php5-5.2.11_1 Vulnerabilities

Jeremy Chadwick freebsd at
Sat Dec 26 12:39:56 UTC 2009

On Sat, Dec 26, 2009 at 12:06:36PM +0000, Vincent Hoffman wrote:
> Xin LI wrote:
> > I think ale@ has posted a patch to update it to PHP 5.3.1 which is not
> > vulnerable.  Is it an option for you?
> >
> We've found 5.3 is different enough from 5.2 at work that a number of
> customers have needed downgrading again after upgrading. (We're a Linux
> shop but the same theory applies.) A particular gotcha was the removal of
> the mhash module which is used by plenty of shopping cart code (it's now
> emulated by the built-in hash stuff, but php configure needs the
> --with-mhash flag, and because it's emulated it can't be built as a
> module). Test thoroughly if you're thinking of moving to php5.3.
>     However, as yet various stuff that's in the php5.2.11 port isn't
> available or has changed a bit for 5.2.12. For example the Suhosin
> hardening patch isn't available for 5.2.12 yet (people taking time off
> for the holidays I'd guess ;)

People said the exact same thing about PHP 4 --> PHP 5.  "Oh crap, don't
upgrade, it'll break all kinds of stuff!"  In that case, it was the
migration to $_GET, $_POST, and $_COOKIE with register_globals being
disabled by default.  There were other changes which stomped on people
as well.

Then there was an OO change between minor versions of PHP 5 where code
that was previously allowed now started throwing "Cannot access empty
property" errors.  This was because $this->$var (where $var is a
variable defined within the class itself) should have been $this->var,
but PHP let people get away with it... until that update.

Have you taken the time to investigate the major changes in PHP 6[1]?
The major ones which are going to bite you are below.  The latter two
probably won't hurt that many, but the first two will.

- Removal of magic_quotes
- Removal of ereg(), eregi(), ereg_replace(), and ereg_replacei()
- Removal of register_long_arrays
- Removal of register_globals

Let's not forget the huge battle that ensued amongst PHP devteam folks,
as well as between devs and users, when it came to what the namespace
separator string should be.  They ultimately agreed upon "::", which is
what every other language uses, but did you know that the initial
implementation, which is what sparked the argument, was to use "\"?
Check out some of the other proposals[2], including ":)" (yes really).

PHP is a horrible language.  You're screwed no matter which way you go
with it -- if you stay with an old version you're likely susceptible to
security holes, while if you upgrade to a new version you're susceptible
to breakage because the core language was never truly engineered -- just
a bunch of monkeys banging on pots.

I say this as both someone who does web hosting and codes in PHP.  I
often wonder what the point of PHP is given Markup::Perl[3]'s existence.


Jeremy Chadwick
Parodius Networking
UNIX Systems Administrator, Mountain View, CA, USA
Making life hard for others since 1977.  PGP: 4BD6C0CB
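The three breakages discussed in this message, shown side by side as the form that stops working and the form that survives the upgrade. This is an added example and not code from the thread or from the FreeBSD port; the `Order` class, `validUsername()` and `findCustomer()` are hypothetical, the customer table is constructed in-memory data, and running it assumes the pdo_sqlite extension is present.

```php
<?php
// Added example (not from the mailing-list thread). Names below are
// hypothetical; the sample data is constructed for the demonstration.

class Order {
    public $total = 0;

    // Breaks: $total here is an undefined *local* variable, so $this->$total
    // is a variable-variable property lookup with an empty name, and PHP 5
    // aborts with "Cannot access empty property".
    public function addBroken($amount) {
        $this->$total += $amount;
    }

    // Works: the property is addressed by name.
    public function add($amount) {
        $this->total += $amount;
    }
}

// ereg()/eregi() are removed; PCRE takes a delimited pattern with the same
// anchors. preg_match() returns 1 on a match, 0 on none, false on error.
function validUsername($name) {
    // Old: return ereg('^[a-z][a-z0-9_]{2,15}$', $name);
    return preg_match('/^[a-z][a-z0-9_]{2,15}$/', $name) === 1;
}

// Code that relied on magic_quotes_gpc to escape quotes in request data
// loses that escaping once the option is removed. The portable fix is to
// stop interpolating input into the SQL text and bind it as a parameter.
function findCustomer(PDO $db, $email) {
    // Old (only "worked" with magic_quotes on):
    //   "SELECT id, name FROM customer WHERE email = '$email'"
    $stmt = $db->prepare('SELECT id, name FROM customer WHERE email = :email');
    $stmt->execute(array(':email' => $email));
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Constructed demonstration data: an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$db->exec("INSERT INTO customer (name, email) VALUES ('Ann', 'ann@example.com')");

$order = new Order();
$order->add(10);
var_dump($order->total);
var_dump(validUsername('jdc_1977'));
var_dump(findCustomer($db, 'ann@example.com'));
var_dump(findCustomer($db, "o'brien@example.com")); // quote is bound, not parsed
```

Calling `$order->addBroken(5)` instead of `add()` reproduces the "Cannot access empty property" failure the message describes.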
