Frank DENIS random thoughts.

phpinfo() XSS vulnerability

March is the month of PHP bugs.

Every day, security researcher Stefan Esser will disclose some unfixed PHP vulnerabilities.

Stay tuned, because some of these vulnerabilities are likely to get exploited as soon as they are disclosed.

An important and remotely exploitable one, disclosed yesterday, is that phpinfo() is still vulnerable to cross-site scripting attacks with PHP 4 and PHP 6.

So:

  • Don’t expose phpinfo() to the whole wild world.
  • If you are still running PHP 4, upgrade. Sorry, but PHP 4 is getting old and, although maintenance releases still appear from time to time, keep in mind that the PHP developers now focus mainly on PHP 5.2 and PHP 6.
  • Use the suhosin patch. If you are running OpenBSD, you already have a suhosin-enabled PHP.
  • If you are still running Apache, mod_security with sensible rules can help proactively protect against common XSS and SQL injection attacks.
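One way to implement the first item, as an added Apache 2.2 configuration example that is not from the original post; the script path, the admin network 192.0.2.0/24 and the htpasswd file are assumptions:

```apache
# Added example, not from the original post: httpd.conf fragment that keeps a
# phpinfo() diagnostic page off the public Internet. Assumes the script lives at
# /var/www/htdocs/admin/phpinfo.php and that 192.0.2.0/24 is the admin network.
<Directory "/var/www/htdocs/admin">
    <Files "phpinfo.php">
        # Deny everyone, then allow only loopback and the admin network.
        Order Deny,Allow
        Deny from all
        Allow from 127.0.0.1 192.0.2.0/24

        # Also require a login, so reaching the network alone is not enough.
        AuthType Basic
        AuthName "Diagnostics"
        AuthUserFile /etc/apache/phpinfo.htpasswd
        Require valid-user

        # Both the address check and the password must pass.
        Satisfy All
    </Files>
</Directory>
```

This only shrinks the set of people who can reach the page; an administrator who is allowed through can still be sent a crafted link, so the access control is a stopgap and the upgrade is the actual fix.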