Unix Technical Forum

PHP 4, 5, or neither?

This is a discussion on PHP 4, 5, or neither? within the comp.unix.bsd.openbsd.misc forums, part of the OpenBSD category.

#1
02-16-2008, 07:50 AM
dave
PHP 4, 5, or neither?

I need to install PHP on my system for a web app.
The web app can work with either PHP4 or PHP5.
My impression is that PHP has a reputation for weak security.
Which of PHP4 / PHP5 is more secure? Or are both bad news?

Thanks,
Dave Feustel
#2
02-16-2008, 07:50 AM
Joachim Schipper
Re: PHP 4, 5, or neither?

dave <daf@a64.comcast.net> wrote:
> I need to install PHP on my system for a web app.
> The web app can work with either PHP4 or PHP5.
> My impression is that PHP has a reputation for weak security.
> Which of PHP4 / PHP5 is more secure? Or are both bad news?
Both are probably bad news, but the 5.x series is more regularly updated
in OpenBSD, and also includes some patches that should enhance security
(hardened-php in 4.0's -hardened flavour, suhosin in -current, IIRC).

Joachim
#3
02-16-2008, 07:50 AM
dave
Re: PHP 4, 5, or neither?

Joachim Schipper <joachim@melpomene.jschipper.dynalias.net> wrote:
> dave <daf@a64.comcast.net> wrote:
>> I need to install PHP on my system for a web app.
>> The web app can work with either PHP4 or PHP5.
>> My impression is that PHP has a reputation for weak security.
>> Which of PHP4 / PHP5 is more secure? Or are both bad news?

>
> Both are probably bad news, but the 5.x series is more regularly updated
> in OpenBSD, and also includes some patches that should enhance security
> (hardened-php in 4.0's -hardened flavour, suhosin in -current, IIRC).
>
> Joachim
Thanks for the info. The web app that I'm interested in is Zoneminder, a
comprehensive video security application. Zoneminder uses both mysql and
php, either 4 or 5. I am not eager to install php. I am considering the
alternative of building my own much simpler video security application
using videod, fwtv and scripting tools.
#4
02-16-2008, 07:50 AM
Josh Grosse
Re: PHP 4, 5, or neither?

On Mon, 19 Feb 2007 07:25:20 -0600, dave wrote:

> Thanks for the info. The web app that I'm interested in is Zoneminder, a
> comprehensive video security application. Zoneminder uses both mysql and
> php, either 4 or 5. I am not eager to install php. I am considering the
> alternative of building my own much simpler video security application
> using videod, fwtv and scripting tools.
If php is used only for the application's management interface, you can
reduce your risk by NOT allowing that management interface to be accessed
from the internet.

--
Replying directly will get you locally blacklisted.
Change the address; use my first name in front of the @ if you want to
communicate privately.

#5
02-16-2008, 07:50 AM
Clever Monkey
Re: PHP 4, 5, or neither?

dave wrote:
> Joachim Schipper <joachim@melpomene.jschipper.dynalias.net> wrote:
>> dave <daf@a64.comcast.net> wrote:
>>> I need to install PHP on my system for a web app.
>>> The web app can work with either PHP4 or PHP5.
>>> My impression is that PHP has a reputation for weak security.
>>> Which of PHP4 / PHP5 is more secure? Or are both bad news?

>> Both are probably bad news, but the 5.x series is more regularly updated
>> in OpenBSD, and also includes some patches that should enhance security
>> (hardened-php in 4.0's -hardened flavour, suhosin in -current, IIRC).
>>

> Thanks for the info. The web app that I'm interested in is Zoneminder, a
> comprehensive video security application. Zoneminder uses both mysql and
> php, either 4 or 5. I am not eager to install php. I am considering the
> alternative of building my own much simpler video security application
> using videod, fwtv and scripting tools.
This is a serious question: how do you know your home-made solution
would not have holes of its own? The Intertubes are littered with the
dead bodies of home-grown projects that were considered safe before
falling apart. Security is hard to get right.

There are hardened PHP5 packages that go through some source-level
auditing, and include all known security issues of merit. These also
get updated as the package maintainer folds solutions to newly
discovered security problems into the package.

As suggested else-thread, you must assess, first, what your threat
profile is. How available is this service, and to whom?
#6
02-16-2008, 07:50 AM
dave
Re: PHP 4, 5, or neither?

Clever Monkey <clvrmnky.invalid@hotmail.com.invalid> wrote:
> dave wrote:
>> Joachim Schipper <joachim@melpomene.jschipper.dynalias.net> wrote:
>>> dave <daf@a64.comcast.net> wrote:
>>>> I need to install PHP on my system for a web app.
>>>> The web app can work with either PHP4 or PHP5.
>>>> My impression is that PHP has a reputation for weak security.
>>>> Which of PHP4 / PHP5 is more secure? Or are both bad news?
>>> Both are probably bad news, but the 5.x series is more regularly updated
>>> in OpenBSD, and also includes some patches that should enhance security
>>> (hardened-php in 4.0's -hardened flavour, suhosin in -current, IIRC).
>>>

>> Thanks for the info. The web app that I'm interested in is Zoneminder, a
>> comprehensive video security application. Zoneminder uses both mysql and
>> php, either 4 or 5. I am not eager to install php. I am considering the
>> alternative of building my own much simpler video security application
>> using videod, fwtv and scripting tools.

>
> This is a serious question: how do you know your home-made solution
> would not have holes of its own? The Intertubes are littered with the
> dead bodies of home-grown projects that were considered safe before
> falling apart. Security is hard to get right.
>
> There are hardened PHP5 packages that go through some source-level
> auditing, and include all known security issues of merit. These also
> get updated as the package maintainer folds solutions to newly
> discovered security problems into the package.
>
> As suggested else-thread, you must assess, first, what your threat
> profile is. How available is this service, and to whom?
It's available to me when I activate it.
#7
02-16-2008, 07:50 AM
Clever Monkey
Re: PHP 4, 5, or neither?

dave wrote:
> Clever Monkey <clvrmnky.invalid@hotmail.com.invalid> wrote:
>> dave wrote:
>>> Joachim Schipper <joachim@melpomene.jschipper.dynalias.net> wrote:
>>>> dave <daf@a64.comcast.net> wrote:
>>>>> I need to install PHP on my system for a web app.
>>>>> The web app can work with either PHP4 or PHP5.
>>>>> My impression is that PHP has a reputation for weak security.
>>>>> Which of PHP4 / PHP5 is more secure? Or are both bad news?
>>>> Both are probably bad news, but the 5.x series is more regularly updated
>>>> in OpenBSD, and also includes some patches that should enhance security
>>>> (hardened-php in 4.0's -hardened flavour, suhosin in -current, IIRC).
>>>>
>>> Thanks for the info. The web app that I'm interested in is Zoneminder, a
>>> comprehensive video security application. Zoneminder uses both mysql and
>>> php, either 4 or 5. I am not eager to install php. I am considering the
>>> alternative of building my own much simpler video security application
>>> using videod, fwtv and scripting tools.

>> This is a serious question: how do you know your home-made solution
>> would not have holes of its own? The Intertubes are littered with the
>> dead bodies of home-grown projects that were considered safe before
>> falling apart. Security is hard to get right.
>>
>> There are hardened PHP5 packages that go through some source-level
>> auditing, and include all known security issues of merit. These also
>> get updated as the package maintainer folds solutions to newly
>> discovered security problems into the package.
>>
>> As suggested else-thread, you must assess, first, what your threat
>> profile is. How available is this service, and to whom?

>
> It's available to me when I activate it.
Is this who you want it available to, or is it also available to others?

If this service is on your net but is accessible by the internet at
large, then you have made that service "available" to everyone here.

If this is a web service, then you have to consider what other
user-agents, and from where, might have access to the service. This is
the first level of the threat consideration.

i.e., Who has access?

Then you have to determine the vectors of attack those connections can
leverage to subvert your service.

i.e., What can these people do with this access?

The answers to this last question can be many and complicated. Start by
answering the first one _properly_ first to determine the scope of the
second question.
#8
02-16-2008, 07:50 AM
Joachim Schipper
Re: PHP 4, 5, or neither?

Clever Monkey <clvrmnky.invalid@hotmail.com.invalid> wrote:
> dave wrote:
>> Clever Monkey <clvrmnky.invalid@hotmail.com.invalid> wrote:
>>> dave wrote:
>>>> Joachim Schipper <joachim@melpomene.jschipper.dynalias.net> wrote:
>>>>> dave <daf@a64.comcast.net> wrote:
>>>> The web app that I'm interested in is Zoneminder, a comprehensive
>>>> video security application. Zoneminder uses both mysql and php,
>>>> either 4 or 5. I am not eager to install php. I am considering the
>>>> alternative of building my own much simpler video security
>>>> application using videod, fwtv and scripting tools.
>>> This is a serious question: how do you know your home-made solution
>>> would not have holes of its own? The Intertubes are littered with the
>>> dead bodies of home-grown projects that were considered safe before
>>> falling apart. Security is hard to get right.
>>>
>>> There are hardened PHP5 packages that go through some source-level
>>> auditing, and include all known security issues of merit. These also
>>> get updated as the package maintainer folds solutions to newly
>>> discovered security problems into the package.
>>>
>>> As suggested else-thread, you must assess, first, what your threat
>>> profile is. How available is this service, and to whom?

>>
>> It's available to me when I activate it.

>
> Is this who you want it available to, or is it also available to others?
>
> If this service is on your net but is accessible by the internet at
> large, then you have made that service "available" to everyone here.
>
> If this is a web service, then you have to consider what other
> user-agents, and from where, might have access to the service. This is
> the first level of the threat consideration.
>
> i.e., Who has access?
>
> Then you have to determine the vectors of attack those connections can
> leverage to subvert your service.
>
> i.e., What can these people do with this access?
>
> The answers to this last question can be many and complicated. Start by
> answering the first one _properly_ first to determine the scope of the
> second question.
Just as a suggestion: enable proper, IP-level (pf) security, and don't
use the webserver on the box for anything else (for added paranoia,
don't use any part of the box for anything else, and don't connect it to
any network - this is highly dependent on just how hard it is to get
at all your camera data, and how much you'd care if someone did).

This way, PHP's usual security issues and any bugs in the application
won't matter all that much. Of course, it will be somewhat inconvenient.

Joachim
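Josh's advice in #4 (keep the management interface off the internet) and Joachim's in #8 (IP-level pf filtering) come down to the same control: let the PHP web interface answer only to hosts you trust. The pf.conf below is a constructed example added here, not a ruleset posted by anyone in the thread; it assumes em0 is the external interface, 192.168.1.0/24 is the trusted LAN and 192.168.1.10 is the administrator's workstation.

```pf
# Constructed example: pf.conf restricting a ZoneMinder-style web
# management interface to trusted hosts. Interface and address values
# are assumptions, not taken from the thread.
ext_if    = "em0"                # assumed external interface
lan_net   = "192.168.1.0/24"     # assumed trusted LAN
admin     = "192.168.1.10"       # assumed administrator workstation
web_ports = "{ 80 443 }"

# Hosts that trip the SSH rate limit below end up here.
table <bruteforce> persist

set skip on lo
set block-policy drop            # drop silently rather than sending RSTs

# Drop packets with forged source addresses on the external interface.
antispoof quick for $ext_if

# Default deny inbound; log drops so probes show up in pflog.
block in log
block in quick from <bruteforce>
pass out                         # stateful outbound traffic is allowed

# Weak setting (left commented out on purpose): exposes the PHP interface
# to every address that can reach the box, which is what the thread
# warns against.
# pass in on $ext_if proto tcp to ($ext_if) port $web_ports

# Hardened setting: only the admin workstation can reach the web UI.
pass in on $ext_if proto tcp from $admin to ($ext_if) port $web_ports

# SSH from the LAN only, with a connection-rate limit against brute force.
pass in on $ext_if proto tcp from $lan_net to ($ext_if) port 22 \
    keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -sr` then shows the active rules and `tcpdump -n -e -ttt -i pflog0` shows what is being dropped.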