But I Still Love WordPress

The other day I had a whinge about WP security updates and releases. That post was written just after I had spent valuable time updating a number of WP sites I maintain.
Now that I have that out of my system, here are the reasons I use WP more and more:

  • Not just a blog tool, but a legitimate small-medium CMS
  • Large and knowledgeable support community
  • A huge and vibrant community of themes and plugins
  • FOSS (Free and Open Source Software) all the way

I have recently moved 2 more sites to WP, and both are better for it:

  • Girraween Athletics from Joomla
  • devReview from custom code

When I next need to put together a site with content-management-type capabilities, I will likely use WP again over the alternatives I have tried.

Another WordPress Update

WordPress has released version 2.2.1. This means another round of updates for the sites I maintain that are running older versions. This one has security fixes, so it is a must.
These WordPress updates are starting to get to me. There have been too many in the last 12 months, and security fixes have been in most of them.
And it seems WordPress themes are now a bigger part of the problem.

Ok, whinge over.

XSS and SQL Injection PHP Code Scanner

From XSS News comes a link to an application called Pixy. It is a Java app that takes PHP code and warns of potential cross-site scripting and/or SQL injection vulnerabilities.

There is plenty of documentation, with good explanations of what Pixy can and cannot achieve. For example, you cannot simply throw a directory of code at it and have it find the problems. If your PHP code has multiple entry points, it needs to be run once for each of them.

A web version is available to run an XSS test on a single piece of PHP code. The download version requires Perl to be installed on your system.
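As an added illustration (not code from the original post or from the Pixy project), here is the shape of PHP that a taint-based scanner like Pixy is built to flag, alongside a hardened version of each sink. The `$pdo` handle, the `guest` table and the `name` query parameter are assumed for the example; each function stands in for a separate script, which is why a scanner that works per entry point has to be run once for each.

```php
<?php
// Added example, not from the original post or the Pixy project.
// One tainted source ($_GET['name']) and two sinks. A taint analyser
// follows the value from the source to each sink and reports it unless
// a recognised sanitiser sits in between.

// --- Vulnerable form: user input reaches both sinks unchanged ---
function show_greeting_vulnerable(): void
{
    $name = $_GET['name'] ?? '';
    // XSS sink: raw input written straight into the HTML response.
    echo "<p>Hello, " . $name . "</p>";
}

function find_guest_vulnerable(PDO $pdo): array
{
    $name = $_GET['name'] ?? '';
    // SQL injection sink: input concatenated into the query text.
    // ?name=x' OR '1'='1 turns this into a query that matches every row.
    $stmt = $pdo->query("SELECT id, name FROM guest WHERE name = '" . $name . "'");
    return $stmt === false ? [] : $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Hardened form: encode at the HTML sink, parameterise at the SQL sink ---
function show_greeting_safe(): void
{
    $name = $_GET['name'] ?? '';
    // htmlspecialchars with ENT_QUOTES neutralises <, >, &, " and ', so the
    // value can only ever be text, never markup or an attribute break-out.
    echo "<p>Hello, " . htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "</p>";
}

function find_guest_safe(PDO $pdo): array
{
    $name = $_GET['name'] ?? '';
    // A prepared statement keeps the query text fixed; the value is bound
    // separately and cannot change the statement's structure.
    $stmt = $pdo->prepare("SELECT id, name FROM guest WHERE name = :name");
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

The two hardened functions are also the ones a scanner should stay quiet on: the value still flows from source to sink, but through a sanitiser it recognises (HTML encoding for the output sink, a bound parameter for the SQL sink). Encoding at the output, rather than stripping characters on input, is what keeps an apostrophe in a name like O'Brien intact in the database while still rendering harmlessly on the page.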

PHP 5.2.3 Released

A new PHP version has been released: 5.2.3. The development team states “This release continues to improve the security and the stability of the 5.X branch as well as addressing two regressions introduced by the previous 5.2 releases.” Nothing earth shattering but security updates are always a good thing.

Release notes and a change log are available.

There is no corresponding update on the 4.4.x line.

Minor frustrations of IT

You would love to be doing great new and interesting things with all of your working day, but sometimes the boring and mechanical things need to be done as well. WordPress released version 2.0.6 last week, so I upgraded the various sites I have responsibility for. It's not an exciting job, but it is better than falling prey to security issues. However, it is frustrating to do it all again so soon afterwards for 2.0.7.
Now, what was that great idea I was working on?

Too much time on their hands

For a site we developed, we added a custom guestbook to replace a previous third-party guestbook, which had been turned off a while ago because of security problems. It was a relatively simple thing to create, but effort went into making it secure against SQL injection and other nasties, and on that front it has been all good.
All entries are moderated, and this is made quite clear. Do you think this would deter the spammers? Not one bit. In the first week things were pretty quiet; in the second week there were about 30 attempted spam entries, and in week 3 almost 200. Wow, there are some bored and desperate people out there. Not one of them got their viagra spam links through, but that didn't stop the repeated attempts, so there is possibly bot activity as well.

A few extra lines of code now flag the types of attempted spam we had seen and automatically reject the submission. This has had a positive effect: the following week was down to under 30. I am not sure what the remaining ones are trying to achieve. Maybe the ‘Thank you for your submission entry’ message makes them feel loved.

As an extra step we are adding some IP-based filtering and tweaking the word filtering. This should bring it back to single digits, which is liveable.

We did consider a CAPTCHA or email verification, but it was agreed that these are an inconvenience to the real users.
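The kind of submission handler described above, as an added example that is not the original site's guestbook code: entries go to a moderation queue through a prepared statement, a word filter rejects the spam patterns seen so far, and a per-IP throttle catches whoever keeps hammering the form. The table names (`guest_entry`, `guest_attempt`), the column names, the word list and the limits are all assumptions for the example.

```php
<?php
// Added example, not the original site's guestbook. Table and column
// names, the spam patterns and the throttle limits are assumed.

// Phrases and patterns that marked the spam we were seeing: pharmacy
// terms, BBCode/HTML links, and too many URLs in one entry.
const SPAM_PATTERNS = [
    '/\bviagra\b/i',
    '/\bcialis\b/i',
    '/\[url\b/i',       // BBCode links
    '/<a\s+href/i',     // raw HTML links
];
const MAX_LINKS_PER_ENTRY = 2;

// Word filter: reject if any pattern matches or the entry carries too many links.
function looks_like_spam(string $message): bool
{
    foreach (SPAM_PATTERNS as $pattern) {
        if (preg_match($pattern, $message) === 1) {
            return true;
        }
    }
    return preg_match_all('~https?://~i', $message) > MAX_LINKS_PER_ENTRY;
}

// IP filter: more than $limit attempts from one address inside the window is rejected.
// Attempts are stored as unix timestamps so the comparison does not depend on
// the database server's timezone.
function ip_over_limit(PDO $pdo, string $ip, int $limit = 3, int $window = 3600): bool
{
    $stmt = $pdo->prepare(
        'SELECT COUNT(*) FROM guest_attempt WHERE ip = :ip AND submitted_at > :since'
    );
    $stmt->execute([':ip' => $ip, ':since' => time() - $window]);
    return (int) $stmt->fetchColumn() >= $limit;
}

function record_attempt(PDO $pdo, string $ip): void
{
    $stmt = $pdo->prepare('INSERT INTO guest_attempt (ip, submitted_at) VALUES (:ip, :ts)');
    $stmt->execute([':ip' => $ip, ':ts' => time()]);
}

// Returns true when the entry was queued for moderation, false when rejected.
// The caller shows the same generic acknowledgement either way, so the
// rejection rules are not revealed to whoever is probing the form.
function submit_guestbook_entry(PDO $pdo, string $name, string $message, string $ip): bool
{
    // Count the attempt before deciding, so rejected spam still counts
    // towards the throttle and a persistent bot locks itself out.
    record_attempt($pdo, $ip);
    if (ip_over_limit($pdo, $ip) || looks_like_spam($message)) {
        return false;
    }
    // Prepared statement: the entry text never becomes part of the SQL,
    // so apostrophes and quote marks in it are just data.
    $stmt = $pdo->prepare(
        'INSERT INTO guest_entry (name, message, ip, approved, created_at)
         VALUES (:name, :message, :ip, 0, :ts)'
    );
    return $stmt->execute([
        ':name'    => mb_substr(trim($name), 0, 80),
        ':message' => mb_substr(trim($message), 0, 2000),
        ':ip'      => $ip,
        ':ts'      => time(),
    ]);
}

// Moderation list: whatever got stored is encoded at the HTML sink, so a
// payload that slipped past the word filter still cannot run in the
// moderator's browser.
function render_pending(PDO $pdo): string
{
    $html = '';
    $stmt = $pdo->query('SELECT name, message FROM guest_entry WHERE approved = 0 ORDER BY created_at');
    foreach ($stmt as $row) {
        $html .= '<li>' . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8') . ': '
               . nl2br(htmlspecialchars($row['message'], ENT_QUOTES, 'UTF-8')) . '</li>';
    }
    return $html;
}
```

The word list is deliberately a plain array of patterns so it can be tweaked as the spam changes, which is the ongoing tuning the post describes. Two design points are worth keeping even if the rest is changed: reject silently with the same acknowledgement page, so the filter cannot be probed pattern by pattern, and never trust the moderation queue's contents on output, because the moderator is the one user who sees every entry that was submitted.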