
Innovation in Information Security

Coverage of important Information Security and Information Technology news and events from the research team at Sûnnet Beskerming.


PHP Project Updates, Then Rapidly Updates Again due to bug

PHP version 5.2.7 was only released earlier this week, but it introduced a serious bug: magic_quotes was effectively forced off, irrespective of the local php.ini settings. While the feature is deprecated and is being removed in PHP 6.0, it is still available within the PHP 5 branch.

Relying on magic_quotes became a crutch for many PHP developers when it came to managing user input and any other input that was passed to any particular script. It was the lazy developer's approach to security and is undoubtedly present in many, many scripts in use across the Internet (and many intranets). The forced disablement of magic_quotes would have made many of these scripts extremely vulnerable to exploitation.

Initial guidance for administrators and users who had already applied 5.2.7 was to revert to 5.2.6 until the issue could be addressed. Fortunately, this did not take long, and 5.2.8 is now available. All of the security improvements originally shipped in 5.2.7 are included, together with the fix for the magic_quotes issue. Administrators also had the option of recompiling 5.2.7 with ext/filter disabled, which is where the vulnerable code was.
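The problem described above is that scripts which silently depend on magic_quotes_gpc stop being protected the moment the effective setting changes, whether through a regression like the one in 5.2.7 or a deliberate php.ini change. The following PHP is an added example, not code from the article or from the PHP project: it shows a runtime check that tests the behaviour rather than trusting the ini value, a normalisation step that works whichever way the setting is, and the "crutch" query pattern beside a form that does not depend on magic_quotes at all. The database handle, the `users` table and its `name` column are assumptions made up for the illustration.

```php
<?php
// Added example (not from the original article). Assumes a PDO connection
// $pdo and a hypothetical table users(id, name); both are constructed here
// for illustration and are not part of the page.

// 1. Test the effective behaviour, not the php.ini value. Under the 5.2.7
//    regression the configuration could claim magic_quotes_gpc=On while the
//    runtime no longer added slashes, so a check of the ini file alone is
//    misleading; ask the engine what it is actually doing.
function magic_quotes_effective()
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// 2. Bring request input back to its raw form regardless of the setting.
//    Recursive, because $_GET/$_POST may contain nested arrays.
function strip_magic_quotes($value)
{
    if (!magic_quotes_effective()) {
        return $value;            // nothing was added, nothing to remove
    }
    if (is_array($value)) {
        return array_map('strip_magic_quotes', $value);
    }
    return stripslashes($value);
}

// 3. The crutch: this relies on magic_quotes having escaped $name before it
//    reaches the script. With the feature off (as in 5.2.7) the value is
//    concatenated into the SQL string unescaped.
function find_user_relying_on_magic_quotes(PDO $pdo, $name)
{
    $sql = "SELECT id FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql);
}

// 4. Hardened: bind the value explicitly. Correct whether magic_quotes is on
//    or off, and unaffected by any future change to the setting.
function find_user_safely(PDO $pdo, $name)
{
    $stmt = $pdo->prepare('SELECT id FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchColumn();
}

// Constructed sample request parameter containing a quote character.
$_GET['name'] = "O'Brien";
$name = strip_magic_quotes($_GET['name']);

// With a real connection (hypothetical DSN):
//   $pdo = new PDO('mysql:host=localhost;dbname=example', 'user', 'pass');
//   $id  = find_user_safely($pdo, $name);
```

The normalisation in step 2 matters for the hardened path as well: if magic_quotes is on and the value is bound without stripping, a name like `O'Brien` is stored as `O\'Brien`, so the application should always work from the raw value and let the database driver handle quoting.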

11 December 2008
