March To Be Month of PHP Bugs 292
PHP writes "Stefan Esser is the founder of both the Hardened-PHP Project and the PHP Security Response Team (which he recently left). During an interview with SecurityFocus he announced the upcoming Month of PHP bugs initiative in March." Quoting: "We will disclose different types of bugs, mainly buffer overflows or double free (/destruction) vulnerabilities, some only local, but some remotely triggerable... Additionally there are some trivial bypass vulnerabilities in PHP's own protection features... As a vulnerability reporter you feel kinda puzzled how people among the PHP Security Response Team can claim in public that they do not know about any security vulnerability in PHP, when you disclosed about 20 holes to them in the two weeks before. At this point you stop bothering whether anyone considers the disclosure of unreported vulnerabilities unethical. Additionally a few of the reported bugs have been known for years among the PHP developers and will most probably never be fixed. In total we have more than 31 bugs to disclose, and therefore there will be days when more than one vulnerability will be disclosed."
great... (Score:5, Informative)
Install modsecurity (Score:5, Informative)
Whilst it probably won't solve a lot of the problems with php and security it does help protect the server especially when you don't have control over what your users are uploading to their web space.
Re:even if... (Score:5, Informative)
Comment removed (Score:3, Informative)
Re:Your site is likely already compromised. (Score:1, Informative)
Still, there are precautions to take when running a common PHP-based app. First off, use Xen. Set any filesystem to read only (through Xen) that you can get away with. When installing PHP, only install the modules the script actually uses. Second, install mod_security and enable every possible protection. Third, install Suhosin (hardened php, Debian Etch has it packaged). Fourth, edit the php.ini file and enable safe mode and disable every possible feature you can get away with. Fifth, for the DB create multiple accounts. Use the permissions properly. Set it so that the user the script has only can update the specific tables it has to, deny it from everything else.
Still, it will only be a matter of time before it's compromised but at least those steps help. Make sure to make regular database and file backups from the Dom0 so it will be easier to restore the site.
PHP really needs to enforce proper security. In 5.x it's OO is actually pretty nice and I like doing development with it, but I've dropped it for Java due to constant security issues.
Re:great... (Score:3, Informative)
The fact is that the bugs have really been there the whole time, and just because we didn't know about it doesn't mean that some nefarious person didn't know about it.
Now, script kiddies might not know about the vulnrabilities until they are made public, but they are called script kiddies because they use scripts- usually written by someone who has an inkling of what they are doing.
Re:We audited PHP for some of our projects. (Score:2, Informative)
There are a handful [cakephp.org] of decent [xisc.com] PHP frameworks [symfony-project.com] out there, with others coming along [zend.com], which you can take and compare with Django, but please don't bash the language because you don't like its semantics, you have something personal with it or you didn't take the time to choose a decent framework.
Regarding the database interfacing support, I beg to differ, I believe PHP has been supporting a large number of databases for a longer while than most of the other web scripting languages out there today.
Look on the open/bright side. (Score:3, Informative)
Also, he's given the developers a week or two of warning before March. If there's anything *that* serious in there, actually known to the developers, the fix could conceivably be ready by the time the bug is announced.
I run PHP sites, and I'd rather see the bugs public and being patched, than known only to the developers (we hope).
Re:Your site is likely already compromised. (Score:1, Informative)
However, you'll probably run into a situation where the customer demands a certain poorly written php app. In those cases you have to go through the extra effort and deal with the inevitable compromise.
PHP is a nice language, but it needs to enforce proper security. If that security breaks apps, tough shit. Fix the broken apps.
Re:So, PHP means ? (Score:2, Informative)
Please don't let us see the return of \'magic quotes\'
A Couple Easy Precautions (Score:3, Informative)
Here are a few simple precautions for PHP configuration:
Re:Take PHP outside web pages altogether. (Score:2, Informative)
From the PDO docs page: (Score:3, Informative)
The default behavior in case of database problems is to display the host, username and password in the browser? Good grief.
Re:Why was register_globals there in the first pla (Score:2, Informative)
If there isn't a problem with register_globals, then why are they finally taking it out of the language? Of course the real questions are: why did it take so long to remove from the language, and why was it ever there in the first place? That is even more evidence of extremely bad judgement on the part of the PHP designers, that they mad such a bad mistake in the first place, and took so long to admit they made a mistake and correct it. They still try to blame it on "bad developers", but that's the only kind of developers they have left any more, because anyone with any sense or choice in the matter has moved on to better languages like Python and Ruby.
Doing a google search for register_globals site:www.us-cert.gov shows 112 references to security vulnerabilities having to do with register_globals. Is that enough evidence that register_globals is a bad idea?
The register_globals flag should not even be an option, backwards compatibility be damned. When you have security holes like "Unsafe termination of parse_str() may result in the register_globals directive turned back on [hardened-php.net], you're screwed even when you turn it off, because PHP turns it back on internally, then wets its pants before turning it back off, so it leaves it on for the rest of the lifetime of the web server.
That terrible bug was found AND FIXED by Stefan Esser (the person who this thread is about, in case you didn't bother to read the article), yet some piss-water-carrying PHP fan-boys are still attacking him as a "traitor".
Here is another article he wrote about PHP security problems having to do with register_globals and a lot of other stupid flaws that should have never existed in the first place: Zend_Hash_Del_Key_Or_Index Vulnerability [hardened-php.net]. If you don't like it when people blame the Zend Corporation for so many of the problems in PHP, then maybe you should ask Zend to stop putting their company name into all those functions that are the root cause of so many security problems.
-Don