Today's PHP security tip is short, sweet and easily actionable. It fits in well with the theme of the last one, to stay vigilant. Here's another resource for you to consider: If you are not already subscribed, you should subscribe to the Security Focus newsletter.

He links to their signup page and points out the most useful of their offerings - the BugTraq list.

BugTraq is a full disclosure moderated mailing list for the detailed discussion and announcement of computer security vulnerabilities: what they are, how to exploit them, and how to fix them.

Federico Biancuzzi discussed with him how the PHP Security Response Team works, why he resigned from it, what features he plans to add to his own hardening patch, the interaction between Apache and PHP, the upcoming "Month of PHP bugs" initiative, and common mistakes in the design of well-known applications such as WordPress.

Some of the topics discussed include

• the Hardened-PHP Project
• Suhosin
• the PHP Security Response Team (his role in it and why he left)
• PHP5's security focus versus PHP4's
• and more...

Included in this issue are vulnerabilities for:

• SecurityImages Component Multiple Remote File Include Vulnerabilities
• Ajax Chat Multiple Remote Vulnerabilities
• ATutor Multiple SQL Injection Vulnerabilities
• Coppermine Photo Gallery Theme.PHP Remote File Include Vulnerability
• PHPAuction PHPAds_Path Variable Remote File Include Vulnerability
• myEvent Myevent.PHP Remote File Include Vulnerability

This is just a sampling of the issues reported, so head over to the full listing for the complete information.

Software mentioned in this edition includes:

• PHPWebGallery
• JetPhoto
• PHPList
• ShopWeezle
• XBrite
• PHPKIT

There are several more mentioned besides those above, so be sure to check out the full report to see if any scripts you use are effected.]]> Mon, 17 Apr 2006 07:05:21 -0500 http://www.phpdeveloper.org/news/5055 http://www.phpdeveloper.org/news/5055 PHP Security Consortium has posted four new SecurityFocus Summaries today.

• Issue #341 - including issues for WordPress, DSCounter/DSNewsletter/DSPoll PollID, and MyBB
• Issue #342 - including issues for PHPMyAdmin, SoftBB, CutePHP, and PHPWebSite
• Issue #334 - including issues for Noah's Classifieds, VBulletin, and PEHEPE Membership Management System
• Issue #340 - including issues for Navboard, PHPChamber, MyPhPim, and PHPNuke

As always, the latest issues are available from the Consortium's website under the Projects > SecurityFocus Summaries portion of the site. Check out the latest so you and your applications are protected.]]> Mon, 27 Mar 2006 08:41:27 -0600 http://www.phpdeveloper.org/news/4993 http://www.phpdeveloper.org/news/4993 PHP Security Consortium has posted several SecurityFocus summaries on its site today dealing with a variety of applications and issues:

• Issue #340 - including apps like VBilletin, Noah's Classifieds, VBZoom, and Limbo
• Issue #339 - including apps like PHP-Nuke, PHPWebSite, PEAR::Archive_Tar, and Mambo
• Issue #338 - including apps like SquirrelMail, ADOdb, PostNuke, and MyBB
• Issue #337 - including apps like PHP Event Calendar, RunCMS, Invision Power Board, and PHPNuke
• Issue #336
• Issue #335
• Issue #332
• Issue #331
• Issue #330
• Issue #329
• Issue #328

The lists presented here are by no means comprehensive, so please check out the latest SecurityFocus summaries for a complete listing of all affected applications.]]> Wed, 15 Mar 2006 07:05:59 -0600 http://www.phpdeveloper.org/news/4803 http://www.phpdeveloper.org/news/4803 PHP Security Consortium has posted more SecurityFocus Summaries on their site today:

• #327 - includes issues with Drupal, PHPWordPress, WebCalendar, and KBase Express
• #328 - includes issues with PHPMyAdmin, Web4Future, PHPForumPro, and MyBB
• #333 - includes issues with Venom Board, Andromeda, MyPhPim, and PHP Toolkit
• #334 - includes issues with GeoBlog, microBlog, AOblogger, and My Amazon Store

Of course, there are many, many more issues in each of these items than are psoted here, so be sure to check out Mon, 06 Feb 2006 07:38:04 -0600 http://www.phpdeveloper.org/news/4742 http://www.phpdeveloper.org/news/4742 PHP Security Consortium has posted several SecurityFocus Newsletters on their site today, including:

• #332 including apps like Chimera Web Portal, Drupal, TheWebForum, and Navboard
• #331 including apps like SimpBook Guestbook, PHPSurveyor, PHPDocumentor, and PHPBB
• #330 including apps like PHP Fusebox, Esselbach, ContentServ, and AbleDesign
• #329 including apps like Flatnuke, Horde Mnemo, Arab Portal, PHPWebGallery and PHPNuke
• #327 including apps like Drupal, PHPGreetz, PHPWordPress, PHP Web Statistik, and WebCalendar

As always, this list is by far not complete, so be sure to check out the current summaries on the PHP Security Consortium site for the latest... ]]> Fri, 27 Jan 2006 07:19:18 -0600 http://www.phpdeveloper.org/news/4553 http://www.phpdeveloper.org/news/4553 PHP Security Consortium has published more SecurityFocus Newsletters today:

• #320 - issues with phpMyAdmin, PHPWebSite, Complete PHP Counter, and Zeroblog
• #319 - issues with PHP-Fusion, MyBloggie, OSCommerce, and Utopia News
• #327 - issues with Drupal, PHPGreetz, PHPWordPress, NiceCoder iDesk, WebCalendar, and PHPAlbum (large list)
• #328 - issues with phpMyAdmin, Web4Future, PHPForumPro, Cars Portal Index, and MyBB

As always, the items mentioned above are only a small taste of the contents of the newsletters, so be sure to check them out in full to see if one of your applications is listed...]]> Fri, 23 Dec 2005 07:50:55 -0600 http://www.phpdeveloper.org/news/4391 http://www.phpdeveloper.org/news/4391 PHP Security Consortium has posted thier latest SecurityFocus summary today - Issue #325.

PHP Applications covered in this issue include: Horde, PHPNuke, Cyphor Show.PHP, PHPWCMS, Mambo, PHP Easy Download, Interspire ArticleLive NX, PHP-Fusion, and PHPMyFAQ.

Of course, there are tons more that aren't listed here, so be sure to head over and check it out to be sure you and your applications are all safe...]]> Mon, 28 Nov 2005 06:26:42 -0600