PHP.net:
PHP 5.2.16 Released (End of Support for 5.2.x Series)
Dec 16, 2010 @ 08:52:25

The latest (and final) version in the PHP 5.2.x series has been released today: PHP 5.2.16, which marks the end of support for the 5.2.x series.

This release focuses on addressing a regression in open_basedir implementation introduced in 5.2.15 in addition to fixing a crash inside PDO::pgsql on data retrieval when the server is down. All users who have upgraded to 5.2.15 and are utilizing open_basedir are strongly encouraged to upgrade to 5.2.16 or 5.3.4.

They also link to the PHP 5.3 migration guide to help make the upgrade to the world of PHP 5.3 simpler. If you want the full list of changes in this release, check out the Changelog.

tagged: release endofsupport openbasedir changelog

Web Development Blog:
Curl: Location redirect while open_basedir is set
Feb 04, 2009 @ 12:06:09

Recently on the Web Development Blog, Olaf showed how to do a Location redirect with cURL while open_basedir is set.

If you need to follow redirects within your PHP code using cURL and open_basedir is set, you run into some trouble. If you disable this directive, all your directories with 777 permissions are not safe (if one or more websites on the same server have some security issues). If you don't have additional protections you should NEVER disable the open_basedir directive (at least if you're using 3rd party applications).

He writes up a simple cURL-based link checker to see which of the URLs in question would throw an error. He then modifies it so that it checks the HTTP response code from the server; if it's a 200, 301 or 302, you know the URL is reachable and shell_exec can be called to execute the file from that location.

tagged: curl location redirect shellexec openbasedir tutorial

Stuart Herbert's Blog:
PHP's Built-In Solutions For Shared Hosting
Nov 27, 2007 @ 10:25:00

Following up on a previous article, Stuart Herbert has posted some of the things that PHP can do to help solve the previously mentioned shared hosting problems.

The challenge is to secure the box not just from outside attack (something you have to do anyway, and which I’ll cover later in this series), but also to make sure that code running on one website can’t steal confidential data like MySQL passwords from any of the other websites.

It's not a problem unique to PHP, but PHP does, thankfully, have several settings and techniques that can help. Among those on the list are safe_mode, open_basedir and how PHP 6 will affect both of these. He's included settings for both of them to get you started.

tagged: shared hosting solution safemode openbasedir

Secunia.com:
PHP Integer Overflow Vulnerability and Security Bypass
Jun 01, 2007 @ 11:33:00

Secunia has released an advisory for PHP today related to an integer overflow that could allow an application's security restrictions to be bypassed.

A weakness and a vulnerability have been reported in PHP 5, where the vulnerability has unknown impact and the weakness can be exploited by malicious, local users to bypass certain security restrictions.

The problem stems from flaws in the chunk_split and realpath functions that can lead to a bypass of the open_basedir restriction on a server.

The issue is marked as "moderately critical" and it is suggested that users update to PHP 5.2.3 to correct the issue.

tagged: integer overflow vulnerability security bypass openbasedir

Pierre-Alain Joye's Blog:
Zip 1.8.7, safemode and open_basedir fixes
Mar 20, 2007 @ 09:56:00

Pierre-Alain Joye has posted about the release of the latest version of his Zip PECL extension - version 1.8.7 - including what it fixes.

Zip-1.8.7 fixes two problems related to open_basedir and safe mode. One was discovered by Stefan Esser (#20 in his mopb) and affects the zip:// stream wrapper. The other is in the open method of the ZipArchive class. I forgot these two places while applying the php6+ changes and cleaning the code base. I recommend upgrading as soon as possible.

He notes that, thanks to information from Stefan Esser, the zip:// flaw he mentioned was fixed the same day it was posted. You can get more information on this package from its PECL homepage or just grab the latest update here.

tagged: zip pecl extension safemode openbasedir fix release

PHP Security Blog:
Open_basedir confusion
Feb 15, 2007 @ 07:42:00

Stefan Esser is trying to clear up some confusion in a new post to the PHP Security Blog today about his stand on enabling open_basedir on your PHP installation.

From time to time I get the question why I recommend enabling open_basedir and on the other hand call it a solution flawed by design. This is actually a good question, because the untrained PHP user might get a little bit confused about this and might believe that I change my opinion on a daily basis.

He talks about his reasoning - how it does its job of stopping PHP scripts from reaching files they shouldn't, but how it's also flawed because some 3rd party libraries have their own problems.

tagged: openbasedir confusion useful flawed thirdparty library
