[Phpwm] Month of Bugs/ Suhosin

David Goodwin david at codepoets.co.uk
Tue Feb 27 20:21:45 GMT 2007


> I'm sure many will be aware of this, but Thursday (1st March) will see the  
> beginning of Stefan Esser's 'Month of Bugs', whereby he's planning on  
> announcing (and describing in detail) a security-related 'flaw' (ahem) in  
> PHP. I assume he'll be doing it on his blog, which is here:  
> http://blog.php-security.org/ (the announcement is only a couple of posts  
> down...).

Indeed :)

> Most security exploits found so far with PHP (around 90% according to  
> Rasmus on Friday) have only been a problem for people on shared hosting  
> (i.e. someone has to already have server access to do anything) so I'm not  
> hugely worried, but it will be interesting to see the community's (and I  
> include Zend in that) reaction, and how quickly any new flaws are fixed.

Yes; well, I think it's one reason why 5.2.1 was released - in an effort
to fix any remotely exploitable bugs they (Zend/PHP devs) had been
sitting on for some time...

> On a related note, Stefan is one of (the main) developers of the Suhosin  
> patch/extension to PHP, which aims to fix some things in the PHP core that  
> help with security (http://www.hardened-php.net/suhosin.127.html). I seem  
> to remember David mentioning that he uses it, or has used it, 

I do use it, and it doesn't appear to cause any problems whatsoever.
It has a few funky features - e.g. encryption of session files, so
people can't just read them (assuming file permissions), and it also
stops header injection through mail() (which is good, but you really
need to remember that it's there, else when you try and demo a security
exploit to trainees it fails miserably!)

> but does  
> anyone else? And has it caused any problems at all with apps you've  
> developed? 

No.

> I believe it can be set up to log things that it has protected  
> against. 

Yes; it logs to syslog, which I get in an email via logwatch/logcheck.

> Do you use that option (if I didn't imagine it...), and has  
> anything interesting cropped up?

Not that I've noticed, aside from it dropping various dodgy request
variables, or truncating _very_ long $_GET parameters etc.

I started using the hardening patch around a year ago, after the 1st
phplondon conference; Suhosin is just an extension of that.


thanks
David.

-- 
David Goodwin 

[ david at codepoets dot co dot uk ]
[ http://www.codepoets.co.uk       ]
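The mail() header-injection guard David mentions above is worth seeing in application code, since it is the one Suhosin feature that visibly changes PHP's behaviour. The following is an added example, not part of David's message and not Suhosin's own code: it shows the unsafe pattern the extension intercepts (user input copied straight into the additional_headers argument of mail()) beside an application-level check that rejects line breaks in header values, so the protection holds even where the extension is not installed. Function names, the recipient address and the sample inputs are all constructed for the illustration.

```php
<?php
// Added example (not from the original post or from Suhosin).
// Why Suhosin refuses to pass line breaks through mail(): a header value
// ending in "\r\n" lets the caller start a new header line, so anything
// copied verbatim from a form field can append headers of its own.

// Unsafe form: the From address goes into the header block untouched.
function build_contact_headers_unsafe(string $fromAddress): string
{
    return "From: " . $fromAddress . "\r\n";
}

// Reject any header value containing CR, LF or NUL. This is the same
// invariant Suhosin enforces inside mail(); here it is enforced before
// the call so the application does not depend on the extension being loaded.
function clean_header_value(string $value): string
{
    if (preg_match('/[\r\n\0]/', $value) === 1) {
        throw new InvalidArgumentException('Header value contains a line break');
    }
    return $value;
}

// Hardened form: the address must parse as an e-mail address (which already
// excludes control characters), and the line-break check is applied anyway
// so the guard stays in place if the validation rule is ever relaxed.
function build_contact_headers(string $fromAddress): string
{
    $from = filter_var($fromAddress, FILTER_VALIDATE_EMAIL);
    if ($from === false) {
        throw new InvalidArgumentException('Invalid From address');
    }
    return "From: " . clean_header_value($from) . "\r\n";
}

// The only place mail() is called; recipient is a placeholder address.
function send_contact_form(string $fromAddress, string $body): bool
{
    $headers = build_contact_headers($fromAddress);
    return mail('webmaster@example.com', 'Contact form', $body, $headers);
}

// Dry run over constructed inputs: only the header builder runs, no mail is sent.
$samples = [
    'alice@example.org',
    "alice@example.org\r\nX-Injected: extra header line",
];
foreach ($samples as $sample) {
    try {
        $headers = build_contact_headers($sample);
        echo "accepted: " . json_encode($sample) . " -> " . json_encode($headers) . PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo "rejected: " . json_encode($sample) . " (" . $e->getMessage() . ")" . PHP_EOL;
    }
}
```

Run it with `php example.php`: the first sample is accepted and the second rejected by the FILTER_VALIDATE_EMAIL step, before clean_header_value() is even reached. Keeping both checks is deliberate; if a later change replaces the e-mail validation with something looser (a display name, a free-text Reply-To), the line-break check still stops a second header line from being smuggled in, which is the failure the extension's guard exists to prevent.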
