[Phpwm] Month of Bugs/ Suhosin

Greg Jones greg.jones at gmail.com
Tue Feb 27 19:08:41 GMT 2007

I'm sure many will be aware of this, but Thursday (1st March) will see the  
beginning of Steffan Esser's 'Month of Bugs', whereby he's planning on  
announcing (and describing in detail) a security-related 'flaw' (ahem) in  
PHP. I assume he'll be doing it on his blog, which is here:  
http://blog.php-security.org/ (the announcment is only a couple of posts  

Most security exploits found so far with PHP (around 90% according to  
Rasmus on Friday) have only been a problem for people on shared hosting  
(i.e. someone has to already have server access to do anything) so I'm not  
hugely worried, but it will be interesting to see the community's (and I  
include Zend in that) reaction, and how quickly any new flaws are fixed.

On a related note, Steffan is one of (the main) developer of the Suhosin  
patch/extension to PHP, which aims to fix some things in the PHP core that  
help with security (http://www.hardened-php.net/suhosin.127.html). I seem  
to remember David mentioning that he uses it, or has used it, but does  
anyone else? And has it caused any problems at all with apps you've  
developed? I believe it can be setup to log things that it has protected  
against. Do you use that option (if I didn't imagine it...), and has  
anything interesting cropped up?


Using Opera's revolutionary e-mail client: http://www.opera.com/mail/

More information about the Phpwm mailing list