Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Month of PHP Bugs Has Begun

Zonk posted more than 7 years ago | from the quick-hide-the-furniture dept.

Security 165

An anonymous reader writes "The previously announced Month of PHP Bugs started three days ago, and already lists 8 security vulnerabilities in PHP and PHP related software. From the site: 'This initiative is an effort to improve the security of PHP. However we will not concentrate on problems in the PHP language that might result in insecure PHP applications, but on security vulnerabilities in the PHP core. During March 2007 old and new security vulnerabilities in the Zend Engine, the PHP core and the PHP extensions will be disclosed on a day by day basis. We will also point out necessary changes in the current vulnerability management process used by the PHP Security Response Team.'"

cancel ×

165 comments

Sorry! There are no comments related to the filter you selected.

Month of PHP Bugs Has Begun... (-1, Troll)

minginqunt (225413) | more than 7 years ago | (#18219104)

...And will NEVER END.

Muhahahahahahaha.

Ahem.

Re:Month of PHP Bugs Has Begun... (1)

namityadav (989838) | more than 7 years ago | (#18219186)

There are so many "Get me a portal, quick" / "I want to create a CMS that will make me rich" websites based on PHP based solutions that this exercise becomes obviously very important. It's surprising how many of such websites are severly insecure.

cocks (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#18219108)

huge cocks slapping against your forehead

Re:cocks (0)

Anonymous Coward | more than 7 years ago | (#18221546)

That's Zonk's dream. He's probably whacking to the thought of that right now...

Defective by Design? (4, Interesting)

Ckwop (707653) | more than 7 years ago | (#18219132)

We see a lot of people use the phrase "defective by design" when talking about Vista and in that instance I'm pretty sure the use of the term is correct.

Having never used PHP but heard of its many security problems I'm wondering: Is PHP defective by design? If so, why so and how would Slashdot seek to fix it?

Simon

Re:Defective by Design? (2, Interesting)

SCHecklerX (229973) | more than 7 years ago | (#18219220)

Use perl instead :)

Not entirely joking. I use embedded perl for my own dynamic sites, and keep track of the lists, and can't recall any serious known flaws with that implementation.

The vulnerabilities that keep popping up (and the fact that I already know and am comfortable with perl, have CPAN, can develop quickly especially now that I have my own base modules set up, etc) are one reason that I never really looked into PHP.

Re:Defective by Design? (1)

eneville (745111) | more than 7 years ago | (#18219676)

Use perl instead :)

Not entirely joking. I use embedded perl for my own dynamic sites, and keep track of the lists, and can't recall any serious known flaws with that implementation.

The vulnerabilities that keep popping up (and the fact that I already know and am comfortable with perl, have CPAN, can develop quickly especially now that I have my own base modules set up, etc) are one reason that I never really looked into PHP.

the problem with perl is that i tend to use it for system administration purposes rather than making websites. php is just better for making sites as it is generally setup OOTB, almost a de facto for apache. the programmer should be aware of general problems, the magic_quotes implementation was designed to help programmers, but i think it introduced more code paths.

Re:Defective by Design? (5, Informative)

julesh (229690) | more than 7 years ago | (#18219228)

Is PHP defective by design?

It was. A lot of work has been done in the last couple of major versions to fix this, but still a lot of installations are crippled in the name of backward compatibility.

Most of what we're seeing here though is just run-of-the-mill sloppy coding. Create a lot of references to a variable and overflow its (16-bit) reference count? Please. That should never have happened.

Fortunately, it seems most of the bugs released so far don't affect the majority of installations. We have a number of 'executing arbitrary PHP code can let somebody own your web server' -- well, most of us don't let random people run arbitrary PHP code anyway. We have some 'deserialising arbitrary data can let somebody own your web server' issues too, but then there has been a long-standing warning that PHP's deserialise function isn't secure anyway, so that shouldn't affect anyone who's been paying attention. We have some issues with the Zend Platform, but I'm not sure how many people have that installed. So far, the only issue to affect me, is the phpinfo XSS vulnerability -- and that just meant I had to delete my phpinfo.php file that I kept in the root of each domain I host.

Re:Defective by Design? (3, Interesting)

Anonymous Coward | more than 7 years ago | (#18219264)

Uhmm, you are aware that all the phpBB forums out there use unserialize() on cookie data?

And phpBB is just one of many popular applications that do it...

Re:Defective by Design? (2, Insightful)

julesh (229690) | more than 7 years ago | (#18219280)

Uhmm, you are aware that all the phpBB forums out there use unserialize() on cookie data?

No, I wasn't. One more reason not to use phpBB, I guess.

Re:Defective by Design? (1)

Phantombrain (964010) | more than 7 years ago | (#18219490)

If you read the website, you would have seen that the unserialize bug was fixed in PHP 4.4.5

Re:Defective by Design? (1)

julesh (229690) | more than 7 years ago | (#18220666)

If you read the website, you would have seen that the unserialize bug was fixed in PHP 4.4.5

Doesn't mean calling unserialize on untrusted data is a good idea. Unserialized data may be of any class, and code may be automatically executed in it during the unserialization process. This means an attacker may be able to execute code you were not expecting to be executed, potentially leading to any of a number of exploit scenarios. Unserializing untrusted data in PHP (and many other dynamic languages) is a bad idea.

Re:Defective by Design? (1)

kestasjk (933987) | more than 7 years ago | (#18222658)

It was actually the cause of a security hole a while back. They unserialize your MD5 hash (which isn't salted by the way), and check whether it == the hash retrieved from the database.

But they do $inputHash == $hash, and you can use the serialized syntax to make $inputHash = true;, which means that it will == any non-zero-length string. Very annoying gotchas like this can make PHP a nightmare.

Re:Defective by Design? (0)

Anonymous Coward | more than 7 years ago | (#18219430)

And phpBB is just one of many poorly written applications that do it...

Welcome to a security problem everyone else had fixed 5 years ago, the only thing that should be stored in a cookie is a session id! WhatWG DOM storage is being created because of idiots (like those ASP.NET clowns) passing serialized data back and forth in cookies or hidden form fields.

Re:Defective by Design? (1, Informative)

Anonymous Coward | more than 7 years ago | (#18219314)

Is PHP defective by design?

It was.

It still is. Security is not a property of software, or even software design. It's a property of the development process, and it's something that the core PHP developers have failed to get time and time again.

It's true, they've fixed some glaring problems over the past couple of major versions. But they've done it because they've been nagged and shamed into doing so. They still don't have proper processes in place, they still don't get it, and I'm pretty sure they are going to use the fact that Stefan is the one behind this month of bugs as an excuse to call foul. Sure, they'll fix the bugs because now they have no other option (bear in mind some of these bugs have been known for a long time), but they'll totally avoid thinking about what caused these problems in the first place, and ultimately it will change nothing.

Re:Defective by Design? (4, Interesting)

julesh (229690) | more than 7 years ago | (#18219348)

I think PHP has got beyond the stupid-design-flaws-causing-security-issues stage. Now, as you correctly point out, the major issue is endemic insecure programming practices and a lack of attention to bug reports.

How I wish we could just junk the language and start again with something else; unfortunately, market pressures being what they are, I'm afraid we're stuck with it, at least for the time being.

Re:Defective by Design? (0)

Anonymous Coward | more than 7 years ago | (#18219524)

the major issue is [...] and a lack of attention to bug reports.

I don't think that's fair. I've anonymously reported a handful of bugs over the past couple of years and most were fixed within 24 hours. Here's one I recall from last year [php.net] (yes I admit that particular one is not really a core bug). I'll criticize PHP until I'm blue in the face but my experience with bug fixing has been an overall positive experience.

Re:Defective by Design? (0)

Anonymous Coward | more than 7 years ago | (#18220370)

Last time this story cropped up on Slashdot, somebody pointed out a bug report where an unprivileged user could segfault the server due to a flaw in the MySQL extension shipped with PHP - the bug was closed as "user error". I've personally reported a (non-security-related) bug that has been treated in a similar way. Another bug I've reported was met with "well I'll think about fixing it if I get around to it". I've seen plenty of things of this nature.

Re:Defective by Design? (1)

hutchike (837402) | more than 7 years ago | (#18219580)

...or you could target PHP at the Java JVM and benefit from the security built into Java?

Re:Defective by Design? (4, Insightful)

Dan Ost (415913) | more than 7 years ago | (#18220070)

Actually, lots of people have abandoned PHP for Python and Ruby.

It may never completely go away, but there are alternatives to using it.

Re:Defective by Design? (2, Informative)

julesh (229690) | more than 7 years ago | (#18220728)

Actually, lots of people have abandoned PHP for Python and Ruby.

It may never completely go away, but there are alternatives to using it.


Not really. Most of us in the off-the-shelf web package software development industry are constrained to develop in whatever's available on the servers our clients are likely to choose. An informal survey suggests that of 5 popular hosting providers in my local area, only 1 offers anything other than PHP or Perl/CGI in their basic level package. With this kind of support, we'd be crazy to develop our software in any other environment. Sure, if you're building a site for yourself to use with a hosting provider you can choose, and your budget isn't so tight you have to go with the cheapest available, you get a choice of environments. Most people aren't in that situation -- most people have to use packaged software, and the packaged software vendors are in the same situation I'm in that it is market suicide to use anything other than PHP (or, for a significant minority, ASP.NET).

Re:Defective by Design? (1)

jZnat (793348) | more than 7 years ago | (#18222256)

Just wait for Debian Etch; that should help update a lot of hosts into using modern languages (including modern versions of PHP).

Re:Defective by Design? (0)

Anonymous Coward | more than 7 years ago | (#18220768)

I happen to think that Python and Ruby (fine scripting languages that they are) make poor replacements for PHP. Haxe [haxe.org] or Pike [ida.liu.se] are better but not as widely available.

From a hosting perspective, I'd like everyone to target parrot [parrotcode.org] and we can have done with it.

Re:Defective by Design? (1)

jadavis (473492) | more than 7 years ago | (#18220964)

I think PHP has got beyond the stupid-design-flaws-causing-security-issues stage.

A major problem for PHP is still it's configureware mentality. No other programming language has a configure file. PHP started with it because it's also a web framework; which is somewhat understandable. However, they then proceeded to abuse the configuration file for all sorts of semantic behaviors, and the end result is that it's very HARD to program securely and portably at the same time. Make a configuration change, and that could introduce a subtle security flaw.

magic quotes is probably the worst idea that PHP ever had.

Re:Defective by Design? (1)

cerberusss (660701) | more than 7 years ago | (#18222010)

How I wish we could just junk the language [PHP]
At least it's better than Perl.


*ducks*

Re:Defective by Design? (5, Informative)

aaronwormus (716976) | more than 7 years ago | (#18219964)

> I had to delete my phpinfo.php file that I kept in the root of each domain I host.

if you left an open phpinfo() on your server (giving potential attackers access to filepaths, module version numbers, configuration options, apache server configuration options), you have a lot more to worry about than a little XSS.

unfortunatly, you're not alone [google.com] .

Re:Defective by Design? (1)

cheater512 (783349) | more than 7 years ago | (#18220672)

Hey I use other people's phpinfo pages for debugging HTTP headers. :)

Its bloody helpful.

Re:Defective by Design? (0)

Anonymous Coward | more than 7 years ago | (#18220130)

So far, the only issue to affect me, is the phpinfo XSS vulnerability

You have something to prevent people from requesting /whatever.php?a[][](etc)=1&a=0 to trigger that recursive overflow crash?

Re:Defective by Design? (1)

julesh (229690) | more than 7 years ago | (#18220832)

You have something to prevent people from requesting /whatever.php?a[][](etc)=1&a=0 to trigger that recursive overflow crash?

Yes; I have set up my server to reject requests with GET/POST variables that have unrecognised names. The '[]' would trigger that rejection.

Re:Defective by Design? (0)

Anonymous Coward | more than 7 years ago | (#18221524)

Apache child segfaults on malformed POST data, I'm still thinking about that one. I think a mod_rewrite rule can work around any issues or perhaps PHP auto-globals JIT can be back-ported?

Re:Defective by Design? (0)

Anonymous Coward | more than 7 years ago | (#18221270)

>and that just meant I had to delete my phpinfo.php file that I kept in the root of each domain I host.

Please. That should never have happened.

I've never taken a university-level CompSci class in my life, and even I know you don't make filenames the same as revealing functions. Much less store them at root.

Do you have sudo.sh as well? Let's check...

Re:Defective by Design? (1)

tobiasly (524456) | more than 7 years ago | (#18222226)

and that just meant I had to delete my phpinfo.php file that I kept in the root of each domain I host.

Heh... guess I'm not the only idiot that does that. :) Even though I'm running 5.x and that bug doesn't affect me, I've known it was a stupid idea for a long time but laziness prevailed. You and the PHP bugs project have just given me the motivation to fix that!

The simplest fix (1, Interesting)

Anonymous Coward | more than 7 years ago | (#18219340)

One of the biggest problems with PHP is the die-hard adherance to backwards compatibility. Functions don't get deprecated, the API doesn't change, it gets overloaded with nearly-the-same but-not-quite methods so that somewhere, somebody doesn't complain about how their website "broke" with the latest release--never mind the fact that by using insecure functions, their sites are already broke.

Re:The simplest fix (1)

epine (68316) | more than 7 years ago | (#18219874)

One of the biggest problems with PHP is the die-hard adherance to backwards compatibility. Functions don't get deprecated, the API doesn't change, it gets overloaded with nearly-the-same but-not-quite methods so that somewhere, somebody doesn't complain about how their website "broke" with the latest release--never mind the fact that by using insecure functions, their sites are already broke.

It goes beyond that. When the new API variants are released, details the actual problem resolved are usually found deep in the discussion and not the primary document itself.

Does the main documentation for unserialize call any attention to the hazards associated with it?

http://ca3.php.net/manual/en/function.unserialize. php [php.net]

I have no particular grudge against PHP. I used it myself for small projects because the language is relatively easy to relearn on the fly. Perl demands too much head space to use it less than once a month. However, when you decided you really want to get a function right, you tear your hair out trying to get an exhaustive account from the online PHP documentation of the issues you need to concern yourself with.

The PHP project brought the month of bugs onto themselves. The simplest measure they could have taken was to make prominent in their online documentation the risks associated with each function PHP provides. I have no problem with caveat emptor. In fact, I've always shunned the languages that attempt to save me despite myself. The lack of prominent "beware of dog" signs in the online PHP documentation is what drives the security split within the PHP community: allowing one camp to remain lax, while the other camp becomes increasingly strident.

I regard this "month of bugs" as long belated complement to the online PHP documentation for concise information on the risk side of the equation.

Parent isn't flamebait (1)

blincoln (592401) | more than 7 years ago | (#18219476)

It's a legitimate question.

I just started using PHP a few months ago for a few utilities on one of my websites. There are a ton of things about the language that seem half-assed. In particular I'm thinking of:

- The entire mysql library, which I have to use right now because mysqli apparently isn't enabled by default in PHP 4 and my current host won't turn it on or upgrade to PHP 5. Why is the default behaviour to force the use of SQL injection-vulnerable code?
- There is no equivalent of a "contains" method for the string class, with strpos() being the recommended alternative. strpos() returns 0 if a string doesn't contain the specified substring... or it contains it at position 0. So to do a true "does this string contain some substring?" check requires using both strpos() *and* a separate check between the substring and a new substring made from the original string but chopped off at the length of the substring you're checking for.
- Dynamically-typed variables. Worst code/script idea evar. Yes, I realize PHP is not alone in this.

Basically to me it looks like the *ix version of VBScript. In its favour, it does use curly braces instead of MS' stupid "If something Then doSomeOtherThing End If" syntax.

Re:Parent isn't flamebait (4, Interesting)

Aladrin (926209) | more than 7 years ago | (#18219688)

So your webhost won't upgrade, and that's PHP's fault? PHP5 has been out a LONG time. Don't bother complaining about bugs in PHP4 simply because your website can't be bothered to upgrade. Find a decent webhost instead.

strpos() return FALSE when it can't find the 'needle'. http://us2.php.net/strpos [php.net] Use a proper test (===) and you'll have all you need in a single statement.

Some people really LIKE dynamically-typed variables. It's not a bug or a problem. It's a design choice.

Your flamebait at the end (vbscript) does nothing to enhance your argument. Leave it off next time.

perl rules (-1, Troll)

Anonymous Coward | more than 7 years ago | (#18222186)

If it's still fucked-up by the time it gets to version 4, I wouldn't hold out much hope that 5 will be better.

Re:Parent isn't flamebait (0)

Anonymous Coward | more than 7 years ago | (#18219720)

> There is no equivalent of a "contains" method for the string class, with strpos() being the recommended alternative. strpos() returns 0 if a string doesn't contain the specified substring... or it contains it at position 0. So to do a true "does this string contain some substring?" check requires using both strpos() *and* a separate check between the substring and a new substring made from the original string but chopped off at the length of the substring you're checking for.

strpos? *and* a separate check? strstr [php.net] not good enough?
Returns false if string A does not contain string B, otherwise it is contained. What about preg_match?

Re:Parent isn't flamebait (0)

Anonymous Coward | more than 7 years ago | (#18219752)

strpos() returns 0 if a string doesn't contain the specified substring... or it contains it at position 0. So to do a true "does this string contain some substring?" check requires using both strpos() *and* a separate check between the substring and a new substring made from the original string but chopped off at the length of the substring you're checking for.

WTF are you smoking()? From the manual: [php.net]

If needle is not found, strpos() will return boolean FALSE.

Like this:

$result = strpos($haystack, $needle);
if ($result === false) die("$needle was not found\n");

Re:Parent isn't flamebait (1)

TheNinjaroach (878876) | more than 7 years ago | (#18219872)

There is no equivalent of a "contains" method for the string class, with strpos() being the recommended alternative. strpos() returns 0 if a string doesn't contain the specified substring... or it contains it at position 0. So to do a true "does this string contain some substring?" check requires using both strpos() *and* a separate check between the substring and a new substring made from the original string but chopped off at the length of the substring you're checking for.
Use === with your comparison. Yes, dynamically typed variables can be a pain but only if you don't understand how to use them. Look at the following example:

$inputstring = "This is my PHP script";
if(strpos($inputstring,"This") === false) echo "Not found in inputstring"; //This does NOT evaluate to true because 0 is NOT === false
if(strpos($inputstring,"This") == false) echo "Not found in inputstring"; //This WILL evaluate to true and echo happens because 0 == false

So your criticism of dynamically-typed variables is valid and is what confuses you when it comes to using strpos().

Re:Parent isn't flamebait (1)

cheater512 (783349) | more than 7 years ago | (#18220714)

Just because you havent learnt about how the type system works doesnt mean its crappy.

Re:Defective by Design? (1)

mbyte (65875) | more than 7 years ago | (#18219546)

That would imply that PHP was designed .. rather than something happened by accident ;)

Re:Defective by Design? (1)

cheater512 (783349) | more than 7 years ago | (#18220638)

PHP its self is very good. Its the sloppy coders who give it the bad name.

I've seen atrocious code where you can tell that just because the coder knows how to do a for loop in BASIC it means it can become the next Bill Gates.

Re:Defective by Design? (4, Funny)

arodland (127775) | more than 7 years ago | (#18220742)

Nope. Definitely defective by lack of design.

Re:Defective by Design? (1)

cortana (588495) | more than 7 years ago | (#18222158)

That implies that PHP was designed in the first place.

Month of bugs, will it change things for better? (3, Interesting)

chabotc (22496) | more than 7 years ago | (#18219152)

To be honest i'm glad that this month of bugs is happening, after all the previous news items about how the core php / zend team is refusing to colaberate with some ppl who are deeply concerned about php's security (and by this we do mean mistakes/faults in the php engine, not in bad php programming).

On the other hand, i bet a fair few of the released vunerabilities will be applicable for many websites that the company i work for hosts, and i know corperate policy doesn't include frequent updates to their envirioment, there's just to many sites, to many badly supported applications by/for customers, and just to damn many servers to work with easily, i can't imagine were the only such company with such problems... And it really makes me wonder if this will mean that many hundreds of our hosted websites will from now on be easily hackable by scriptkiddies

Should prove to be interesting times, and who knows maybe it will teach our admins to use yum/rpm's for their servers instead of compiling their own apache/php combinations :-)

Re:Month of bugs, will it change things for better (0)

Anonymous Coward | more than 7 years ago | (#18219512)

after all the previous news items about how the core php / zend team is refusing to colaberate with some ppl who are deeply concerned

DO NOT SAY PPL! DO NOT SAY PPL! DO NOT SAY PPL! DO NOT SAY PPL! DO NOT SAY PPL! DO NOT SAY PPL! DO NOT SAY PPL! DO NOT SAY PPL! DO NOT SAY PPL! DO NOT SAY PPL! DO NOT SAY PPL! DO NOT SAY PPL! DO NOT SAY PPL! DO NOT SAY PPL! DO NOT SAY PPL! DO NOT SAY PPL! DO NOT SAY PPL! DO NOT SAY PPL! DO NOT SAY PPL! DO NOT SAY PPL! DO NOT SAY PPL! DO NOT SAY PPL!

Lameness filter encountered. Post aborted!
Reason: Don't use so many caps. It's likeLameness filter encountered. Post aborted!
Lameness filter encountered.
Your comment violated the "postercomment" compression filter. Try less whitespace and/or less repetition. Comment aborted.
Reason: Don't use so many caps. It's like
Lameness filter encountered.
Your comment violated the "postercomment" compression filter. Try less whitespace and/or less repetition. Comment aborted.Lameness filter encountered. Post aborted!
Reason: Don't use so many caps. It's likeLameness filter en
Lameness filter encountered.
Your comment violated the "postercomment" compression filter. Try less whitespace and/or less repetition. Comment aborted.countered. Post aborted!
Reason: Don't
Lameness filter encountered.
Your comment violated the "postercomment" compression filter. Try less whitespace and/or less repetition. Comment aborted. use so many caps. It's li

Re:Month of bugs, will it change things for better (-1, Troll)

Anonymous Coward | more than 7 years ago | (#18219632)

maybe it will teach our admins to use yum/rpm's for their servers instead of compiling their own apache/php combinations

Nobody in their right mind uses a package manager for Apache and PHP.

Just in case.. (3, Interesting)

loconet (415875) | more than 7 years ago | (#18219174)

To clarify, note that these bugs are related to the PHP core, not the language itself which may result in insecure applications. The statement that 8 security vulnerabilities in PHP and PHP related software is not referring to PHP software such as Wordpress. I mean seriously, I think I saw my dog hacking together a blog the other day using PHP. Everyone uses the language and not everyone has the background to know what they should and shouldn't be doing. In addition to its popularity, the language and its "libraries" make it easy for untrained coders to leave gapping holes in the code. Don't get me wrong, I love PHP (to an extend), I make a living out of it but any attempt at fixing "PHP related software" directly (ie: wordpress,phpbb,oscommerce,etc) would take more than a month.

Also version 4 predominates (1)

Mateo_LeFou (859634) | more than 7 years ago | (#18219420)

I've used PHP5 exclusively for over a year, for well-publicized reasons.

Re:Also version 4 predominates (0)

Anonymous Coward | more than 7 years ago | (#18220276)

PHP 5 broke my wikis :(

Re:Just in case.. (1)

FooMoeDee (1071002) | more than 7 years ago | (#18219424)

these bugs are related to the PHP core...I make a living out of it
You're the most qualified person currently available to hypothesize on an attack vector and a path to a full-fledged exploit. Will you share any thoughts?

Re:Just in case.. (1)

Toba82 (871257) | more than 7 years ago | (#18219570)

I cannot agree more. I use PHP extensively and to be honest, none of the PHP 'exploits' have ever effected any of my scripts. In one case where a GET variable contains a base64 encoded serialize()ed structure, I included sha1 and md5 hashes in the URL that have to match for input to be accepted... I did this a year ago, because I had a feeling that unserialize could be unsafe. Evidently, I was right.

In a shared-hosting situation, I can see why these would be a much bigger problem.

Re:Just in case.. (1)

ravenlock (693538) | more than 7 years ago | (#18220496)

Exactly how is that secure if you trust the client for both the content and the hash?

Bugs (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#18219234)

Listed here [blogspot.com] .

Er... (0, Troll)

John Nowak (872479) | more than 7 years ago | (#18219256)

Just one month?

Re:Er... (1)

eneville (745111) | more than 7 years ago | (#18219470)

Just one month?
lets hope someone fixes mail()

Re:Er... (1)

jZnat (793348) | more than 7 years ago | (#18222296)

Way ahead of you [php.net] .

vulnerable (1)

IT 073571 (1069570) | more than 7 years ago | (#18219260)

Beware of the unexpected behavior of a program... it brings joy to hackers all around the world.

die PHP die (0)

Anonymous Coward | more than 7 years ago | (#18219356)

I expect many of us have some heavy patching to do this month. PHP devs refused to take the opportunity to break BC and fix the language/runtime with PHP5.

When will OpenJDK be usable serverside? I think I'd prefer to spend the month converting a bunch of PHP apps to Java instead of applying patches.

Re:die PHP die (1)

eneville (745111) | more than 7 years ago | (#18219576)

I expect many of us have some heavy patching to do this month. PHP devs refused to take the opportunity to break BC and fix the language/runtime with PHP5.

When will OpenJDK be usable serverside? I think I'd prefer to spend the month converting a bunch of PHP apps to Java instead of applying patches.
not everything will benefit from the conversion. some objects take much time to construct in java, and generally things will perform worse. there are some things that can benefit from being a bean though. loading a huge array, of perhaps loginids statically would perhaps save some database work. it's hard to say. but for most people i would estimage 6-12 months for the conversions.

Typical (3, Informative)

dysfunct (940221) | more than 7 years ago | (#18219672)

Stefan Esser has found some interesting yet not too surprising vulnerabilities in PHP. All those scenarios described in the various vulnerability reports are very typical for the development process of PHP and many similar ones have already been found and reported. The same goes for the fact that many of those are simply WONTFIX. A perfect example for the general attitude regarding a remote code execution vulnerability cited here [php-security.org] :

Because the PHP developers do not want to fix this anymore because it creates problems for companies providing closed source PHP extensions the only potential workaround is to manually change the size of the reference counter in your own PHP. However if you do so you have to recompile all your PHP extensions and cannot use closed source PHP extensions anymore.

I more and more get the feeling that the PHP developers themselves do not properly understand the vulnerabilities any more, which leads to improper and I even dare to say incompetent handling of reports and fixes (many of which simply get applied somewhere down the road without proper announcement or mentioning anywhere in the CHANGELOG) as well as seemingly ignorance regarding more complex vulns that are just as relevant as the glaringly obvious ones but simply not as mass-exploitable by script kiddies.

And *this* is the big problem that PHP is facing today regarding enterprise support. Maybe Jon Doe's blog installation is not as mass-exploitable by a script kiddie any more as it used to be some years ago, yet Big Company's CMS is still vulnerable to complex attacks by an experienced attacker who might use published attacks that security experts know about, yet end users do not.

Re:Typical (1)

Unknown Relic (544714) | more than 7 years ago | (#18220594)

First of all, the issue HAS been fixed in PHP5 and above. Secondly, this is NOT a remote code execution vulnerability. The only way it can be exploited is by already having the ability to make the server run arbitrary scripts.

Yes, in a shared host environment it potentially allows users to bypass safe mode and open basedir restrictions, however information on how to properly secure PHP for a shared environment has been around for a LONG Time. Not one person on the development team you go so far as to call incompetent would state that safe mode (which has been depreciated) and open basedir are sufficient for that purpose. On a properly configured server this exploit won't let a user do anything but access their own files. This fact coupled with the backwords compatibility break is why it's marked WONTFIX, not because of incompetence or misunderstanding.

Re:Typical (1)

dysfunct (940221) | more than 7 years ago | (#18220786)

First of all, the issue HAS been fixed in PHP5 and above.

Was there ever a proper back-port to PHP4 or proper announcement of this bug? I'm not exactly an expert on PHP internals but I imagine there might be possibilities to remedy this situation if desired.

Secondly, this is NOT a remote code execution vulnerability.

Yep, you kinda got me there. This might be very, very hard to exploit by using other attack vectors like improper input handling or decoding by PHP itself. Although one mustn't forget that this can be an interesting attack vector for an app-based vulnerability (ie remote file inclusion) if PHP is secured semi-properly since using it you *can* execute shell code, even if exec() etc. is normally disabled. I also think that there *might* be ways to trigger the exploitable behavior remotely in *some* PHP scripts.

This fact coupled with the backwords compatibility break is why it's marked WONTFIX, not because of incompetence or misunderstanding.

I think you misread this. I do not call somebody incompetent easily and unnecessarily. The context was "and I even dare to say incompetent handling of reports and fixes". This in my opinion holds true, as the PHP developers appear to have limited understanding of formal and proper incident handling and therefore limited competency on that subject matter.

Re:Typical (0)

Anonymous Coward | more than 7 years ago | (#18221158)

HAS been fixed in PHP5 and above.

Does PHP5 check to ensure that you haven't overflowed the reference counter? If not (and the bug report says "In PHP 5 this field is meanwhile 32 bit wide, because 16 bit can overflow too easily and PHP does not have an internal protection against overflows of the reference counter." which leads me to believe that it's still not fixed) then it's only "fixed in PHP5" until someone installs it on a 64-bit system with more than 64GB or so of addressable memory space available, in which case creating 2^32+1 references will still allow you to take over whichever user the webserver is running as.

Fixing this would mean including a check to prevent overflowing the counter no matter how many bits there were in it.

Re:Typical (1)

CTachyon (412849) | more than 7 years ago | (#18223156)

I believe serialize() [php.net] preserves references -- it certainly does in PHP5 -- and (as mentioned elsewhere [slashdot.org] in the discussion) several PHP applications unserialize() remote data (notably phpBB).

Now, since the bug is apparently PHP4 only (gigabytes worth of references notwithstanding), the Big Question is whether or not the PHP4 unserialize() restores references.

Re:Typical (0)

Anonymous Coward | more than 7 years ago | (#18220640)

I more and more get the feeling that the PHP developers themselves do not properly understand the vulnerabilities any more

I'm beginning to agree. In two cases, the problem is that the developers refuse to create "arbitrary" limits, and therefore the system succumbs to equally arbitrary limits. For instance, there's a solution here that would make everyone happy: fail to create a reference if it would overflow the reference counter, rather than try anyway and segfault. Yet for some reason the developers don't want to do that... despite the fact that it would simply be enforcing the limit that's already there. Increasing the number of references one can store before crashing the system doesn't fix anything.

Same with the limit on the nested array depth... yet there IS a limit, and because that limit is not enforced, the system can be crashed.

Don't beleive it (1)

attackiko (170417) | more than 7 years ago | (#18219722)

Yes, but how many sites get hacked because of PHP and not because of faulty applications?

Not many.

Re:Don't beleive it (0)

Anonymous Coward | more than 7 years ago | (#18219834)

Now you say that a vulnerability in PHP does not count because there are also vulnerabilities in PHP applications?

It is no wonder that people choose applications to break into servers, because those vulnerabilities can be exploited by every skript kiddie.

To say that PHP vulnerabilities are irrelevant because Skript Kiddies don't use them is plain stupid.

Re:Don't beleive it (1, Troll)

SimHacker (180785) | more than 7 years ago | (#18220200)

And how many PHP applications are NOT FAULTY?

Not many!

-Don

How about (0)

Anonymous Coward | more than 7 years ago | (#18219878)

A month of pointing out the ways PHP sucks ass? I predict roughly 97 million entries by the end of the first week.

Oh Nose! (4, Funny)

FedeLebron (977157) | more than 7 years ago | (#18219908)

"A deep recursion of PHP userland code will exhaust all available stack which leads to a sometimes remotely triggerable crash."

I've found a very similar bug in GLIBC!

int main(){
main();
}
This code will cause a segment violation!

Shock! Gasp! Horror!

Re:Oh Nose! (1)

daverabbitz (468967) | more than 7 years ago | (#18219928)

That does sound like a bug in Glibc, it should generate a stack fault.

Re:Oh Nose! (0)

Anonymous Coward | more than 7 years ago | (#18220056)

And now you hero trigger this bug remotely...

And when you managed that you can compare it to the PHP bug...

And btw... have you looked at python etc... They handle this kind of bug correctly by terminating the script instead of crashing.

Re:Oh Nose! (2, Informative)

julesh (229690) | more than 7 years ago | (#18220756)

You do realise the difference between PHP and GLIBC, don't you? PHP is designed to have a "safe mode", which (according to the documentation) is supposed to allow a system administrator to run arbitrary code in the knowledge that it can't do certain things -- one of these things should be crashing the web server.

Re:Oh Nose! (2, Informative)

iluvcapra (782887) | more than 7 years ago | (#18220868)

I've observed that a lot of complaints about modern PHP derive from the fact that it's a dynamic interpreted language, but that in many ways it behaves like a compiled, angry, shoot-yourself-in-the-foot language, like C.

PHP will segfault, just like C, if you recurse too far on the stack, but almost every other scripting language has a mechanism for catching a stack overflow as an exception and then letting the programmer handle it. PHP in this case just crashes; even C allows you to register a function to act if your program has a segmentation violation.

The long-complained-about static binding of class methods to their superclass, and not to child classes is in a similar vein. PHP does what C++ does: static methods execute in the scope of the class they're declared in, and not the class the method is called on. This is a requirement if your language is strict and compiled, like C++, but it's completely superfluous if you're running a dynamic language like PHP. It also makes a lot of tricks used by Ruby and Python developers to make slick frameworks basically impossible.

Re:Oh Nose! (0)

Anonymous Coward | more than 7 years ago | (#18221570)

As it's invalid in C for main to be called, that function should not compile.

In defence of PHP (0)

Anonymous Coward | more than 7 years ago | (#18219922)

I love PHP. It works, it's fast, it get results, it's everywhere, it has a straightforward syntax, it has a huge number of extensions enabling you to talk to just about anything, the online documentation is clear and present, it's free. You can write systems as simple or as complex as you like, you can write wholly procedurally or you can create classes and objects. That's why it's popular. No compiling, no fannying around with JVMs.

You use it, it works. You want to move your site/system to another platform? Just move it. Of course there are problems with things like verb-object, object-verb function naming, the object model is lacking, there are a plethora of similar functions, it can be a trial and error game to escape/unescape strings etc. But for the most part, for what most people want to do, these shortcomings are hardly insurmountable. Most people aren't using PHP to send rockets to Saturn or build massive projects where namespace size becomes an issue. Most people who use PHP have the intelligence to use it intelligently.

I've written some great, popular, scalable, applications in PHP4 and it was (and is) a pleasure. I cannot see why I should learn RoR, or Perl, when I have what works. Maybe somebody could explain why I should?

Re:In defence of PHP (0)

Anonymous Coward | more than 7 years ago | (#18220048)

If PHP is so horrible, what language should be used to quickie, db-driven sites?
Are Python and Rails really set up to do this OOTB? (That is an honest question.)

Re:In defence of PHP (0, Offtopic)

brezel (890656) | more than 7 years ago | (#18220400)

it's fast, it get results, it's everywhere, it has a straightforward syntax,

i did a lot of testing in my company that showed that creating large html forms from database content in php is 120% slower than in java.

it has a huge number of extensions enabling you to talk to just about anything,

ever tried to access an oracle db from php? not fun.

No compiling, no fannying around with JVMs.

yup, that's why it is slow as hell. also the total lack of type safety and freak operators like === make me want to avoid it. :)

Re:In defence of PHP (1)

creativeHavoc (1052138) | more than 7 years ago | (#18220942)

the freak operators like === are a response to the lack of type safety. Not having stict types can be really usefull, and if you code well, irrelevant to the security or performance of your application.

Re:In defence of PHP (1)

damacus (827187) | more than 7 years ago | (#18222308)

Accessing Oracle from PHP is child's play. What's the mystery? Besides, the comment was about the extensions and capabilities. PHP is great, though perl is better. I don't know of any other languages that are as flexible in that regard.

Next, 120% slower under [undisclosed] circumstances. Browser rendering, network setup, capabilities of server/client, will impact things.

Additional, and this also relates to your 3rd point, there are are wide variety of PHP accelerators [wikipedia.org] which give PHP quite a speed boost. From Wiki: Most work by caching the compiled bytecode form of PHP scripts to avoid the overhead on every page request of parsing and compiling source code that may never even get executed. For best performance, caching is to shared memory with direct execution from the shared memory and the minimum of memory copying at runtime. A PHP accelerator typically reduces server load and increases the speed of PHP code anywhere from 2-10 times[...]

And yeah, PHP's fast and loose flexibility creates the necessity for things like === however the requirement that one is more aware of how types are handled is easily outweighed by the flexibility it gives the developer and the ease of use.

Re:In defence of PHP (1)

Goaway (82658) | more than 7 years ago | (#18221404)

I cannot see why I should learn RoR, or Perl, when I have what works.

Because it is painfully obvious that you have no idea what you are doing, and thanks to PHP's lack of secuirty measures against inexperienced programmers, you are very likely creating tons of highly vulnerable programs.

Other languages tend to have much more secure APIs, letting you get away with not paying as much attention to security. Do yourself a favour and switch to one of them.

PHP taint what it should be (2, Insightful)

atherix (1071036) | more than 7 years ago | (#18219946)

We see a lot of people use the phrase "defective by design" when talking about Vista and in that instance I'm pretty sure the use of the term is correct. Having never used PHP but heard of its many security problems I'm wondering: Is PHP defective by design?

Maybe. PHP is a wonderful interpreted language that makes creating a web application easy. The biggest problem with PHP are the entry-level programmers who don't understand the beast that is web programming.

Many PHP programmers don't understand the number one rule of secure web programming: All user data is evil. Anything that comes from an HTTP request can not be trusted. Heck, I don't trust it even after it has been stored in a database table or the file system. I would love to see a Perl-ish taint mode built into PHP that tells the programmer "This data has come from an insecure source. Please don't eval() it or unserialize() it or write it to disk. Cheerio."

Re:PHP taint what it should be (3, Interesting)

Unknown Relic (544714) | more than 7 years ago | (#18220656)

Well then, you'll be happy to know that Wietse Venema from IBM Research put in a proposal for taint support in PHP a couple months ago. I'm not sure if anything has come of it as there was a fair amount of concern that it would turn into another "Safe Mode" debacle, but from what I remember his plan was to essentially start work on a proof of concept implementation early this year and then take it from there.

Re:PHP taint what it should be (0)

Anonymous Coward | more than 7 years ago | (#18221190)

The PHP developers lack the expertise to implement a taint mode anyway.

Re:PHP taint what it should be (0)

Anonymous Coward | more than 7 years ago | (#18222494)

Well, they do lick Zonk's taint every day...

Be Prepared? (2, Insightful)

Mikenotmike (956042) | more than 7 years ago | (#18219950)

Since properly coded PHP is still useful in many applications, what would be the best book to use as an up to date reference manual for the most secure method of coding with it?

Re:Be Prepared? (0, Troll)

SimHacker (180785) | more than 7 years ago | (#18220240)

The Python reference manual. [python.org]

Seriously: So what if "properly coded PHP" is still useful? It's not as useful or as easy to properly code as other languages, so why do you persist in using an inferior, defective language like PHP? Properly sealed lead and asbestos are "still useful" in constructing new houses, but you certainly should not use them! The fact that something's "still useful" does not negate the fact that it's still foolish to use it, if you have a better alternative.

-Don

Re:Be Prepared? (1)

Mikenotmike (956042) | more than 7 years ago | (#18220312)

Then what's your ajax/web2.0 recommendation, currently I'm reading a peral/cgi book and another perl database (mysql) book, but from what I understand PHP does the whole ajax thing in a more fluid manner, is this incorrect?

Re:Be Prepared? (-1, Troll)

Anonymous Coward | more than 7 years ago | (#18220872)

web2.0

Faggot.

Re:Be Prepared? (0)

Anonymous Coward | more than 7 years ago | (#18222250)

Because ... straight people don't ... use ECMAScript? WTF is wrong with you, bigot?

Re:Be Prepared? (2, Insightful)

brezel (890656) | more than 7 years ago | (#18221460)

but from what I understand PHP does the whole ajax thing in a more fluid manner, is this incorrect?
yes. php has nothing to do with javascript.

Re:Be Prepared? (1)

larry bagina (561269) | more than 7 years ago | (#18223310)

ajax is a combination of client side javascript and server side code (that returns xml, text, json data, etc). PHP can be used, but it doesn't have any magic advantage over cgi, perl, ruby, python, or any other language.

Why not use a lovely PHP FrameWork then? (1)

SpzToid (869795) | more than 7 years ago | (#18220464)

Why not use a lovely PHP FrameWork then? Like, um, say, Drupal [drupal.org] ?

- - - -

You can't be ahead of the curve, if you're stuck in a loop.

Next Month... (1)

bill_mcgonigle (4333) | more than 7 years ago | (#18220494)

Month of Shooting Fish in a Barrel

Seriously, when does the Month of Oracle Bugs make its return? Or did the Month of Bugs folks simply chicken out when Larry Elison showed up at their house with a samurai sword?

Re:Next Month... (1)

Cheapy (809643) | more than 7 years ago | (#18221374)

No, that's RMS who has a samurai sword:
http://www.xkcd.com/c225.html [xkcd.com]

Is there an alternative? (1)

harry666t (1062422) | more than 7 years ago | (#18221474)

We can use Ruby on Rails.

perl is very good at text processing as well.

Are there any PHP-to-C++ translators? If the bugs are sitting in the PHP interpreter itself, it might be safer to translate and compile the code.

"Only perl can parse Perl" - but maybe there are alternative PHP parsers/interpreters?
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>