Thursday, January 12. 2006
For all those who have not yet learned about my two new advisories through the usual channels: PHP 5.1.2 was released today, fixing among other things a serious HTTP Response Splitting vulnerability in the PHP5 session extension. The fix was implemented in a way similar to the SAPI hook in our Hardening-Patch and is the first move to get some of the Hardening-Patch features into plain PHP. It is also merged into the PHP4 code tree.
This means: once PHP 4.4.2 is out (which will be very soon), HTTP Response Splitting vulnerabilities in PHP applications are history. From now on, all new PHP versions will no longer support multiple headers in the header() call, and therefore all vulnerable applications will only be exploitable on hosts with old PHP versions.
And yes, you are brave if you do not use the latest PHP version, because of all the secretly fixed security holes in older versions.
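To illustrate the "one header per header() call" rule described above, here is a small C model of such a gatekeeper. It is an added example, not code from PHP or the Hardening-Patch; the function names are hypothetical, and rejecting every CR, LF and NUL byte is an assumption of this sketch rather than a statement of what PHP's check does byte for byte.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical gatekeeper: 1 if `line` (len bytes) is exactly one header
 * line, 0 if it is empty or contains CR, LF or NUL (assumed policy). */
int header_line_is_single(const char *line, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if (line[i] == '\r' || line[i] == '\n' || line[i] == '\0')
            return 0;
    }
    return len > 0;
}

/* Append one header to the response buffer, refusing any line that would
 * smuggle in a second header or a body. Returns 0 on success, -1 otherwise. */
int add_header(char *out, size_t cap, const char *line, size_t len)
{
    size_t used = strlen(out);
    if (!header_line_is_single(line, len) || used + len + 3 > cap)
        return -1;
    memcpy(out + used, line, len);
    memcpy(out + used + len, "\r\n", 3);   /* CRLF plus terminating NUL */
    return 0;
}

/* Builds "Location: <target>" from request-derived input, as a redirect would. */
int demo(const char *target, char *out, size_t cap)
{
    char line[256];
    int n = snprintf(line, sizeof line, "Location: %s", target);
    out[0] = '\0';
    if (n < 0 || (size_t)n >= sizeof line)
        return -1;
    return add_header(out, cap, line, (size_t)n);
}

int main(void)
{
    char resp[512];
    const char *split = "/index.php\r\nSet-Cookie: injected=1"; /* constructed sample */
    printf("benign -> %d\n", demo("/index.php", resp, sizeof resp));
    printf("split  -> %d\n", demo(split, resp, sizeof resp));
    return 0;
}
```

Applications that still have to run on older PHP versions can apply the same test to any request-derived value before passing it to header().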