Slashdot Mirror
PHP Vulnerabilities Announced
Simone Klassen writes "The Hardened-PHP Project has announced several serious and according to them, easy-to-exploit vulnerabilities within PHP. A flaw within the function unserialize() is rated as very critical for millions of PHP servers, because it is exposed to remote attackers through lots of very popular webapplications. The list includes forum software like phpBB2, WBB2, Invision Board and vBulletin. It is time to upgrade now."
They must be all busy upgrading :)
I can't wait for someone to release a script that I can use to show what a leet haxor I am.
I read about this yesterday and couldn't find out if mod_security and suPHP are vulnerable to these attacks. With mod_security blocking buffer overflows, "bad" characters, etc. and mod_suphp forcing PHP to run as the user, I don't think that it gives people who run these modules (that) much to worry about.
I think it's about time someone came up with an easier way to upgrade php.
It's so god damned time-consuming to rebuild the entire thing over and over again, especially because you keep having to rebuild all the additional modules (mysql support, gd support, mcrypt support, pdf, the list goes on).
I love how you guys take this all seriously when there is an error in OSS software but when there is 1 little error in ASP.net you call it inherently insecure and a piece of garbage.
Most of these vulnerabilites come down to checking user input. If you are properly checking user input against a set of known good values and rejecting any input that is not a match, your chances of being vulnerable decrease dramatically.
Yes, I'm a big fan of php, but like any language out there, there are vulnerabilites. PHP had a bigger problem with register_globals being defaulted to on. Not to make light of these vulnerabilities, but if you are checking user input (assuming you're not using a downloaded package) you should be pretty safe.
http://secunia.com/advisories/13481/
Question:
"Note: Due to a problem with earlier versions of Zend Optimizer, its users are urged to upgrade to the latest version."
I can't seem to find any information on what this problem may be. No release notes or anything. Any clues?
Comment:
PHP.net's download scheme is worse than Sourceforge's if you can believe that. Therefore, here are some unPHP.net-ized URLs:
US2
Belgium
Finland2
You'll find you can actually right-click and save these and they won't prompt you for a filename "mirror" or something useless like the rest of PHP's download links.
You're absolutely correct! I'll go convert all my scripts to ASP and avoid all of PHP's security holes by running on Microsoft software.
Thank God for evolution.
I assume you dislike PHP. What would you recommend instead?
A language that is a little more practical for extracting and reporting.
NB
Their implementation of memory checking seems to be sane and valid for all installs. So why are most of us running vanilla like this?
Just a thought.
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
Forum defacing is for the script kiddies, I've seen variations of the unserialized exploit used, to upload files into paths writeable by the apache user, and reading files accessible by the apache user, you can do mysqldumps, upload zombie scripts etc, one of my clients was made part of a zombie network as the user nobody, and redirect scripts were added to many posts, as the posts are stored in the db, and the kid found the mysql user/pass to access the forum.
Hurrah for Nightly MySQL dumps.
The unserialize() bug issue is rather serious, though.
It's true that all systems have vulnerabilities, but that does not mean that all systems are equally secure. What you want is a track record that shows good things. Frankly, I'm not all that impressed with PHP's track record so far. The good news is that the PHP developers have been willing to change critical pieces (like turning off globals) to deal with security issues, and it looks like at least some of them are taking security more seriously. But I'd really like to see evidence of serious steps to not just provide a niftier OO model, but provide a programming language where programs are more likely to actually withstand attack. PHP has a lot going for it, but an implementation that can't handle harsh attacks is simply not appropriate for today's network.
I'd like to see Hardened-PHP, or something like it, merged into the mainline PHP. Why is it that only some users will get a PHP that tries to defend against attacks? Does this mean that other PHP users never get attacked? Does this mean that PHP programmers have stopped making common mistakes? Nonsense. There's no reason that there has to be a separate project to modify PHP to be secure against attack; that should be part and parcel of PHP itself. The performance impact is tiny, and much less important than keeping control over your own machine. Why should anyone be impressed at the speed of a system that's about to be controlled by an attacker?
One of the best ways to get a secure setup is to find out what product has the better security track record with evidence of a secure design (modular parts, etc.), and switch to one of them. That's true whether it's OSS or proprietary; OSS is no guarantee of security, it simply makes some kinds of worldwide review possible. Using Internet Explorer or Outlook? Switch to Firefox and Thunderbird. Using Sendmail? Switch to Postfix. That doesn't guarantee perfection, but you're generally better off in the long run. I think you could make a very good case for switching from PHP to Perl or Python or Java. If the PHP folks want to keep their large user base, they need to get on the stick.
- David A. Wheeler (see my Secure Programming HOWTO)
"p.s. I know squat"
We have a winner!
Installing a JVM and an application server is about 99% less time consuming, and easier, than a comparable PHP installation.
Check Resin Quickstart
from "The Top 20 IT mistakes to avoid" published by Infoworld
o p2 0_5.html
.Net when developing scalable Web apps are making a mistake by not taking a second look at scripting languages -- particularly PHP. This scripting language has been around for a decade now, and millions of Yahoo pages are served by PHP each day.
http://www.infoworld.com/article/04/11/19/47FEt
18. Underestimating PHP
IT managers who look only as far as J2EE and
Discussion of PHP scalability reached a high-water mark in June, when the popular social-networking site Friendster finally beat nagging performance woes by migrating from J2EE to PHP. In a comment attached to a Weblog post about Friendster's switch to PHP, Rasmus Lerdorf, inventor of PHP, explained the architectural secret of PHP's capability of scaling: "Scalability is gained by using a shared-nothing architecture where you can scale horizontally infinitely."
The stateless "shared-nothing" architecture of PHP means that each request is handled independently of all others, and simple horizontal scaling means adding more boxes. Any bottlenecks are limited to scaling a back-end database. Languages such as PHP might not be the right solution for everyone, but pre-emptively pushing scripting languages aside when there are proven scalability successes is a mistake.
The prof I had for my DB class largely hates MySQL with a passion and is an Oracle partisan, but he looked one of the students in the eye and told them to basically shut up when they complained about MySQL versus Oracle. He told the whiner that they should be glad that it worked at all and that they have no right to expect any quality for something they didn't pay for. For some it was a profound statement: MySQL kinda works for you, well guess what, you haven't spent any money on it so who are you to bitch at the guys who work on it... they owe you nothing.
Products from Zend can be expected to perform very well, but not something that is free for public use. The fact that PHP is so high quality, open and free, gives it some leeway that Microsoft's ASP.NET implementation doesn't deserve. People don't have to spend several thousand dollars to setup an environment capable of hosting PHP because it's free, and all of the tools needed to run it are free.
None of this of course negates the fact that security holes in PHP are just as serious in practice as those in ASP.NET and need to be fixed ASAP. The difference is how we should perceive free software bugs versus commercial software bugs. When we actually buy a license for a commercial product, we should be able to expect something reasonably akin to top notch quality. Microsoft is getting better in that regard, but the level of quality they have delivered in the past is abysmal compared to what a commercial entity should be delivering.
By all reasonable expectations, a company like Microsoft should be delivering extremely secure products. They pay very large sums of money to hire some of the brightest minds, and they charge accordingly. Therefore the public has a right to expect extremely comprehensive testing, including OpenBSD-style line-by-line code audits for things like buffer overflows. Does it not surprise anyone that a small project like OpenBSD can find the time and manpower to do that on such a large code base for the manpower present, but Microsoft, a company with probably at least ten times the manpower for just the Windows team cannot?
Click here or a puppy gets stomped!
I would disagree.
I've programmed in PHP for 5 years and have successfully used it to feed my family the entire time.
I haven't had any problem with security vulnerabilities since day 1 (I write all of my own software rather than using any particular package).
It has scaled easily to meet my needs, including an e-commerce site that does $3,000,000+ a year in orders. Granted that is small potatoes for some, but that is irrelevant.
What is relevant is that PHP is fast and easy to develop in, easy to debug, and easy to deploy. It does what I need it to do, and it does so successfully.
In my mind it is well designed for it's intended purpose.
There is no sense picking apart a screw driver and saying what a bad hammer it is. It isn't a hammer. It wasn't designed to be a hammer. It will never be a hammer.
For my purposes PHP is well designed and is the best tool for the job I've found. I've looked into many other tools, but hands down the winner for my needs is PHP. Trust me, if there were another tool that offered the same power AND ease AND was more profitable for me to use overall, I'd be using it. If it exists, I haven't found it. This isn't a religous pursuit for me. I don't care what the "best" programming language is. I'm here to feed my family and PHP serves that purpose well.
Lose Weight and Feel Great with Isagenix
php arrays are not wishy washy, they are powerful.
In PHP there is no difference between a hash and a numerical array, its the same thing.
try this:
$a[5]="five";
$a[0]="zero";
foreach($a as $k=>$v) echo "$k=$v
\n";
and you'll get:
5=five
0=zero
I like em, a php array is like an ORDERED perl hash, and you may be interested to know that PHP style arrays are regularly requested for perl.
Sam
blog.sam.liddicott.com
Watch out when upgrading!
This code prints 'empty' with 5.0.1, but 'not empty' with 5.0.3.
You must check all your code for the use of empty() with a string!
I wish PHP would warn everyone about this sort of thing.
Here is the man page...nothing said about it: http://www.php.net/empty
I've done programming in PHP and in Java.
PHP is straightforward and easy, and most distributions have their own packages for it. Whereas with Java, the initial set up is overwhelming for beginners.
I learnt PHP years ago by myself, and it wasn't really that hard. Yet a few months ago when I was finally required to learn Java, the complexity of the Java frameworks (Hibernate, Spring, etc) tortured me for days before I actually knew what was going on. And it doesn't help when all the frameworks gives such a "bulky" feeling.
The learning curve of Java is definitely much higher than PHP.
Of course, I do agree that Java is much better suited for large scale web programming than PHP. It's much easier to do things cleanly in Java, and although PHP's loose typing is great for a simple 1 page script, I'd rather have the strict typing of Java when it comes to large scale projects.
Don't quote me on this.
I don't have an account, so chances are no one will ever read this. However, if you are reading this, then I thank you.
This exploit has been known about in select hacker groups since late October. The first script for the kiddies was released last weekend (December 11 - 12) and it most certainly originated in Brazil. The group responsible for the initial wave of terror call themselves "H4ck3rsBr", and most of the defacements were done by none other than the infamous "S8ldier". No doubt he wrote a proof of concept for phpBB right away, seeing as how he's always first to the scene with new phpBB exploits involving PHP.
If you're running forum software that sits on top of PHP, upgrade PHP before it's too late. These guys took out a friend's Linux server because he caught them right in the middle of defacing his clients' websites (just index.html's). They had a rootkit installed and made sure to cause as much damage as possible before being booted off. After backing up the filesystem, re-booting the machine failed, as the partition table was toast and most of the important data sectors had been trashed as well.
I'm glad that the PHP team decided to fix this, but I'm also hopeful that the phpBB, vBulletin, etc. teams will start validating their input a little more carefully.