[nycphp-talk] Re: Upcoming Month of PHP Bugs (michael)

Nate Abele nate at cakephp.org
Wed Feb 21 12:46:13 EST 2007


Despite the claims, I'm not so sure that most of these security issues couldn't be mitigated with a proper server configuration and a well-designed application. While I'm sure there are vulnerabilities that exist in a *stock* installation of PHP (especially in older versions where things like register_globals and allow_url_fopen were enabled by default... wait... is allow_url_fopen *still* enabled by default??), there's a lot you can do in terms of configuration to minimize your application's target profile.

Also, I seem to remember Chris Shiflett having some clarifying comments on Stefan and his Suhosin project, so perhaps he could weigh in here (hint, hint ;-).

> Message: 1
> Date: Tue, 20 Feb 2007 19:05:28 -0500
> From: michael <lists at genoverly.net>
> Subject: Re: [nycphp-talk] Upcoming Month of PHP Bugs
> To: NYPHP Talk <talk at lists.nyphp.org>
>
> On Tue, 20 Feb 2007 18:59:24 -0500
> csnyder <chsnyder at gmail.com> wrote:
>
>> So apparently we're in for a treat in March (as if daylight savings
>> time wasn't enough) as Stefan Esser will be publicizing a laundry list
>> of active vulnerabilities in PHP, one or more for each day of the
>> month.
>> http://www.securityfocus.com/columnists/432/
>>
>> Here's somebody who had been working with the core developers to try
>> to get these things fixed, but has been frustrated to the point of
>> resorting to a "Month of Bugs" style publicity stunt. If what he says
>> is true, about overflows and other bugs being ignored, that's a pretty
>> major breakdown in quality control.
>>
>> I don't know C, and I would have no idea what to look for in doing an
>> audit of PHP (the language) itself. But it seems (from Ilia's comments
>> anyway) that such an audit is long overdue.
>>
>> So now I have to wonder, do IBM and Yahoo deploy stock PHP binaries?
>> Or do they carry out their own internal audits to discover and patch
>> the sloppier parts of the codebase?
>>
>> -- 
>> Chris Snyder
>> http://chxo.com/
>
> Thanks for the heads up, Chris.
>
> It may be a good idea to have a look at his Suhosin patch.. before the
> March Madness.
>
> http://www.hardened-php.net/
>
> -- 
>
> michael
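
The configuration point raised above is concrete enough to check mechanically. The following is an added example, not code from the thread or from the Suhosin/Hardened-PHP project: a small PHP (7.4 or later) bootstrap audit that compares the running interpreter's php.ini directives against a hardened baseline and returns the deviations, so a deployment that drifts from the intended configuration fails loudly. The baseline (which directives must be off, and that open_basedir and disable_functions must be non-empty) and the sample ini values are assumptions chosen for illustration. For reference: register_globals has defaulted to Off since PHP 4.2.0 and was removed in 5.4; allow_url_fopen still defaults to On; allow_url_include, which separately gates remote include/require, was split out in PHP 5.2.0 and defaults to Off.

```php
<?php
// Added example, not code from the thread or from Suhosin: a bootstrap-time
// audit of php.ini directives against a hardened baseline. The baseline and
// the sample values below are assumptions chosen for illustration.

/** Interpret a php.ini value the way PHP does for boolean directives. */
function ini_bool(string $value): bool
{
    $v = strtolower(trim($value));
    return !in_array($v, ['', '0', 'off', 'no', 'false', 'none'], true);
}

/**
 * Compare a configuration against the hardened baseline.
 * $ini is a lookup callable (ini_get by default) so the same function can
 * run against the live interpreter or against constructed sample data.
 * Returns a list of human-readable findings; an empty list means compliant.
 */
function audit_php_ini(callable $ini = 'ini_get'): array
{
    // directive => why it must be off
    $mustBeOff = [
        'register_globals'  => 'request parameters become global variables (removed in PHP 5.4)',
        'allow_url_include' => 'include/require would accept http:// and ftp:// paths (remote file inclusion)',
        'allow_url_fopen'   => 'fopen()/file_get_contents() accept URLs; the default is still On',
        'display_errors'    => 'error output leaks paths and query fragments to the client',
        'expose_php'        => 'X-Powered-By header advertises the exact PHP version',
    ];
    $findings = [];
    foreach ($mustBeOff as $directive => $why) {
        $value = $ini($directive);
        // ini_get() returns false for a directive this PHP build does not
        // know (e.g. register_globals on PHP >= 5.4); that is the safe state.
        if ($value === false) {
            continue;
        }
        if (ini_bool((string) $value)) {
            $findings[] = "$directive is enabled ($why)";
        }
    }
    // Directives that should carry a restrictive, non-empty value.
    if (trim((string) $ini('open_basedir')) === '') {
        $findings[] = 'open_basedir is empty (file functions may read any path the web user can)';
    }
    if (trim((string) $ini('disable_functions')) === '') {
        $findings[] = 'disable_functions is empty (exec/system/passthru remain callable)';
    }
    return $findings;
}

// Constructed sample resembling a permissive php.ini, for demonstration only.
$sampleIni = [
    'register_globals'  => 'Off',
    'allow_url_include' => 'Off',
    'allow_url_fopen'   => 'On',
    'display_errors'    => 'On',
    'expose_php'        => 'On',
    'open_basedir'      => '',
    'disable_functions' => '',
];
foreach (audit_php_ini(fn(string $k) => $sampleIni[$k] ?? false) as $finding) {
    echo "WARN: $finding\n";
}

// Against the live interpreter (e.g. first thing in index.php), fail closed:
// if (audit_php_ini()) { http_response_code(500); exit('PHP is misconfigured'); }
```

Run as written, the script audits the constructed sample and warns about allow_url_fopen, display_errors, expose_php and the two empty directives; called with no argument it audits the interpreter it runs under, which is the form you would keep in the application bootstrap.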