
PHP Vulnerabilities Announced

michael posted more than 9 years ago | from the rated-o-for-overtime dept.

PHP 387

Simone Klassen writes "The Hardened-PHP Project has announced several serious and according to them, easy-to-exploit vulnerabilities within PHP. A flaw within the function unserialize() is rated as very critical for millions of PHP servers, because it is exposed to remote attackers through lots of very popular webapplications. The list includes forum software like phpBB2, WBB2, Invision Board and vBulletin. It is time to upgrade now."


387 comments


So sad ... (-1, Flamebait)

YankeeInExile (577704) | more than 9 years ago | (#11117156)

As a Perl bigot, let me be the first to say neener, neener, neener. Of course, I realize that pack()/unpack() could be just as likely to contain this fault, so there but for the grace of God go I ...

Curiously, my feelings about PHP are about the same as my feelings about Linux -- it isn't that I think it's awful -- I just hate its fanboys.

Hammer Revolution! (1)

hammer revolution (836067) | more than 9 years ago | (#11117177)

--;

The hammer revolution has begun.

--;

Re:So sad ... (1)

chipster (661352) | more than 9 years ago | (#11117683)

You should be proud that F/OSS is amazing in the fact that it gives folks choice and alternatives to otherwise proprietary and/or costly solutions.

You hate the "fanboys" - I abhor the bigots who fail to recognize and acknowledge the freedom of choice in the F/OSS "world". Try to embrace that freedom - it's good for the soul.

PHP 4 (0)

s1283134 (660354) | more than 9 years ago | (#11117158)

I liked PHP 4 way better. 5 is too much like Java. If I wanted java I would use java.

Re:PHP 4 (0, Troll)

e-voc (841278) | more than 9 years ago | (#11117281)

you _can_ still use php as always, otherwise use java instead

regards
e-voc

Arrrrgh (1, Informative)

daveschroeder (516195) | more than 9 years ago | (#11117161)

And of course, Mac OS X and Mac OS X Server 10.3.7 contain php 4.3.2...

Re:Arrrrgh (0)

Anonymous Coward | more than 9 years ago | (#11117244)

ever heard of that little procedure we like to call 'upgrading'?

Re:Arrrrgh (0)

Anonymous Coward | more than 9 years ago | (#11117308)

He should have elaborated.

"Upgrading" is fine.

Except when upgrading OS components is likely to break things when official OS and/or security updates come out.

Mac OS X Server's claim to fame as a server OS is that someone who's not some huge Linux/BSD/UNIX geek can run a nice UNIX-based server. And Apple has done a very good job of keeping up with security updates for OSS components. But unfortunately, you still have to wait on Apple. No, you don't *have* to, but if you don't want to risk breaking shit every time there is an "official" Apple Security Update or OS update, you can't just go around replacing the standard OS components (like apache, samba, php, etc.)

Re:Arrrrgh (2, Informative)

Nomikos (30684) | more than 9 years ago | (#11117301)

And of course, Mac OS X and Mac OS X Server 10.3.7 contain php 4.3.2...

Here: http://www.entropy.ch/software/macosx/php/ [entropy.ch] , are usually up-to-date and easy installers for PHP on OS X; he's at 4.3.9 still but I trust the newer one will be up soon.
They're really fire&forget installers, great for people like me :-)

Re:Arrrrgh (1)

sirReal.83. (671912) | more than 9 years ago | (#11117366)

You mean your vendor doesn't provide security updates? Yes, that's a real question.

Re:Arrrrgh (1)

daveschroeder (516195) | more than 9 years ago | (#11117434)

No, they do, and plenty:

http://docs.info.apple.com/article.html?artnum=61798 [apple.com]

But the problem is, while Apple is very responsive to security issues, you kind of have to wait on them for any updates to components that are part of the stock/standard OS. If you go around installing and updating things yourself OVER the OS-installed components, it could break the real updates when they arrive from Apple. The only alternative is to install the updated version in an alternate location, and then revert to Apple's version when it's updated.

This, of course, defeats the whole purpose of using something like Mac OS X Server as a server, since it's supposed to release you from doing all of that crap. Of course, Apple will likely provide an update soon, but it's still irritating to have a known open, unpatched vulnerability on a production system, even if it's only theoretical, and even only for a couple of days.

Re:Arrrrgh (1)

Walrus99 (543380) | more than 9 years ago | (#11117320)

PHP is available on OS X, but only if you activate it and then use it for web stuff. Perl is more fun and arrays are too wishy washy in PHP anyway.

Re:Arrrrgh (0)

Anonymous Coward | more than 9 years ago | (#11117636)

What do you mean by wishy washy? I use PHP regularly and I have no idea what you're on about.

How is this flamebait? (1)

chipster (661352) | more than 9 years ago | (#11117599)

The poster of this parent comment is simply frustrated that Mac OS X is affected by this vuln (which I didn't know was affected until I read his comment).

Hypocrisy of slashot (1, Insightful)

ad0gg (594412) | more than 9 years ago | (#11117601)

If this was an asp.net exploit people would be saying XP, or Server2003 was insecure. Even though IIS isn't installed by default.

No comment? (3, Funny)

jardin (778043) | more than 9 years ago | (#11117162)

They must be all busy upgrading :)

Re:No comment? (5, Funny)

stevesliva (648202) | more than 9 years ago | (#11117520)

No, all the sysadmins are on holiday vacation. Come on folks, announcing security vulnerabilities on a Friday in December? That's just plain mean.

Re:No comment? (0)

Anonymous Coward | more than 9 years ago | (#11117677)

Using PHP and then expecting to go on vacation during the holidays? That's just plain dumb.

-Don

This proves once an for all (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#11117164)

That Perl is superiour.

Re:This proves once an for all (1)

datadriven (699893) | more than 9 years ago | (#11117650)

Does perl come with spell checking?

Re:This proves once an for all (2, Funny)

fitten (521191) | more than 9 years ago | (#11117706)

# in a perfect world this would increse my karma
$karma++;


No... that would be "in a Perlfect world..."

Kewl (3, Funny)

mordors9 (665662) | more than 9 years ago | (#11117188)

I can't wait for someone to release a script that I can use to show what a leet haxor I am.

Re:Kewl (0, Funny)

Anonymous Coward | more than 9 years ago | (#11117545)

They already have, you've just got to figure out how to exploit it using the announcement.

I've said it before, and I'll say it again (2, Funny)

Neil Blender (555885) | more than 9 years ago | (#11117193)

PHP: 10 million newbies can't be wrong.

Re:I've said it before, and I'll say it again (1)

RangerRick98 (817838) | more than 9 years ago | (#11117255)

I assume you dislike PHP. What would you recommend instead?

Re:I've said it before, and I'll say it again (5, Funny)

Anonymous Coward | more than 9 years ago | (#11117325)

I assume you dislike PHP. What would you recommend instead?

A language that is a little more practical for extracting and reporting.

NB

Re:I've said it before, and I'll say it again (2, Insightful)

mrm677 (456727) | more than 9 years ago | (#11117329)

What would you recommend instead?

Java/J2EE/JSP

You can mess up security policies and implementations with Java, but it is much harder to shoot yourself in the foot. The JVM may have bugs, but because it is used for all Java applications, it is likely well-debugged and secure.

Language features eliminate security problems. For example, the Java JVM does something incredibly advanced: bounds checking!

Re:I've said it before, and I'll say it again (1)

rjrjr (28310) | more than 9 years ago | (#11117495)

And the tools, oh the tools. Mmmm...Eclipse yummy.

Re:I've said it before, and I'll say it again (1)

Gaima (174551) | more than 9 years ago | (#11117638)

but it is much harder to shoot yourself in the foot.

Yup, because it is a *LOT* harder to install, and administer. It's all scary black magic, and downright confusing.

Give me apache and PHP any day, with the hardened patches, and mod_suphp.

p.s. I know squat about what it's like to program in, I'm just a poor admin who's had the misfortune to have to administer tomcat.

Re:I've said it before, and I'll say it again (2, Interesting)

dfj225 (587560) | more than 9 years ago | (#11117722)

Yes, servers that work on J2EE specifications are a pain to eliminate, but I live on the other side of the wall compared to you. I don't administer the J2EE server but write apps for it. I think Java is a very secure, professional replacement for PHP. I have written web apps in both and I think Java is the better solution for large projects or a web server used by an office or company. I would still probably use PHP if I need to code something for a personal website, just because it would probably be quick and dirty and I don't need all of the framework that J2EE provides. One of my favorite things about Java is the error handling. Exceptions, IMHO, make web development much easier. Also, Java seems very secure to me. I don't have to worry about my variables being overwritten by http requests or anything like that. The creators of Java also say that the JVM has been proven, mathematically, to be secure. You can take that for what it is worth. PHP is good but I wouldn't want to write anything large in it. But then again, I have not read up on the latest developments with the language, so I am probably a little outdated.

Re:I've said it before, and I'll say it again (0)

Anonymous Coward | more than 9 years ago | (#11117336)

Ruby (on Rails) [rubyonrails.org] .

Re:I've said it before, and I'll say it again (2, Funny)

flatface (611167) | more than 9 years ago | (#11117400)

mod_bf [sourceforge.net]

Re:I've said it before, and I'll say it again (0)

Anonymous Coward | more than 9 years ago | (#11117501)

RXML [roxen.com]

Re:I've said it before, and I'll say it again (3, Funny)

snoyberg (787126) | more than 9 years ago | (#11117299)

You're absolutely correct! I'll go convert all my scripts to ASP and avoid all of PHP's security holes by running on Microsoft software.

Re:I've said it before, and I'll say it again (2, Insightful)

mios (715734) | more than 9 years ago | (#11117307)

Perhaps you've been asleep when every other software package releases updates/bug-fixes/security patches.

Apache: 85% of the internet can't be wrong.

Please sir, dismount yourself from that high horse you are riding on.

Re:I've said it before, and I'll say it again (1)

kz45 (175825) | more than 9 years ago | (#11117449)

Perhaps you've been asleep when every other software package releases updates/bug-fixes/security patches.

Apache: 85% of the internet can't be wrong.

Please sir, dismount yourself from that high horse you are riding on.


this doesn't mean anything. Otherwise, this would also be true:

Internet Explorer: 95% of the internet can't be wrong.

Re:I've said it before, and I'll say it again (1)

Dehumanizer (31435) | more than 9 years ago | (#11117502)

Less than 90% now... :)

Re:I've said it before, and I'll say it again (2, Funny)

cosinezero (833532) | more than 9 years ago | (#11117319)

But scripting languages are what applications are made of! Right?

Re:I've said it before, and I'll say it again (2, Insightful)

Anonymous Luddite (808273) | more than 9 years ago | (#11117494)


But scripting languages are what applications are made of! Right?

I don't think it matters what you use. (compiled or script) There will be an exploit/flaw.

You can shuck all of your PHP and write mts components in VB or even compile your server side stuff as ANSI C, but nothing is going to be perfect.

IMHO what matters is how fast vulnerability information is published after it is found and how quickly it is fixed.

I bow to you... (0)

Anonymous Coward | more than 9 years ago | (#11117510)

...oh sir elitist.

Gimme a break :-/

Third-party modules? (5, Interesting)

flatface (611167) | more than 9 years ago | (#11117196)

I read about this [secunia.com] yesterday and couldn't find out if mod_security [modsecurity.org] and suPHP [suphp.org] are vulnerable to these attacks. With mod_security blocking buffer overflows, "bad" characters, etc. and mod_suphp forcing PHP to run as the user, I don't think that it gives people who run these modules (that) much to worry about.

Re:Third-party modules? (0)

Anonymous Coward | more than 9 years ago | (#11117420)

...these modules (that) much to worry about.

Using parentheses to show emphasis, now (that's) interesting. ;)

Re:Third-party modules? (1)

flatface (611167) | more than 9 years ago | (#11117452)

It's not to show emphasis. It makes the word optional, because I don't know for sure if these modules prevent such attacks.

Re:Third-party modules? (0)

Anonymous Coward | more than 9 years ago | (#11117505)

They don't.

Re:Third-party modules? (-1, Troll)

Anonymous Coward | more than 9 years ago | (#11117526)

(you must be an idiot to use parenthesis that way)

Re:Third-party modules? (2, Insightful)

new-black-hand (197043) | more than 9 years ago | (#11117654)

mod_suphp might prevent you from attaining root, but more often than not root is not required. If you manage to upload files, insert some SQL, read files as the user PHP is running as (eg. nobody) then you have access to the whole web application (user accounts, credit card databases, everything). Getting root is very often not required. That is why these web apps must be as tight (security and access wise) as operating systems themselves. Developers (esp. PHP and ASP developers) are often very slack in this regard.

Upgrade. (4, Insightful)

Anonymous Coward | more than 9 years ago | (#11117207)

I think it's about time someone came up with an easier way to upgrade php.
It's so god damned time-consuming to rebuild the entire thing over and over again, especially because you keep having to rebuild all the additional modules (mysql support, gd support, mcrypt support, pdf, the list goes on).

Re:Upgrade. (1)

DrSkwid (118965) | more than 9 years ago | (#11117417)

yeah, nightmare

% cat /www/bin/php_install

#!/usr/local/bin/rc

# run this after cvsup

echo 'got root ?'

cd /usr/ports/lang/php4
make

cd /usr/ports/lang/php4/work/php-* || exec echo php dir not found
./configure \
--with-apxs \
--disable-cgi \
--enable-mbstring \
--with-openssl \
--with-pcre-regex \
--with-pgsql

make && make install

Re:Upgrade. (1)

SCHecklerX (229973) | more than 9 years ago | (#11117533)

If it causes such a hassle, and has so many security problems, why still use it? Mod_perl with embedded perl seems like a good option.

Re:Upgrade. (1)

DigitalRaptor (815681) | more than 9 years ago | (#11117623)

No thanks. I'd rather have a headache once per quarter when I have to upgrade than daily as I use it.

I started out doing web applications in perl and switched to PHP then PHP / Smarty now and love it.

Re:Upgrade. (0)

Anonymous Coward | more than 9 years ago | (#11117668)

What's hard about "apt-get install libapache2-mod-php4"?

double standards (4, Insightful)

Anonymous Coward | more than 9 years ago | (#11117225)

I love how you guys take this all seriously when there is an error in OSS software but when there is 1 little error in ASP.net you call it inherently insecure and a piece of garbage.

Re:double standards (1)

_the_bascule (740525) | more than 9 years ago | (#11117298)

You must be new here.

Re:double standards (0)

Anonymous Coward | more than 9 years ago | (#11117378)

Good point: ASP.NET is an insecure piece of garbage

Re:double standards (0)

Anonymous Coward | more than 9 years ago | (#11117394)

No, PHP is a piece of garbage too.

Re:double standards (0)

Anonymous Coward | more than 9 years ago | (#11117440)

Quantity.

When was the last time there was a severe bug in PHP? Okay. ASP or ASP.net? Aha -- a wiener is you.

Furthermore, since PHP is portable, we can run it on operating systems like this one [openbsd.org] which have built-in overflow protection. Windows doesn't have, and never will have, the same thing (NX is not the same).

Re:double standards (1)

ocularDeathRay (760450) | more than 9 years ago | (#11117478)

That's because this is something we can DO SOMETHING ABOUT. We can't fix that other software.

Re:double standards (0)

Anonymous Coward | more than 9 years ago | (#11117550)

Well, why didn't you do something about it before, since you had all those eyeballs on the code? You know, checking and re-checking for security problems...

Re:double standards (4, Insightful)

Qzukk (229616) | more than 9 years ago | (#11117618)

Wow gee, how did you think these got found? By the Hardened PHP project bashing their head against the table until ideas popped out? Try "it was found because their eyes were on the code". Something the PHP developers missed that someone else found. Gotta wonder how much stuff Microsoft missed in their code.

PHP is a piece of garbage, too! (-1, Flamebait)

SimHacker (180785) | more than 9 years ago | (#11117514)

PHP is most certainly a piece of garbage. That doesn't mean ASP is any good, just that PHP is no better. Which is pretty bad!

-Don

Meh (1)

paranode (671698) | more than 9 years ago | (#11117622)

While this is true for some, on the whole the major difference is the time between the bug was discovered and when it was patched. MS does tend to take their sweet time.

Re:double standards (0)

Anonymous Coward | more than 9 years ago | (#11117671)

Your point being....?

OMG (1)

FiReaNGeL (312636) | more than 9 years ago | (#11117228)

Almost every forum / message board out there utilizes these scripts... I think a lot of backup-reloading (for those who have them) will take place if a script kiddie toolbox exploiting these vulnerabilities hits the scene...

Forum defacing excepted, is there anything else someone could do using these vulnerabilities?

Re:OMG (1)

flatface (611167) | more than 9 years ago | (#11117267)

And that's why they decided not to release any POCs. I know it's just a matter of time, though. Guess it's a good thing for them (forum owners, etc), but a bad thing for me because I don't know if my machine is vulnerable yet.

Re:OMG (3, Informative)

vluther (5638) | more than 9 years ago | (#11117395)

Forum defacing is for the script kiddies, I've seen variations of the unserialized exploit used, to upload files into paths writeable by the apache user, and reading files accessible by the apache user, you can do mysqldumps, upload zombie scripts etc, one of my clients was made part of a zombie network as the user nobody, and redirect scripts were added to many posts, as the posts are stored in the db, and the kid found the mysql user/pass to access the forum.

Hurrah for Nightly MySQL dumps.

Anyone have a patch/update for Ensim Pro 3.5 (1)

cybrthng (22291) | more than 9 years ago | (#11117237)

I have a few legacy servers just around for my use and I don't want to pay for the upgrade and downtime..

anyone know of any ensim pro updates or packages someone has continued to build for this setup?

(or possibly redhat 7.3 updates..??)

thanks!

Re:Anyone have a patch/update for Ensim Pro 3.5 (1)

flatface (611167) | more than 9 years ago | (#11117377)

Ensim? Dear God. I worked with that piece of shit for about 2 days before I gave up and converted it to a Gentoo system (remotely, was no easy task).

Want to upgrade? Try downloading php, compile it as an apache module, and instead of "make install", replace the files individually. Ensim does a lot of weird stuff.

Re:Anyone have a patch/update for Ensim Pro 3.5 (1)

vluther (5638) | more than 9 years ago | (#11117529)

Try looking at http://www.fedoralegacy.org

They will more than likely have patches for PHP/Apache.

It's always a mixed bag. (0)

the talented rmg (812831) | more than 9 years ago | (#11117243)

PHP is a great language for web applications as many here can attest. While it's true there's some vulnerabilities, there's always going to be a few. The good thing about the open approach is that we know about it and there will be patches in short order.

For my part, I am very interested in the hardened PHP product. As a purveyor of pornographic materials, such hardened security is a must. Given the way hackers constantly try to hack my authentication servers and post passwords on their "warez" sites, security is critical.

The fact is, some information doesn't want to be free. My information wants to be paid for. I hope the hardened PHP project keeps hackers out of my servers for years to come.

Re:It's always a mixed bag. (0)

Anonymous Coward | more than 9 years ago | (#11117286)

This account smells like a new troller, keep an eye out.

Re:It's always a mixed bag. (1, Interesting)

realdpk (116490) | more than 9 years ago | (#11117337)

If PHP wants to get serious about security, it needs to stop writing its own libraries for things already available elsewhere, such as GD or MySQL or any number of other programs. It's always going to be difficult to keep the internal and external libraries in sync, better to just use external.

Basically, if the developers spent less time reinventing every wheel in existence (look at the documentation page some time, the index of the "libraries" is astounding) they might have more time to close holes like this.

Re:It's always a mixed bag. (0)

cosinezero (833532) | more than 9 years ago | (#11117376)

It's not a great language for a serious web application. It's a great language for a barely-working bulletin board app. Just think... Enterprise PHP? Scary.

Re:It's always a mixed bag. (1)

rambot (466616) | more than 9 years ago | (#11117697)

Please define a "serious web application". Have you ever written one? Have you ever written one in PHP and J2EE? Do you have a frame of reference for your statements??

what??? (0)

Anonymous Coward | more than 9 years ago | (#11117462)

You think your intellectual property should remain under your control?? That's heresy on Slashdot. Turn in your badge, please.

Of course... (5, Insightful)

Nos. (179609) | more than 9 years ago | (#11117246)

Most of these vulnerabilities come down to checking user input. If you are properly checking user input against a set of known good values and rejecting any input that is not a match, your chances of being vulnerable decrease dramatically.
Yes, I'm a big fan of php, but like any language out there, there are vulnerabilities. PHP had a bigger problem with register_globals being defaulted to on. Not to make light of these vulnerabilities, but if you are checking user input (assuming you're not using a downloaded package) you should be pretty safe.
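The reject-by-default input checking Nos. describes, as an added example for this editorial pass (it is not code from the thread, from PHP itself, or from any of the forum packages named in the story). It assumes PHP 5.3 or later for the closures, and the request array and field names are constructed for the demo: each expected field is matched against a known-good set, range or pattern, anything else is refused rather than "cleaned up", and unknown fields are never merged into scope the way register_globals used to.

```php
<?php
// Added example: allow-list validation of request fields.
// Returns the typed, validated fields, or null if any field is missing or bad.
function validate_request(array $request) {
    // Known-good values for an enumerated field (constructed for the demo).
    $allowedSort = array('date', 'author', 'subject');

    // One validator per expected field; each returns the typed value or null.
    $rules = array(
        // Only an unsigned decimal string of bounded length becomes an int;
        // ctype_digit() refuses signs, spaces and anything non-numeric.
        'topic_id' => function ($v) {
            return (is_string($v) && ctype_digit($v) && strlen($v) <= 9) ? (int) $v : null;
        },
        // Exact match (strict comparison) against the enumerated set.
        'sort' => function ($v) use ($allowedSort) {
            return in_array($v, $allowedSort, true) ? $v : null;
        },
        // Identifier-style field: fixed character class and length bounds.
        'username' => function ($v) {
            return (is_string($v) && preg_match('/^[A-Za-z0-9_]{3,20}$/', $v)) ? $v : null;
        },
    );

    $clean = array();
    foreach ($rules as $field => $check) {
        if (!array_key_exists($field, $request)) {
            return null; // a required field is absent: reject the whole request
        }
        $value = $check($request[$field]);
        if ($value === null) {
            return null; // one bad field is enough to reject everything
        }
        $clean[$field] = $value;
    }
    // Fields not listed in $rules are dropped here; nothing is extract()ed
    // into the symbol table, so no stray parameter can shadow a variable.
    return $clean;
}

// Constructed sample requests standing in for $_GET (not real traffic).
$good = array('topic_id' => '42', 'sort' => 'date', 'username' => 'alice_1', 'extra' => 'ignored');
$bad  = array('topic_id' => '-1', 'sort' => 'date', 'username' => 'alice_1');

var_dump(validate_request($good)); // validated, typed copy of the three known fields
var_dump(validate_request($bad));  // rejected as a whole because topic_id is not an unsigned integer
```

The important design choice is that validators return a typed value rather than a "sanitised" string: the rest of the application only ever sees an int for topic_id or one of three literal sort names, so there is nothing left to escape later.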

Simple solution (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#11117254)

Use Perl and not php. Php is only for newbies anyway.

Forums (1)

bugg_tb (581786) | more than 9 years ago | (#11117272)

PHPBB will affect a lot of websites; it appears forums.gentoo.org has gone offline, upgrading early perhaps??

Question/Comment (3, Informative)

realdpk (116490) | more than 9 years ago | (#11117293)

Question:

"Note: Due to a problem with earlier versions of Zend Optimizer, its users are urged to upgrade to the latest version."

I can't seem to find any information on what this problem may be. No release notes or anything. Any clues?

Comment:

PHP.net's download scheme is worse than Sourceforge's if you can believe that. Therefore, here are some unPHP.net-ized URLs:

US2 [php.net]
Belgium [php.net]
Finland2 [php.net]

You'll find you can actually right-click and save these and they won't prompt you for a filename "mirror" or something useless like the rest of PHP's download links.

fp 6o4t (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#11117332)

in eternity...Romeo superior to slow, my 8esignation Only way to go: lost its earlier recent article put very distracting to APPEARED...SAYING

Can't compile 5.0.3 (1)

DarkHelmet (120004) | more than 9 years ago | (#11117335)

I've currently tried installing a version of PHP 5.0.3 over the current version of 5.0.2, but it ends up failing on make:

http://bugs.php.net/bug.php?id=31104 [php.net]

Has anyone else run into this problem? If so, please vote on this so that it's fixed for 5.0.4 ;)

Re:Can't compile 5.0.3 (1, Insightful)

Anonymous Coward | more than 9 years ago | (#11117472)

You're missing some development headers. What Linux distribution are you on? You can do something similar to this (I'm on Mandrake 10.1 OE):

urpmi libgcrypt11 libgcrypt11-devel libcryptopp5-devel libcryptopp5-static-devel

I was wondering (-1, Redundant)

Anonymous Coward | more than 9 years ago | (#11117359)

I was wondering why the Gentoo forums were down, guess they got right to upgrading

Open source vulnerabilities (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#11117360)

What the fuck is up with reporting all these open source vulnerabilities? I thought this site was about how great open source is and to generate bad press for M$. Slashdot could at least put these stories in their own section so I won't have to read them.

Posting as AC to not lose any karma due to all apparent M$-lovers around here.

Re:Open source vulnerabilities (0)

Anonymous Coward | more than 9 years ago | (#11117432)

Because it would be even worse if nobody patches their systems and hundreds of PHP-based open source sites are defaced.

This is proof the system works. Hardened PHP is an open source project and accomplished their goal of making PHP more secure.

Re:Open source vulnerabilities (1)

sirReal.83. (671912) | more than 9 years ago | (#11117439)

Vendors usually hear about them with enough time to prepare an update for any relevant products. For example, if you're running RHEL and are a self-respecting sysadmin, you applied this fix last week.

You might be right though: a sec-advisory section might be a good idea.

Why isn't hardened-PHP merged with PHP? (5, Interesting)

DarkHelmet (120004) | more than 9 years ago | (#11117380)

I know this is just a thought, but why aren't the changes within Hardened-PHP within the actual version of PHP that's on the site?

Their implementation of memory checking seems to be sane and valid for all installs. So why are most of us running vanilla like this?

Just a thought.

Re:Why isn't hardened-PHP merged with PHP? (0)

Anonymous Coward | more than 9 years ago | (#11117551)

If something doesn't work like it's supposed to you probably can't go complaining to the PHP maintainers.

FreeBSD port already updated (1, Informative)

Anonymous Coward | more than 9 years ago | (#11117463)

# $FreeBSD: ports/lang/php4/Makefile,v 1.81 2004/12/16 11:37:23 ale Exp $
#

PORTNAME= php4
PORTVERSION= 4.3.10

re: freeBSD port already updated (1)

ed.han (444783) | more than 9 years ago | (#11117591)

o, come now: as a host of ACs are always happy to claim, *BSD is dying, so obviously, that doesn't do anybody any good... [/sarcasm]

ed

Upgraded to 4.3.10... (2, Informative)

Bravid98 (171307) | more than 9 years ago | (#11117493)

And it seems to have compatibility issues. It ended up breaking custom code of mine, as well as Invision Power Board. This was compiled from scratch. Hopefully they'll quickly release a .11.

Solution... (1, Interesting)

sleighb0y (141660) | more than 9 years ago | (#11117534)

Write your own code.

PHP is great, but as with anything you install, you have to place a certain level of trust in it. And since web apps are always open to the public you really better trust them. Esp. if you are a n00b, and are installing these apps without knowledge of programming.

I don't like using a pre-packaged PHP app in a public or semi-public location. Then the code is there for all to study and prepare for an exploit.

I prefer to write all my own apps. I might use code examples and classes as a base, but input is filtered and checked. And nobody else knows the code.

Re:Solution... (1)

B3ryllium (571199) | more than 9 years ago | (#11117657)

The term for this is "Security through Obscurity". It's like moving SSH (or worse, telnet) to port 23456, only somewhat more in-depth (like writing your own telnetd).

Sure, it works, but only until it becomes popular and, thus, no longer obscure.

Re:Solution... (0)

Anonymous Coward | more than 9 years ago | (#11117701)

The above comment deserves the "DUMBASS" award.

Go back to high school.. that's obviously where you came from.

Why are these things always announced on Friday? (2, Funny)

kd3bj (733314) | more than 9 years ago | (#11117570)

Why can't it be Monday? I mean, do the people that make these announcements think we _like_ working weekends?

fix it fix it! (0)

Anonymous Coward | more than 9 years ago | (#11117585)

fix it fix it fix it!

Check your inputs!!!! But not an impressive record (4, Insightful)

dwheeler (321049) | more than 9 years ago | (#11117637)

Thankfully, most of these problems are easily countered by what you always have to do anyway: you MUST check and severely limit what you allow as input. Letting users provide arbitrary-length data that's then used in realpath is a bug in the first place!

The unserialize() bug issue is rather serious, though.

It's true that all systems have vulnerabilities, but that does not mean that all systems are equally secure. What you want is a track record that shows good things. Frankly, I'm not all that impressed with PHP's track record so far. The good news is that the PHP developers have been willing to change critical pieces (like turning off globals) to deal with security issues, and it looks like at least some of them are taking security more seriously. But I'd really like to see evidence of serious steps to not just provide a niftier OO model, but provide a programming language where programs are more likely to actually withstand attack. PHP has a lot going for it, but an implementation that can't handle harsh attacks is simply not appropriate for today's network.

I'd like to see Hardened-PHP, or something like it, merged into the mainline PHP. Why is it that only some users will get a PHP that tries to defend against attacks? Does this mean that other PHP users never get attacked? Does this mean that PHP programmers have stopped making common mistakes? Nonsense. There's no reason that there has to be a separate project to modify PHP to be secure against attack; that should be part and parcel of PHP itself. The performance impact is tiny, and much less important than keeping control over your own machine. Why should anyone be impressed at the speed of a system that's about to be controlled by an attacker?

One of the best ways to get a secure setup is to find out what product has the better security track record with evidence of a secure design (modular parts, etc.), and switch to one of them. That's true whether it's OSS or proprietary; OSS is no guarantee of security, it simply makes some kinds of worldwide review possible. Using Internet Explorer or Outlook? Switch to Firefox and Thunderbird [dwheeler.com] . Using Sendmail? Switch to Postfix. That doesn't guarantee perfection, but you're generally better off in the long run. I think you could make a very good case for switching from PHP to Perl or Python or Java. If the PHP folks want to keep their large user base, they need to get on the stick.
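Two defensive patterns for the points dwheeler raises above (unserialize() on remote data, and unbounded input reaching realpath()), written as an added example for this editorial pass rather than taken from the thread, from Hardened-PHP or from PHP's own sources. It assumes a modern PHP (5.6 or later, for hash_hmac() and hash_equals(), both newer than the 4.3.10/5.0.3 builds under discussion), a server-side secret and a base directory that are constructed placeholders, and a hypothetical cookie format of "hex-HMAC.base64-payload" that the server alone produces.

```php
<?php
// Added example: (1) only unserialize() bytes this server produced, proven by
// an HMAC over the serialized payload; (2) bound and canonicalise a
// user-supplied relative path before it reaches realpath().

// Pattern 1: pack state into a cookie value the server can later authenticate.
function pack_state(array $state, $secret) {
    $payload = serialize($state);
    $mac = hash_hmac('sha256', $payload, $secret);
    return $mac . '.' . base64_encode($payload);
}

// Returns the state array, or null for anything that is not a valid,
// untampered cookie this server issued. unserialize() is only reached after
// the MAC check, so attacker-supplied bytes never get parsed.
function unpack_state($cookie, $secret) {
    if (!is_string($cookie) || strlen($cookie) > 4096) {
        return null; // refuse absurdly large blobs before doing any work
    }
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    list($mac, $b64) = $parts;
    $payload = base64_decode($b64, true); // strict mode: reject stray characters
    if ($payload === false) {
        return null;
    }
    $expected = hash_hmac('sha256', $payload, $secret);
    if (!hash_equals($expected, $mac)) {   // constant-time comparison
        return null;
    }
    // On PHP 7+ add array('allowed_classes' => false) as a second argument
    // so no object is ever instantiated from the payload.
    $state = unserialize($payload);
    return is_array($state) ? $state : null;
}

// Pattern 2: accept a relative path only if it is short, made of a fixed
// character class, contains no '..', and canonicalises to a location
// inside $baseDir. Returns the canonical path or null.
function safe_user_path($baseDir, $userInput) {
    if (!is_string($userInput) || strlen($userInput) > 255) {
        return null; // length is bounded before any filesystem call
    }
    if (!preg_match('#^[A-Za-z0-9_][A-Za-z0-9_./-]*$#', $userInput) || strpos($userInput, '..') !== false) {
        return null;
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . '/' . $userInput);
    if ($base === false || $full === false) {
        return null; // base missing, or target does not exist
    }
    // Even after the checks above, require the resolved path to sit under
    // the base directory (symlinks can otherwise escape it).
    if (strncmp($full, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

// Constructed demo values (placeholder secret, not a real deployment).
$secret = 'replace-with-a-long-random-server-side-secret';
$cookie = pack_state(array('uid' => 7, 'theme' => 'dark'), $secret);
var_dump(unpack_state($cookie, $secret));   // the state round-trips
$forged = 'deadbeef.' . base64_encode(serialize(array('uid' => 1)));
var_dump(unpack_state($forged, $secret));   // wrong MAC: payload is never unserialized

// The script's own directory and file name serve as the demo base directory.
var_dump(safe_user_path(dirname(__FILE__), basename(__FILE__))); // resolves inside the base
var_dump(safe_user_path(dirname(__FILE__), '../outside.txt'));   // refused by the '..' rule
```

The length caps are deliberately checked first in both functions: the realpath() issue dwheeler mentions is an arbitrary-length argument, and the unserialize() parser likewise should never see more bytes than a legitimate cookie could contain. The HMAC turns the question "is this serialized string safe to parse?" into "did we produce it?", which is a far easier property to verify.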

If (2, Funny)

Alioth (221270) | more than 9 years ago | (#11117662)

If PGP stands for Pretty Good Privacy, does PHP stand for Pretty Hopeless Privacy?

it never ends ;) (0)

Anonymous Coward | more than 9 years ago | (#11117712)

Man you know you skip one day of reading security focus emails, return after a nice long lunch, and see everything's gone to hell.