Slashdot Mirror


PHP Vulnerabilities Announced

Simone Klassen writes "The Hardened-PHP Project has announced several serious and, according to them, easy-to-exploit vulnerabilities within PHP. A flaw within the function unserialize() is rated as very critical for millions of PHP servers, because it is exposed to remote attackers through lots of very popular web applications. The list includes forum software like phpBB2, WBB2, Invision Board and vBulletin. It is time to upgrade now."
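The summary's point is that the bug lives in unserialize() itself, but it is remotely reachable only because web applications feed it bytes taken straight from the client. The following PHP is an added example written for this page; it is not code from the Hardened-PHP advisory or from any of the forum packages named above. The cookie name `app_data`, the constant `STATE_KEY` and the data layout are assumptions made for the illustration. It shows the exposure pattern (client bytes go directly into unserialize()) next to a gate that only lets server-produced, HMAC-authenticated blobs reach the parser.

```php
<?php
// Added example, not from the advisory or any of the listed forum packages.
// Cookie name, key and data layout are assumptions for the illustration.
declare(strict_types=1);

// Vulnerable pattern: every byte parsed by unserialize() is attacker-controlled,
// so any parser bug in unserialize() is reachable by anyone who can send a cookie.
function loadStateVulnerable(array $cookies): array
{
    $raw = $cookies['app_data'] ?? '';
    $state = @unserialize($raw);
    return is_array($state) ? $state : [];
}

// Hardened pattern: untrusted bytes never reach unserialize() unless they carry
// an HMAC we computed ourselves, and even then no objects may be instantiated.
const STATE_KEY = 'replace-with-a-random-32-byte-secret'; // assumption: loaded from config

function saveState(array $state): string
{
    $payload = serialize($state);
    $mac = hash_hmac('sha256', $payload, STATE_KEY);
    return $mac . '.' . base64_encode($payload);
}

function loadStateHardened(array $cookies): array
{
    $raw = $cookies['app_data'] ?? '';
    // Cheap shape check first: 64 hex chars, a dot, then base64.
    if (!preg_match('/^([0-9a-f]{64})\.([A-Za-z0-9+\/=]+)$/', $raw, $m)) {
        return [];                       // malformed: ignore, do not parse
    }
    $payload = base64_decode($m[2], true);
    if ($payload === false) {
        return [];
    }
    // Constant-time comparison so the MAC check does not leak timing.
    if (!hash_equals(hash_hmac('sha256', $payload, STATE_KEY), $m[1])) {
        return [];                       // tampered or forged: never unserialize
    }
    // allowed_classes => false (PHP 7+) turns any object in the payload into
    // __PHP_Incomplete_Class, so no magic methods run during deserialization.
    $state = unserialize($payload, ['allowed_classes' => false]);
    return is_array($state) ? $state : [];
}

// Demonstration with constructed input.
$cookie = ['app_data' => saveState(['uid' => 42, 'theme' => 'dark'])];
var_dump(loadStateHardened($cookie));                       // state round-trips intact

$cookie['app_data'][0] = ($cookie['app_data'][0] === 'a') ? 'b' : 'a'; // corrupt one MAC nibble
var_dump(loadStateHardened($cookie));                       // rejected before unserialize()

var_dump(loadStateVulnerable(['app_data' => 'a:1:{i:0;s:3:"abc";}'])); // parsed as-is
```

The gate does not fix unserialize(); it only guarantees that the bytes it parses were produced by your own serialize() call, which is why the summary's advice to upgrade still stands. The HMAC check also has to come before any call into the parser, since the whole point is that the parser is the untrusted-input sink.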

10 of 387 comments

  1. Third-party modules? by flatface · · Score: 5, Interesting

    I read about this yesterday and couldn't find out if mod_security and suPHP are vulnerable to these attacks. With mod_security blocking buffer overflows, "bad" characters, etc. and mod_suphp forcing PHP to run as the user, I don't think that it gives people who run these modules (that) much to worry about.

    1. Re:Third-party modules? by archen · · Score: 2, Interesting

      Or you could spend a whopping 5 seconds writing a regular expression to verify the id. I've seen my share of stuff that's vulnerable to SQL injection, and it's pretty sad really. What in the hell ever happened to error checking? I really don't like PHP, but at times I think that the majority of the problems I have with it are the masses of sloppy lazy coders who preach how wonderfully easy it is. That may be so, but you still need to freaking THINK your solutions through. -_-
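The "5 seconds of regular expression" check the comment asks for, alongside the prepared statement that keeps the id from ever being interpreted as SQL, as an added example written for this page (not code from the thread or from any of the forums it names). It uses an in-memory SQLite database with constructed rows; the `posts` table, its columns and the sample values are assumptions.

```php
<?php
// Added example with constructed data; table and column names are assumptions.
declare(strict_types=1);

function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, secret INTEGER)');
    $db->exec("INSERT INTO posts VALUES (1, 'public post', 0), (2, 'hidden post', 1)");
    return $db;
}

// Vulnerable: the request parameter is spliced into the SQL text.
function fetchTitleVulnerable(PDO $db, string $id): array
{
    $rows = $db->query("SELECT title FROM posts WHERE id = $id AND secret = 0");
    return $rows->fetchAll(PDO::FETCH_COLUMN);
}

// Step 1: the regex. Accept only a plain positive integer of sane length.
function isValidId(string $id): bool
{
    return preg_match('/^[1-9][0-9]{0,9}$/', $id) === 1;
}

// Step 2: bind the value, so the driver never treats it as SQL even if
// someone later removes or weakens the regex.
function fetchTitleHardened(PDO $db, string $id): array
{
    if (!isValidId($id)) {
        return [];                       // reject, log if you like, do not query
    }
    $stmt = $db->prepare('SELECT title FROM posts WHERE id = :id AND secret = 0');
    $stmt->execute([':id' => (int) $id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = setupDb();
// Constructed attacker value, as it would arrive from ?id=1%20OR%201%3D1%20--
$injected = '1 OR 1=1 --';

var_dump(fetchTitleVulnerable($db, $injected)); // the "--" comments out "AND secret = 0"
var_dump(fetchTitleHardened($db, $injected));   // fails isValidId(), nothing is queried
var_dump(fetchTitleHardened($db, '1'));         // a legitimate id still works
```

The regex alone would already block the injection here, but the prepared statement is the part that survives refactoring: a later developer who loosens the check (to allow "123abc", say) does not reopen the hole, because the bound parameter is data, not SQL.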

  2. Re:It's always a mixed bag. by realdpk · · Score: 1, Interesting

    If PHP wants to get serious about security, it needs to stop writing its own libraries for things already available elsewhere, such as GD or MySQL or any number of other programs. It's always going to be difficult to keep the internal and external libraries in sync, better to just use external.

    Basically, if the developers spent less time reinventing every wheel in existence (look at the documentation page some time, the index of the "libraries" is astounding) they might have more time to close holes like this.

  3. Why isn't hardened-PHP merged with PHP? by DarkHelmet · · Score: 5, Interesting
    I know this is just a thought, but why aren't the changes within Hardened-PHP within the actual version of PHP that's on the site?

    Their implementation of memory checking seems to be sane and valid for all installs. So why are most of us running vanilla like this?

    Just a thought.

    --
    /^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
  4. Solution... by sleighb0y · · Score: 1, Interesting

    Write your own code.

    PHP is great, but as with anything you install, you have to place a certain level of trust in it. And since web apps are always open to the public you really better trust them. Esp. if you are a n00b, and are installing these apps without knowledge of programming.

    I don't like using a pre-packaged PHP app in a public or semi-public location. Then the code is there for all to study and prepare for an exploit.

    I prefer to write all my own apps. I might use code examples and classes as a base, but input is filtered and checked. And nobody else knows the code.

  5. Re:I've said it before, and I'll say it again by dfj225 · · Score: 2, Interesting

    Yes, servers that work on J2EE specifications are a pain to eliminate, but I live on the other side of the wall compared to you. I don't administer the J2EE server but write apps for it. I think Java is a very secure, professional replacement for PHP. I have written web apps in both and I think Java is the better solution for large projects or a web server used by an office or company. I would still probably use PHP if I need to code something for a personal website, just because it would probably be quick and dirty and I don't need all of the framework that J2EE provides. One of my favorite things about Java is the error handling. Exceptions, IMHO, make web development much easier. Also, Java seems very secure to me. I don't have to worry about my variables being overwritten by http requests or anything like that. The creators of Java also say that the JVM has been proven, mathematically, to be secure. You can take that for what it is worth. PHP is good but I wouldn't want to write anything large in it. But then again, I have not read up on the latest developments with the language, so I am probably a little outdated.

    --
    SIGFAULT
  6. Re:No comment? by destiney · · Score: 2, Interesting

    They were announced before today, just read the dates.

    You're probably not subscribed to any security mailing lists.

  7. the TRUTH about php arrays Re:Arrrrgh by samjam · · Score: 4, Interesting

    php arrays are not wishy washy, they are powerful.
    In PHP there is no difference between a hash and a numerical array, it's the same thing.

    try this:

    $a[5]="five";
    $a[0]="zero";
    foreach($a as $k=>$v) echo "$k=$v\n";

    and you'll get:
    5=five
    0=zero

    I like em, a php array is like an ORDERED perl hash, and you may be interested to know that PHP style arrays are regularly requested for perl.

    Sam

  8. Re:I've said it before, and I'll say it again by sydneyfong · · Score: 3, Interesting

    I've done programming in PHP and in Java.

    PHP is straightforward and easy, and most distributions have their own packages for it. Whereas with Java, the initial set up is overwhelming for beginners.

    I learnt PHP years ago by myself, and it wasn't really that hard. Yet a few months ago when I was finally required to learn Java, the complexity of the Java frameworks (Hibernate, Spring, etc) tortured me for days before I actually knew what was going on. And it doesn't help when all the frameworks give such a "bulky" feeling.

    The learning curve of Java is definitely much higher than PHP.

    Of course, I do agree that Java is much better suited for large scale web programming than PHP. It's much easier to do things cleanly in Java, and although PHP's loose typing is great for a simple 1 page script, I'd rather have the strict typing of Java when it comes to large scale projects.

    --
    Don't quote me on this.
  9. Serious by Anonymous Coward · · Score: 2, Interesting

    Just to let you guys know, I have had two of my phpBB forums hacked (within hours of each other) from this exploit. This is a very serious issue.