The Hardened-PHP Project has just released their Hardening-Patch 0.4.6 for PHP

New features:

• Added a protection for the long versions of the superglobals, so that they cannot be overwritten through HTTP headers anymore
• Added a validate session identifier hook to the session extension
• Added a session.use_strict_mode flag to the configuration, that enables a strict handling of the session identifier (enabled by default)
• Added two optional parameters to session_set_save_handler() to give user space session handlers the chance to overwrite the session identifier creation and validation
• Added a default session identifier validator, that only accepts a limited charset and therefore protects against several attacks through the session identifier (f.e. SQL injection in user space session handlers, ...).
• Added an optional parameter to session_regenerate_id() that allows deletion of previous session (this is a backport from PHP 5.1.0)

Bugfixes:

• Added a workaround for a GCC bug that caused crashes with Solaris 10 on SPARCs
• Fixed a Thread Safety problem, that caused the 'linked list canary overwritten' messages when running in a multithreaded SAPI
• Fixed a bug in the logging configuration

Download:

• as patch against the released PHP tarball
• NEW: as prepatched tarball

Today a guy from the Joomla team mailed to the phpsec mailinglist, that they have released a new version of Joomla because of a security hole, that according to him is used by script kiddies to install rootkits on servers.

The URL to the announcement he posted is: http://www.joomla.org/content/view/498/74/

At this official announcement URL they say that they fixed 6 vulnerabilities, but only describe 5 of them, leaving out the most critical, that allows remote code execution. After reading this I was of course curious and asked the guy by email:

Is it project policy, to announce that you fix 6 vulnerabilities, then only describe 5 of them and leave out the one that allows remote code execution?

Unfortunately the phpsec moderator Marco Tabini thinks that my question is not appropriate for a PHP security mailinglist and censored it away.

Update: meanwhile the announcement mentioned above adds a 6th vulnerability to the list. But It only speaks about another XSS vulnerability and does not say anything about the remote PHP code execution vulnerability.

Everyone knows the proverb about the infamous rice sack that tips over in china. This is what you think first about, when friends of a certain group of people blog about the news, that the people in question have just released a summary about a summary about other people's hard work on their site. It always makes me wonder how insane this world is, when you get more publicity for summarizing the hard work of others and labeling it with your own name, than for actually doing the hard work. Such news even end up on the frontpage of a website of a PHP magazine as important news.

Well but the funniest thing about all this is, that the summaries about summaries about other people's hard work that are advertised as today's news were actually written in the middle of september, which was 2 months ago. Meanwhile there are already newer summaries of summaries of other people's hard work posted.

Until today there have been a lot of blog postings about the Zend Framework. People love or hate it for their own special reasons. I personally think that everyone who works on it should really consider what he does by signing the CLA and working on it. The message he gives is, that Zend is right in communicating the Zend Framework as a must, because all other frameworks are by definition bad and untrustworthy, because they are only developed by a bunch of open source geeks and there is no company in control. I seriously dislike this kind of message, because it is simply not true. I have released lots of security advisories and dealt with lots of vendors during the last 6 years. The worst security contacts were either when the project was developed by 16 year olds or when there was a company behind the project. These companies usually consider security holes as very bad publicity and always try to downplay the impact.

On the other hand one must see what a framework, which is used everywhere means for security researchers like me. When a common framework is used, this is a single point of failure for tons of web applications. A security hole in the framework will expose a large number of servers at the same time. We have recently seen how a flaw in PHP ($GLOBALS) put PEAR.php at risk and with it everything that is build around it. When everyone is using the Zend Framework, this also means, that the bad guys have a single attack vector to concentrate their power on.

The good thing from an attacker's point of view is, that the whole security of the Zend Framework will most probably rely on the skills of Chris 'not really an international recognised expert in the field of PHP Security and no PHP core developer at all' Shiflett. As long Zend continues to rely on his services, no serious security researcher will join their team and so long there will be no real security in the Zend Framework.

I previously blogged about the fact, that the Hardened-PHP Project visited the International PHP Conference and presented itself in a booth. For me it was the first time, that I attended a PHP conference and I was very suprised how relaxed the atmosphere is. I had expected to see a lot of people in suits with ties, but in reality most visitors were dressed like normal human beings. It was a lot of fun to finally meet people face to face, that I know from IRC for years.

I really enjoyed my stay, because I learned a lot about how the german PHP community ticks and what information they miss in my documentation. However from a security point of view the PHP conference was a nightmare...

Next week the Hardened-PHP Project will be present at the International PHP Conference in Frankfurt. In our project booth we will demonstrate the features of the Hardening-Patch, explain our future plans and answer general questions about PHP security.

If you ever wanted to have a beer with the persons behind all those advisories this is your chance.

For interested readers, there will also be a preview copy of the upcoming german book PHP-Sicherheit: PHP/MySQL-Webanwendungen sicher programmieren by Christopher Kunz and Peter Prochaska of the Hardened-PHP Project available at our booth.