…and one giant step for PHP security

While hosts are still undecided on whether to upgrade to PHP5 or not, the people pushing the limits of possibility are busy planning PHP6. PHP6 is mainly a cleanup of code and the addition of some object oriented features (and some other little bits which probably mean more to others than to me). Nevertheless in terms of security it’s something I’m already drooling over.

Every week several exploits are found in various applications made by PHP. Even given the vast number of applications (and therefore flaws) some problems can’t be blamed solely on the coder. At least for me there have always been functions I’m extremely careful of when I pass any parameter into. Now all this is going to be made simpler, safer, better.

Register globals are gone! No more detection and coding around it, or worse; no detection and getting your ass pawned. To be honest no one really has it on any more anymore and but I’ve still found it a major hassle. Specially when I’m helping people out who are used to having it on and suddenly have lost it.

Magic quotes are gone! Again, no hassle of detection. Instead we’ll have the input_filter extension which is so very much better.

Easier detection of MIME types. Should improve checking if those uploaded files are valid.

header() will only accept one header, hopefully virtually killing off HTTP response splitting attacks.

For full details about the April PHP6 meeting read the minutes.

  • http://blogs.securiteam.com/index.php/archives/author/mattmurphy/ Matthew Murphy

    The register_globals and header() changes are much welcomed. RG is a security disaster and has been from day one. I’ve also been one of the first to call for header() to be fixed. I submitted Bug #19286 against PHP 4.2.3 in September 2002 to this effect:


  • http://hackbloc.org Johnny

    From a blackhat view, I hate magic_quotes with a vengeance. I can still perform XSS in some situations where magic_quotes is enabled, but that requires time, patience, and adding lots of random slashes everywhere hoping that the next time you do it the code will be parsed, and your pretty alert saying “/XSS/” will appear =D

    From a whitehat view, it doesn’t pose much problem to me. It’s easy to stripslashes, and it is also a nice backup (which I do NOT rely on) for if I forget to escape the odd SQL query.

    From both views, the header() change won’t make much difference to me, its not THAT often that a script is vulnerable to CSLF injection, and I rarely use header() – practically NEVER relying on user input.

    The magic_quotes replacement looks weird though, although I’m sure it’ll be quite simple when it officially comes out. I wonder how much it rivals magic_quotes’s security?