hardened-php-user Mailing List for Hardened PHP
Brought to you by: sesser
Archive by month (number of messages):

| Year | Jan | Feb | Mar | Apr | May | Jun | Jul | Aug | Sep | Oct | Nov | Dec |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2004 | | | | | 2 | | 1 | | | | | 5 |
| 2005 | 2 | 2 | | 2 | 1 | | | | | | | |
| 2006 | | 2 | | | | | | | | | | |
From: Casey A. S. <cs...@se...> - 2006-02-28 00:54:19

On Monday 27 February 2006 21:34, Casey Allen Shobe wrote:
> Using Hardened-PHP with PHP 5.1.1 and phpPgAdmin causes apache children to
> segfault. Turning it off seems to fix things.

On another server, Hardened-PHP+PHP 5.1.1 keeps Notice errors from being displayed when error_reporting is set to 2047. Didn't bother to check for other error levels. Hardened-PHP seems to have lots of bugs with PHP 5.1.1, so I just removed it... please let me know what's going on...

-- 
Casey Allen Shobe | cs...@se... | 206-381-2800
SeattleServer.com, Inc. | http://www.seattleserver.com
From: Casey A. S. <li...@se...> - 2006-02-27 21:37:32

Hi,

Using Hardened-PHP with PHP 5.1.1 and phpPgAdmin causes apache children to segfault. Turning it off seems to fix things. :(

Is there a fix in the works and/or is there a way to disable hardened per-directory like you can do with other php_flags with .htaccess?

Cheers,
-- 
Casey Allen Shobe | cs...@se... | 206-381-2800
SeattleServer.com, Inc. | http://www.seattleserver.com
From: Casey A. S. <li...@se...> - 2005-05-31 18:22:10

Well this has been entertaining: http://casey.shobe.info/ioncube_hardened_ticket.html ...so maybe IonCube Decoder will be available for Hardened-PHP soon.

Cheers,
-- 
Casey Allen Shobe | http://casey.shobe.info
cs...@se... | cell 425-443-4653
AIM & Yahoo: SomeLinuxGuy | ICQ: 1494523
SeattleServer.com, Inc. | http://www.seattleserver.com
From: Stefan E. <se...@ph...> - 2005-04-27 22:05:16

Hi,

> I want to change the logging of attackers' IP and attacked script from
> syslog into an extra file like php_attackers.log.
> Is this possible?

Nope, sorry, with 0.2.x this is not possible, because only a cheap syslogging functionality was implemented.

However, there are already preview versions of 0.3.0 on the site that do not have all the features I want to see in 0.3.0, but they already have a much better logging system. You can decide what kind of errors are logged to syslog, the apache error log, or even given to a shellscript of your choice. And in 0.3.0 you can fine-tune what log priority and log facility HPHP uses when logging to syslog. With the latter you can implement what you want.

Stefan
From: Christian <Sat...@we...> - 2005-04-27 17:48:22

Hi!

I want to change the logging of attackers' IP and attacked script from syslog into an extra file like php_attackers.log. Is this possible?

Thanks in advance for your replies.

-- 
Greets
Christian
From: Sander H. - O. X. <in...@or...> - 2005-02-11 15:41:31

> Hi Sander,
>
> > > PHP Warning: PHP Startup: session: Unable to initialize module
> > > Module compiled with module API=20041030, debug=0, thread-safety=0
> > > PHP compiled with module API=1020041030, debug=0, thread-safety=0
> > > These options need to match
> > > in Unknown on line 0
> >
> > I have no clue as to why PHP says it is using module API 1020041030
> > instead of 20041030. Is this added by Hardened PHP?
>
> Yes, Hardened-PHP does this because Hardened-PHP changes the
> internals of the Zend-Engine... This will become more and more
> dramatic with every new feature added. I usually only
> release new versions when several bigger changes have been
> made (f.e. within the next week). The problem
> is: if you would be able to load those extensions without PHP
> warning about a wrong version this would simply result in crashes.

Thanks! I figured something like that. Saves me the trouble (and that of others) of posting this to the PHP mailinglist :-)

> The only way to fix this is to recompile the extensions. With
> 3rd party extensions like Zend Tools this is not possible.
> But I guess Zend will sooner or later give in to users
> demanding compatible extensions.
> Mandrake Linux 10.2 f.e. now ships default with Hardened-PHP
> and is therefore incompatible to Zend by definition.

This is where I think the difficulty comes in. I'm using FreeBSD, so I basically build everything from ports. Recompiling / reinstalling extensions doesn't seem to work because they always get compiled against 20041030. How can I get extensions compiled against 1020041030? Is there some build argument I need to specify?

Kind Regards,
Sander Holthaus

PS: Thanks for the very speedy reply!
From: Sander H. - O. X. <in...@or...> - 2005-02-11 15:11:07

I recently reinstalled PHP 5.03 as FastCGI and with the hardened patch (under FreeBSD 4.10 using the www/php5-cgi port). Ever since then, I've been unable to add/reinstall extensions, as they fail with the following error:

PHP Warning: PHP Startup: session: Unable to initialize module
Module compiled with module API=20041030, debug=0, thread-safety=0
PHP compiled with module API=1020041030, debug=0, thread-safety=0
These options need to match
in Unknown on line 0

I have no clue as to why PHP says it is using module API 1020041030 instead of 20041030. Is this added by Hardened PHP?

Kind Regards,
Sander Holthaus
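The API-number mismatch discussed in the two messages above, as an added example that is not code from Hardened-PHP or from PHP itself: a hardening patch that inserts a canary into an engine structure moves every field behind it, so an extension compiled against the stock headers reads the wrong bytes of the object it is handed, and the only safe response is the load-time refusal Sander ran into. The struct layouts, the `ext_read_count` extension stand-in, the `module_entry` shape and `module_loadable` are assumptions made for this illustration; only the two API numbers come from the thread.

```c
/*
 * Added example (not Hardened-PHP or PHP source): why a patched engine has
 * to change the module API number it reports, and what the load-time check
 * quoted in the thread protects against.
 *
 * The two API values are the ones quoted in the thread. The struct layouts,
 * the "extension" function and the module_entry shape are assumptions for
 * illustration only; they are not the real Zend definitions.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STOCK_API_NO    20041030UL   /* what the ports-built extension expects */
#define HARDENED_API_NO 1020041030UL /* what the Hardened-PHP engine reports */

/* Layout of an engine object as the unpatched headers describe it (assumed). */
struct list_stock {
    void    *head;
    void    *tail;
    uint32_t count;
};

/* The same object after a hardening patch puts a canary in front of it
 * (assumed layout). Every field moves, so code compiled against
 * list_stock now reads the wrong bytes. */
struct list_hardened {
    uint32_t canary;
    void    *head;
    void    *tail;
    uint32_t count;
};

/* An "extension" compiled against the stock headers. The field offset was
 * baked in at its compile time; memcpy keeps the demo free of aliasing UB. */
uint32_t ext_read_count(const void *engine_obj)
{
    uint32_t v;
    memcpy(&v, (const unsigned char *)engine_obj + offsetof(struct list_stock, count),
           sizeof v);
    return v;
}

/* Minimal stand-in for the per-module record PHP inspects at startup. */
struct module_entry {
    const char *name;
    uint32_t    zend_api; /* API number baked in when the extension was built */
    uint8_t     debug;
    uint8_t     zts;      /* thread-safety */
};

/* The rule behind "These options need to match": refuse the module unless
 * API number, debug flag and thread-safety all agree with the engine. */
int module_loadable(const struct module_entry *m, uint32_t engine_api,
                    uint8_t engine_debug, uint8_t engine_zts)
{
    return m->zend_api == engine_api
        && m->debug    == engine_debug
        && m->zts      == engine_zts;
}

/* Hands a hardened-layout object to the stock-layout extension and returns
 * what the extension believes the count is (never the real value 3). */
uint32_t demo_layout_mismatch(void)
{
    struct list_hardened obj = {
        .canary = 0xdeadbeefu,
        .head   = (void *)(uintptr_t)0x11111111u,
        .tail   = (void *)(uintptr_t)0x42424242u,
        .count  = 3,
    };
    return ext_read_count(&obj); /* reads bytes of .tail or .head instead */
}

/* 1 if a session module built against 20041030 is refused by a 1020041030 engine. */
int demo_ports_module_rejected(void)
{
    struct module_entry session_ports = { "session", STOCK_API_NO, 0, 0 };
    return !module_loadable(&session_ports, HARDENED_API_NO, 0, 0);
}

/* 1 if the same module, rebuilt against the patched headers, is accepted. */
int demo_rebuilt_module_accepted(void)
{
    struct module_entry session_rebuilt = { "session", HARDENED_API_NO, 0, 0 };
    return module_loadable(&session_rebuilt, HARDENED_API_NO, 0, 0);
}

int main(void)
{
    printf("real count 3, stock-layout extension sees 0x%08x\n",
           (unsigned)demo_layout_mismatch());
    printf("ports-built session module rejected: %d\n", demo_ports_module_rejected());
    printf("rebuilt session module accepted:     %d\n", demo_rebuilt_module_accepted());
    return 0;
}
```

Compile with `cc -std=c99 -Wall api_mismatch.c` (file name assumed). The number an extension reports is whatever `ZEND_MODULE_API_NO` was in the headers it was compiled against, which is why extensions built against an unpatched PHP tree keep coming out as 20041030: to get 1020041030 they have to be built against the headers of the Hardened-PHP-patched installation.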
From: Stefan E. <se...@ph...> - 2005-01-19 12:11:05

Hi Gavin,

> if (zend_hash_canary_inited) {
> + zend_hash_canary = zend_canary();
> + zend_hash_canary_inited = 1;
> + }

this part of the code is indeed wrong. It should be

if (!zend....) { ... }

Right now the Hash-Protection canary is not random. This is now fixed in my tree for the next release.

Thank You,
Stefan
From: Gavin <ga...@ve...> - 2005-01-19 01:35:14

FYI, In the 0.2.6 patch:

.
.
+ zend_bool zend_hash_canary_inited = 0;
.
.
  if (zend_hash_canary_inited) {
+ zend_hash_canary = zend_canary();
+ zend_hash_canary_inited = 1;
+ }
.
.

zend_hash_canary_inited does not appear anywhere else in the patch.

Cheers,
Gavin
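Review bot: the condition `if (zend_hash_canary_inited) {` in the second hunk is inverted. `zend_hash_canary_inited` is initialised to 0 by the first hunk and, as the poster notes, is set nowhere else in the patch, so the body assigning `zend_hash_canary = zend_canary();` can never execute and the hash-protection canary keeps its static initial value instead of a random one. The guard should read `if (!zend_hash_canary_inited) {`.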
From: Daniel L. <ml-...@lo...> - 2004-12-22 23:11:22

Hi

> s/ZendEncoder/ZendOptimizer/, but in a way, both is true ;)

So, H-PHP won't work with ZendOptimizer. But people are using encoded files and there is a need for a compatible loader. So far, I found Turck MMCache (Turck Loader, more specifically) which claims to be compatible with ZendEncoder's bytecode format. Doesn't work for me, though: http://turck-mmcache.sourceforge.net/index_old.html

Daniel
From: Daniel L. <ml-...@lo...> - 2004-12-22 17:42:51

Hi

> http://sourceforge.net/tracker/?group_id=106971&atid=646223

Issues resolved, thanks Stefan.

Daniel
From: Daniel L. <ml-...@lo...> - 2004-12-22 14:07:27

Hi

> It turns out there are also some other bugs in H-PHP. One of the
> bigger issues is (IMO) the incompatibility with ZendEncoder which cannot
> be solved easily. Whoever runs into problems compiling PHP with the
> Hardened-PHP patch should first look here:

s/ZendEncoder/ZendOptimizer/, but in a way, both is true ;)

Daniel
From: Daniel L. <ml-...@lo...> - 2004-12-22 14:03:52

Hi

It turns out there are also some other bugs in H-PHP. One of the bigger issues is (IMO) the incompatibility with ZendEncoder which cannot be solved easily. Whoever runs into problems compiling PHP with the Hardened-PHP patch should first look here: http://sourceforge.net/tracker/?group_id=106971&atid=646223

Daniel
From: Daniel L. <ml-...@lo...> - 2004-12-16 18:49:59

Hi

I'm getting this error when trying to compile PHP 4.3.10 patched with hardened-php-4.3.10-0.2.4.patch:

/usr/src/php/php-4.3.10/main/hardened_php.c: In function `php_security_log':
/usr/src/php/php-4.3.10/main/hardened_php.c:77: parse error before `char'
/usr/src/php/php-4.3.10/main/hardened_php.c:80: `ip_address' undeclared (first use in this function)
/usr/src/php/php-4.3.10/main/hardened_php.c:80: (Each undeclared identifier is reported only once
/usr/src/php/php-4.3.10/main/hardened_php.c:80: for each function it appears in.)
/usr/src/php/php-4.3.10/main/hardened_php.c:85: `fname' undeclared (first use in this function)
make: *** [main/hardened_php.lo] Error 1

I am running

# uname -a
Linux tsunami4 2.4.24-grsec #4 Sun Mar 28 06:47:47 CEST 2004 i686 unknown

And the configure line is as follows:

./configure \
  --prefix=/usr \
  --disable-rpath \
  --disable-static \
  --disable-debug \
  --enable-sysvsem \
  --enable-sysvshm \
  --enable-ftp \
  --enable-discard-path \
  --enable-memory-limit \
  --enable-calendar \
  --enable-track-vars \
  --enable-trans-sid \
  --enable-bcmath \
  --enable-ctype \
  --enable-exif \
  --enable-mbstring \
  --enable-sockets \
  --enable-wddx \
  --enable-yp \
  --enable-inline-optimization \
  --enable-dba \
  --enable-xslt \
  --with-curl \
  --with-dom \
  --with-xml \
  --with-xslt-sablot \
  --with-ndbm \
  --with-layout=GNU \
  --with-zlib \
  --with-bz2 \
  --with-iconv \
  --with-imap \
  --with-regex=system \
  --with-gettext \
  --with-gd \
  --with-jpeg-dir=/usr/lib \
  --with-png-dir=/usr/lib \
  --with-freetype-dir=/usr/lib \
  --with-zlib-dir=/usr/lib \
  --with-ttf=shared,/usr \
  --with-mhash \
  --with-mcrypt \
  --with-zlib \
  --with-openssl \
  --with-cdb \
  --with-config-file-path=/etc/php4/cgi

Anything else you need to know to make sense out of that error message? If so, please let me know.

Daniel
From: Zach R. <ad...@li...> - 2004-07-14 02:02:45

I downloaded a vanilla php 4.3.8 and patched it (without errors) with hardened-php-4.3.8-0.2.0.patch.gz. The following are the errors I get.

vanir# make
/bin/sh /usr/buildapache/php-4.3.8/libtool --silent --preserve-dup-deps --mode=compile gcc -DHAVE_CONFIG_H -Iext/mbstring/ -I/usr/buildapache/php-4.3.8/ext/mbstring/ -DPHP_ATOM_INC -I/usr/buildapache/php-4.3.8/include -I/usr/buildapache/php-4.3.8/main -I/usr/buildapache/php-4.3.8 -I/usr/buildapache/php-4.3.8/Zend -I/usr/local/include -I/usr/X11R6/include -I/usr/local/include/freetype2 -I/usr/local/include/c-client -I/usr/buildapache/php-4.3.8/ext/mbstring/mbregex -I/usr/buildapache/php-4.3.8/ext/mbstring/libmbfl -I/usr/buildapache/php-4.3.8/ext/mbstring/libmbfl/mbfl -I/usr/local/include/mysql -I/usr/buildapache/php-4.3.8/ext/xml/expat -I/usr/buildapache/php-4.3.8/TSRM -g -O2 -prefer-pic -c /usr/buildapache/php-4.3.8/ext/mbstring/mbstring.c -o ext/mbstring/mbstring.lo
/usr/buildapache/php-4.3.8/ext/mbstring/mbstring.c:1470: conflicting types for `arg'
/usr/buildapache/php-4.3.8/ext/mbstring/mbstring.c:1470: previous declaration of `arg'
/usr/buildapache/php-4.3.8/ext/mbstring/mbstring.c: In function `php_mbstr_encoding_handler':
/usr/buildapache/php-4.3.8/ext/mbstring/mbstring.c:1598: `new_val_len' undeclared (first use in this function)
/usr/buildapache/php-4.3.8/ext/mbstring/mbstring.c:1598: (Each undeclared identifier is reported only once
/usr/buildapache/php-4.3.8/ext/mbstring/mbstring.c:1598: for each function it appears in.)
/usr/buildapache/php-4.3.8/ext/mbstring/mbstring.c: In function `php_mbstr_post_handler':
/usr/buildapache/php-4.3.8/ext/mbstring/mbstring.c:1629: warning: passing arg 1 of `php_mbstr_encoding_handler' makes integer from pointer without a cast
/usr/buildapache/php-4.3.8/ext/mbstring/mbstring.c:1629: too many arguments to function `php_mbstr_encoding_handler'
/usr/buildapache/php-4.3.8/ext/mbstring/mbstring.c: In function `mbstr_treat_data':
/usr/buildapache/php-4.3.8/ext/mbstring/mbstring.c:1729: warning: passing arg 1 of `php_mbstr_encoding_handler' makes integer from pointer without a cast
/usr/buildapache/php-4.3.8/ext/mbstring/mbstring.c:1729: warning: passing arg 2 of `php_mbstr_encoding_handler' makes pointer from integer without a cast
/usr/buildapache/php-4.3.8/ext/mbstring/mbstring.c:1729: too many arguments to function `php_mbstr_encoding_handler'
*** Error code 1

Stop in /usr/buildapache/php-4.3.8.

-- 
Zach
From: <ben...@id...> - 2004-05-25 08:40:46

Dear Open Source developer,

I am doing a research project on "Fun and Software Development" in which I kindly invite you to participate. You will find the online survey under http://fasd.ethz.ch/qsf/. The questionnaire consists of 53 questions and you will need about 15 minutes to complete it.

With the FASD project (Fun and Software Development) we want to define the motivational significance of fun when software developers decide to engage in Open Source projects. What is special about our research project is that a similar survey is planned with software developers in commercial firms. This procedure allows the immediate comparison between the involved individuals and the conditions of production of these two development models. Thus we hope to obtain substantial new insights into the phenomenon of Open Source Development.

With many thanks for your participation,
Benno Luthiger

PS: The results of the survey will be published under http://www.isu.unizh.ch/fuehrung/blprojects/FASD/. We have set up the mailing list fa...@we... for this study. Please see http://fasd.ethz.ch/qsf/mailinglist_en.html for registration to this mailing list.

_______________________________________________________________________
Benno Luthiger
Swiss Federal Institute of Technology Zurich
8092 Zurich
Mail: benno.luthiger(at)id.ethz.ch
_______________________________________________________________________
From: Stefan E. <s....@e-...> - 2004-05-16 00:40:18

------------------------------------------------------------------------
[Hardened-PHP ASCII-art banner]
------------------------------------------------------------------------

The Hardened-PHP project team is pleased to announce the release of version 0.1.1 of our PHP security hardening patch. This new Hardened-PHP release is the first one that is publicly announced and is considered stable on at least Linux systems.

Hardened-PHP is a patch against the PHP codebase which adds security hardening features to it, to protect servers on the one hand against a number of well-known problems in hastily written PHP scripts and on the other hand against potential unknown vulnerabilities within the engine itself.

Hardened-PHP provides:

+ Protection of the Zend Memory Manager with canaries
+ Protection of Zend Linked Lists with canaries
+ Protection against internal format string exploits
+ Protection against arbitrary code inclusion
+ Syslog logging of attackers' IP

We consider Hardened-PHP 0.1.1 to be the best version of Hardened-PHP available and we strongly recommend that users of older versions upgrade as soon as possible.

Hardened-PHP is available for download via HTTP from
http://www.hardened-php.net/download.php

The distribution file name is: hardened-php-4.3.6-0.1.1.patch.gz
MD5 checksum: 62f7d49b89c93dace247c2bc189b7503

Yours,
The Hardened-PHP Project Team...
http://www.hardened-php.net
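The two canary features in the announcement above, together with the uninitialised-canary bug reported for 0.2.6 earlier on this page, as an added example that is not Hardened-PHP's own code: a trailing canary on each allocation is verified on free, which catches an overflow that does not know the canary value; if the canary is left at its static initial value of 0, an overflow that simply writes zeros over it passes the check. The block layout, the function names and the seed 0x9d3bc1e7 are assumptions made for this illustration.

```c
/*
 * Added example (not Hardened-PHP's allocator): a canary placed after every
 * allocated block and checked on free, and a demonstration that the canary
 * only helps while its value is unpredictable. Layout, names and the seed
 * value are assumptions for illustration.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint32_t canary_t;

/* Process-wide canary. A real engine draws it from a random source at
 * startup; here the caller supplies it so the demo is deterministic. */
static canary_t g_canary;

void canary_init(canary_t value) { g_canary = value; }

/* Block layout: [header][n user bytes][trailing canary]. The header keeps
 * the size so the checker can locate the trailing copy. */
struct block_hdr { size_t size; canary_t canary; };

void *guarded_alloc(size_t n)
{
    unsigned char *raw = malloc(sizeof(struct block_hdr) + n + sizeof(canary_t));
    if (raw == NULL) return NULL;
    struct block_hdr *h = (struct block_hdr *)raw;
    h->size = n;
    h->canary = g_canary;
    memcpy(raw + sizeof *h + n, &g_canary, sizeof g_canary);
    return raw + sizeof *h;
}

/* 1 if the trailing canary (or the header copy) no longer matches the
 * process canary, i.e. something wrote past the user bytes; 0 if intact. */
int guarded_check(const void *user)
{
    const unsigned char *raw = (const unsigned char *)user - sizeof(struct block_hdr);
    struct block_hdr h;
    canary_t tail;
    memcpy(&h, raw, sizeof h);
    memcpy(&tail, (const unsigned char *)user + h.size, sizeof tail);
    return (tail != h.canary || h.canary != g_canary) ? 1 : 0;
}

/* Checks, then releases the block. Returns the guarded_check() verdict. */
int guarded_free(void *user)
{
    int clobbered = guarded_check(user);
    free((unsigned char *)user - sizeof(struct block_hdr));
    return clobbered;
}

/* Constructed input: 12 bytes of 'A' into an 8-byte block. The 4 extra
 * bytes land exactly on the trailing canary. Returns 1 when detected. */
int demo_plain_overflow_detected(void)
{
    canary_init(0x9d3bc1e7u);
    unsigned char *p = guarded_alloc(8);
    if (p == NULL) return -1;
    memset(p, 'A', 12);
    return guarded_free(p);
}

/* Overflow by an attacker who writes `guess` where the canary lives.
 * Returns 1 if the overflow is detected, 0 if the guess matched. */
int demo_overflow_with_guess(canary_t canary, canary_t guess)
{
    canary_init(canary);
    unsigned char *p = guarded_alloc(8);
    if (p == NULL) return -1;
    memset(p, 'A', 8);
    memcpy(p + 8, &guess, sizeof guess);   /* exact 4-byte overrun */
    return guarded_free(p);
}

int main(void)
{
    printf("plain overflow, random canary:           detected=%d\n",
           demo_plain_overflow_detected());
    /* The 0.2.6 situation: canary never initialised, so it stays 0, and an
       overflow that writes zeros over it is indistinguishable from intact. */
    printf("canary left at 0, attacker writes 0:     detected=%d\n",
           demo_overflow_with_guess(0, 0));
    printf("random canary, attacker writes 0:        detected=%d\n",
           demo_overflow_with_guess(0x9d3bc1e7u, 0));
    printf("random canary, attacker knows the value: detected=%d\n",
           demo_overflow_with_guess(0x9d3bc1e7u, 0x9d3bc1e7u));
    return 0;
}
```

The last line of output is the caveat that comes with every canary scheme: the check defends against an overflow that cannot read the canary first, so the value has to be unpredictable per process and must not be leakable through another bug, which is exactly why the inverted `zend_hash_canary_inited` test in 0.2.6 mattered.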