Despite the claims, I'm not so sure that most of these security issues couldn't be mitigated with a proper server configuration and a well-designed application. While I'm sure there are vulnerabilities that exist in a *stock* installation of PHP (especially in older versions where things like register_globals and allow_url_fopen were enabled by default... wait... is allow_url_fopen *still* enabled by default??), there's a lot you can do in terms of configuration to minimize your application's target profile.

Also, I seem to remember Chris Shiflett having some clarifying comments on Stefan and his Suhosin project, so perhaps he could weigh in here (hint, hint ;-).
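As an added illustration of the configuration point above (this fragment is not from any poster on the thread and is not part of Suhosin), here is a constructed php.ini excerpt that pairs the permissive settings the post mentions with the values a hardened deployment would use. The exact defaults vary by PHP version, so the "weak" column reflects the older behaviour described in the post rather than a claim about any specific release:

```ini
; --- Constructed example: weak (older-default) settings vs. hardened values ---

; register_globals turned request parameters into variables automatically,
; letting unvalidated input overwrite application state.
; weak:     register_globals = On
register_globals = Off

; allow_url_fopen lets fopen()/include() style calls fetch remote URLs;
; when user input reaches such a call this becomes remote file inclusion.
; weak:     allow_url_fopen = On
allow_url_fopen = Off

; PHP 5.2+ splits remote include/require into its own switch; keep it off
; even if allow_url_fopen must stay on for legitimate HTTP client code.
allow_url_include = Off

; Error details belong in logs, not in responses sent to clients.
; weak:     display_errors = On
display_errors = Off
log_errors = On
error_log = /var/log/php/error.log   ; assumed path, adjust per host

; Don't advertise the PHP version in the X-Powered-By header.
; weak:     expose_php = On
expose_php = Off

; Confine file operations to the application tree (assumed path).
open_basedir = /var/www/app:/tmp

; Remove process-spawning functions the application never calls.
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
```

After changing php.ini, restart the web server or PHP process and confirm the running values with `php -i` (or a phpinfo() page restricted to administrators), since a stale config file elsewhere in the include path can silently win.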

Message: 1
Date: Tue, 20 Feb 2007 19:05:28 -0500
From: michael <[EMAIL PROTECTED]>
Subject: Re: [nyphp-talk] Upcoming Month of PHP Bugs
To: NYPHP Talk <[email protected]>

On Tue, 20 Feb 2007 18:59:24 -0500
csnyder <[EMAIL PROTECTED]> wrote:

So apparently we're in for a treat in March (as if daylight savings
time wasn't enough) as Stefan Esser will be publicizing a laundry list
of active vulnerabilities in PHP, one or more for each day of the
month.
http://www.securityfocus.com/columnists/432/

Here's somebody who had been working with the core developers to try
to get these things fixed, but has been frustrated to the point of
resorting to a "Month of Bugs" style publicity stunt. If what he says
is true, about overflows and other bugs being ignored, that's a pretty
major breakdown in quality control.

I don't know C, and I would have no idea what to look for in doing an
audit of PHP (the language) itself. But it seems (from Ilia's comments
anyway) that such an audit is long overdue.

So now I have to wonder, do IBM and Yahoo deploy stock PHP binaries?
Or do they carry out their own internal audits to discover and patch
the sloppier parts of the codebase?

--
Chris Snyder
http://chxo.com/

Thanks for the heads up, Chris.

It may be a good idea to have a look at his Suhosin patch.. before the
March Madness.

http://www.hardened-php.net/

--

michael

_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
