diff --git a/chapters/security.xml b/chapters/security.xml
index 063016f61d..b9047c1dbd 100644
--- a/chapters/security.xml
+++ b/chapters/security.xml
@@ -254,6 +254,22 @@ AddHandler php3-script .php3
+
+ Keeping Current
+
+ PHP, like any other large system, is under constant scrutiny and
+ improvement. Each new version will often include both major and
+ minor changes to enhance and repair security flaws, configuration
+ mishaps, and other issues that will affect the overall security
+ and stability of your system.
+
+
+ Like other system-level scripting languages and programs, the best
+ approach is to update often, and maintain awareness of the latest
+ versions and their changes.
+
+
+
Installed as an Apache module
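Review bot: the new "Keeping Current" section gives no concrete action beyond "update often"; the paragraph starting at "Like other system-level scripting languages" would be stronger if it named how a reader stays aware, for instance by following the release announcements and reading the change log before upgrading, so the advice is checkable rather than aspirational. Two wording points in the first paragraph: "changes to enhance and repair security flaws" reads as if flaws are being enhanced, so prefer "changes that fix security flaws and configuration mishaps"; and "Like other system-level scripting languages and programs, the best approach is to update often" has a dangling modifier (the best approach is not a scripting language), so rephrase as "As with other system-level scripting languages and programs, the best approach is to update often".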
@@ -422,14 +438,18 @@ if (!ereg('^[^./][^/]*$', $userfile))
developer who is trying to debug a script, indicating such things
as the function or file that failed, the PHP file it failed in,
and the line number which the failure occured in. This is all
- information that can be exploited.
+ information that can be exploited. It not uncommon for a php
+ developer to use show_source(), highlight_string(), or
+ highlight_file() as a debugging measure, but in a live site, this
+ can expose hidden variables, unchecked syntax, and other dangerous
+ information.
- For example, the very style of error indicates a system is running
- PHP. If the attacker was looking at an .html page, and wanted to
- probe for the back-end (to look for known weaknesses in the system),
- by feeding it the wrong data they may be able to determine that a
- system was built with PHP.
+ For example, the very style of a generic error indicates a system
+ is running PHP. If the attacker was looking at an .html page, and
+ wanted to probe for the back-end (to look for known weaknesses in
+ the system), by feeding it the wrong data they may be able to
+ determine that a system was built with PHP.
A function error can indicate whether a system may be running a
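Review bot: the sentence added at "It not uncommon for a php developer to use show_source()..." changes subject mid-paragraph. The paragraph is about information leaked by error messages; a developer leaving show_source(), highlight_string() or highlight_file() calls in a live site is a separate source-disclosure problem (the functions print the script source itself, not an error), so it deserves its own paragraph, and that paragraph should state the mitigation the text implies: strip such debugging calls before deployment, or keep them unreachable in production. Grammar: "It not uncommon" is missing "is", and "php" should be capitalised "PHP" as elsewhere in the chapter. Also "unchecked syntax" is unclear as a thing that can be exposed; "unchecked input handling" or simply "application logic" says what is meant. Drive-by in the unchanged context line: "occured" should be "occurred".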
@@ -444,7 +464,9 @@ if (!ereg('^[^./][^/]*$', $userfile))
A filesystem or general PHP error can indicate what permissions
the webserver has, as well as the structure and organization of
- files on the web server.
+ files on the web server. Developer written error code can aggravate
+ this problem, leading to easy exploitation of formerly "hidden"
+ information.
There are three major solutions to this issue. The first is to
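Review bot: "Developer written error code can aggravate this problem" is ambiguous, since "error code" reads as a numeric error code rather than error-handling code, and it does not say how the problem is aggravated. Suggest "Developer-written error-handling code that echoes raw error details can make this worse, since it may reveal file paths, variable names, or database details that the default error would not". The hyphen in "Developer-written" is also needed. "Leading to easy exploitation of formerly "hidden" information" overstates and is vague; "exposing information that would otherwise remain hidden" states the risk without the unsupported claim about ease.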