• PHP 5.2.4 <= dl() open_basedir_bypass&code exec&dos - input for the dl() function is not handled correctly and can lead to arbitrary code being loaded and executed
• PHP <=5.2.4 iconv_substr() denial of service - memory limit issue can be used in a DoS attack
• PHP < 5.2.4 setlocale() denial of service - memory limit issue can be used for a DoS attack

The dl() overflow is marked as a medium threat (largely because it allows for arbitrary code execution) but the other two are shown as low threat. A patch is also given for the dl() issue to help correct the problem.

Nexen recently posted a great survey on PHP usage (perhaps they beat NetCraft to the punch this time?). We've seen these trends before: PHP is on the steady rise for numbers of installations. Coupled with Apache, it is the most popular web development platform around.

My question is: does that really matter?

By "matter" I mean, "does it affect PHP's credibility in a positive way?"; and also: "does it prove anything?"

He wonders if the numbers that show on the surveys are PHP usage because people want to use it, or if it's simply that it's preinstalled in so many places these days (and has a low "barrier to entry") that it's being mistaken for popularity. He also mentions something that I think we all, as PHP developers and ambassadors, should think about:

So, rather than the community resting on its collective laurels for one more year of increased installations, I encourage us all to consider what can be done to promote PHP through education, standards, and best practices to its rightful place as much, much more than simply a popular web development language. ]]> Fri, 06 Jan 2006 07:08:53 -0600