The Month of PHP Bugs is Over
Written by Editor   
Monday, 02 April 2007 12:05

Well, March is over and the Month of PHP Bugs has drawn to a close. Over the period, 44 vulnerabilities affecting PHP have been released.

Of the 44 released advisories we have nineteen vulnerabilities that have not been fixed in the February bumper PHP patches. We even got a bonus vulnerability in the Apache mod_security module and two bonus vulnerabilities in the Zend Platform.

It is safe to say that if you run PHP on your web server, you must upgrade to the latest release as soon as possible. A number of the vulnerabilities can be exploited remotely, while others require access to the server to add PHP scripts that exploit them. Alas, upgrading will still leave you open to the unpatched issues.

A good number of these issues are information leakage and similar lower-risk issues when exploited by themselves. However, some of the information disclosure issues can be used with other vulnerabilities to increase their effectiveness. There are a few issues that would present a real risk in shared hosting environments, where an attacker can upload their own PHP scripts onto the server. One example is MOPB-27-2007, which describes a problem with the interaction with GD.

There are also a number of remotely or potentially remotely exploitable vulnerabilities. Some are denial of service; others could result in arbitrary code execution on the targeted host.

All in all, quite a bag of problems that need fixing, and some should be easier to address than others. In the meantime, vigilance is the order of the day. Many of the unpatched vulnerabilities have proof-of-concept code available as part of the advisory. Some of the potentially remotely exploitable vulnerabilities will require work to get them to work, so you do have some breathing space.

Another thing to come out of this project is the poor quality of code produced by the PHP developers. One example is a bug being introduced into a new CVS release; another is functionality added in the 5.2.x releases that is just broken and introduces security vulnerabilities. Even more serious are backported security fixes that introduce more serious issues than the ones they address. All in all, the PHP developers really need to step back and rethink their approach to development, adopting secure coding practices so that issues like these never make it into final releases.

To get the full list of advisories released by MoPB visit the web site here.


Last Updated ( Monday, 02 April 2007 12:10 )