
Thinking about the FUD surrounding the PHPbb exploit

I have been reading about PHP in the press and a comment from Jan Schneider.

I think the reason people are assuming that the phpBB exploit would affect projects like Horde is that they do not understand that the phpBB exploit was due to insecure programming. The Horde project was not vulnerable to the same vulnerability that phpBB was. We've always been reminded that we should never trust user data without validating it. I call this "scrubbing the data".

I just wanted to pass along my concern about the beating that PHP is taking all over the press. Actually not just a beating, it's really being shit on, frankly. I've been looking around at all my usual large PHP sites, and not one word about the bad press, not even on phpBB. I'm amazed. I can only conclude that PHP people might be saying something like, "we put the patches out months ago and if people don't install them, then too bad, and we'll just wait 'til this blows over".

Why would we want to write press releases stating that, because phpBB included PHP in their project name, it brings bad karma to the PHP project? The License FAQ on the PHP.net website already states:

Q. I've written a project in PHP that I'm going to release as open source, and I'd like to call it PHPTransmogrifier. Is that OK?

A. We cannot really stop you from using PHP in the name of your project unless you include any code from the PHP distribution, in which case you would be violating the license. But we would really prefer if people would come up with their own names independent of the PHP name.

Why you ask? You are only trying to contribute to the PHP community. That may be true, but by using the PHP name you are explicitly linking your efforts to those of the entire PHP development community and the years of work that has gone into the PHP project. Every time a flaw is found in one of the thousands of applications out there that call themselves "PHP-Something" the negative karma that generates reflects unfairly on the entire PHP project. We had nothing to do with PHP-Nuke, for example, and every bugtraq posting on that says "PHP" in it. Your particular project may in fact be the greatest thing ever, but we have to be consistent in how we handle these requests and we honestly have no way of knowing whether your project is actually the greatest thing ever.

So, please, pick a name that stands on its own merits. If your stuff is good, it will not take long to establish a reputation for yourselves. Look at Zope, for example, that is a framework for Python that doesn't have Python in the name. Smarty as well doesn't have PHP in the name and does quite well.

I use Smarty for web-based applications which I've worked on in the past and IMHO I've found it to be the easiest template engine to work with.

For example, I started developing an application framework a few months back and wondered what to name it. I thought about it for a while and asked a few friends what they thought of a couple of names I came up with. I decided that I did not want to use PHP in the application name because of the karma issue. Eventually I called it the Tshukudu Application Framework; "tshukudu" means rhino in Sotho, one of the official languages of South Africa.

The Horde Project is another example of a project that does not use PHP in its highly successful project's name.

That's fine, except then there's no response to all the disinformation out there. The non-tech-savvy sites are making it sound as though all PHP is susceptible to these attacks. I read enough to check on my version of PHP and what commands to look for in scripts, so I think I'm OK. I write scripts, and even I'm not completely sure.

Derick Rethans, another member of the PHP project, wrote an entry on his blog about the phpBB worm FUD which explains that the phpBB exploit used by the Santy.A worm does not utilise any of the security issues addressed by the latest PHP bugfix release. It was due to a badly checked input variable which was passed to preg with the /e modifier. PHP itself is also vulnerable to other issues, which are addressed by the PHP bugfix releases. They are incorrect in passing the blame to the PHP group and saying that it is not their fault. Trusting data from users without validating it is the problem. Badly written PHP code can be exploitable in certain cases.
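The point above is that the flaw was in how user input reached preg, not in PHP. As an added example (my code, not phpBB's or the PHP project's), here is the kind of transformation forum software does on user text, written without the /e modifier: with /e the replacement string was evaluated as PHP code, so any user text that reached it ran as code, whereas preg_replace_callback keeps the replacement as a real function and the user's text as data. The search-term highlighting is a constructed scenario, and the sample body and terms are made up.

```php
<?php
// Added example, not code from the original post, phpBB or PHP itself.
// Highlights user-supplied search terms in a post body. Two defensive
// points: preg_quote() so the user controls only what is searched for,
// never the pattern syntax or its modifiers, and preg_replace_callback()
// instead of preg_replace() with /e, so nothing is ever eval'd.

/**
 * Return $body as escaped HTML with every term in $terms wrapped in
 * <strong>. Both arguments are treated as untrusted data.
 */
function highlight_terms($body, array $terms)
{
    // Escape output first; the highlight markup is added afterwards,
    // so a post containing "<script>" stays inert.
    $safe = htmlspecialchars($body, ENT_QUOTES, 'UTF-8');

    // Build one alternation of literal terms. preg_quote() neutralises
    // regex metacharacters, so ".*+?()" is matched literally, not as a
    // pattern, and a term can never smuggle in a closing delimiter.
    $quoted = array();
    foreach ($terms as $term) {
        $term = trim((string) $term);
        if ($term !== '') {
            $quoted[] = preg_quote($term, '/');
        }
    }
    if (empty($quoted)) {
        return $safe;
    }
    $pattern = '/' . implode('|', $quoted) . '/iu';

    // The replacement is a function receiving the match as a string
    // argument. There is no replacement string to evaluate, which is
    // exactly what the removed /e modifier used to do.
    return preg_replace_callback(
        $pattern,
        function ($m) {
            return '<strong>' . $m[0] . '</strong>';
        },
        $safe
    );
}

// Constructed sample input: a post body with markup in it and two
// "search terms", the second of which is regex junk.
$body  = "Validate input before you trust it <script>";
$terms = array('input', '.*+?()');

echo highlight_terms($body, $terms), "\n";
```

A single alternation is used rather than one preg_replace_callback per term so that a later term cannot match inside the `<strong>` tags inserted for an earlier one.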

I remember when there was an exploit for earlier releases of phpBB which would allow non-admin users to become admin users on your phpBB installation. That was when I started looking around for another forum package, one written with security in mind, and when I started using FUDforum.

Many users have not taken the time to learn how to code with security in mind. Turning register_globals off is a good start: it reduces the likelihood of someone injecting arbitrary data into your script which your script then uses. When register_globals is on it could even be possible to compromise settings in $_SESSION[] when the client requests a page from your site. For example, if a client requests http://www.example.org/?_SESSION['auth']=1 while register_globals is on, it would set $_SESSION['auth'] to 1. The PHP Manual page on register_globals explains this sort of attack in more detail.
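To make the register_globals point concrete, here is an added example (mine, not from the post or the PHP manual) showing the classic fragile pattern beside a version that is safe whether the setting is on or off. The credential check and the request arrays are constructed stand-ins; the setting itself is controlled in php.ini ("register_globals = Off"), and PHP 5.4 removed it altogether.

```php
<?php
// Added example, not code from the original post. Shows why code that
// leaves a variable unset until "success" depends on register_globals
// being off, and how to write it so the request cannot pre-seed it.

// Constructed stand-in for a real credential check. The request data is
// passed in explicitly rather than read from globals inside the function.
function user_is_authenticated(array $request)
{
    return isset($request['user'], $request['pass'])
        && $request['user'] === 'alice'
        && $request['pass'] === 'correct horse';   // constructed sample
}

// FRAGILE: $authorized is only ever assigned on success. With
// register_globals on, a request such as ?authorized=1 would have created
// $authorized = "1" before this code ran, so the if() would pass without
// a password. With the setting off it "works", but only by accident
// (and PHP reports an undefined variable on the failure path).
function page_fragile(array $request)
{
    if (user_is_authenticated($request)) {
        $authorized = true;
    }
    if ($authorized) {
        return 'secret page';
    }
    return 'login form';
}

// HARDENED: every variable that influences a decision is initialised by
// the script itself, so nothing in the request can pre-seed it, and the
// request is only ever read through the explicit $request array.
function page_hardened(array $request)
{
    $authorized = false;               // always initialised locally
    if (user_is_authenticated($request)) {
        $authorized = true;
    }
    return $authorized ? 'secret page' : 'login form';
}

// Constructed sample requests.
$anonymous = array('authorized' => '1');           // tries to pre-seed
$alice     = array('user' => 'alice', 'pass' => 'correct horse');

echo page_hardened($anonymous), "\n";   // login form
echo page_hardened($alice), "\n";       // secret page
```

The same discipline covers the $_SESSION example in the post: start the session with session_start() and write into $_SESSION only from your own code, never by copying request data into it.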

FUDforum was developed by Ilia, one of the developers of the PHP language, and was written with security in mind.

There are articles written to help users improve the way they write PHP code.

For example:

<?php
/**
* Bad code ahead!
*/

include ($_GET['page']);
?>

The above code snippet allows people to pass unchecked data to the script to include an arbitrary file. A better way of doing it would be:

<?php
// Only the file names listed here may be included.
$pages = array(
    'aboutus.php',
    'contactus.php',
    'nav.php'
);

// Check that the parameter is present and, with strict comparison,
// that it is exactly one of the listed strings.
if (isset($_GET['page']) && in_array($_GET['page'], $pages, true)) {
    include ($_GET['page']);
} else {
    die ("Fiddling.");
}
?>

I prefer not to do inclusions like the above, where the file to include comes from the request. I find index.php?page=nav.php (a) looks ugly and (b) it's fine to have each file be separate, like nav.php, which you would call directly.
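If you do want a single front controller, the ugliness can be removed without giving up the allow-list. As an added example (mine, not the post's code), the list becomes a lookup table keyed by a short name, so the URL carries "about" rather than a file name and the path that is included never comes from the request at all. The pages/ directory and file names are assumptions for illustration.

```php
<?php
// Added example, not code from the original post. The request supplies
// only a key into this table; the file name always comes from the table.
$pages = array(
    'home'    => 'home.php',        // assumed file names
    'about'   => 'aboutus.php',
    'contact' => 'contactus.php',
);

/**
 * Map an untrusted page key to a file path, or return null if the key
 * is not allowed. $key is used solely as an array index, never as a path.
 */
function resolve_page(array $pages, $key, $default = 'home')
{
    if ($key === null || $key === '') {
        $key = $default;
    }
    // Reject non-strings (e.g. ?page[]=x turns the parameter into an
    // array) and anything not present in the table. array_key_exists()
    // avoids the loose comparisons that in_array() does by default.
    if (!is_string($key) || !array_key_exists($key, $pages)) {
        return null;
    }
    return __DIR__ . '/pages/' . $pages[$key];   // assumed layout
}

$file = resolve_page($pages, isset($_GET['page']) ? $_GET['page'] : null);
if ($file === null) {
    header('HTTP/1.0 404 Not Found');
    die('No such page.');
}
include $file;
```

Because the included path is built from a string literal plus a table value, a request for index.php?page=about includes exactly aboutus.php and nothing else, and a request for an unknown key gets a 404 rather than a notice and a blank page.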

Recommended Reading