The Month of PHP Bugs is progressing nicely and the counter is up to nine (at this rate, assuming a linear progression, we will end up with almost 70 vulnerabilities!). The new ones repeat the same pattern as the previous ones: they can be mitigated in environments where a single user controls the server, but in shared hosting environments they present serious problems. For example, MOPB-05-2007 (PHP unserialize() 64 bit Array Creation Denial of Service Vulnerability) makes it trivial to DoS the whole machine if it runs an older version of PHP on a 64 bit system, and on a shared host that takes every customer's site down along with the one that was attacked, since all of them run on the same PHP interpreter.
My advice remains the same: forget shared hosting (both as a client and as a service provider) and patch, patch, patch. Also consider things like Suhosin and mod_security, keeping in mind that they are hardening layers that reduce the attack surface, not a replacement for the actual fix. I know that both (especially the latter) can be a pain in the rear end to configure, but the alternative, being owned or DoS-ed out of existence, is by no means better.
PS. This week seems to be a bad one for PHP security, since the distribution server for WordPress (a popular blogging platform written in PHP) was compromised and the downloadable package contained a backdoor – my respect to them for saying cracker, not hacker. Via Slashdot.