesy message, in which case you politely refuse and say Zend Framework is implemented in parts by XenForo, which incidentally has fewer security problems than IPB... lol. Tell them to suspend their IPB4 users first.
  17. kaieivindm

    kaieivindm Active Member

    I'll make contact with them tomorrow, and see how they reply. But I think you have a point here, and as long as they get good reasons, they are not that difficult.
    They are an amazing webhotel provider, and really good at this. But being typical naive Norwegian, this stuff is normal and "necessary" for them to push out to their customers :)

    @Chris D yeah, they knew what versions I've had on the forum and also gave the location of the files. So they are actively scanning all hotels for potential risks, I assume.
  18. Ernest L. Defoe

    Ernest L. Defoe Well-Known Member

    @kaieivindm When you contact your host, link them to this thread, where one of the developers of the software gave an answer regarding this, and hopefully they'll leave you alone.
    kaieivindm likes this.
  19. SneakyDave

    SneakyDave Well-Known Member

    Every decent shared host I've ever used routinely runs scans of installed software on customer accounts and notifies their customers if they see something awry. They probably wouldn't shut a site down due to an outdated Zend library, but I've seen them do it for old WordPress and vulnerable vBulletin versions.
    Last edited: Jan 22, 2016
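
What a host-side inventory scan of the kind discussed in this thread could look like, as an added example (not code from any poster, the host, or XenForo): it walks a directory tree for `Zend/Version.php`, reads the `VERSION` constant that Zend Framework 1 declares there, and reports the file location, the version, and whether the copy sits beside a `XenForo` directory. The 2.4.9 threshold is the figure quoted in the thread; the function names, the sibling-directory heuristic and the sample tree are assumptions.

```python
import os
import re
import tempfile

# Zend Framework 1 declares its release in Zend/Version.php: const VERSION = '1.11.1';
VERSION_RE = re.compile(r"const\s+VERSION\s*=\s*['\"]([0-9][0-9A-Za-z.\-]*)['\"]")

def parse_version(text):
    """Return the version as a tuple of ints, or None if no VERSION constant is found."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(n) for n in re.findall(r"\d+", m.group(1))[:3])

def scan(root, minimum=(2, 4, 9)):
    """Walk root and report every Zend/Version.php copy with its version and context."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) != "Zend" or "Version.php" not in filenames:
            continue
        path = os.path.join(dirpath, "Version.php")
        with open(path, encoding="utf-8", errors="replace") as fh:
            version = parse_version(fh.read())
        if version is None:
            continue  # a file named Version.php without the constant is not a match
        # Assumption: a sibling XenForo/ directory means the copy is vendored by the
        # application and is updated with it, not swapped out on its own.
        bundled = os.path.isdir(os.path.join(os.path.dirname(dirpath), "XenForo"))
        findings.append({"path": path, "version": version,
                         "outdated": version < minimum, "bundled": bundled})
    return sorted(findings, key=lambda f: f["path"])

def build_sample(root):
    """Constructed sample tree (paths are illustrative, not from a real release)."""
    layout = {"forum/library/Zend/Version.php": "const VERSION = '1.11.1';",
              "shop/vendor/Zend/Version.php": "const VERSION = '2.4.9';"}
    os.makedirs(os.path.join(root, "forum/library/XenForo"))
    for rel, body in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write("<?php\nfinal class Zend_Version {\n    " + body + "\n}\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for finding in scan(tmp):
            print(finding)
```

A finding with both `outdated` and `bundled` set is the case this thread is about: the version number alone flags it, while the fix belongs to the application vendor.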
  20. WSWD

    WSWD Well-Known Member

    It's pretty difficult to isolate users in a shared environment, especially with the control panel options available for shared hosting. Secondly, vulnerabilities are vulnerabilities. If you can gain root access to a server due to exploits, for example, isolating the clients from one another is not going to make a bit of difference.

    @kaieivindm If your host is insistent on fixing this, and you are happy with them, you might see if they offer VPS. It is likely to be more expensive than the shared hosting, but will isolate you from the other clients and from the node itself. They really shouldn't care as much about vulnerabilities on a VPS, as worst case scenario, someone will generally only be able to gain access to your VPS and not the node itself.
