More Help Securing PHP Installations

You probably recall the Month of PHP Bugs (MOPB), which I wrote about in March (see the first URL below). By the end of the MOPB, 41 bugs had been published. Jeff Forristal, a senior research and development engineer at SPI Dynamics, monitored the bug postings, and mid-month, he wrote an article that offers a general overview and analysis (at the second URL below).

Forristal's article offers some interesting information about the potential impact of the bugs released up to that time. Most notable is that two of the bugs could lead to a serious server security compromise for those who allow third parties to upload and run PHP-based scripts on their servers. Forristal wrote that "Web hosting companies offering PHP hosting services should be really concerned right now."

Last week, Forristal published a second article regarding MOPB, which is available at the URL below. Again he offers some very interesting analysis that gives you plenty of reason to make absolutely certain that you're using the latest version of PHP 4 or 5. While the analysis is very helpful, I found the information in the section "Being proactive with your PHP installation" even more helpful.

In that section, Forristal offers a lengthy list of various configuration settings that should be checked. In some cases, you might find that there are a lot of PHP features that your applications don't use and that therefore shouldn't be enabled. You can think of securing your PHP installation as you would any other server hardening process--if you aren't using a component, it shouldn't be enabled on the system.

The next version of PHP 5--PHP 5.2.2--is under development, and Release Candidate 1 (RC1) either will have been released into testing by the time you read this or soon will be. The final release date isn't set yet, but hopefully it won't be too far in the future. When it becomes available, upgrade as soon as you can. Unfortunately, there isn't any news as to when a new version of PHP 4 will become available. You can check for news at the Web site, and look for future announcements in the php.internals newsgroup at the URL below.

For yet more ways to secure your PHP installation, see my earlier article at the URL below.
