
We are continuing to work through the repercussions of the php.net malware issue described in a news post earlier today. As part of this, the php.net systems team have audited every server operated by php.net, and have found that two servers were compromised: the server which hosted the www.php.net, static.php.net and git.php.net domains, and was previously suspected based on the JavaScript malware, and the server hosting bugs.php.net.

The method by which these servers were compromised is unknown at this time. All affected services have been migrated off those servers. We have verified that our Git repository was not compromised, and it remains in read-only mode as services are brought back up in full. As it is possible that the attackers may have accessed the private key of the php.net SSL certificate, we have revoked it immediately. To summarise, the situation right now is that: Over the next few days, we will be taking further action: php.net users will have their passwords reset.

News Archive - 2012

03-May-2012 There is a vulnerability in certain CGI-based setups (Apache+mod_php and nginx+php-fpm are not affected) that has gone unnoticed for at least 8 years.

Section 7 of the CGI spec states: Some systems support a method for supplying a [sic] array of strings to the CGI script. This is only used in the case of an `indexed' query. This is identified by a "GET" or "HEAD" HTTP request with a URL search string not containing any unencoded "=" characters. So, requests that do not have a "=" in the query string are treated differently from those that do in some CGI implementations.

A large number of sites run PHP as either an Apache module through mod_php or using php-fpm under nginx. If you are using Apache mod_cgi to run PHP you may be vulnerable. To fix this, update to PHP 5.3.12 or PHP 5.4.2. We recognize that since CGI is a rather outdated way to run PHP, it may not be feasible to upgrade these sites to a modern version of PHP.

PHP is much better than what you think. Rants about PHP are everywhere, and they even come from smart guys. When Jeff Atwood wrote yet another rant about PHP, it made me think about the good parts of PHP.
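Returning to the CGI advisory above: the following is an added example, not code from php.net or the advisory, showing how the Section 7 "indexed query" rule classifies requests and how a defender can scan web-server logs for requests that a CGI implementation would hand to the script as command-line arguments. It goes slightly beyond the advisory by also flagging arguments that begin with "-", since a CGI binary parses those as its own options rather than as data. The log lines are constructed samples in Apache "combined" format.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not real traffic) in Apache "combined" format.
SAMPLE_LOG = """\
10.0.0.5 - - [03/May/2012:10:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.6 - - [03/May/2012:10:00:02 +0000] "GET /index.php?search+term HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [03/May/2012:10:00:03 +0000] "GET /index.php?-%61 HTTP/1.1" 200 512 "-" "curl/7.2"
10.0.0.8 - - [03/May/2012:10:00:04 +0000] "POST /index.php?-x HTTP/1.1" 200 12 "-" "curl/7.2"
"""

# Pulls method, path and raw (still percent-encoded) query string out of the request line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>[^ ?"]+)(?:\?(?P<query>[^ "]*))? HTTP/')

def is_indexed_query(method, query):
    """CGI spec section 7: a GET or HEAD request whose non-empty search string
    contains no unencoded '=' is an 'indexed' query. Some CGI implementations
    pass such a query to the script as command-line arguments."""
    return method in ("GET", "HEAD") and bool(query) and "=" not in query

def indexed_query_argv(query):
    """Argument vector such an implementation would build: '+' separates the
    words, and each word is percent-decoded afterwards."""
    return [unquote(word) for word in query.split("+") if word]

def scan_log(text):
    """Return (line_no, argv, option_like) for every indexed-query request.
    option_like is True when any argument starts with '-', i.e. it would be
    parsed as an option by a CGI binary rather than treated as data."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = LOG_RE.search(line)
        if not match:
            continue
        method, query = match.group("method"), match.group("query") or ""
        if is_indexed_query(method, query):
            argv = indexed_query_argv(query)
            hits.append((line_no, argv, any(a.startswith("-") for a in argv)))
    return hits

if __name__ == "__main__":
    for line_no, argv, option_like in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: argv={argv} option_like={option_like}")
```

Requests with a "=" anywhere in the query string (line 1) and non-GET/HEAD requests (line 4) are not indexed queries and are not reported; the percent-encoded leading "-" on line 3 is only visible after decoding, which is why the scan decodes each argument before checking it.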

The biggest problem with these rants is that they come from people stuck in the old days of PHP. They either don't care or they don't want to admit that PHP actually evolves at a very fast pace, both at the language level and at the community level. In fact, it evolves much faster than any other language or web platform. That has not always been the case, but the last 5 years have been an amazing journey for PHP. Before talking about the amazing things the PHP community has achieved recently, let's have a look at some interesting numbers: PHP is used by 77.9% of all the websites whose server-side programming language is known.

PHP must have done something right, no?

PHP, the Language

PHP 5.0 (released in 2004) brought us a very solid object model... wait a minute, I'm talking about something released almost 8 years ago.