The Month of PHP Bugs is progressing nicely and the counter is up to nine (at this rate - supposing a linear progression - we will end up with almost 70 vulnerabilities!). The new ones repeat the same patterns as the previous ones: they can be mitigated in environments where a single user controls the server, but in shared hosting environments they can present serious problems (for example, MOPB-05-2007: PHP unserialize() 64 bit Array Creation Denial of Service Vulnerability makes it very easy to DoS the computer if it is running an older version of PHP on a 64 bit machine).
My advice remains the same: forget shared hosting (both as a client and as a service provider) and patch, patch, patch - also consider things like Suhosin and mod_security. I know that these (especially the latter) can be a pain in the rear end to configure, but the alternative - being owned or DoS-ed out of existence - is by no means better.
PS. This week seems to be a bad one for PHP security since the distribution server for Wordpress (a popular blogging platform written in PHP) was compromised - my respect to them for saying cracker, not hacker - and contains a backdoor. Via Slashdot.