Actually, the vulnerability is in a helper file of pnt/unit. pnt/unit is the unit testing tool that is shipped with the phpPeanuts framework. The unit testing tool does not use the framework for its own execution. The framework itself has not been hacked.
Unit testing tools are normally not placed in production and certainly not online without password-controlled access. The phppeanuts demonstration site was probably the only site that was actually vulnerable to the public.
The Inspect.php file was built as an experiment and was not meant to be shipped with the unit testing tool or uploaded to the examples website. That it escaped my attention when checking the code for possible vulnerabilities is probably due to its position outside of the main framework as well as the main pnt/unit code. To avoid this kind of error in the future I will add extra tests to the procedure for shipment of production versions, including an automated check of all of the files to be shipped.
Nevertheless, shipping the framework together with a tool that is not meant for production may be confusing to inexperienced developers. Furthermore, it may lead to the security reputation of the framework being affected by the tool(s). Therefore eventual tools will from now on be shipped in a separate download (if they are to be released at all).
Finally, the experience with the exploit has drawn my attention to the fact that php has operators and functions that need to be treated with the greatest care. Version 1.3 of the framework will be adapted to this notion.
However, it is not practically possible to adapt the framework to work safely with, and/or shield your applications from, bugs and exploits in the OS, php, mySQL, and other tools and libraries you may be using. This includes known bugs and exploits in older versions. You are therefore advised not to use old versions of the framework, php, mySQL, etc.