Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:72399
Return-Path: <nikita.ppv@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 73365 invoked from network); 8 Feb 2014 12:08:46 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 8 Feb 2014 12:08:46 -0000
Authentication-Results: pb1.pair.com header.from=nikita.ppv@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=nikita.ppv@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.219.42 as permitted sender)
X-PHP-List-Original-Sender: nikita.ppv@gmail.com
X-Host-Fingerprint: 209.85.219.42 mail-oa0-f42.google.com  
Received: from [209.85.219.42] ([209.85.219.42:46985] helo=mail-oa0-f42.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id DF/E0-65299-D4E16F25 for <internals@lists.php.net>; Sat, 08 Feb 2014 07:08:46 -0500
Received: by mail-oa0-f42.google.com with SMTP id i7so5502045oag.15
        for <internals@lists.php.net>; Sat, 08 Feb 2014 04:08:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :cc:content-type;
        bh=s0kFP/P4v6a+VjoO/sPaPLo2O4J4x1q04rE8unT9jP0=;
        b=JUKSwP4flRvpYyGsCVd+QnD7nAq5eyqEjqqoKQOhWBug+5E7y42NAdei4VPEl8C5ZU
         fUTT8Co1FANx5xT/tkwisNFUQ4+fbyUmJ3v2o3tHle2GX504r7g465P3t6taz1xZ+96Q
         wnschvOVojedGL2wdupen7p1pwstj2a8LDOjWjJzor22TUd8CH3Mn2Lcr8XBrny54/fh
         Hdv/y7H4iYKeAd/cI09XJcwg1o8suvBPLzuDNYnSn1af5nHFdK3CqMjj1qop9o9L1TSi
         zRDemlKUshDspd645GMaKKKCMTt/cOJjWqN/Qfci8MnokJz0hw962jEq2apqL7AiFQyx
         ti9Q==
MIME-Version: 1.0
X-Received: by 10.182.250.200 with SMTP id ze8mr96376obc.72.1391861322610;
 Sat, 08 Feb 2014 04:08:42 -0800 (PST)
Received: by 10.182.54.112 with HTTP; Sat, 8 Feb 2014 04:08:42 -0800 (PST)
In-Reply-To: <52F61A78.1020401@lsces.co.uk>
References: <52F61A78.1020401@lsces.co.uk>
Date: Sat, 8 Feb 2014 13:08:42 +0100
Message-ID: <CAF+90c9ZmeysC88ghHk50rpv_8T4jYhGCWEDwZxOR5EmPuDDLg@mail.gmail.com>
To: Lester Caine <lester@lsces.co.uk>
Cc: PHP internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=089e0160c660b5fcd204f1e3f778
Subject: Re: [PHP-DEV] Security Diligence
From: nikita.ppv@gmail.com (Nikita Popov)

--089e0160c660b5fcd204f1e3f778
Content-Type: text/plain; charset=ISO-8859-1

On Sat, Feb 8, 2014 at 12:52 PM, Lester Caine <lester@lsces.co.uk> wrote:

> I think an explanation of my recent posts is probably due.
>
> The bulk of my income is from council and other local authority customers
> who are required to jump through many often difficult to identify hoops.
> They are currently being put through another round of 'security
> assessments' and I had a second visit to a site which we have yet to
> upgrade from PHP5.2 earlier this week. The system is doing exactly what the
> 'customer' wants ( the client is the customer services team ), and while
> the IT department has been providing network access since it was installed
> in 2007, it has no outside access other that a VPN/VNC link so I can carry
> out maintenance. As a result it has not been necessary or easy to upgraded
> to later 'security patches'.
>
> It's the last of my 'CMS' sites that I have to upgrade to PHP5.4 and that
> was the discussion before Xmas, but the IT department have now realised
> that they should be managing the network better :) Driven by their current
> security assessment, linked to removing Windows XP from it. Since two of
> the CMS machines are running XP, these will need to be replaced, but it is
> the Apache/PHP stack which the 'security consultant' has been targeting
> insisting that only a CURRENT version of both will be acceptable, and
> PHP5.4 is not current in his eyes despite it getting security updates
> independent of PHP5.5.
>
> I am more than happy that within the constraints applied I have maintained
> the PHP5.2 setup as 'safe' as I can and since these sites are all ring
> fenced inside the site network personally I do not see a problem. This view
> is actually supported by the IT staff, it is the independent consultant who
> is now putting up objections to our continuing to supply the CMS service.
> Unpatched reported security problems are one of his objections and timed
> attack was one brought up probably because it's discussion is currently
> happening! We are currently trying to work out how to move forward, and
> since the service provides an essential part of the handling of visitors
> there is a desire by the users to maintain it ;)
>
> Why is this all so futile?
> The system is still using the same 4 digit 'pin number' to identify a
> staff id that was instigated when the system was first designed back in
> 1992, and when many access positions were just numeric pads with small
> displays! No sensitive data is stored ...
>
> ( Firebird's password is still limited to 8 characters for historic
> reasons, so the length is a known and the hash decode is designed to check
> all characters even if an earlier compare fails ... so maintains a fixed
> test time )
>

I'm sorry, but how does this relate to the internals mailing list?

Thanks,
Nikita

--089e0160c660b5fcd204f1e3f778--