Bogus PHP security message on Admin Control Panel Topic is solved

Discussion regarding Joomla! 3.x security issues.

Moderators: Bernard T, mandville, fcoulter, PhilD, General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
Post Reply
JJazz
Joomla! Apprentice
Joomla! Apprentice
Posts: 5
Joined: Mon Jan 22, 2018 3:43 am

Bogus PHP security message on Admin Control Panel

Post by JJazz » Mon Sep 03, 2018 5:19 am

Joomla! 3.8.12 Stable is reporting a new, bogus security message on the admin panel today.

Warning
Your PHP version, 7.0.30-0ubuntu0.16.04.1, is only receiving security fixes at this time from the PHP project. This means your PHP version will soon no longer be supported. We recommend planning to upgrade to a newer PHP version before it reaches end of support on 2018-09-03. Joomla will be faster and more secure if you upgrade to a newer PHP version (PHP 7.x is recommended).


This is nonsense.

1. Joomla itself states that this PHP version is acceptable on its Technical Requirements page,
https://downloads.joomla.org/technical-requirements
PHP[1] 5.6 or 7.0 + 5.3.10

2. PHP states that 7.0 is supported until December.
https://secure.php.net/supported-versions.php

If Joomla wants users to take security advice seriously, it needs to do better to not issue false alerts. There are likely many users running on Ubuntu 16.04.

Thank you.

User avatar
Per Yngve Berg
Joomla! Master
Joomla! Master
Posts: 24727
Joined: Mon Oct 27, 2008 9:27 pm
Location: Akershus, Norway

Re: Bogus PHP security message on Admin Control Panel

Post by Per Yngve Berg » Mon Sep 03, 2018 5:41 am

7.0.31 was released a month ago.

Code: Select all

sudo apt-get update
sudo apt-get upgrade
Will update the server to the latest version of 7.0.x and ubuntu 16.04.5. Your server is outdated.

You should start planning for an upgrade to php 7.2

SharkyKZ
Joomla! Ace
Joomla! Ace
Posts: 1118
Joined: Fri Jul 05, 2013 10:35 am
Location: Unknown

Re: Bogus PHP security message on Admin Control Panel

Post by SharkyKZ » Mon Sep 03, 2018 6:14 am

Thanks for the report. The warning is meant to be displayed 3 months before security updates end but the date displayed is incorrect.

SharkyKZ
Joomla! Ace
Joomla! Ace
Posts: 1118
Joined: Fri Jul 05, 2013 10:35 am
Location: Unknown

Re: Bogus PHP security message on Admin Control Panel

Post by SharkyKZ » Mon Sep 03, 2018 6:22 am


Fatwiisel
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Mon Sep 03, 2018 2:13 pm

Re: Bogus PHP security message on Admin Control Panel

Post by Fatwiisel » Mon Sep 03, 2018 2:23 pm

Got the same Warning, when on to ask my hosting company to upgrade from php 7.0 to 7.2 and got an error page. They're looking into the problem. I did deactivate most 3rd party extensions but still getting the error. How does one find out which extension is php 7.2 compatible other than looking each one up?

User avatar
JAVesey
Joomla! Ace
Joomla! Ace
Posts: 1750
Joined: Tue May 14, 2013 1:21 pm
Location: Cardiff, Wales, UK
Contact:

Re: Bogus PHP security message on Admin Control Panel

Post by JAVesey » Mon Sep 03, 2018 3:36 pm

It's not a bogus warning (poor thread title); it is a genuine warning. PHP 7.0.x will stop receiving updates in December 2018.
John V
Cardiff, Wales, UK
Website: https://www.llanmon.org.uk (Joomla 3.8.12)

User avatar
sozzled
Joomla! Champion
Joomla! Champion
Posts: 5501
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia
Contact:

Re: Bogus PHP security message on Admin Control Panel

Post by sozzled » Mon Sep 03, 2018 5:11 pm

https://www.kuneze.com/blog
Former member of Kunena project team
If you think I’m wrong then say “I think you're wrong.” If you say “You’re wrong!”, how do you know?

User avatar
brian
Joomla! Master
Joomla! Master
Posts: 11715
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK
Contact:

Re: Bogus PHP security message on Admin Control Panel

Post by brian » Mon Sep 03, 2018 5:12 pm

@javesey if you look at the message you will see it says today not december :)
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

JJazz
Joomla! Apprentice
Joomla! Apprentice
Posts: 5
Joined: Mon Jan 22, 2018 3:43 am

Re: Bogus PHP security message on Admin Control Panel

Post by JJazz » Mon Sep 03, 2018 7:44 pm

SharkyKZ wrote:
Mon Sep 03, 2018 6:14 am
Thanks for the report. The warning is meant to be displayed 3 months before security updates end but the date displayed is incorrect.
SharkyKZ, thank you for responding promptly and effectively.

JJazz
Joomla! Apprentice
Joomla! Apprentice
Posts: 5
Joined: Mon Jan 22, 2018 3:43 am

Re: Bogus PHP security message on Admin Control Panel

Post by JJazz » Mon Sep 03, 2018 9:06 pm

Per Yngve Berg wrote:
Mon Sep 03, 2018 5:41 am

Code: Select all

sudo apt-get update
sudo apt-get upgrade
Will update the server to the latest version of 7.0.x and ubuntu 16.04.5. Your server is outdated.
You're wrong.

Code: Select all

# cat /etc/lsb-release 
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.5 LTS"

 dpkg -l php-fpm
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                                    Version                  Architecture             Description
+++-=======================================-========================-========================-===================================================================================
ii  php-fpm                                 1:7.0+35ubuntu6.1        all                      server-side, HTML-embedded scripting language (FPM-CGI binary) (default)

# apt update && apt upgrade
...
All packages are up to date.
...
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

CptBlisterButt
Joomla! Apprentice
Joomla! Apprentice
Posts: 11
Joined: Thu Sep 15, 2011 2:50 am

Re: Bogus PHP security message on Admin Control Panel

Post by CptBlisterButt » Wed Sep 05, 2018 12:50 am

JAVesey wrote:
Mon Sep 03, 2018 3:36 pm
It's not a bogus warning (poor thread title); it is a genuine warning. PHP 7.0.x will stop receiving updates in December 2018.
Here is my warning message:

Code: Select all

Warning
Your PHP version, 7.0.30-0+deb9u1, is only receiving security fixes at this time from the PHP project. This means your PHP version will soon no longer be supported. We recommend planning to upgrade to a newer PHP version before it reaches end of support on 2018-09-03. Joomla will be faster and more secure if you upgrade to a newer PHP version (PHP 7.x is recommended). Please contact your host for upgrade instructions.
What it means is that I run PHP 7.x and it is recommended to upgrade to PHP 7.x :D

User avatar
JAVesey
Joomla! Ace
Joomla! Ace
Posts: 1750
Joined: Tue May 14, 2013 1:21 pm
Location: Cardiff, Wales, UK
Contact:

Re: Bogus PHP security message on Admin Control Panel

Post by JAVesey » Sun Sep 09, 2018 1:38 pm

CptBlisterButt wrote:
Wed Sep 05, 2018 12:50 am
What it means is that I run PHP 7.x and it is recommended to upgrade to PHP 7.x :D
You know what it really means ;)
John V
Cardiff, Wales, UK
Website: https://www.llanmon.org.uk (Joomla 3.8.12)

jkull
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Fri Sep 07, 2018 5:30 pm

Re: Bogus PHP security message on Admin Control Panel

Post by jkull » Mon Sep 10, 2018 4:30 pm

I have done both
sudo apt-get update
sudo apt-get upgrade

also did the release upgrade to bring the server to 18.04.01

php -v shows:

Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
with Zend OPcache v7.2.9-1+ubuntu16.04.1+deb.sury.org+1, Copyright (c) 1999-2018, by Zend Technologies

still get error in admin console. I host the server locally - we use Joomla for our company Intranet. I looked at the back end directory structure and it looks like I have both a php 7.0 folder and 7.2 folder.

Tried
sudo a2dismod php7.0
sudo a2enmod php7.2
systemctl restart apache2
This broke the site so I switched back to 7.0

Most articles I have found say "ask you hosting company to use 7.2 or use cpanel to use 7.2. Not an option for me - I am the host.

How do I force joomla to use 7.2?

Thanks!

User avatar
abernyte
Joomla! Virtuoso
Joomla! Virtuoso
Posts: 3564
Joined: Fri May 15, 2009 2:01 pm
Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड

Re: Bogus PHP security message on Admin Control Panel

Post by abernyte » Mon Sep 10, 2018 5:52 pm

This broke the site so I switched back to 7.0
What broke? Joomla 3.8.12 is perfectly compatible with PHP 7.2. Do you have a third party extension that isn't?
It ain't what you don't know that gets you into trouble. It's what you know for sure that just ain't so. Twain

User avatar
Per Yngve Berg
Joomla! Master
Joomla! Master
Posts: 24727
Joined: Mon Oct 27, 2008 9:27 pm
Location: Akershus, Norway

Re: Bogus PHP security message on Admin Control Panel

Post by Per Yngve Berg » Mon Sep 10, 2018 6:00 pm

Run the FPA when on Php 7.2. That will tell if some modules are missing.


Post Reply

Return to “Security in Joomla! 3.x”