The Month of PHP bugs started off today with not one, but three bugs. Two of them can be protected against by using Suhosin (you might accuse the guy of some grey area marketing – but you can’t since his product is both free and open source) and the third by upgrading to PHP5 (because it is a PHP4 only vulnerability).

The situation currently is: if you are running on a dedicated (virtual) server, you don’t have anything new to worry about (since supposedly your programmers don’t intentionally try to crash your webserver). On the other hand if you are running (or using) shared hosting, be worried, very worried. One malicious user or one easily hackable PHP script can make your server an easy target for DoS attacks with these bugs.

It seems rather curious that the PHP developers were against the fixing of these flaws (if you can believe Stefan Esser, after all you have to take the word if all involved parties with a grain of salt), because it is something that Perl is doing, most probably for many years.

If all the bugs stay in this area, people running / using dedicated hosting will be relatively safe (as safe as were until now). The clients of shared hosting companies should try to migrate anything remotely important or confidential over to dedicated hosting if the given shared hosting company provides PHP (and most of them do, except for the ASP ones) or at least convince them to install Suhosin (which they probably won’t). Don’t even try to convince them to use mod_security, because while Suhosin shouldn’t require many configuration and most probably won’t break anything for anybody, this certainly will.