Archive for the 'php' Category
Converting PHP scripts to dlls
By Justin Silverton
I came across this great open source project that compiles your PHP scripts into a FastCGI executable that can be run by any web server with FastCGI support (including Apache and IIS).
From the site:
“Roadsend Compiler is an open source, native compiler for the PHP language. It compiles PHP source code to stand alone, native binaries which do not require an interpreter. Roadsend Compiler can build online web applications with Fast/CGI, offline web applications with an embedded web server (MicroServer), desktop GUI applications with PHP-GTK, and console applications. It is known to build on Linux, Windows (using mingw), and FreeBSD.”
Benefits of using the Roadsend compiler
- Faster execution time, because your PHP script is compiled to a native binary instead of being parsed and interpreted on every request.
- Compared with a solution such as Zend Encoder or ionCube, it requires no extra extension on the server (only FastCGI support). A native binary is also harder to turn back into readable source than encoded PHP, but treat this as obfuscation rather than protection: anyone who obtains the binary can still disassemble it or observe what it does.
- The ability to create stand-alone web applications. These ship with a built-in web server (MicroServer) that serves the compiled PHP as if it were a local application.
Issues to consider
- Because the output is an executable, it must be re-compiled for every operating system you want to support (FreeBSD, Linux, Windows, etc.). Roadsend is also its own implementation of the PHP language with its own runtime, so security fixes released for the stock PHP interpreter do not apply to binaries it produces; you depend on Roadsend for fixes to its runtime, and behaviour and available extensions may differ from the interpreter you developed against, so test thoroughly before relying on it.
More information can be found at the main Roadsend website here
Microsoft’s PHP initiative
by Justin Silverton

Microsoft has recently released the second technical preview of FastCGI for IIS, a new component for Microsoft’s web server platform. The release is available for download now for IIS 7.0 on Windows Vista, IIS 6.0 on Windows Server 2003 and IIS 5.1 on Windows XP.
The FastCGI component is part of a collaboration between Microsoft and Zend to improve the performance and stability of PHP on Windows. Instead of spawning a new php-cgi process for every request (as plain CGI does), FastCGI keeps a pool of PHP processes alive and hands requests to them, which is where the speed-up comes from; Zend’s ongoing work on the PHP engine for Windows covers the interpreter side.
Installing
This is only a technical preview, so it is not recommended that you install it on a production server.
To install this on your server, go through the following steps:
- Download the preview here
- Extract the downloaded files
- From a command prompt in the directory containing the extracted files, install the FastCGI handler and then map the .php extension to your PHP CGI binary:
fcgisetup.exe /install
fcgisetup.exe /add c:\php\php-cgi.exe php
The path should point at the CGI build of PHP in your installation (php-cgi.exe in the PHP 5 Windows packages), not the command-line php.exe, which is not a CGI program. Because PHP now runs as a FastCGI process under IIS, also follow the PHP manual’s IIS guidance in php.ini: cgi.force_redirect = 0 (otherwise PHP refuses to run under IIS) and fastcgi.impersonate = 1 (so scripts run with the authenticated request identity rather than the worker process account).
New features of IIS 7
- The IIS 7 output cache can keep script responses, including dynamically generated content, in memory. It is more flexible than the caching in earlier IIS versions because it can be configured to keep separate copies of the response for the same page, keyed on a query-string value.
- Another interesting feature is kernel-mode caching, where cached responses are served directly by the HTTP.sys kernel driver without a trip to user mode, which is very fast. It works with any content type and can significantly improve throughput for applications whose underlying data rarely changes. With either cache, make sure responses that vary per user (sessions, cookies, authenticated pages) are excluded from caching; otherwise one visitor’s personalised page can be served to the next.
Security update for WordPress released
by Justin Silverton
WordPress 2.1.3 and WordPress 2.0.10 have been released.
About this release:
“These releases include fixes for several publicly known minor XSS issues, one major XML-RPC issue, and a proactive full sweep of the WordPress codebase to protect against future problems.”
also,
“As an update to the systems issue we had last month, we have taken dozens of additional precautions with the servers and systems that run WordPress.org and they appear to be working well, despite hundreds of hack attempts after we publicly disclosed there had been a problem. We are also now aggressively monitoring all downloads for any changes or modifications, and we are confident the same type of problem won’t happen again”
Downloads
2.1.3 can be found here
2.0.10 can be found here
Delphi for PHP released
By Justin Silverton
After all the hype, Delphi for PHP is finally available.

Announcement from CodeGear here
“CodeGear, a leader in developer tools, today announced that Delphi® for PHP – an integrated visual Rapid Application Development (RAD) environment for the popular PHP Web development language – is now shipping worldwide.
Delphi for PHP brings the RAD productivity benefits that Delphi users have enjoyed for years to PHP Web developers. PHP, designed to allow Web developers to write dynamically generated pages quickly, is the most prominent dynamic Web language today and has become one of the top 10 programming languages overall.”
Features
- VCL for PHP, an open-source PHP 5 visual component library with more than 50 reusable components and seamless AJAX integration
- out-of-the-box integration with InterBase®, MySQL, Oracle®, Microsoft SQL Server, and other popular databases
- an integrated PHP debugger; drag-and-drop database application development using the Data Explorer for InterBase and MySQL
- a code editor with Code Insight, Code Explorer, and Code Templates. Deployment options include Windows, Linux, Solaris and other platforms
Pricing
The product is available for an introductory price of $249.
Download Trial
A one-day trial can be downloaded here
Is your website secure?
By Justin Silverton
March 2007 is the Month of PHP Bugs (MOPB), a month-long series of advisories about the PHP interpreter itself rather than about applications written in PHP. The following are five of the latest bugs it has published.
- PHP header() space trimming buffer underflow (MOPB-25-2007). When header() is called with a string consisting only of whitespace, a buffer underflow can be triggered that allows code execution on big-endian systems (e.g. Mac OS X on PPC, Solaris on SPARC).
- PHP array_user_key_compare() double DTOR (MOPB-24-2007). When the userspace key comparison function returns, its parameters are destructed even if references to them remain, so an exploitable double destructor call can be triggered.
- PHP 5 rejected session identifier double free (MOPB-23-2007). When a session storage module rejects a session id, the session code fails to clear an already freed pointer before calling an interruptible function, which can lead to an exploitable double free.
- PHP session_regenerate_id() double free (MOPB-22-2007). session_regenerate_id() fails to clear an already freed pointer before calling an interruptible function, which can lead to an exploitable double free.
- PHP compress.bzip2:// URL wrapper safe_mode and open_basedir bypass. The compress.bzip2:// wrapper performs no safe_mode or open_basedir checks and therefore allows access to archives outside the allowed area.
More security issues can be found here
It is important to update your PHP installation when new versions and bug fixes are released; the bugs above are in the interpreter, so no amount of care in your own code fixes them. There is also a project called Suhosin (from the Hardened-PHP project) that can help against known and unknown security risks.
More about Suhosin:
It is an advanced protection system for PHP installations, designed to protect servers and users from known and unknown flaws in PHP applications and in the PHP core. Suhosin comes in two independent parts that can be used separately or in combination. The first part is a small patch against the PHP core that implements a few low-level protections against buffer overflows and format string vulnerabilities; the second part is a PHP extension that implements all the other protections. Note that Suhosin reduces exploitability and adds defence in depth; it is not a replacement for applying the upstream fix.
Information and downloads can be found here
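To turn the advice above (keep PHP current, know whether Suhosin is actually in place, know whether the safe_mode/open_basedir bypass matters on a given box) into something you can run, here is an added inventory script. It is not from the original post and not code from the Suhosin or MOPB projects. It assumes the minimum-version threshold is a placeholder you set from the advisories relevant to your PHP branch, that the Suhosin core patch defines the SUHOSIN_PATCH constant and the Suhosin extension registers itself under the name "suhosin", and it otherwise uses only stock PHP functions (version_compare, extension_loaded, ini_get, stream_get_wrappers, stream_wrapper_unregister).

```php
<?php
// Added example: read-only inventory of one PHP installation, plus a stop-gap
// that unregisters stream wrappers an application does not need.
// Assumptions (not from the original post): $minimum_version is a placeholder
// you set from the advisories for your branch; SUHOSIN_PATCH is the constant the
// Suhosin core patch defines; the Suhosin extension is named "suhosin".

function php_hardening_report($minimum_version)
{
    $report = array();

    // The MOPB issues are bugs in the interpreter itself, so the only complete
    // fix is upgrading. version_compare() orders "5.2.1" before "5.2.10"
    // correctly, which a plain string comparison would not.
    $report['php_version'] = PHP_VERSION;
    $report['version_ok']  = version_compare(PHP_VERSION, $minimum_version, '>=');

    // Suhosin has two independent parts; either can be present without the other.
    $report['suhosin_patch']     = defined('SUHOSIN_PATCH');
    $report['suhosin_extension'] = extension_loaded('suhosin');

    // If you rely on open_basedir or safe_mode to confine scripts, the
    // compress.bzip2:// bypass matters to you; if neither is set, that bug
    // changes nothing about your exposure.
    $report['open_basedir']  = (string) ini_get('open_basedir');   // '' when unset
    $report['safe_mode']     = (bool) ini_get('safe_mode');        // removed in later PHP; false then
    $report['bzip2_wrapper'] = in_array('compress.bzip2', stream_get_wrappers(), true);

    $report['exposed_to_bzip2_bypass'] =
        $report['bzip2_wrapper']
        && ($report['open_basedir'] !== '' || $report['safe_mode'])
        && !$report['version_ok'];

    return $report;
}

// Stop-gap until the interpreter is upgraded: remove wrappers the application
// never uses. Unregistering affects only the current request, so this must run
// before any application code (for example via auto_prepend_file), and it is
// not a substitute for the fix itself. Returns the names actually removed.
function disable_stream_wrappers(array $unneeded)
{
    $removed    = array();
    $registered = stream_get_wrappers();
    foreach ($unneeded as $name) {
        if (in_array($name, $registered, true) && stream_wrapper_unregister($name)) {
            $removed[] = $name;
        }
    }
    return $removed;
}

if (PHP_SAPI === 'cli') {
    $report = php_hardening_report('5.2.1');   // placeholder threshold, set your own
    foreach ($report as $key => $value) {
        printf("%-26s %s\n", $key, var_export($value, true));
    }
    if ($report['exposed_to_bzip2_bypass']) {
        $removed = disable_stream_wrappers(array('compress.bzip2'));
        printf("unregistered wrappers: %s\n", implode(', ', $removed));
    }
}
```

Run it with the CLI binary on each server (php inventory.php) and again after an upgrade; the version check is deliberately driven by a threshold you supply rather than a hard-coded release, because which release fixes a given advisory depends on the branch you run. The wrapper removal is shown because it is the one mitigation available without touching the interpreter, but it only narrows the attack surface for that request, so keep it in an auto_prepend_file and drop it once the upgrade is done.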