
Articles in the PHP Category

PHP »

[11 May 2012 | No Comment | 48 views]

If you are running php-cgi, there is a major vulnerability that will allow attackers to view and run PHP source code on your site.

Resources on the vulnerability:
http://blog.spiderlabs.com/2012/05/honeypot-alert-active-exploit-attempts-for-php-cgi-vuln.html
http://blog.sucuri.net/2012/05/php-cgi-vulnerability-exploited-in-the-wild.html
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/ 

  • Many nginx setups use php-cgi, so it is critical to patch PHP to the latest version or apply the recommended fixes through Apache Rewrite.
  • mod_php and php-fpm setups are not vulnerable to this attack. Most Apache web server setups use mod_php for PHP.

debian, PHP »

[31 Jan 2012 | No Comment | 301 views]

There is an important Debian update for PHP today that fixes a number of vulnerabilities, including a regression and buffer overflows. The crypt_blowfish function also had a bug that did not properly handle 8-bit characters, which could make password hashes easier to crack. This is one of the larger security fixes for PHP in the past year, so you should update your PHP package immediately.

Package        : php5
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-1938 CVE-2011-2483 CVE-2011-4566 CVE-2011-4885 CVE-2012-0057

A regression was found in the fix for PHP’s XSLT transformations (CVE-2012-0057). Updated packages are now available to address this regression. …

PHP »

[5 Oct 2011 | 2 Comments | 1,438 views]

I’ve looked at a number of cURL PHP tutorials on the web and noticed “curl_setopt($RESTsession, CURLOPT_SSL_VERIFYPEER, false);” is often used for accessing secure websites via cURL. This is often seen when people ask “I cannot connect to HTTPS site using cURL” or have the “SSL certificate problem, verify that the CA cert is OK” error with cURL.

Ideally, you should set CURLOPT_SSL_VERIFYPEER to true unless the server you are connecting to does not have a signed certificate. If you are sending confidential data, wouldn’t you want to make sure you are connecting to the correct server?

This guide will help you get the CA certificate from the remote server using Mozilla Firefox 6 and then use PHP with cURL to retrieve the information from the remote https server.

PHP »

[17 Sep 2011 | No Comment | 814 views]

After about a month of using NetBeans (www.netbeans.org), I’m making it my main code editor/IDE. I’m writing code on both Mac OS X and Windows, so it’s nice to have one editor to use for both. The built-in CVS, Subversion, Mercurial, and file transfer tools are really good. The built-in syntax validation works decently, as it will catch any missing semicolons and brackets. Code completion works well, with all the PHP functions listed, and it will pull all matching functions in your namespace. Performance is a bit slower since it’s running on Java, but it should run OK on newer computers. It’s also free, which is probably the #1 selling point.

PHP »

[8 Aug 2011 | One Comment | 1,347 views]

Here’s a quick guide to enabling the CAPTCHA plugin in SquirrelMail. It’s generally a good idea, as it adds a way to limit automated login attempts.