Suhosin: A Guardian Angel for PHP


Forwarded from: Security UPDATE 


Is Your Antivirus Effective in Detecting Spyware? Test Drive CounterSpy 

Discover Atempo's leading PC backup solution. 

Podcast: Five Keys to Choosing the Right Antispyware Solution 

=== CONTENTS ==================================================
IN FOCUS: Suhosin: A Guardian Angel for PHP

   - Triple Threat Against Microsoft Word
   - Metavize Changes Name and Strategy
   - Forefront Security for Exchange Server Released
   - Recent Security Vulnerabilities

   - Know Your IT Security Contest Winners!
   - Security Matters Blog: More Goodies for Your Security Toolkit
   - FAQ: What Is Microsoft Forefront?
   - From the Forum: Determining Activity from the Security Log
   - Share Your Security Tips

   - Monitor Your Database from Afar
   - Wanted: Your Reviews of Products 

=== SPONSOR: Sunbelt ==========================================
Is Your Antivirus Effective in Detecting Spyware? Test Drive CounterSpy 
   Are you protected company-wide against spyware, keyloggers, adware, 
and backdoor Trojans? Test the state of the art scanning engine that 
uses threat signatures from multiple sources to track down the culprits 
that antivirus solutions alone can't protect you against. Download your 
free 30 day trial of CounterSpy Enterprise today! 

=== IN FOCUS: Suhosin: A Guardian Angel for PHP ===============
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

PHP is a hugely popular programming language used on countless Web 
sites. It's a scripting language, which means the code is compiled at 
runtime rather than built ahead of time. PHP has a lot of community support, so a 
ton of open-source libraries are available for many different tasks. 
Some of the most popular applications available today, such as 
WordPress, are powered by PHP. 

PHP isn't without its security problems. Over the years, the developers 
have worked to fix the problems, but sometimes not fast enough to 
please everyone. Last week, PHP developer Stefan Esser resigned from 
the PHP Security Response Team in disgust. 

In his blog, Esser wrote that "[the reasons why I resigned] are many, 
but the most important one is that I have realised that any attempt to 
improve the security of PHP from the inside is futile." Esser went on 
to say that, "The PHP Group will jump into your boat as soon you try to 
blame PHP's security problems on the user but the moment you criticize 
the security of PHP itself you become persona non grata. I stopped 
counting the times I was called immoral traitor for disclosing security 
holes in PHP or for developing Suhosin." 

In closing, Esser wrote, "For the ordinary PHP user [my resignation] 
means that I will no longer hide the slow response time to [PHP] 
security holes in my advisories. It will also mean that some of my 
advisories will come without patches available, because the PHP 
Security Response Team refused to fix them for months. It will also 
mean that there will be a lot more advisories about security holes in 

Fortunately, Esser did develop Suhosin, which is a powerful security 
patch for PHP. The name is a South Korean word that essentially means 
"guardian angel." If you use PHP and you've never looked at Suhosin, 
you're missing some great security enhancements. You can find a 
complete list of the configuration options that Suhosin introduces at 
the URL below. Just to give you a quick example, Suhosin lets you gain 
better control over crucial aspects of PHP applications, such as cookie 
functionality, session parameters, SQL parameters, and more. 
Effectively, it lets you filter a lot of stuff that might otherwise 
become dangerous. 

Installing Suhosin requires that you recompile PHP. This is a simple 
task on Linux platforms but might prove more difficult on Windows, 
which doesn't come with a PHP compiler. If you can get access to the 
required tools on Windows or you use PHP on a Linux system, installing 
Suhosin is definitely worth the effort. 

In a nutshell, you download the PHP source code, the Suhosin patch, and 
the Suhosin extension source code. Then you apply the patch and compile 
PHP. After that, you compile the Suhosin extension. With that done, you 
add one line to your php.ini file to tell PHP to load the extension. 
That's about it. Then you can configure Suhosin to your exact needs by 
adding parameters to your php.ini file. However, as is mentioned on the 
Web site, you can probably use most of the features in the default 
configuration, which means your implementation effort doesn't require a 
lot of time reading through the explanations for dozens of possible 

I'm not aware of any PHP packages precompiled with Suhosin for Windows. 
If you know of one, send me an email message with information about 
where to get it and I'll share that information with the readers of 
this newsletter. 

If you run PHP without Suhosin, your PHP-based applications are far 
more vulnerable than they need to be. Head over to the Suhosin site and 
take a look, and I think you'll agree that Suhosin is an essential 
addition to your PHP platform. 

=== SPONSOR: Atempo ===========================================
Discover Atempo's leading PC backup solution.
   Stop losing valuable information stored on your employees' laptops! 
The financial impact of information loss and system failure can be very 
high and recovering data or a corrupted system is complicated and time 
consuming. In today's enterprise, the workforce is highly mobile, and 
business-critical information is most often stored on globe-trotting 
laptops. Atempo LiveBackup can put an end to your mobile data 
headaches. This automatic and continuous backup software keeps laptop 
data protected up to the moment of failure and empowers end-users to 
recover files by themselves. 

=== SECURITY NEWS AND FEATURES ================================
Triple Threat Against Microsoft Word
   Three exploits that affect Microsoft Word were released in the last 
two weeks. At least one of the exploits also reportedly affects the 
OpenOffice platform. 

Metavize Changes Name and Strategy
   California-based Untangle, formerly Metavize, recently announced the 
company's name change and a new plan to offer its products free to 
very small companies. 

Forefront Security for Exchange Server Released
   Coinciding with the release of Exchange Server 2007, Microsoft 
released Forefront Security for Exchange Server, based on Sybari's 
Antigen for Exchange. 

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at 

=== SPONSOR: PC Tools =========================================
Podcast: Five Keys to Choosing the Right Antispyware Solution
   Randy Franklin Smith outlines five evaluation points to consider 
when choosing your anti-spyware solution in this free podcast. Download 
it today! 

=== GIVE AND TAKE =============================================
   Congratulations to the winners of the Know Your IT Security Contest: 
Rob John, Josh Kunken, John Penrose, Gregory Smith, Jim Turner, Tony 
Weil, and Will Willis. Their entries on a variety of topics--from 
creative use of a network monitor to aid in an investigation of stolen 
laptops to a script that takes a security snapshot of key domain groups 
and reports on changes--will appear on the Security Pro VIP Web site in 
the coming months. And each winner will receive a Microsoft Zune, 
courtesy of our contest sponsor: Microsoft Learning Paths for Security 
(at the URL below). Thanks to all who participated. 

SECURITY MATTERS BLOG: More Goodies for Your Security Toolkit 
by Mark Joseph Edwards, 

Still have room in your security toolkit? Read this blog article to 
learn about a few more tools you might want to add. 

FAQ: What Is Microsoft Forefront?
by John Savill, 

Q: What is Microsoft Forefront?

Find the answer at 

FROM THE FORUM: Determining Activity from the Security Log
   A forum participant is wondering how to determine what caused a 
certain authentication to take place. The caller username shows the 
server name followed by the dollar sign. The logon type is 3 with an 
event ID of 540. Kerberos is the authentication package. Offer your 
input at the URL below: 

   Share your security-related tips, comments, or problems and 
solutions in the Windows IT Security print newsletter's 
Reader to Reader column. Email your contributions to If we print your submission, you'll 
get $100. We edit submissions for style, grammar, and length.

=== PRODUCTS ==================================================
   by Renee Munshi, 

Monitor Your Database from Afar
   RippleTech announced the release of Informant 2.0. The new version 
of the database security application has a Web-based administration 
console that lets you monitor database and application security from 
any location at any time. Other upgrades include role-based access to 
reports, secure management of audit logs, centralized reporting across 
supported database servers (including Microsoft SQL Server, Oracle, and 
IBM DB2), and integration with the security event management framework 
(SIEM). Informant alerts IT administrators about unauthorized attempts 
to access applications and databases and creates an audit trail for 
forensics. For more information about Informant 2.0, go to 

WANTED: your reviews of products you've tested and used in 
production. Send your experiences and ratings of products to and get a Best Buy gift certificate. 

=== RESOURCES AND EVENTS ======================================
   For more security-related resources, visit 

Are you an Oracle professional who has cross-platform responsibilities, 
or do you need to transfer your skill set to SQL Server? If so, 
register for free to attend the Cross Platform Data online event 
January 30 and 31 and February 1, 2007. In a seminar featuring SQL 
Server/Oracle experts Andrew Sisson from Scalability Experts and 
Douglas McDowell from Solid Quality Learning, you'll learn key concepts 
about SQL Server 2005, including how to deploy SQL Server's BI 
capabilities on Oracle, proof points demonstrating that SQL Server is 
enterprise-ready, and how to successfully deploy Oracle on the Windows 

Learn all you need to know about code signing technology, including the 
goals and benefits of code signing, how code signing works, and the 
underlying cryptographic and security concepts and building blocks. 

Take the necessary steps for application management, from conversion of 
legacy applications to MSI to customizing applications to fit corporate 
standards. Don't overlook an important component of an OS migration--
join us for the free on-demand Web seminar. 

Total Cost of Ownership--TCO. It's every executive's favorite buzzword, 
but what does it really mean and how does it affect you? In this 
podcast, Ben Smith explains how your organization can use 
virtualization technology to measurably improve the TCO for servers and 

Does your company have $500,000 US to spend on one email discovery 
request? Join us for this free Web seminar to learn how you can 
implement an email archiving solution to optimize email management and 
proactively take control of e-discovery--and save the IT search party 
for when you really need it! On-Demand Web Seminar 

Find the buried treasure by uncovering the secrets to Web filtering. 
Complete this quiz correctly and you could be a winner! 

=== FEATURED WHITE PAPER ======================================
Branch offices need flexibility and autonomy in implementing IT 
solutions; corporate requirements require centralized management, 
security, and compliance initiatives. Learn to resolve these conflicts 
and reduce your operational costs for branch offices with limited IT 
resources. Download the free white paper today! 

BONUS: Register for any white paper from Windows IT Pro in the month of 
December, and be entered to win a Wii! Visit for more information 
and a complete white paper listing.

=== ANNOUNCEMENTS =============================================
Holiday Offer--Save $40 off Windows IT Pro
   Don't miss Windows IT Pro magazine in 2007! As a subscriber, you'll 
have full access to must-have content covering Windows Vista 
deployment, virtualization & disaster recovery, Active Directory 
enhancements, the Office 2007 launch, SharePoint fundamentals, and much 
more. Order now and save $40: 

Vote for the Next "IT Pro of the Month!" 
   Your vote counts! Take the time to reward excellence in an IT pro 
who deserves it. The first 100 readers to cast a vote will receive a 
one-year subscription to Windows IT Pro, compliments of Microsoft. 
Voting takes only a few seconds, so don't miss out. Cast your vote now: 

Security UPDATE is brought to you by the Windows IT Pro Web site's 
Security page (first URL below) and the Windows IT Security newsletter 
(subscribe at the second URL below). 

Subscribe to Security UPDATE at 

Be sure to add 
to your antispam software's list of allowed senders.

To contact us: 
About Security UPDATE content -- 
About technical questions -- 
About your product news -- 
About your subscription -- 
About sponsoring Security UPDATE -- 

View the Windows IT Pro privacy policy at 

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2006, Penton Media, Inc. All rights reserved.
