[Phpwm] Month of Bugs/ Suhosin
Greg Jones
greg.jones at gmail.com
Tue Feb 27 19:08:41 GMT 2007
I'm sure many will be aware of this, but Thursday (1st March) will see the
beginning of Stefan Esser's 'Month of Bugs', whereby he's planning on
announcing (and describing in detail) a security-related 'flaw' (ahem) in
PHP. I assume he'll be doing it on his blog, which is here:
http://blog.php-security.org/ (the announcement is only a couple of posts
down...).

Most security exploits found so far with PHP (around 90% according to
Rasmus on Friday) have only been a problem for people on shared hosting
(i.e. someone has to already have server access to do anything) so I'm not
hugely worried, but it will be interesting to see the community's (and I
include Zend in that) reaction, and how quickly any new flaws are fixed.

On a related note, Stefan is one of the (main) developers of the Suhosin
patch/extension to PHP, which aims to fix some things in the PHP core that
help with security (http://www.hardened-php.net/suhosin.127.html). I seem
to remember David mentioning that he uses it, or has used it, but does
anyone else? And has it caused any problems at all with apps you've
developed? I believe it can be set up to log things that it has protected
against. Do you use that option (if I didn't imagine it...), and has
anything interesting cropped up?

Greg
--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/