This is a paste from rafb.net entitled "Differences between PHP 5.2.7 and 5.2.8" and this is a problem. Andy Lester diffed the tarballs for PHP 5.2.7 and 5.2.8 and posted the result on twitter. He also pointed out the whopping huge problem we have here.

diff -urN php-5.2.7/configure php-5.2.8/configure
--- php-5.2.7/configure	2008-12-03 10:07:36.000000000 -0600
+++ php-5.2.8/configure	2008-12-07 13:31:12.000000000 -0600
@@ -2429,7 +2429,7 @@
 
 PHP_MAJOR_VERSION=5
 PHP_MINOR_VERSION=2
-PHP_RELEASE_VERSION=7
+PHP_RELEASE_VERSION=8
 PHP_EXTRA_VERSION=""
 PHP_VERSION="$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION.$PHP_RELEASE_VERSION$PHP_EXTRA_VERSION"
 PHP_VERSION_ID=`expr $PHP_MAJOR_VERSION \* 10000 + $PHP_MINOR_VERSION \* 100 + $PHP_RELEASE_VERSION`
diff -urN php-5.2.7/configure.in php-5.2.8/configure.in
--- php-5.2.7/configure.in	2008-12-03 09:54:02.000000000 -0600
+++ php-5.2.8/configure.in	2008-12-07 13:23:25.000000000 -0600
@@ -1,4 +1,4 @@
-## $Id: configure.in,v 1.579.2.52.2.116 2008/12/03 15:54:02 iliaa Exp $ -*- autoconf -*-
+## $Id: configure.in,v 1.579.2.52.2.119 2008/12/07 19:23:25 iliaa Exp $ -*- autoconf -*-
 dnl ## Process this file with autoconf to produce a configure script.
 
 divert(1)
@@ -41,7 +41,7 @@
 
 PHP_MAJOR_VERSION=5
 PHP_MINOR_VERSION=2
-PHP_RELEASE_VERSION=7
+PHP_RELEASE_VERSION=8
 PHP_EXTRA_VERSION=""
 PHP_VERSION="$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION.$PHP_RELEASE_VERSION$PHP_EXTRA_VERSION"
 PHP_VERSION_ID=`expr [$]PHP_MAJOR_VERSION \* 10000 + [$]PHP_MINOR_VERSION \* 100 + [$]PHP_RELEASE_VERSION`
diff -urN php-5.2.7/ext/filter/filter.c php-5.2.8/ext/filter/filter.c
--- php-5.2.7/ext/filter/filter.c	2008-11-02 16:04:40.000000000 -0600
+++ php-5.2.8/ext/filter/filter.c	2008-12-06 11:16:36.000000000 -0600
@@ -19,7 +19,7 @@
   +----------------------------------------------------------------------+
 */
 
-/* $Id: filter.c,v 1.52.2.43 2008/11/02 22:04:40 lbarnaud Exp $ */
+/* $Id: filter.c,v 1.52.2.44 2008/12/06 17:16:36 scottmac Exp $ */
 
 #ifdef HAVE_CONFIG_H
 #include "config.h"
@@ -275,7 +275,7 @@
 {
 	php_info_print_table_start();
 	php_info_print_table_row( 2, "Input Validation and Filtering", "enabled" );
-	php_info_print_table_row( 2, "Revision", "$Revision: 1.52.2.43 $");
+	php_info_print_table_row( 2, "Revision", "$Revision: 1.52.2.44 $");
 	php_info_print_table_end();
 
 	DISPLAY_INI_ENTRIES();
@@ -403,7 +403,7 @@
 		Z_STRLEN(new_var) = val_len;
 		Z_TYPE(new_var) = IS_STRING;
 
-		if (IF_G(default_filter) != FILTER_UNSAFE_RAW || IF_G(default_filter_flags) != 0) {
+		if (IF_G(default_filter) != FILTER_UNSAFE_RAW) {
 			zval *tmp_new_var = &new_var;
 			Z_STRVAL(new_var) = estrndup(*val, val_len);
 			INIT_PZVAL(tmp_new_var);
diff -urN php-5.2.7/main/php_version.h php-5.2.8/main/php_version.h
--- php-5.2.7/main/php_version.h	2008-12-03 09:54:03.000000000 -0600
+++ php-5.2.8/main/php_version.h	2008-12-07 13:23:26.000000000 -0600
@@ -2,7 +2,7 @@
 /* edit configure.in to change version number */
 #define PHP_MAJOR_VERSION 5
 #define PHP_MINOR_VERSION 2
-#define PHP_RELEASE_VERSION 7
+#define PHP_RELEASE_VERSION 8
 #define PHP_EXTRA_VERSION ""
-#define PHP_VERSION "5.2.7"
-#define PHP_VERSION_ID 50207
+#define PHP_VERSION "5.2.8"
+#define PHP_VERSION_ID 50208
diff -urN php-5.2.7/NEWS php-5.2.8/NEWS
--- php-5.2.7/NEWS	2008-12-03 09:54:02.000000000 -0600
+++ php-5.2.8/NEWS	2008-12-07 13:23:25.000000000 -0600
@@ -1,5 +1,8 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+08 Dec 2008, PHP 5.2.8
+- Reverted bug fix #42718 that broke magic_quotes_gpc (Scott)
+
 04 Dec 2008, PHP 5.2.7
 - Upgraded PCRE to version 7.8 (Fixes CVE-2008-2371) (Ilia)
 - Updated timezone database to version 2008.9. (Derick)

As explained in a blog entry about the PHP 5.3.7 release, there was a major regression in PHP where they broke a security fix with something called "magic_quotes_gpc". Basically, it's a deprecated feature in PHP, but it helps to prevent against something called SQL injection attacks. These attacks are trivial to execute and are very serious. PHP has long been notorious for security holes, but re-opening an old security hole was so serious that PHP pulled this release and released it with the change above.

Notice anything interesting about that diff? Anything missing, perhaps?

CAN WE HAVE SOME FRIGGIN' TESTS, PLEASE? You re-open an old, serious security hole in one of the most popular programming languages, a hole you re-opened because you evidently don't have tests for it in the first place, and now you close it but don't write any tests? Have you learned nothing? Aargh!

I have some code that I've put out there without complete test coverage, but I mark this code as "experimental" or "alpha". And it's certainly not something which is a core technology that underpins much of the Web.

You ever wish you could fire open-source programmers? The next time your crappy bulletin board software breaks, remember this post.

I've said before (many times) that CCTV doesn't work, but now the British police are saying it, too. We know it doesn't work. It does little to solve crime other than to coddle the feelings of those who don't know better. Of course, the government won't listen. If they were to admit that they've wasted billions of pounds for nothing, people would ... well ... what? They'd grumble and turn back to their pints.

Japan used to require all foreigners entering their country to be fingerprinted. They abandoned this policy due to privacy concerns and, as far as I'm concerned, this is a Good Thing. More and more countries, rather than honestly asking themselves, "what can we do to to make the world a better place?", have simply given up, assumed things are bad, and just assume that violating our privacy is a necessary evil in their fight against reason terrorism.

Giving into terror hysteria, Japan again requires foreigners to be fingerprinted.

Of course, if you're disturbed by the idea of the mounting assaults on our privacy, this probably bothers you. Offhand, short of hiring a plastic surgeon, I am only familiar with one way of changing your fingerprints. You get someone to press their fingerprints into modeling clay. Then you spray the prints with jeweler's oil, apply Nu Skin (they have a clear artificial skin product), and when it sets, carefully peel off the prints. Then you superglue them to your fingertips and carefully pierce the prints with a needle to let your natural oils cover the prints. More Nu Skin will need to be applied to blend the fingerprint edges into your own skin.

Of course, the other person is probably not going to want to be implicated in whatever you do, so it helps if they're unconscious when you borrow their prints. This is probably not a viable route.

Enter "mock". This is the online handle of a rather curious gentleman I've met at a couple of conferences. He's a security researcher and is passionate about privacy. He decided that the trick would be to remove his fingerprints. He researched various methods and actually tried them. Then he posted a blog entry about how to remove your fingerprints. He even has a PDF of slides of his attempts. And yes, he even pressed his fingers into a frying pan with hot, smoking oil (it didn't work but it hurt like hell).

He claims he successfully made it through Japanese customs and he actually had to wait in a line of people who didn't have fingerprints. Curiously, he mentioned they were mostly old Chinese women. I'm wondering how that came about.

The downside of this, as mock points out, is that you probably want to have a plausible reason why you don't have fingerprints. That last bit has me stumped.

You know, I really, really get annoyed at developers who don't even have a basic knowledge of security yet make their applications available to everyone. "Available to everyone" frequently means "web pages".

If you've ever heard of SQL injection, you know that any URL which allows its data to be injected directly into an SQL query is a security hole waiting to be exploited. So consider the basic structure of an SQL SELECT statement:

SELECT [something] FROM [table or tables] WHERE [some condition]

So any URL which has that basic structure potentially has a massive security hole allowing you to search their database and possibly cause plenty of damage. So how would you find those URLs? Enter Google Hacking. Google allows you to add a inurl: term to your query. Whatever you include with that term should be included in the URL. So what you're looking for is any URL which has select, from and where (the %3A is the encoding for a colon ':' character):

inurl:select inurl:from inurl:where

Now as it turns out, that returns a lot of questions about SQL queries in addition to URLs which execute queries. So to make it easier to find our target, let's look for anything which embeds 'cgi' in their URL:

inurl:cgi inurl:select inurl:from inurl:where

Bingo. Lots and lots of hackable Web sites. These people keep me employed.

Update: while playing around with this, I stumbled across the following URL (deliberately not made clickable):

http://140.127.211.214/cgi-bin/nlrdf_publ/update.pl?sql=UPDATE%20language%20set%20valid_from=**********%20where%20id=246

Inspired by the latest horror at the Daily WTF

Now I need to go through and change a couple of passwords. I noticed a few days ago that someone was staring intently at my fingers when I was typing a password. I fumbled the password a couple of times, so they watched my fingers as I typed the same password three times. I am very bothered by this, but I hate saying to someone "could you please be polite and look away while I'm typing my password?" You would think that this would be common courtesy and not require that someone be reminded of basic manners.