PHP.net:
PHP 5.2.16 Released (End of Support for 5.2.x Series)
December 16, 2010 @ 08:52:25

The latest version in the PHP 5.2.x series, PHP 5.2.16, has been released today; it marks the end of support for the 5.2.x series.

This release focuses on addressing a regression in open_basedir implementation introduced in 5.2.15 in addition to fixing a crash inside PDO::pgsql on data retrieval when the server is down. All users who have upgraded to 5.2.15 and are utilizing open_basedir are strongly encouraged to upgrade to 5.2.16 or 5.3.4.

They also link to the PHP 5.3 migration guide to help make the upgrade to the world of PHP 5.3 simpler. If you want the full list of changes in this release, check out the Changelog.

release endofsupport openbasedir changelog


Web Development Blog:
Curl Location redirect while open_basedir is set
February 04, 2009 @ 12:06:09

Recently on the Web Development Blog, Olaf showed how to do a Location redirect with cURL while open_basedir is set.

If you need to follow redirects within your PHP code using cURL and open_basedir is set, you will run into some trouble. If you disable this directive, all your directories with 777 permissions are not safe (if one or more websites on the same server have some security issues). If you don't have additional protections you should NEVER disable the open_basedir directive (at least if you're using 3rd party applications).

He writes up a simple cURL-based link checker to see which of the URLs in question would throw an error. He then modifies it so that it checks the HTTP response code from the server; if it is a 200, 301 or 302, you know things are okay and shell_exec can be called to execute the file from that location.

curl location redirect shellexec openbasedir tutorial


Stuart Herbert's Blog:
PHP's Built-In Solutions For Shared Hosting
November 27, 2007 @ 10:25:00

Following up on a previous article, Stuart Herbert has posted some of the things PHP itself can do to help solve the shared hosting problems he described earlier.

The challenge is to secure the box not just from outside attack (something you have to do anyway, and which I'll cover later in this series), but also to make sure that code running on one website can't steal confidential data like MySQL passwords from any of the other websites.

The problem is not unique to PHP, but PHP does, thankfully, offer several settings and practices that can help. Among the items on his list are safe_mode, open_basedir and how PHP 6 will affect both of these. He includes settings for both to get you started.

shared hosting solution safemode openbasedir


Secunia.com:
PHP Integer Overflow Vulnerability and Security Bypass
June 01, 2007 @ 11:33:00

Secunia has released an advisory for PHP today covering an issue caused by an integer overflow that could allow an application's security restrictions to be bypassed.

A weakness and a vulnerability have been reported in PHP 5, where the vulnerability has unknown impact and the weakness can be exploited by malicious, local users to bypass certain security restrictions.

The issue stems from problems in the chunk_split and realpath functions that can lead to a bypass of the open_basedir restriction on a server.

Secunia rates the issue "moderately critical" and suggests that users update to PHP 5.2.3 to correct it.

integer overflow vulnerability security bypass openbasedir


Pierre-Alain Joye's Blog:
Zip 1.8.7, safemode and open_basedir fixes
March 20, 2007 @ 09:56:00

Pierre-Alain Joye has posted about the release of the latest version of his Zip PECL extension, version 1.8.7, including what it fixes.

Zip-1.8.7 fixes two problems related to open_basedir and safe mode. One was discovered by Stefan Esser (#20 in his MOPB) and affects the zip:// stream wrapper. The other is in the open method of the ZipArchive class. I forgot these two places while applying the php6+ changes and cleaning the code base. I recommend upgrading as soon as possible.

He notes that, thanks to information from Stefan Esser, the zip:// flaw was fixed the same day it was posted. You can get more information on the package from its PECL homepage, or just grab the latest update.

zip pecl extension safemode openbasedir fix release


PHP Security Blog:
Open_basedir confusion
February 15, 2007 @ 07:42:00

In a new post to the PHP Security Blog today, Stefan Esser tries to clear up some confusion about his stance on enabling open_basedir on your PHP installation.

From time to time I get the question why I recommend enabling open_basedir and on the other hand call it a solution flawed by design. This is actually a good question, because the untrained PHP user might get a little bit confused about this and might believe that I change my opinion on a daily basis.

He explains his reasoning: open_basedir does its job of keeping PHP code from reaching files outside the allowed directories, but it is also flawed, because some 3rd-party libraries have problems of their own that undermine it.

openbasedir confusion useful flawed thirdparty library


Hardened-PHP Project:
Advisory - PHP open_basedir Race Condition Vulnerability
October 04, 2006 @ 09:10:00

The Hardened-PHP Project has released another advisory today, this time for an issue with one of PHP's own built-in features: open_basedir.

The design of the open_basedir feature of PHP that is meant to disallow access to files outside a set of configured directories is vulnerable to race conditions.

It was discovered that this design flaw can be exploited with the usage of PHP's symlink() function in a very easy way. We believe that the only solution to this problem is disabling the function symlink() while open_basedir is used (this feature was therefore added to our Suhosin PHP Security Extension).

They also note, unfortunately, that the problem may not be fixable because of how the feature is implemented. They provide a more detailed explanation and some PHP pseudo-code to illustrate the point.

openbasedir vulnerability race condition

All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework