PHP 4, 5, or neither? - BSD

This is a discussion on PHP 4, 5, or neither? - BSD ; I need to install PHP on my system for a web app. The web app can work with either PHP4 or PHP5. My impression is that PHP has a reputation for weak security. Which of PHP4 / PHP5 is more ...

+ Reply to Thread
Results 1 to 8 of 8

Thread: PHP 4, 5, or neither?

  1. PHP 4, 5, or neither?

    I need to install PHP on my system for a web app.
    The web app can work with either PHP4 or PHP5.
    My impression is that PHP has a reputation for weak security.
    Which of PHP4 / PHP5 is more secure? Or are both bad news?

    Thanks,
    Dave Feustel

  2. Re: PHP 4, 5, or neither?

    dave wrote:
    > I need to install PHP on my system for a web app.
    > The web app can work with either PHP4 or PHP5.
    > My impression is that PHP has a reputation for weak security.
    > Which of PHP4 / PHP5 is more secure? Or are both bad news?


    Both are probably bad news, but the 5.x series is more regularly updated
    in OpenBSD, and also includes some patches that should enhance security
    (hardened-php in 4.0's -hardened flavour, suhosin in -current, IIRC).

    Joachim

  3. Re: PHP 4, 5, or neither?

    Joachim Schipper wrote:
    > dave wrote:
    >> I need to install PHP on my system for a web app.
    >> The web app can work with either PHP4 or PHP5.
    >> My impression is that PHP has a reputation for weak security.
    >> Which of PHP4 / PHP5 is more secure? Or are both bad news?

    >
    > Both are probably bad news, but the 5.x series is more regularly updated
    > in OpenBSD, and also includes some patches that should enhance security
    > (hardened-php in 4.0's -hardened flavour, suhosin in -current, IIRC).
    >
    > Joachim


    Thanks for the info. The web app that I'm interested in is Zoneminder, a
    comprehensive video security application. Zoneminder uses both mysql and
    php, either 4 or 5. I am not eager to install php. I am considering the
    alternative of building my own much simpler video security application
    using videod, fwtv and scripting tools.

  4. Re: PHP 4, 5, or neither?

    On Mon, 19 Feb 2007 07:25:20 -0600, dave wrote:

    > Thanks for the info. The web app that I'm interested in is Zoneminder, a
    > comprehensive video security application. Zoneminder uses both mysql and
    > php, either 4 or 5. I am not eager to install php. I am considering the
    > alternative of building my own much simpler video security application
    > using videod, fwtv and scripting tools.


    If php is used only for the application's management interface, you can
    reduce your risk by NOT allowing that management interface to be accessed
    from the internet.

    --
    Replying directly will get you locally blacklisted.
    Change the address; use my first name in front of the @ if you want to
    communicate privately.


  5. Re: PHP 4, 5, or neither?

    dave wrote:
    > Joachim Schipper wrote:
    >> dave wrote:
    >>> I need to install PHP on my system for a web app.
    >>> The web app can work with either PHP4 or PHP5.
    >>> My impression is that PHP has a reputation for weak security.
    >>> Which of PHP4 / PHP5 is more secure? Or are both bad news?

    >> Both are probably bad news, but the 5.x series is more regularly updated
    >> in OpenBSD, and also includes some patches that should enhance security
    >> (hardened-php in 4.0's -hardened flavour, suhosin in -current, IIRC).
    >>

    > Thanks for the info. The web app that I'm interested in is Zoneminder, a
    > comprehensive video security application. Zoneminder uses both mysql and
    > php, either 4 or 5. I am not eager to install php. I am considering the
    > alternative of building my own much simpler video security application
    > using videod, fwtv and scripting tools.


    This is a serious question: how do you know your home-made solution
    would not have holes of its own? The Intertubes are littered with the
    dead bodies of home-grown projects that were considered safe before
    falling apart. Security is hard to get right.

    There are hardened PHP5 packages that go through some source-level
    auditing, and include all known security issues of merit. These also
    get updated as the package maintainer folds solutions to newly
    discovered security problems into the package.

    As suggested else-thread, you must assess, first, what your threat
    profile is. How available is this service, and to whom?

  6. Re: PHP 4, 5, or neither?

    Clever Monkey wrote:
    > dave wrote:
    >> Joachim Schipper wrote:
    >>> dave wrote:
    >>>> I need to install PHP on my system for a web app.
    >>>> The web app can work with either PHP4 or PHP5.
    >>>> My impression is that PHP has a reputation for weak security.
    >>>> Which of PHP4 / PHP5 is more secure? Or are both bad news?
    >>> Both are probably bad news, but the 5.x series is more regularly updated
    >>> in OpenBSD, and also includes some patches that should enhance security
    >>> (hardened-php in 4.0's -hardened flavour, suhosin in -current, IIRC).
    >>>

    >> Thanks for the info. The web app that I'm interested in is Zoneminder, a
    >> comprehensive video security application. Zoneminder uses both mysql and
    >> php, either 4 or 5. I am not eager to install php. I am considering the
    >> alternative of building my own much simpler video security application
    >> using videod, fwtv and scripting tools.

    >
    > This is a serious question: how do you know your home-made solution
    > would not have holes of its own? The Intertubes are littered with the
    > dead bodies of home-grown projects that were considered safe before
    > falling apart. Security is hard to get right.
    >
    > There are hardened PHP5 packages that go through some source-level
    > auditing, and include all known security issues of merit. These also
    > get updated as the package maintainer folds solutions to newly
    > discovered security problems into the package.
    >
    > As suggested else-thread, you must assess, first, what your threat
    > profile is. How available is this service, and to whom?


    It's available to me when I activate it.

  7. Re: PHP 4, 5, or neither?

    dave wrote:
    > Clever Monkey wrote:
    >> dave wrote:
    >>> Joachim Schipper wrote:
    >>>> dave wrote:
    >>>>> I need to install PHP on my system for a web app.
    >>>>> The web app can work with either PHP4 or PHP5.
    >>>>> My impression is that PHP has a reputation for weak security.
    >>>>> Which of PHP4 / PHP5 is more secure? Or are both bad news?
    >>>> Both are probably bad news, but the 5.x series is more regularly updated
    >>>> in OpenBSD, and also includes some patches that should enhance security
    >>>> (hardened-php in 4.0's -hardened flavour, suhosin in -current, IIRC).
    >>>>
    >>> Thanks for the info. The web app that I'm interested in is Zoneminder, a
    >>> comprehensive video security application. Zoneminder uses both mysql and
    >>> php, either 4 or 5. I am not eager to install php. I am considering the
    >>> alternative of building my own much simpler video security application
    >>> using videod, fwtv and scripting tools.

    >> This is a serious question: how do you know your home-made solution
    >> would not have holes of its own? The Intertubes are littered with the
    >> dead bodies of home-grown projects that were considered safe before
    >> falling apart. Security is hard to get right.
    >>
    >> There are hardened PHP5 packages that go through some source-level
    >> auditing, and include all known security issues of merit. These also
    >> get updated as the package maintainer folds solutions to newly
    >> discovered security problems into the package.
    >>
    >> As suggested else-thread, you must assess, first, what your threat
    >> profile is. How available is this service, and to whom?

    >
    > It's available to me when I activate it.


    Is this who you want it available to, or is it also available to others?

    If this service is on your net but is accessible by the internet at
    large, then you have made that service "available" to everyone here.

    If this is a web service, then you have to consider what other
    user-agents, and from where, might have access to the service. This is
    the first level of the threat consideration.

    i.e., Who has access?

    Then you have to determine the vectors of attack those connections can
    leverage to subvert your service.

    i.e., What can these people do with this access.

    The answers to this last question can be many and complicated. Start by
    answering the first one _properly_ first to determine the scope of the
    second question.

  8. Re: PHP 4, 5, or neither?

    Clever Monkey wrote:
    > dave wrote:
    >> Clever Monkey wrote:
    >>> dave wrote:
    >>>> Joachim Schipper wrote:
    >>>>> dave wrote:
    >>>> The web app that I'm interested in is Zoneminder, a comprehensive
    >>>> video security application. Zoneminder uses both mysql and php,
    >>>> either 4 or 5. I am not eager to install php. I am considering the
    >>>> alternative of building my own much simpler video security
    >>>> application using videod, fwtv and scripting tools.
    >>> This is a serious question: how do you know your home-made solution
    >>> would not have holes of its own? The Intertubes are littered with the
    >>> dead bodies of home-grown projects that were considered safe before
    >>> falling apart. Security is hard to get right.
    >>>
    >>> There are hardened PHP5 packages that go through some source-level
    >>> auditing, and include all known security issues of merit. These also
    >>> get updated as the package maintainer folds solutions to newly
    >>> discovered security problems into the package.
    >>>
    >>> As suggested else-thread, you must assess, first, what your threat
    >>> profile is. How available is this service, and to whom?

    >>
    >> It's available to me when I activate it.

    >
    > Is this who you want it available to, or is it also available to others?
    >
    > If this service is on your net but is accessible by the internet at
    > large, then you have made that service "available" to everyone here.
    >
    > If this is a web service, then you have to consider what other
    > user-agents, and from where, might have access to the service. This is
    > the first level of the threat consideration.
    >
    > i.e., Who has access?
    >
    > Then you have to determine the vectors of attack those connections can
    > leverage to subvert your service.
    >
    > i.e., What can these people do with this access.
    >
    > The answers to this last question can be many and complicated. Start by
    > answering the first one _properly_ first to determine the scope of the
    > second question.


    Just as a suggestion: enable proper, IP-level (pf) security, and don't
    use the webserver on the box for anything else (for added paranoia,
    don't use any part of the box for anything else, and don't connect it to
    any network - this is highly dependent on just how hard it is to get
    at all your camera data, and how much you'd care if someone did).

    This way, PHP's usual security issues and any bugs in the application
    won't matter all that much. Of course, it will be somewhat inconvenient.

    Joachim

+ Reply to Thread