vBulletin ImpEx Module Security Alert?

There is an unpatched security alert as seen on Secunia regarding the ImpEx module v. 1.7.4 for vBulletin. Per the alert, "Input passed to the "systempath" parameter in ImpExData.php isn't properly verified, before it is used to include files. This can be exploited to include arbitrary files from external and local resources." However, this mod appears to have been fixed back in October. If you're running this mod, you may want to check out the discussion here.

MySQL Joins Team Eclipse PHP IDE

MySQL AB is the latest to join the growing community of Eclipse's PHP IDE development. According to the press release, "Andi Gutmans, Zend Technologies' co-founder and vice president of technology, said, 'MySQL and PHP have such a natural and historic bond, it's great to have MySQL working with Zend and other PHP community members on the Eclipse PHP IDE project and similar collaborative efforts. This is a good example of how open source cooperation can benefit community developers, software vendors and corporate end-users alike by delivering standard tools and solutions that will further facilitate application development with PHP.'" Looks like this move will solidify Eclipse's positive moves forward. You can read the full press release, or learn more about the Eclipse Project.

Microsoft's "Conversation" Includes a PHPer

CNET is reporting that at Microsoft's Mix '06 (marketed as the "72 Hour Conversation" and hosted by them last week), to show that they are expanding their thoughts beyond Redmond, they "enticed an open-source developer who is an expert on the PHP scripting language to come to Mix." Hmm... wonder why CNET's trying to keep his identity under wraps. :) You can read about his presentation and the positive reaction about it through his blog.

Unserialize() Abuse

Ilia Alshanetsky wrote an interesting blog post about how unserialize() can expose sensitive information if ERROR_DISPLAY is set to ON - only affecting PHP5 because of __wakeup(). If a serialized string is passed and this magic method is called, it can throw an exception. As Ilia states, "since most people do not expect unserialize() to throw exceptions, they leave it outside of a try {} & catch() {} block, and the exception is left uncaught. This, in PHP, triggers a fatal error promptly terminating the execution of the script. Furthermore, if error displaying is enabled, which it is by default on most installs, all the exception information will be dumped to screen." For a complete explanation of the potential security hole, visit Ilia's Blog.
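To make the pattern concrete, here is an added example (not code from Ilia's post): a hypothetical Session class whose __wakeup() throws, a constructed serialized payload, and the uncaught call beside a version that catches the exception and keeps error output off the page.

```php
<?php
// Hypothetical class for this example: many PHP5 classes throw from __wakeup()
// when they cannot restore a resource such as a database handle.
class Session {
    public $user;
    private $db;

    public function __wakeup() {
        // Reconnect is assumed to fail; the message carries internal details.
        throw new Exception("could not reconnect to " . $this->dsn());
    }

    private function dsn() {
        // Constructed secret that would end up in the exception message.
        return "mysql://app:s3cret@db.internal/prod";
    }
}

// Constructed serialized Session, as a client might send it back in a cookie.
// Private properties serialize as "\0ClassName\0prop", here 11 bytes long.
$payload = 'O:7:"Session":2:{s:4:"user";s:5:"alice";s:11:"'
         . "\0Session\0db" . '";N;}';

// The pattern Ilia warns about: unserialize() outside any try/catch.
// __wakeup() throws, nothing catches it, PHP raises a fatal error and,
// with display_errors on, prints the message and trace to the client.
// $session = unserialize($payload);

// Hardened pattern: catch the exception, log it server-side, return nothing.
function restoreSession($data) {
    try {
        $obj = unserialize($data);
        return ($obj instanceof Session) ? $obj : null;
    } catch (Exception $e) {
        error_log("unserialize failed: " . $e->getMessage()); // log only
        return null;
    }
}

// Belt and braces: even an unexpected fatal error stays out of the response.
ini_set('display_errors', '0');
var_dump(restoreSession($payload));
```

The commented-out call is the vulnerable form; uncomment it with display_errors on to see the full exception text reach the browser.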

Comprehensive PHP Frameworks Comparison

Dennis Pallet from phpit.net has posted a great article comparing 10 popular PHP frameworks. He has developed a very nice chart which compares these frameworks, apples-to-apples, in the areas of PHP4 & PHP5 compatibility, MVC usage, compatibility with multiple databases, object-record mapper usage, DB Objects, templates, caching, validation, ajax support, user authentication, and other modules. You can read the full article here.

PEAR/PECL Releases

I would be remiss in my duties if I didn't include what's new at PEAR and PECL. Recent PEAR releases include:

And for PECL, we had:

As always, you can download or learn more about these packages at http://pear.php.net and http://pecl.php.net.

See you next week with more tidbits from the PHP world!