Back to Top

Tuesday, April 03, 2007

Month of PHP bugs roundup

The month of PHP bugs is over and I thought that I make a little list with things you can do to mitigate the bugs where possible:

  • Update to PHP 5.2.1 and watch out for the next version and update to it as soon as it comes out. Do not PHP4, because there is a vulnerability which will not be fixed by the developers (because PHP4 is considered old code).
  • Install Suhosin (unfortunately it is currently only available for Linux)
  • If you have the Zend platform installed, take on look here to see if you are vulnerable to these exploits
  • Disable the following functions (there are some very common functions here, so unless you run your own server, you won't be able to generally disable them):
    • phpinfo()
    • substr_compare() - if you really need this function, you can find a replacement for it written in PHP on the documentation page (I didn't test it, but it looks like it should work).
    • mb_parse_str()
    • iptcembed() - already disabled if you disabled the GD extension
  • Disable the following extensions (they are rarely used, so in case you are a shared hosting, most probably you can get away with disabling them - of course if you host your own servers you should disable all the extensions which you don't use!):
    • WDDX
    • Ovrimos (in PECL, but you may have installed it with an older version of PHP)
    • The zip extension from PECL
    • bz2_filter
    • SQLite - the issues with it are fixed in PHP 5.2.1, however be sure to read the description here before relaxing (because you might use a different version than you think).
    • the GD extension - this is relatively widely used, so you can get away with disabling it only if you own you own server

Also my previous recomendations remain valid:

  • Run PHP as CGI rather than shared module
  • Configure your firewall rules strictly (if you don't have anything on port 4444, do not open port 4444!)
  • Consider using mod_security. While it is not perfect, it provides you with an added layer of security
  • If you are using a shared host account, consider moving to dedicated servers of VPS's! If you decided against it, consider it again! Think about this

Of course even you apply all these measures you won't be 100% safe, because some bugs remain unfixed and Esser hinted that he might be back later this month with an other month worth of PHP bugs.


  1. Anonymous11:28 AM

    Uhmm iptcembed() is not a function of ext/gd but of ext/standard

  2. My understanding is (based on the documentation page) that iptcembed is part of the GD extensions which is included by default in PHP. But I may be wrong.