Maybe I should not be posting this, but what the heck! I've already notified Yahoo, so they can't say they were not warned.
I was on the phone with Yahoo today about one of my clients, and I got some rather surprising news, so I emailed support (through one of their wonderful forms), and this is what I said:
I am very surprised, disheartened and disappointed to see that Yahoo is still using PHP Version 4.3.11. PHP is now up to version 5.3.0.
When I was talking to someone in support this afternoon, I was told that Yahoo was using 4.3.11 for security reasons.
One of the main reasons most hosting providers upgraded their servers was the issue of Register Globals. This is VERY dangerous, and probably most Yahoo small business account holders either do not know or care about it. That is not true of hackers – this is something that hackers test for, just as they test for easy SQL injection. Please see [http://en.wikibooks.org/wiki/PHP_Programming/Register_Globals] for a full description of the dangers of Register Globals.
Checking the Yahoo Small Business php.ini file, I saw that Register Globals is ON – that is very dangerous for Yahoo and its customers. What I suggest you do is send a global email out to all account holders that you are going to turn it OFF, and they can consult Google for relevant coding to turn it on if they must, on a case-by-case basis. For this site, I have turned them off.
Of course, the best thing to do would be to upgrade your servers to the latest version of PHP. Let users know that some of their code may not work, but that it is being done for security reasons. [http://www.php.net/manual/en/migration5.php].
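As an added illustration of the Register Globals problem the letter describes (example code written for this post, not from the post itself or from Yahoo's hosting; the variable and parameter names are made up), here is the vulnerable pattern beside the form that is safe whether the directive is on or off:

```php
<?php
// Added example, not code from the post or from Yahoo. Shows why
// register_globals is dangerous and how to write code that is safe
// whether the directive is ON or OFF. Runs on PHP 4.1+ (superglobals).

// register_globals is PHP_INI_PERDIR: it cannot be turned off with
// ini_set() at runtime, only in php.ini or a per-directory .htaccess
// (php_flag register_globals off). So detect it and at least log it.
if (ini_get('register_globals')) {
    error_log('register_globals is ON; bare variables are request-controlled');
}

session_start();

// --- Vulnerable pattern (global scope) --------------------------------
// $is_admin is assigned on one branch only. With register_globals ON, a
// request carrying is_admin=1 creates the global $is_admin before this
// code runs, so the privilege check passes without any session at all.
if (isset($_SESSION['user']) && $_SESSION['user'] === 'admin') {
    $is_admin = true;
}
if (!empty($is_admin)) {
    // admin-only action would go here
}

// --- Hardened pattern -------------------------------------------------
// 1. Initialize every variable before use, so nothing injected survives.
// 2. Read input only through $_GET/$_POST/$_COOKIE/$_SESSION, never from
//    bare variable names.
$is_admin = false;
if (isset($_SESSION['user']) && $_SESSION['user'] === 'admin') {
    $is_admin = true;
}

// 3. If legacy code needs request values as plain variables, import them
//    explicitly through an allow-list instead of relying on the directive.
$allowed = array('page', 'sort');   // hypothetical parameter names
$input = array();
foreach ($allowed as $name) {
    $input[$name] = isset($_GET[$name]) ? $_GET[$name] : null;
}
// Use $input['page'] rather than $page; it can never be a pre-set global.
```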
I must say, these people are really schnooks. Last time I had to deal with them (same account) they told me that they did not allow .htaccess for security reasons. Well, of course not! Not when your whole server is insecure and you're using band-aids to shore it up.
My recommendation to anyone who is using Yahoo Small Business Web Hosting is to get the hell out of Dodge and use a real web host, like Axishost, Lunar Pages, Start Logic, or even GoDaddy for the true masochist.