PHP version 5.27 was officially released and quickly replaced with 5.28. The regression errors introduced in 5.27 affects configurations where magic_quotes_gpc is enabled. So skip 5.27 and go straight to 5.28.
A new version of WordPress has been released. It is a minor security release related to the Snoopy class, and can be upgraded with just 2 files. Now just waiting for inbuilt threaded comments in WP 2.7.
It has been announced that PHP4 support is to cease with only critical support fixes to be made. The details are that new releases on the PHP 4 line will cease at the end of 2007, and security fixes may be made available until August 8, 2008. They encourage all users to upgrade to PHP5.
PHP6 is on the horizon but no definite timeframe is given.
The other day I had a whinge about WP security updates & releases. This post was written after I had just spent valuable time updated a number of WP sites I maintain.
Now I have that out of my system here are the reasons I use WP more and more:
- Not just a blog tool, but a legitimate small-medium CMS
- Large and knowledgeable support community
- A huge and vibrant community of themes and plugins
- FOSS (Free and Open Source Software) all the way
I have recently moved 2 more sites to WP, and both are better for it:
Girraween Athleticsfrom Joomla devReviewfrom custom code
When I next need to put together a site with content management type capabilities I will likely use WP again over alternatives I have tried.
WordPress has released version 2.2.1. This means another round of updates for sites running older versions that I maintain. This one has security fixes so is a must.
These WordPress updates are starting to get to me. There have been too many in the last 12 months and security fixes have been in most.
And it seems WordPress themes are now a bigger part of the problem.
Ok, whinge over.
From XSS News comes a link to an application called Pixy. It is a java app that takes PHP code and warns of potential cross site scripting and/or SQL injection vulnerabilities.
There is plenty of documentation, with good explanations of what Pixy can and cannot achieve. For example you cannoy throw it a directory of code, and have it find problems. If your PHP code has multiple entry points, then it needs to be run once for each of these.
A web version is available to do XSS test on single pieces of PHP code. There is a requirement to have Perl installed on your system for the download version.
A new PHP version has been released: 5.2.3. The development team states “This release continues to improve the security and the stability of the 5.X branch as well as addressing two regressions introduced by the previous 5.2 releases.” Nothing earth shattering but security updates are always a good thing.
Release notes and change log available.
No upgrade on the 4.4.x line.
You would love to be doing great new and interesting things with all of your working day, but sometimes the boring and mechanical need to be done as well. WordPress release version 2.06 last week, so I upgraded the various sites I have responsibility for. Its not an exciting job, but better than falling prey to security issues. However it is a frustration to do it all again so soon after for 2.07.
Now what was that great idea I was working on.
For a site we developed, a custom guestbook was added by us, to replace a previous 3rd party guestbook, which had been turned off a while ago due to security problems. A relatively simple affair to create, but with effort put in to make it secure against database injection and other nasties. And in this purpose it has been all good.
All entries are moderated, and this is made quite clear. Do you think this would deter the spammers? Not one bit. First week things are pretty quiet, second week about 30 attempted spam entries, and for week 3 almost 200. Wow there are some bored and desperate people. Not one of them got their viagra spam links on, but it didn’t stop repeated attempts. So possible bot activity as well.