PHP is a hugely popular programming language used on countless Web sites. It's basically a scripting language, which essentially means that it compiles at runtime. PHP has a lot of community support, so a ton of open-source libraries are available for many different tasks. Some of the most popular applications available today, such as WordPress, are powered by PHP.
PHP isn't without its security problems. Over the years, the developers have worked to fix the problems, but sometimes not fast enough to please everyone. Last week, PHP developer Stefan Esser resigned from the PHP Security Response Team in disgust.
In his blog, Esser wrote that "\[the reasons why I resigned\] are many, but the most important one is that I have realised that any attempt to improve the security of PHP from the inside is futile." Esser went on to say that, "The PHP Group will jump into your boat as soon you try to blame PHP's security problems on the user but the moment you criticize the security of PHP itself you become persona non grata. I stopped counting the times I was called immoral traitor for disclosing security holes in PHP or for developing Suhosin."
In closing, Esser wrote, "For the ordinary PHP user \[my resignation\] means that I will no longer hide the slow response time to \[PHP\] security holes in my advisories. It will also mean that some of my advisories will come without patches available, because the PHP Security Response Team refused to fix them for months. It will also mean that there will be a lot more advisories about security holes in PHP."
Fortunately, Esser did develop Suhosin, which is a powerful security patch for PHP. The name is a South Korean word that essentially means "guardian angel." If you use PHP and you've never looked at Suhosin, you're missing some great security enhancements. You can find a complete list of the configuration options that Suhosin introduces at the URL below. Just to give you a quick example, Suhosin lets you gain better control over crucial aspects of PHP applications, such as cookie functionality, session parameters, SQL parameters, and more. Effectively, it lets you filter a lot of stuff that might otherwise become dangerous.
Installing Suhosin requires that you recompile PHP. This is a simple task on Linux platforms but might prove more difficult on Windows, which doesn't come with a compiler. If you can get access to the required tools on Windows or you use PHP on a Linux system, installing Suhosin is definitely worth the effort.
In a nutshell, you download the PHP source code, the Suhosin patch, and the Suhosin extension source code. Then you apply the patch and compile PHP. After that, you compile the Suhosin extension. With that done, you add one line to your php.ini file to tell PHP to load the extension. That's about it. Then you can configure Suhosin to your exact needs by adding parameters to your php.ini file. However, as is mentioned on the Web site, you can probably use most of the features in the default configuration, which means your implementation effort doesn't require a lot of time reading through the explanations for dozens of possible settings.
I'm not aware of any PHP packages precompiled with Suhosin for Windows. If you know of one, send me an email message with information about where to get it and I'll share that information with the readers of this newsletter.
If you run PHP without Suhosin, your PHP-based applications are far more vulnerable than they need to be. Head over to the Suhosin site and take a look, and I think you'll agree that Suhosin is an essential addition to your PHP platform. http://www.hardened-php.net/suhosin/index.html