[horde] HORDE and PHP security issue(s)
brian@highstream.kicks-ass.org
Wed Nov 2 07:09:29 PST 2005
On Tue, 1 Nov 2005, Michael M Slusarz wrote:
>Horde makes sure (see lib/core.php) that no globals are defined at the
>beginning of a page load if register_globals is set. so this should
>not be an issue. (and test.php does make very clear that
>register_globals should not be set)
>
>For any of the other PHP exploits - obviously Horde will be as
>vulnerable as every other PHP application since these are PHP core
>issues, not usercode issues. Naturally we don't workaround these
>exploits since, up to a short time ago, *nobody* realized these
>exploits existed.
>
>Obviously the solution is to upgrade PHP. This is not a Horde issue.
Understood; the main issue I was asking about was really the globals
issue. I didn't feel qualified enough to determine if HORDE's handling of
them was safe or not.
I was asking mostly to judge how quickly I should be staging this upgrade.
>I know the answer is upgrade php but I have some production servers with
>HUGE horde prefs dbs that take a considerable amount of time to dump and
>restore if/when something goes wrong. All you admins know people go nuts
>if their mail is down for any amount of time.
>
>Why do you need to dump/restore DB? Your DB backend is completely
>independent of PHP. Upgrading PHP from 4.4.0 to 4.4.1 should be a
>simple matter of recompiling/updating the PHP binaries and associated
>libraries. You should not need to touch anything in Horde/IMP after
>the update.
Because the DB would suddenly be on a different machine by mandate of the
boss gods, and in non-TCP socket mode. This again is only if everything couldn't be
made to work on a live production machine in a very short amount of time.
I just work here, I don't make the rules.
Also, I don't have PHP 4.4.0 on these machines, and these originally didn't
use apxs, so I have to recompile everything.
I followed the original install docs the previous
admin had written during his install with PHP 4.2.2 when I upgraded to
4.3.8, which did not go that smoothly but eventually worked. I'd definitely
not follow his directions this time.
I have had considerable trouble getting horde2/php completely working in
the past, in fresh installs too; maybe I'm just a dumbass. The new horde3
stuff has been pretty smooth though.
My reservations aren't from fear of the unknown here; they're from previous
bad experience.
Thanks for the reply.
brian
--
Never be afraid to tell the world who you are.
-- Anonymous
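To make the register_globals hazard discussed in this thread concrete, here is an added PHP example (not Horde's own lib/core.php code): a check that trusts an uninitialised global, the emulated effect of register_globals injecting that global from the request, and a guard that strips request-derived names from the global scope. The request values and the is_admin() function are constructed for the demonstration.

```php
<?php
// Constructed sample request: with register_globals=On, PHP 4 copies every
// request variable into the global scope before the script runs. Here that
// effect is emulated by hand so the script runs offline with any setting.
$_GET    = array('authenticated' => '1');
$_COOKIE = array('role' => 'admin');
$GLOBALS['authenticated'] = $_GET['authenticated'];   // emulated injection
$GLOBALS['role']          = $_COOKIE['role'];         // emulated injection

// Hypothetical application check. The bug: $role is never initialised by
// the script, so whatever register_globals injected is what gets tested.
function is_admin()
{
    global $role;
    return isset($role) && $role === 'admin';
}

// Defensive guard in the spirit of what the reply describes: before any
// application code runs, remove every global whose name matches a key in
// one of the request arrays, so injected values cannot survive.
function scrub_request_globals()
{
    $protected = array('GLOBALS', '_GET', '_POST', '_COOKIE', '_SERVER',
                       '_ENV', '_FILES', '_REQUEST', '_SESSION');
    $sources = array($_GET, $_POST, $_COOKIE, $_SERVER, $_ENV, $_FILES);
    $removed = 0;
    foreach ($sources as $src) {
        foreach (array_keys($src) as $key) {
            // Never touch the superglobals themselves.
            if (!in_array($key, $protected, true) && array_key_exists($key, $GLOBALS)) {
                unset($GLOBALS[$key]);
                $removed++;
            }
        }
    }
    return $removed;
}

echo "before scrub: is_admin() = " . (is_admin() ? 'true' : 'false') . "\n";
$n = scrub_request_globals();
echo "scrubbed $n injected global(s)\n";
echo "after scrub:  is_admin() = " . (is_admin() ? 'true' : 'false') . "\n";
```

Real deployments should still turn register_globals off, as test.php advises; the scrub only limits the damage when the ini setting is outside the application's control.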