PHP Vulnerabilities Announced
Simone Klassen writes "The Hardened-PHP Project has announced several serious and, according to them, easy-to-exploit vulnerabilities within PHP. A flaw within the function unserialize() is rated as very critical for millions of PHP servers, because it is exposed to remote attackers through lots of very popular web applications. The list includes forum software like phpBB2, WBB2, Invision Board and vBulletin. It is time to upgrade now."
Arrrrgh (Score:1, Informative)
Secunia advisory (Score:3, Informative)
Question/Comment (Score:4, Informative)
"Note: Due to a problem with earlier versions of Zend Optimizer, its users are urged to upgrade to the latest version."
I can't seem to find any information on what this problem may be. No release notes or anything. Any clues?
Comment:
PHP.net's download scheme is worse than Sourceforge's if you can believe that. Therefore, here are some unPHP.net-ized URLs:
US2 [php.net]
Belgium [php.net]
Finland2 [php.net]
You'll find you can actually right-click and save these and they won't prompt you for a filename "mirror" or something useless like the rest of PHP's download links.
Re:Arrrrgh (Score:2, Informative)
Here: http://www.entropy.ch/software/macosx/php/ [entropy.ch] are usually up-to-date and easy installers for PHP on OS X; he's at 4.3.9 still, but I trust the newer one will be up soon. :-)
They're really fire-and-forget installers, great for people like me.
Re:OMG (Score:4, Informative)
Hurrah for Nightly MySQL dumps.
FreeBSD port already updated (Score:1, Informative)
#
PORTNAME= php4
PORTVERSION= 4.3.10
Upgraded to 4.3.10... (Score:2, Informative)
Re:It's always a mixed bag. (Score:3, Informative)
Like 90% or so of the modules included with the basic PHP distribution are just wrappers around standard libraries; no code is duplicated nor functionality reinvented. The wrapper is there to make the libraries easy to use.
The 2 libraries you mention happen to be bundled with the distribution for convenience, but you are free to use external versions supplied by your OS installation or perhaps yourself.
/greger
Re:It's always a mixed bag. (Score:3, Informative)
http://www.infoworld.com/article/04/11/19/47FEt
18. Underestimating PHP
IT managers who look only as far as J2EE and
Discussion of PHP scalability reached a high-water mark in June, when the popular social-networking site Friendster finally beat nagging performance woes by migrating from J2EE to PHP. In a comment attached to a Weblog post about Friendster's switch to PHP, Rasmus Lerdorf, inventor of PHP, explained the architectural secret of PHP's capability of scaling: "Scalability is gained by using a shared-nothing architecture where you can scale horizontally infinitely."
The stateless "shared-nothing" architecture of PHP means that each request is handled independently of all others, and simple horizontal scaling means adding more boxes. Any bottlenecks are limited to scaling a back-end database. Languages such as PHP might not be the right solution for everyone, but pre-emptively pushing scripting languages aside when there are proven scalability successes is a mistake.
Re:Hypocrisy of Slashdot (Score:2, Informative)
warning! 5.0.1 - 5.0.3 "breaks" EMPTY() function (Score:3, Informative)
Watch out when upgrading!
This code prints 'empty' with 5.0.1, but 'not empty' with 5.0.3.
You must check all your code for the use of empty() with a string!
I wish PHP would warn everyone about this sort of thing.
Here is the manual page... nothing is said about it: http://www.php.net/empty [php.net]
Re:Hypocrisy of Slashdot (Score:2, Informative)
Not just for script kiddies this time (Score:5, Informative)
This exploit has been known about in select hacker groups since late October. The first script for the kiddies was released last weekend (December 11 - 12) and it most certainly originated in Brazil. The group responsible for the initial wave of terror call themselves "H4ck3rsBr", and most of the defacements were done by none other than the infamous "S8ldier". No doubt he wrote a proof of concept for phpBB right away, seeing as how he's always first to the scene with new phpBB exploits involving PHP.
If you're running forum software that sits on top of PHP, upgrade PHP before it's too late. These guys took out a friend's Linux server because he caught them right in the middle of defacing his clients' websites (just the index.html files). They had a rootkit installed and made sure to cause as much damage as possible before being booted off. After backing up the filesystem, rebooting the machine failed, as the partition table was toast and most of the important data sectors had been trashed as well.
I'm glad that the PHP team decided to fix this, but I'm also hopeful that the phpBB, vBulletin, etc. teams will start validating their input a little more carefully.
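As an added example, not code from this thread or from any of the forum packages it names: the cookie-to-unserialize() pattern that exposes the parser to remote input, beside a version that authenticates the cookie with an HMAC before parsing it and then filters the result against a schema (assumes PHP 5.6+; SECRET_KEY, the prefs cookie and the schema are placeholders).

```php
<?php
// Added example, not code from the thread or from any package named in it.
// Assumes PHP 5.6+ (hash_hmac, hash_equals); SECRET_KEY is a placeholder.
define('SECRET_KEY', 'replace-with-a-long-random-server-side-secret');

// Vulnerable pattern: attacker-controlled cookie bytes go straight into the
// unserialize() parser, so any bug in that parser is reachable remotely.
function load_prefs_unsafe(array $cookie) {
    return isset($cookie['prefs']) ? unserialize($cookie['prefs']) : array();
}

// Hardened pattern: only bytes this server produced (proven by an HMAC over the
// serialized payload) reach unserialize(), and the result is then reduced to an
// explicit schema of known keys with expected scalar types.
function seal_prefs(array $prefs) {
    $payload = serialize($prefs);
    return hash_hmac('sha256', $payload, SECRET_KEY) . '.' . base64_encode($payload);
}

function load_prefs_safe(array $cookie, array $schema) {
    if (!isset($cookie['prefs']) || !is_string($cookie['prefs'])) {
        return array();
    }
    $parts = explode('.', $cookie['prefs'], 2);   // "<hex mac>.<base64 payload>"
    $payload = count($parts) === 2 ? base64_decode($parts[1], true) : false;
    if ($payload === false) {
        return array();
    }
    // Constant-time MAC check: a forged or edited cookie is never parsed.
    if (!hash_equals(hash_hmac('sha256', $payload, SECRET_KEY), $parts[0])) {
        return array();
    }
    $data = unserialize($payload);
    $clean = array();
    if (is_array($data)) {
        foreach ($schema as $key => $type) {
            if (array_key_exists($key, $data) && gettype($data[$key]) === $type) {
                $clean[$key] = $data[$key];
            }
        }
    }
    return $clean;
}

// Constructed demo input: a hand-written cookie is rejected, a sealed one loads.
$schema = array('theme' => 'string', 'per_page' => 'integer');
$forged = array('prefs' => 'a:1:{s:5:"theme";s:4:"dark";}');
var_dump(load_prefs_safe($forged, $schema));
$sealed = array('prefs' => seal_prefs(array('theme' => 'dark', 'per_page' => 25)));
var_dump(load_prefs_safe($sealed, $schema));
```

The MAC removes the remote trigger for this one input path only; it does not fix the parser bug itself, so the PHP upgrade the thread recommends still applies.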