@morganestes
Last active January 23, 2020 03:32
Check for Heartbleed vulnerable versions of OpenSSL
<?php
// Version number for 1.0.1g from http://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff;f=crypto/opensslv.h;h=ebe718072333c048a91bdb1f4a295ff84691ba09;hp=aeb40f5e6cd82eb560e4d13b9f4466f01f8d4365;hb=b2d951e4232d2f90168f9a3dd0b7df9ecf2d81a8;hpb=c5993d10a8f28d4448c6161c3a4ca91b68eea78c
// Compare the running OpenSSL build against the 1.0.1g release number above.
if( defined( 'OPENSSL_VERSION_NUMBER' ) && OPENSSL_VERSION_NUMBER < '0x1000107fL' ) {
    echo OPENSSL_VERSION_TEXT . ' is out of date and vulnerable to The Heartbleed Bug.' . PHP_EOL;
    echo 'Update to version 1.0.1g as soon as possible.';
}
@heyjohnlim

This code is wrong because

  1. Heartbleed only occurs in OpenSSL 1.0.1 and not in earlier versions (e.g. 1.0.0).
  2. The VERSION NUMBER is a number, not a string.

First cut fix:

if( defined( 'OPENSSL_VERSION_NUMBER' ) && 0x10000FFF < OPENSSL_VERSION_NUMBER && OPENSSL_VERSION_NUMBER < 0x1000107f ) {

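As an added worked example (not code from the gist or from the comment above): OpenSSL 1.x encodes OPENSSL_VERSION_NUMBER as 0xMNNFFPPS (major, minor, fix, patch letter, status), which is why 1.0.1g is 0x1000107f. The function below decodes that layout, prints a readable version string, and applies the numeric range check from the comment (1.0.1 up to but not including 1.0.1g) to a few constructed sample numbers plus the host's own build.

```php
<?php
// Added example, not part of the gist. Decodes OpenSSL 1.x's OPENSSL_VERSION_NUMBER
// layout 0xMNNFFPPS (Major, miNor, Fix, Patch letter, Status) and checks the
// Heartbleed-affected range 1.0.1 .. 1.0.1f (everything below 0x1000107f = 1.0.1g).

function opensslVersionParts(int $number): array
{
    return [
        'major'  => ($number >> 28) & 0xF,
        'minor'  => ($number >> 20) & 0xFF,
        'fix'    => ($number >> 12) & 0xFF,
        'patch'  => ($number >> 4) & 0xFF,   // 0 = no letter, 1 = 'a', 2 = 'b', ...
        'status' => $number & 0xF,           // 0 = dev, 1..14 = beta, 15 = release
    ];
}

function opensslVersionString(int $number): string
{
    $p = opensslVersionParts($number);
    $text = sprintf('%d.%d.%d', $p['major'], $p['minor'], $p['fix']);
    if ($p['patch'] > 0) {
        $text .= chr(ord('a') + $p['patch'] - 1);
    }
    if ($p['status'] === 0) {
        $text .= '-dev';
    } elseif ($p['status'] < 0xF) {
        $text .= '-beta' . $p['status'];
    }
    return $text;
}

// True only for the 1.0.1 series older than 1.0.1g; 1.0.0x and 1.0.2+ are out of range.
function isHeartbleedVulnerable(int $number): bool
{
    return $number >= 0x10001000 && $number < 0x1000107f;
}

// Constructed sample numbers (1.0.0h, 1.0.1e, 1.0.1f, 1.0.1g, 1.0.2k), then the host's build.
$samples = [0x1000008f, 0x1000105f, 0x1000106f, 0x1000107f, 0x100020bf];
if (defined('OPENSSL_VERSION_NUMBER')) {
    $samples[] = OPENSSL_VERSION_NUMBER;
}
foreach ($samples as $n) {
    printf("0x%08x  %-10s %s\n", $n, opensslVersionString($n),
        isHeartbleedVulnerable($n) ? 'VULNERABLE (Heartbleed)' : 'not in affected range');
}
```

Because the comparison is done on integers rather than on a string such as '0x1000107fL', the check behaves the same on PHP 7 and PHP 8, which differ in how they compare an int against a non-numeric string.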