Joomla extensions have moved!

Galaxiis (formerly www.waltercedric.com) creates industry-leading premium Joomla extensions and has been the longest-running Joomla extensions provider since 2005.

Powerful Joomla extensions. - Excellent documentation. - Amazing support.

Visit now www.galaxiis.com

If you are considering PHP on a new server, use nothing other than PHP 5.2.3. It may be a pain to rewrite or patch foreign code, but PHP 5.2 is more secure and 100% faster than PHP 4; moreover, PHP 4 will soon be dead.

PHP 4 end of life announcement
"Today it is exactly three years ago since PHP 5 has been released. In those three years it has seen many improvements over PHP 4. PHP 5 is fast, stable & production-ready and as PHP 6 is on the way, PHP 4 will be discontinued.
The PHP development team hereby announces that support for PHP 4 will continue until the end of this year only. After 2007-12-31 there will be no more releases of PHP 4.4. We will continue to make critical security fixes available on a case-by-case basis until 2008-08-08. Please use the rest of this year to make your application suitable to run on PHP 5. For documentation on migration for PHP 4 to PHP 5, we would like to point you to our migration guide. There is additional information available in the PHP 5.0 to PHP 5.1 and PHP 5.1 to PHP 5.2 migration guides as well."
from http://www.php.net/

If you cannot use the latest version, consider applying the PHP hardening patches from http://www.hardened-php.net/hphp/how_to_install_or_upgrade.html and compiling PHP yourself (these patches are no longer needed in PHP 5.2, since they are part of the main source tree). A lot of people already do that, even though it is not easy.

PHP applications should not execute OS code: disable certain PHP functions (system, exec, shell_exec, phpinfo)
Malicious commands can be executed through PHP shell functions. If some programs still require these functions, consider:
  • Looking for another application that works without these functions.
  • Patching the code.
  • Asking the authors to remove them, or to find a workaround.
A lot of people do not configure PHP correctly...

In fact, not so many people configure their PHP runtime correctly, as shown in this study of 11 000 hosts based on phpinfo(). How can an attacker find this kind of vital information? Quite easily, thanks to any search engine.
For example, in Google (the engine I know best), by typing allinurl: phpinfo.php I get 39200 hosts that are revealing these vital settings.

Conclusions from PHP configuration statistics
[..]
Configuration values hold surprises, or not. After reading those values, we may even wonder whether some functionalities did require a directive or not...
As usual, default values from the distribution are the most commonly used values: it shows how much trust PHP programmers have in the PHP group. Or, it may also show that too few people read the php.ini file and understand it.
[..]
Rules:
  1. Always use the latest patch-level version.
  2. Open and set up ALL php.ini files on disk (find / -name php.ini). This is especially true if you run more than one PHP version (PHP 4/PHP 5 as a module or as FastCGI).
  3. It is recommended to run PHP as FastCGI.
  4. Recommended settings for a secure PHP are:
    register_globals = 0
    safe_mode = 1
    ; a well-written PHP application should not rely on these functions to operate
    disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
    allow_url_fopen = 0
    magic_quotes_gpc = 1
    open_basedir = /www/httprootdir
more to come here soon
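The two points above (disable the shell functions, and open every php.ini on disk and set the recommended values) can be turned into a repeatable check. The script below is an added example, not code from the original post: it locates every php.ini under a root directory (the PHP_INI_ROOT variable is an assumption of this example; set it to / to audit a real server, as in the find command of rule 2) and reports each directive that deviates from the settings listed in rule 4, including every function missing from disable_functions. The two php.ini files it creates are constructed samples so that it runs offline: one with distribution-style defaults, one with the post's recommended values.

```shell
#!/bin/sh
# Added example (not from the original post): audit php.ini files against
# the recommended settings above. PHP_INI_ROOT is an assumption of this
# example; it defaults to a temp dir holding two constructed sample files.

# Print the effective value of DIRECTIVE in FILE ("<unset>" if absent).
# php.ini directive names are case-insensitive, ';' starts a comment, and the
# last assignment wins; surrounding double quotes are stripped from the value.
ini_get() {  # ini_get FILE DIRECTIVE
    awk -v key="$2" '
        { sub(/;.*/, "") }
        /^[ \t]*[A-Za-z_.]+[ \t]*=/ {
            eq = index($0, "=")
            k = substr($0, 1, eq - 1); gsub(/[ \t]/, "", k)
            v = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub(/^"|"$/, "", v)
            if (tolower(k) == tolower(key)) { val = v; seen = 1 }
        }
        END { print (seen ? val : "<unset>") }
    ' "$1"
}

# Normalise php.ini booleans: On/Yes/True/1 -> 1, anything else -> 0.
ini_bool() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        1|on|yes|true) echo 1 ;;
        *) echo 0 ;;
    esac
}

# Print one line per deviation from the recommended settings in FILE.
# A directive that is not set at all is reported too: rule 2 says every
# php.ini must be opened and set up explicitly, so we do not rely on defaults.
audit_php_ini() {  # audit_php_ini FILE
    f="$1"
    for pair in register_globals=0 safe_mode=1 allow_url_fopen=0 magic_quotes_gpc=1; do
        key=${pair%=*}; want=${pair#*=}
        have=$(ini_get "$f" "$key")
        if [ "$have" = "<unset>" ] || [ "$(ini_bool "$have")" != "$want" ]; then
            echo "$f: $key = $have (recommended $want)"
        fi
    done
    # every function in the recommended disable_functions list must be present
    disabled=$(ini_get "$f" disable_functions | tr -d ' ')
    for fn in show_source system shell_exec passthru exec phpinfo popen proc_open; do
        case ",$disabled," in
            *",$fn,"*) ;;
            *) echo "$f: $fn is not in disable_functions" ;;
        esac
    done
    base=$(ini_get "$f" open_basedir)
    if [ "$base" = "<unset>" ] || [ -z "$base" ]; then
        echo "$f: open_basedir is not set"
    fi
}

# Number of findings for one file (0 means it matches the recommendations).
finding_count() {  # finding_count FILE
    audit_php_ini "$1" | wc -l | tr -d ' '
}

# Total findings over every *php.ini below ROOT (paths with spaces not handled).
audit_all() {  # audit_all ROOT
    total=0
    for ini in $(find "$1" -name '*php.ini' 2>/dev/null | sort); do
        total=$((total + $(finding_count "$ini")))
    done
    echo "$total"
}

# Constructed sample files: distribution-style defaults vs. the recommended values.
tmp=$(mktemp -d)
cat > "$tmp/weak-php.ini" <<'EOF'
; constructed sample: defaults left in place
register_globals = On
safe_mode = Off
disable_functions =
allow_url_fopen = On
magic_quotes_gpc = Off
EOF
cat > "$tmp/hardened-php.ini" <<'EOF'
; constructed sample: the recommended settings from the post
register_globals = 0
safe_mode = 1
; a well-written PHP application should not rely on these functions to operate
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
allow_url_fopen = 0
magic_quotes_gpc = 1
open_basedir = /www/httprootdir
EOF

PHP_INI_ROOT=${PHP_INI_ROOT:-$tmp}   # assumption: set to / for a real audit
for ini in $(find "$PHP_INI_ROOT" -name '*php.ini' 2>/dev/null | sort); do
    audit_php_ini "$ini"
done
echo "total findings under $PHP_INI_ROOT: $(audit_all "$PHP_INI_ROOT")"
```

Run it as is to see the weak sample produce thirteen findings and the hardened one none, then run it with PHP_INI_ROOT=/ on a server. Note that register_globals, safe_mode and magic_quotes_gpc no longer exist as of PHP 5.4, so on a current PHP only the disable_functions, allow_url_fopen and open_basedir checks still apply; the script reports those three as unset rather than treating their absence as acceptable, which is the conservative reading of rule 2.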