Someday I'll look back on this post and think it's super lame, but my recent submission of two tests for PHP's putenv() function made it into PHP_5_3! I've officially made a contribution it's a red letter day, folks. Without Atlanta PHP and PHP's Testfest, none of this would have been possible.

His tests ran with putenv() and the safe_mode_allowed_env_vars/safe_mode_protected_env_vars settings in use. You can see the inclusion in this commit message (by Lars Strojny).

This release focuses on improving the stability ofthe PHP 5.2.x branch with over 120 bug fixes, several of which are security related.All users of PHP are encouraged to upgrade to this release. Further details about the PHP 5.2.6 release can be found in the release announcement for 5.2.6, the full list of changes is available in the ChangeLog for PHP 5.

Security updates include prevention of a buffer overflow in FastCGI mode, an integer overflow in printf, correction for a safe_mode bypass method in cURL and the bundling of PCRE 7.6 to update the regular expression functionality of the language.

You can grab this latest release from the downloads page on PHP.net (or your favorite mirror) - both the source and the Windows binaries.

The challenge is to secure the box not just from outside attack (something you have to do anyway, and which I'll cover later in this series), but also to make sure that code running on one website can't steal confidential data like MySQL passwords from any of the other websites.

It's not just a problem that PHP has, but it does, thankfully, have several settings and things that you can do to help. Among those on the list are things like: safe_mode, open_basedir and how PHP 6 will effect both of these. He's included settings for both of them to get you started.

The exploit has been published as a PHP file for easy testing on your Windows/PHP installation (it was tested on WinXP Pro SP2 on both the CLI and Apache). No additional modules are needed for this exploit - only the COM functions and a Windows system.

The issue comes from an overflow in the str_repeat function allowing for the execution of whatever applications the developer wants on the remote Windows machine (including the ability to create and remove files and directories). There is no path for this issue currently (should be corrected in the next minor PHP release).

Zip-1.8.7 fixes two problems related to open_basedir and safe mode. One was discovered by Stefan Esser (#20 in his mopb) and affects the zip:// stream wrapper. The other is in the open method of the ZipArchive class. I I forgot these two places while applying the php6+ changes and cleaning the code base. I recommend to upgrade as soon as possible.

He notes that, thanks to information from Stefan Esser, this issue was fixed the same day it was posted (the zip:// flaw he mentioned). You can get more information on this package from its PECL homepage or just grab the latest update here.

The first post makes a point about bug reports and testing before sending. He recieved a report that the PEAR installer (go-pear) was broken when safemode is on. Fortunately, it turned out to be a lack of knowledge on the user's part and just being a matter of permissions.

Post number two talks about the newly released version of the PEAR installer, including a new version of the Web frontend (0.5.1). The new installer version corrects a bug where the server will have to request channel servers for every command over and over again - all due to the lack of a cache directory.

You can grab this latest update for the installer here and for the web frontend here