
Month of PHP bugs summary

April 12th, 2007 Posted by D Webber

Well, the "Month of PHP Bugs" has concluded, exposing 41 security issues in the PHP web development language. Some don't agree with this method of publishing vulnerabilities, but sometimes it's necessary to help developers focus on security. Embarrassment is a highly effective motivator. Personally I think this was sorely needed for PHP and Stefan Esser should be congratulated.

If you haven't been following along, Jeff Forristal of SPI Dynamics has written an excellent summary of the Month of PHP Bugs on his blog. Well worth reading. He also recommends several compile-time flags and php.ini settings to disable high-risk functions, including a couple of settings that aren't listed by phpinfo() that I wasn't aware even existed.

However, as the Month of PHP Bugs has demonstrated, the design of PHP (and the quality of most PHP code) is such that disabling specific functions and tweaking php.ini is far from a complete solution. I strongly recommend also installing the Suhosin extension, sitting your web servers behind an application-layer filter such as mod_security, and of course continually monitoring activity on the network and servers.
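To make the two paragraphs above concrete, here is an added php.ini hardening fragment. It is not from the original post, nor from Jeff Forristal's write-up or the Suhosin project; the php.ini directives are standard PHP 5.2-era settings, and the Suhosin directives are written from memory of the Suhosin documentation, so check them against the version you install. Each entry shows the permissive default or common value beside the hardened one. The `disable_functions` list and the `open_basedir` path are illustrative choices, not a recommendation for any particular application.

```ini
; --- Stock PHP directives (php.ini) ---

; Default: On. Hides the PHP version from the X-Powered-By header.
expose_php = Off

; Default: On in php.ini-dist. Errors belong in logs, not in responses.
display_errors = Off
log_errors = On

; Default: Off since 4.2, but still On in many legacy installs.
; Turning it On lets request parameters overwrite arbitrary variables.
register_globals = Off

; Default: On. Lets include/require/fopen pull code from http:// and ftp:// URLs,
; the enabler for remote file inclusion. allow_url_include exists from PHP 5.2.0.
allow_url_fopen = Off
allow_url_include = Off

; Default: empty (nothing disabled). Illustrative list of shell and process
; primitives; extend it to what your application genuinely never calls.
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec,dl

; Default: unset (no restriction). Confines file operations to the web root;
; the path is an example only.
open_basedir = /var/www/html

; Default: Off for the second; both exist from PHP 5.2.0. Keeps the session id
; out of URLs and (in supporting browsers) away from script access.
session.use_only_cookies = 1
session.cookie_httponly = 1

; --- Suhosin extension directives (require the extension to be loaded) ---

; Refuses eval() entirely; most PHP code never needs it.
suhosin.executor.disable_eval = On

; Second line of defence behind disable_functions, enforced by the extension.
suhosin.executor.func.blacklist = exec,passthru,shell_exec,system,proc_open,popen

; Limits "../" sequences in include paths, blunting local file inclusion.
suhosin.executor.include.max_traversal = 4

; Transparent encryption of session data and cookies with a server-side key.
suhosin.session.encrypt = On
suhosin.cookie.encrypt = On
```

After restarting the web server, confirm the values actually took effect rather than trusting the file you edited: `php -i | grep -E 'allow_url|disable_functions|open_basedir'` for the CLI, and a one-line page calling `ini_get('allow_url_include')` for the SAPI the web server uses, since the two can load different php.ini files. None of this addresses bugs inside the interpreter itself, which is exactly the class the Month of PHP Bugs concentrated on; that is why the extra layers (Suhosin, mod_security, monitoring) still matter.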

Posted in Web security
