Slashdot Mirror

← Back to Stories (view on slashdot.org)

PHP Vulnerabilities Announced

Posted by michael on from the rated-o-for-overtime dept.

Simone Klassen writes "The Hardened-PHP Project has announced several serious and according to them, easy-to-exploit vulnerabilities within PHP. A flaw within the function unserialize() is rated as very critical for millions of PHP servers, because it is exposed to remote attackers through lots of very popular webapplications. The list includes forum software like phpBB2, WBB2, Invision Board and vBulletin. It is time to upgrade now."

51 of 387 comments (clear)

  1. No comment? by jardin · · Score: 3, Funny

    They must be all busy upgrading :)

    1. Re:No comment? by stevesliva · · Score: 5, Funny

      No, all the sysadmins are on holiday vacation. Come on folks, announcing security vulnerabilities on a Friday in December? That's just plain mean.

      --
      Who do you get to be an expert to tell you something's not obvious? The least insightful person you can find? -J Roberts
    2. Re:No comment? by destiney · · Score: 2, Interesting


      They were announced before today, just read the dates.

      You're probably not subscribed to any security mailing lists.

  2. Kewl by mordors9 · · Score: 3, Funny

    I can't wait for someone to release a script that I can use to show what a leet haxor I am.

  3. I've said it before, and I'll say it again by Neil+Blender · · Score: 2, Funny

    PHP: 10 million newbies can't be wrong.

    1. Re:I've said it before, and I'll say it again by snoyberg · · Score: 3, Funny

      You're absolutely correct! I'll go convert all my scripts to ASP and avoid all of PHP's security holes by running on Microsoft software.

      --
      Thank God for evolution.
    2. Re:I've said it before, and I'll say it again by mios · · Score: 2, Insightful

      Perhaps you've been asleep when every other software package releases updates/bug-fixes/security patched.

      Apache: 85% of the internet can't be wrong.

      Please sir, dismount yourself from that high horse you are riding on.

    3. Re:I've said it before, and I'll say it again by cosinezero · · Score: 2, Funny

      But scripting languages are what applications are made of! Right?

    4. Re:I've said it before, and I'll say it again by Anonymous Coward · · Score: 5, Funny

      I assume you dislike PHP. What would you recommend instead?

      A language that is a little more practical for extracting and reporting.

      NB

    5. Re:I've said it before, and I'll say it again by mrm677 · · Score: 2, Insightful

      What would you recommend instead?

      Java/J2EE/JSP

      You can mess up security policies and implementations with Java, but it is much harder to shoot yourself in the foot. The JVM may have bugs, but because it is used for all Java applications, it is likely well-debugged and secure

      Language features eliminate security problems. For example, the Java JVM does something incredibly advanced: bounds checking!

    6. Re:I've said it before, and I'll say it again by flatface · · Score: 2, Funny

      mod_bf

    7. Re:I've said it before, and I'll say it again by Anonymous+Luddite · · Score: 2, Insightful


      But scripting languages are what applications are made of! Right?

      I don't think it matters what you use. (compiled or script) There will be an exploit/flaw.

      You can shuck all of your PHP and write mts components in VB or even compile your server side stuff as ANSI C, but nothing is going to be perfect.

      IMHO what matters s how fast vulnerbility information is published after found and how quickly it is fixed.

      --
      http://request-header.info
    8. Re:I've said it before, and I'll say it again by dfj225 · · Score: 2, Interesting

      Yes, servers that work on J2EE specifications are a pain to eliminate, but I live on the other side of the wall compared to you. I don't administer the J2EE server but write apps for it. I think Java is a very secure, professional replacement for PHP. I have written web apps in both and I think Java is the better solution for large projects or an web server used by an office or company. I would still probably use PHP if I need to code something for a personal website, just because it would probably be quick and dirty and I don't need all of the framework that J2EE provides. One of my favorite things of Java is the error handling. Exceptions, IMHO, make web development much easier. Also, Java seems very secure to me. I don't have to worry about my variables being overwritten by http requests or anything like that. The creators of Java also say that the JVM has been proven, mathematically, to be secure. You can take that for what it is worth. PHP is good but I wouldn't want to write anything large in it. But then again, I have not read up on the latest developments with the language, so I am probably a little outdated.

      --
      SIGFAULT
    9. Re:I've said it before, and I'll say it again by Decaff · · Score: 2, Insightful

      Yup, because it is a *LOT* harder to install, and administer. It's all scary black magic, and down right confusing.

      Er. Download tomcat. gunzip and untar. place JAVA_HOME into catalina.sh. Set a manager account in the config file. Start it up. It's one of the easiest installs I have ever done.

      Installing, starting, and stopping individual web apps is all done with a simple web interface. It's one of the easiest systems to administrate I have used.

      Compare to PHP, where on some Linux distros the only way to get it working is to compile it yourself, along with specific versions of apache.

      Tomcat also has the advantage that its trivially simple to run everything as non-root, for security: You just untar it into a user account and start it there!

    10. Re:I've said it before, and I'll say it again by markv242 · · Score: 3, Insightful
      Your comment was sort of correct.

      "p.s. I know squat"

      We have a winner!

      Installing a JVM and an application server is about 99% less time consuming, and easier, than a comparable PHP installation.

      Check Resin Quickstart

    11. Re:I've said it before, and I'll say it again by spike2131 · · Score: 2, Insightful

      Yeah, then spend 6 hours wrestling with mod_jk so it will play nice behind Apache. Its either that or use Tomcat to serve your static files, which is silly, if you have any traffic.

      --
      SpyDock: Scientific Python in a Docker container
    12. Re:I've said it before, and I'll say it again by sydneyfong · · Score: 3, Interesting

      I've done programming in PHP and in Java.

      PHP is straightforward and easy, and most distributions have their own packages for it. Whereas with Java, the initial set up is overwhelming for beginners.

      I learnt PHP years ago by myself, and it wasn't really that hard. Yet a few months ago when I was finally required to learn Java, the complexity of the Java frameworks (Hibernate, Spring, etc) tortured me for days before I actually knew what was going on. And it doesn't help when all the frameworks gives such a "bulky" feeling.

      The learning curve of Java is definitely much higher than PHP.

      Of course, I do agree that Java is much better suited for large scale web programming than PHP. It's much easier to do things cleanly in Java, and although PHP's loose typing is great for a simple 1 page script, I'd rather have the strict typing of Java when it comes to large scale projects.

      --
      Don't quote me on this.
  4. Third-party modules? by flatface · · Score: 5, Interesting

    I read about this yesterday and couldn't find out if mod_security and suPHP are vulnerable to these attacks. With mod_security blocking buffer overflows, "bad" characters, etc. and mod_suphp forcing PHP to run as the user, I don't think that it gives people who run these modules (that) much to worry about.

    1. Re:Third-party modules? by new-black-hand · · Score: 2, Insightful

      mod_suphp might prevent you from attaining root, but more often than not root is not required. If you manage to upload files, insert some SQL, read files as the user PHP is running as (eg. nobody) then you have access to the whole web application (user accounts, credit card databases, everything). Getting root is very often not required. That is why these web apps must be as tight (security and access wise) as operating systems themselves. Developers (esp. PHP and ASP developers) are often very slack in this regard.

    2. Re:Third-party modules? by Tassach · · Score: 2, Insightful
      If you manage to upload files, insert some SQL, read files as the user PHP is running as (eg. nobody) then you have access to the whole web application (user accounts, credit card databases, everything)
      This is exactly why it's foolish to use a so-called "database" (*cough* mysql *cough*) which does not support stored procedures. Stored procedures are a vital means of defense against SQL injection attacks, and any RDBMS which is used as a back-end to a publicly-accessable application must use them to be safe.

      Stored procedures work kind of like SUID scripts for a database -- they let the database user execute code with the procedure owner's permissions. For example in an E-Commerce application, a user might legitimately need to get his own credit card number out of the database, but he has no business getting anyone else's database.

      Let's assume we have the CC table keyed by UserID, and the webapp provides the UserID when it wants to get that user's CC number. We'll assume the user has already logged in and the application knows the user's userid. The naieve approach taken by most programmers is to construct the SQL statement on the client-side using the (previously validated) UserID, and then submit this to the SQL Server using a webuser account:

      select CardHolderName, CCNumber, ExpDate from CCTable where UserID = '$UserID';
      User xj9-4t-7070, using the system as intended, would result in the intended SQL statement being submitted to the SQL Server:
      select CardHolderName, CCNumber, ExpDate from CCTable where UserID = 'xj9-4t-7070';
      However This kind of construct is flawed because it's vulnerable to SQL injection. If a hacker is able to put an arbitrary value into $UserId, he can run ANY sql statement the webuser has permission to execute. Let's say he manages to set $UserID to xj9-4t-7070';\nselect * from CCTable where UserID != ', now the SQL being submitted is
      select CardHolderName, CCNumber, ExpDate from CCTable where UserID = 'xj9-4t-7070';
      select * from CCTable where UserID != '';
      Because the webuser account must have select permission on CCTable to work for a legitimate user, it can run ANY arbitrary query on that table. Using stored procedures, the legitmate user would submit a query like:
      exec GetUserCCInfo 'xj9-4t-7070';
      And the attacker would submit
      exec GetUserCCInfo 'xj9-4t-7070';
      select * from CCInfo where UserID != '';
      Using the stored procedure, the webuser only needs to be granted execute permission on the GetUserCCInfo stored procedure, and would not have any permissions to access CCInfo table directly. Therefore, all the attacker would get is a "permission denied" message instead of a dump of all entire CCInfo table.

      We're still vulnerable to the attacker brute-forcing the CC numbers out one at a time, which is why we need to use a reasonably large random value for the UserID instead of something trivially guessed (like a monotonically increasing sequence of integers).

      --
      Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
    3. Re:Third-party modules? by FuzzyBad-Mofo · · Score: 2, Insightful

      What you described is definitely a good idea to prevent SQL injection, but it doesn't have to be done using stored procedures. You can do the same thing on the web server with a custom function or by using prepared statements (using the PEAR library, etc).

    4. Re:Third-party modules? by archen · · Score: 2, Interesting

      or you could spend a whopping 5 seconds writing a regular expression to verify the id. I've seen my share of stuff that's vulerable to SQL injection, and it's pretty sad really. What in the hell ever happened to error checking? I really don't like PHP, but at times I think that the majority of the problems I have with it are the masses of sloppy lazy coders who preach how wonderfully easy it is. That may be so, but you still need to freaking THINK your solutions through. -_-

  5. Upgrade. by Anonymous Coward · · Score: 4, Insightful

    I think it's about time someone came up with an easier way to upgrade php.
    It's so god damned time-consuming to rebuild the entire thing over and over again, especially because you keep having to rebuild all the additional modules (mysql support, gd support, mcrypt support, pdf, the list goes on).

  6. double standards by Anonymous Coward · · Score: 4, Insightful

    I love how you guys take this all seriously when there is an error in OSS software but when there is 1 little error in ASP.net you call it inherently insecure and a piece of garbage.

    1. Re:double standards by Qzukk · · Score: 4, Insightful

      Wow gee, how did you think these got found? By the Hardened PHP project bashing their head against the table until ideas popped out? Try "it was found because their eyes were on the code". Something the PHP developers missed that someone else found. Gotta wonder how much stuff Microsoft missed in their code.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    2. Re:double standards by ricotest · · Score: 5, Insightful

      You do realise it's a SUBSET of the slashdot population complaining about ASP being garbage, and a perhaps different SUBSET taking OSS software bugs without complaint. There are NO double standards if you stop looking at Slashdot as one person with one brain and a million voices.

  7. Of course... by Nos. · · Score: 5, Insightful

    Most of these vulnerabilites come down to checking user input. If you are properly checking user input against a set of known good values and rejecting any input that is not a match, your chances of being vulnerable decrease dramatically.
    Yes, I'm a big fan of php, but like any language out there, there are vulnerabilites. PHP had a bigger problem with register_globals being defaulted to on. Not to make light of these vulnerabilities, but if you are checking user input (assuming you're not using a downloaded package) you should be pretty safe.

  8. Secunia advisory by FuzzyBad-Mofo · · Score: 3, Informative

    http://secunia.com/advisories/13481/

  9. Question/Comment by realdpk · · Score: 3, Informative

    Question:

    "Note: Due to a problem with earlier versions of Zend Optimizer, its users are urged to upgrade to the latest version."

    I can't seem to find any information on what this problem may be. No release notes or anything. Any clues?

    Comment:

    PHP.net's download scheme is worse than Sourceforge's if you can believe that. Therefore, here are some unPHP.net-ized URLs:

    US2
    Belgium
    Finland2

    You'll find you can actually right-click and save these and they won't prompt you for a filename "mirror" or something useless like the rest of PHP's download links.

  10. Re:Arrrrgh by Nomikos · · Score: 2, Informative
    And of course, Mac OS X and Mac OS X Server 10.3.7 contain php 4.3.2...

    Here: http://www.entropy.ch/software/macosx/php/ , are usually uptodate and easy installers for PHP on OS X; he's at 4.3.9 still but I trust the newer one will be up soon.
    They're really fire&forget installers, great for people like me :-)

  11. Why isn't hardened-PHP merged with PHP? by DarkHelmet · · Score: 5, Interesting
    I know this is just a thought, but why aren't the changes within Hardened-PHP within the actual version of PHP that's on the site.

    Their implementation of memory checking seems to be sane and valid for all installs. So why are most of us running vanilla like this?

    Just a thought.

    --
    /^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
  12. Re:OMG by vluther · · Score: 3, Informative

    Forum defacing is for the script kiddies, I've seen variations of the unserialized exploit used, to upload files into paths writeable by the apache user, and reading files accessible by the apache user, you can do mysqldumps, upload zombie scripts etc, one of my clients was made part of a zombie network as the user nobody, and redirect scripts were added to many posts, as the posts are stored in the db, and the kid found the mysql user/pass to access the forum.

    Hurrah for Nightly MySQL dumps.

  13. Upgraded to 4.3.10... by Bravid98 · · Score: 2, Informative

    And it seems to have compatibility issues. It ended up breaking custom code of mine, as well as Invision Power Board. This was compiled from scratch. Hopefully they'll quickly release a .11.

  14. Why are these things always announced on Friday? by kd3bj · · Score: 2, Funny

    Why can't it be Monday? I mean, do the people that make these announcements think we _like_ working weekends?

  15. Check your inputs!!!! But not an impressive record by dwheeler · · Score: 4, Insightful
    Thankfully, most of these problems are easily countered by what you always have to do anyway: you MUST check and severely limit what you allow as input. Letting users provide arbitrary-length data that's then used in realpath is a bug in the first place!

    The unserialize() bug issue is rather serious, though.

    It's true that all systems have vulnerabilities, but that does not mean that all systems are equally secure. What you want is a track record that shows good things. Frankly, I'm not all that impressed with PHP's track record so far. The good news is that the PHP developers have been willing to change critical pieces (like turning off globals) to deal with security issues, and it looks like at least some of them are taking security more seriously. But I'd really like to see evidence of serious steps to not just provide a niftier OO model, but provide a programming language where programs are more likely to actually withstand attack. PHP has a lot going for it, but an implementation that can't handle harsh attacks is simply not appropriate for today's network.

    I'd like to see Hardened-PHP, or something like it, merged into the mainline PHP. Why is it that only some users will get a PHP that tries to defend against attacks? Does this mean that other PHP users never get attacked? Does this mean that PHP programmers have stopped making common mistakes? Nonsense. There's no reason that there has to be a separate project to modify PHP to be secure against attack; that should be part and parcel of PHP itself. The performance impact is tiny, and much less important than keeping control over your own machine. Why should anyone be impressed at the speed of a system that's about to be controlled by an attacker?

    One of the best ways to get a secure setup is to find out what product has the better security track record with evidence of a secure design (modular parts, etc.), and switch to one of them. That's true whether it's OSS or proprietary; OSS is no guarantee of security, it simply makes some kinds of worldwide review possible. Using Internet Explorer or Outlook? Switch to Firefox and Thunderbird. Using Sendmail? Switch to Postfix. That doesn't guarantee perfection, but you're generally better off in the long run. I think you could make a very good case for switching from PHP to Perl or Python or Java. If the PHP folks want to keep their large user base, they need to get on the stick.

    --
    - David A. Wheeler (see my Secure Programming HOWTO)
  16. If by Alioth · · Score: 2, Funny

    If PGP stands for Pretty Good Privacy, does PHP stand for Pretty Hopeless Privacy?

    --
    Oolite: Elite-like game. For Mac, Linux and Windows
  17. Re:This proves once an for all by fitten · · Score: 2, Funny

    # in a perfect world this would increse my karma
    $karma++;

    No... that would be "in a Perlfect world..."

  18. Re:So sad ... by anocelot · · Score: 2, Insightful
    I'm sorry, but I have to insert a few Larry Wall quotes here:
    Regarding your post:
    There ain't nothin' in this world that's worth being a snot over.
    --Larry Wall in <1992Aug19.041614.6963@netlabs.com>

    Regarding the topic at hand:
    Let us be charitable, and call it a misleading feature :-)
    --Larry Wall in <2609@jato.Jpl.Nasa.Gov>

    And if you want to be funny:
    Just don't create a file called -rf. :-)
    --Larry Wall in <11393@jpl-devvax.JPL.NASA.GOV>
    ;)
    --
    This tagline brought to you by 1500 monkeys in just under 17 years.
  19. Re:It's always a mixed bag. by Greger47 · · Score: 2, Informative
    Err?

    Like 90% or so of the modules included with the basic PHP distribution are just wrappers around standard libraries, no code is duplicated nor functionality reinvented. The wrapper is there to make the libraries easy to use.

    The 2 libraries you mention happen to be bundled with the distribution for convenience, but you are free to use external versions supplied by your OS installation or perhaps yourself.

    /greger

  20. Re:Check your inputs!!!! But not an impressive rec by killjoe · · Score: 2, Insightful

    PHP needs taint.

    --
    evil is as evil does
  21. Re:It's always a mixed bag. by mr.dreadful · · Score: 3, Informative

    from "The Top 20 IT mistakes to avoid" published by Infoworld

    http://www.infoworld.com/article/04/11/19/47FEto p2 0_5.html

    18. Underestimating PHP

    IT managers who look only as far as J2EE and .Net when developing scalable Web apps are making a mistake by not taking a second look at scripting languages -- particularly PHP. This scripting language has been around for a decade now, and millions of Yahoo pages are served by PHP each day.

    Discussion of PHP scalability reached a high-water mark in June, when the popular social-networking site Friendster finally beat nagging performance woes by migrating from J2EE to PHP. In a comment attached to a Weblog post about Friendster's switch to PHP, Rasmus Lerdorf, inventor of PHP, explained the architectural secret of PHP's capability of scaling: "Scalability is gained by using a shared-nothing architecture where you can scale horizontally infinitely."

    The stateless "shared-nothing" architecture of PHP means that each request is handled independently of all others, and simple horizontal scaling means adding more boxes. Any bottlenecks are limited to scaling a back-end database. Languages such as PHP might not be the right solution for everyone, but pre-emptively pushing scripting languages aside when there are proven scalability successes is a mistake.

  22. It like what my DB prof said about Oracle v. MySQL by ShatteredDream · · Score: 5, Insightful

    The prof I had for my DB class largely hates MySQL with a passion and is an Oracle partisan, but he looked one of the students in the eye and told them to basically shut up when they complained about MySQL versus Oracle. He told the whiner that they should be glad that it worked at all and that they have no right to expect any quality for something they didn't pay for. For some it was a profound statement: MySQL kinda works for you, well guess what, you haven't spent any money on it so who are you to bitch at the guys who work on it... they owe you nothing.

    Products from Zend can be expected to perform very well, but not something that is free for public use. The fact that PHP is so high quality, open and free, gives it some leeway that Microsoft's ASP.NET implementation doesn't deserve. People don't have to spend several thousand dollars to setup an environment capable of hosting PHP because it's free, and all of the tools needed to run it are free.

    None of this of course negates the fact that security holes in PHP are just as serious in practice as those in ASP.NET and need to be fixed ASAP. The difference is how we should perceive free software bugs versus commercial software bugs. When we actually buy a license for a commercial product, we should be able to expect something reasonably akin to top notch quality. Microsoft is getting better in that regard, but the level of quality they have delivered in the past is abysmal compared to what a commercial entity should be delivering.

    By all reasonable expectations, a company like Microsoft should be delivering extremely secure products. They pay very large sums of money to hire some of the brightest minds, and they charge accordingly. Therefore the public has a right to expect extremely comprehensive testing, including OpenBSD-style line-by-line code audits for things like buffer overflows. Does it not surprise anyone that a small project like OpenBSD can find the time and manpower to do that on such a large code base for the manpower present, but Microsoft, a company with probably at least ten times the manpower for just the Windows team cannot?

    --
    Click here or a puppy gets stomped!
  23. Re:PHP is to Perl as Java is to C++ by DigitalRaptor · · Score: 4, Insightful

    I would disagree.

    I've programmed in PHP for 5 years and have successfully used it to feed my family the entire time.

    I haven't had any problem with security vulnerabilities since day 1 (I write all of my own software rather than using any particular package).

    It has scaled easily to meet my needs, including an e-commerce site that does $3,000,000+ a year in orders. Granted that is small potatoes for some, but that is irrelevant.

    What is relevant is that PHP is fast and easy to develop in, easy to debug, and easy to deploy. It does what I need it to do, and it does so successfully.

    In my mind it is well designed for it's intended purpose.

    There is no sense picking apart a screw driver and saying what a bad hammer it is. It isn't a hammer. It wasn't designed to be a hammer. It will never be a hammer.

    For my purposes PHP is well designed and is the best tool for the job I've found. I've looked into many other tools, but hands down the winner for my needs is PHP. Trust me, if there were another tool that offered the same power AND ease AND was more profitable for me to use overall, I'd be using it. If it exists, I haven't found it. This isn't a religous pursuit for me. I don't care what the "best" programming language is. I'm here to feed my family and PHP serves that purpose well.

    --
    Lose Weight and Feel Great with Isagenix
  24. About time by Billly+Gates · · Score: 2, Insightful

    These bugs and many many others have been known for a long time.

    Not to sound trollish but the FBI and computer security groups label PHP with more holes than ASP. No joke.

    Its nice to see the php team begin to take security seriously. Especially if they want lamp to ever replace Java or ASP on many corporate webservers and intranets.

    --
    http://saveie6.com/
  25. Re:Hypocrisy of slashot by GrindKore · · Score: 2, Informative

    Actually Windows 2003 Server does not have IIS, FTP, POP3, DNS and other services installed by default. After you setup IIS all ASP, ASP.NET, Front Page services are still disabled and administrator has to turn them on individual basis. So please next time you hand off a 'clue' leave one for yourself.

  26. the TRUTH about php arrays Re:Arrrrgh by samjam · · Score: 4, Interesting

    php arrays are not wishy washy, they are powerful.
    In PHP there is no difference between a hash and a numerical array, its the same thing.

    try this:

    $a[5]="five";
    $a[0]="zero";
    foreach($a as $k=>$v) echo "$k=$v
    \n";

    and you'll get:
    5=five
    0=zero

    I like em, a php array is like an ORDERED perl hash, and you may be interested to know that PHP style arrays are regularly requested for perl.

    Sam

    --
    blog.sam.liddicott.com
  27. warning! 5.0.1 - 5.0.3 "breaks" EMPTY() function by phpsucks · · Score: 3, Informative

    Watch out when upgrading!

    <?
    $a = 'foobar';
    print empty($a->nothere) ? 'empty' : 'not empty';
    ?>

    This code prints 'empty' with 5.0.1, but 'not empty' with 5.0.3.

    You must check all your code for the use of empty() with a string!

    I wish PHP would warn everyone about this sort of thing.

    Here is the man page...nothing said about it: http://www.php.net/empty

  28. Re:Hypocrisy of slashot by GrindKore · · Score: 2, Informative

    Windows 2003 Server Web Edition is low cost version of standard edition. It's marketed for web hosting and does not have active directory and media streaming capabilities, it's limited to maximum of 2-way SMP and 2Gb of ram. Follow the link below for comparison table. http://www.microsoft.com/windowsserver2003/evaluat ion/features/compareeditions.mspx

  29. Not just for script kiddies this time by Anonymous Coward · · Score: 5, Informative

    I don't have an account, so chances are no one will ever read this. However, if you are reading this, then I thank you.

    This exploit has been known about in select hacker groups since late October. The first script for the kiddies was released last weekend (December 11 - 12) and it most certainly originated in Brazil. The group responsible for the initial wave of terror call themselves "H4ck3rsBr", and most of the defacements were done by none other than the infamous "S8ldier". No doubt he wrote a proof of concept for phpBB right away, seeing as how he's always first to the scene with new phpBB exploits involving PHP.

    If you're running forum software that sits on top of PHP, upgrade PHP before it's too late. These guys took out a friend's Linux server because he caught them right in the middle of defacing his clients' websites (just index.html's). They had a rootkit installed and made sure to cause as much damage as possible before being booted off. After backing up the filesystem, re-booting the machine failed, as the partition table was toast and most of the important data sectors had been trashed as well.

    I'm glad that the PHP team decided to fix this, but I'm also hopeful that the phpBB, vBulletin, etc. teams will start validating their input a little more carefully.

  30. Serious by Anonymous Coward · · Score: 2, Interesting

    Just to let you guys know, I have had two of my phpBB forums hacked (within hours of eachother) from this exploit. This is a very serious issue.

  31. Re:PHP is to Perl as Java is to C++ by Bitsy+Boffin · · Score: 2

    PHP is a good web language, well, good enough in that it performs the job, I've been using PHP for a couple of years (before that, Coldfusion for a few years).

    But to say it's well designed is not in any way valid, PHP for the most part is a monolithic hacking togethor of things, lots of inconsistency (function names etc), little modularity (after compilation), many unexpected results (for example try working with recursive references sometime, one mistaken return by value and you end up with two identical copies of the object completely silently, very frustrating).

    Like many projects PHP started out small and gradually new things were hacked onto it. It's not well designed at all, heck, it's hardly designed period.

    But, it does work well enough to do it's job and for now that's OK. But for me it's place in the world is only secured while it's the most popular web language - I think that if mod_mono can get some traction then it might be in for a run for it's money.

    --
    NZ Electronics Enthusiasts: Check out my Trade Me Listings