Re: [Phplib-users] phplib 6.1, php3 and php4
From: Lindsay H. <fm...@fm...> - 2002-01-24 05:04:36
Thus spake Richard Archer on Wed, Jan 23, 2002 at 10:35:32PM CST
> At 9:52 PM -0600 23/1/02, Lindsay Haisley wrote:
>
> >If you know of specific vulnerabilities and problems, cite
> >references to them.
>
> I fixed a cross-site scripting vulnerability in PHPLIB last
> October. I'm pretty sure that problem would have been there since
> version 6.1 (although that version pre-dates my use of PHPLIB).
> Consult the source forge bug tracker for more info.

Did it make it into their database? I don't see it offhand in either the
bugs or patches pages of the phplib section. What's the Summary and the
submission alias (if it's there)?

> I also re-worked the optional md5 hash login forms. Probably not an
> issue for you since I don't think this was a feature of 6.1, however
> it is an example of another security upgrade to PHPLIB.

Yes, it's in 6.1 and I use it, although it's mostly for private pages
that no one knows about that are for internal company use. I've reworked
the form many times. Is there a security problem of some sort in the md5
hash?

> I would be surprised if there haven't been other security fixes made
> to PHPLIB in the last 3 years. The CVS tree on SourceForge contains
> all the commit comments for the last couple of years... you might
> like to browse that.

I've got the web db open on phplib bugs and patches. Thanks. I'll take a
look at it, possibly at the CVS tree too. My main mission on this list
was to find out about incompatibilities between phplib v6.1 and php4, and
it seems that I struck out on this, but at least a portion of the traffic
I've received from the list has been helpful in other regards.

> If you're going to upgrade to PHP4, I recommend putting in the effort
> to bring your code up to the current release of PHPLIB. Lots of effort
> has been put into making it run cleanly under PHP4. If you want to
> stick with 6.1 under PHP4, you will have to back-port a lot of the
> changes to the old version.

No, as I move sites to a new box I'll migrate them on a site by site
basis and redo the code as necessary to use recent versions of php4 and
apache, making sure everything is cool before I turn on DNS to them. This
is still a work in the early stages though.

> ...Richard.

Thanks for your help. References to your work on phplib would be
appreciated, since I can't find it in the obvious places on sourceforge
:-) I wish everyone on this list were as civil as you are. Whew!!

--
Lindsay Haisley        | "Everything works   | PGP public key
FMP Computer Services  |  if you let it"     | available at
512-259-1190           | (The Roadie)        | <http://www.fmp.com/pubkeys>
http://www.fmp.com     |                     |