
TutsPlus.com:
How to Do User Authentication With the Symfony Security Component
Aug 17, 2018 @ 13:13:03

On the TutsPlus.com site they've posted a new tutorial showing you how to use the Symfony Security component to authenticate users in your system and use role-based access checks.

In this article, you'll learn how to set up user authentication in PHP using the Symfony Security component. As well as authentication, I'll show you how to use its role-based authorization, which you can extend according to your needs.

The tutorial starts with a summary of the Symfony Security component and the subcomponents it includes. It then walks you through installing the component via Composer (the tutorial targets version 4.1 of the component) before moving on to a more realistic example that loads user credentials and role information from a MySQL database. It provides the code for the User class, a DatabaseProvider class and a DatabaseAuthenticationProvider, and shows how they work together. Code is also provided to complete the authentication process and to create the database table holding the user credential and role details.

tagged: tutorial authenticate authorize symfony security component security

Link: https://code.tutsplus.com/tutorials/how-to-set-up-user-authentication-by-using-the-symfony-security-component--cms-31643

Laravel News:
Security Release - Laravel v5.6.30 and v5.5.42 have been released
Aug 09, 2018 @ 09:34:59

On the Laravel News site they've posted an announcement recommending all Laravel 5.6.x and 5.5.x users upgrade to the latest release (5.6.30 & 5.5.42) due to a security issue dealing with the APP_KEY value.

Laravel 5.6.30 and Laravel 5.5.42 have both been released to fix a security issue and it is recommended that all users upgrade as soon as possible.

This update also includes changes to cookie encryption and serialization logic. In addition to the upgrade, they also recommend rotating the key if you believe any malicious user (or former developer/employee) had access to it. The upgrade guide has the information you need to make the update to your application.

tagged: laravel security release appkey cookie update framework

Link: https://laravel-news.com/laravel-5-6-30

TutsPlus.com:
Secure, Passwordless Authentication Using Auth0
Jul 10, 2018 @ 11:23:17

On the TutsPlus.com site they've posted a tutorial showing you how to use the Auth0 service to create a passwordless authentication system for your application.

In this article, you'll learn how to set up passwordless authentication using the Auth0 service. Auth0 allows you to outsource authentication features for your app.

Auth0 is an authentication-as-a-service tool that makes implementation of authentication-related features for your app or site a breeze. If you've built an app and you want to just outsource the authentication and authorization features, a service like Auth0 is something you should consider.

The tutorial walks you through the installation and configuration process of their example PHP application including the setup of the .env file to contain the Auth0 secrets. It then provides the code needed to create two kinds of logins:

  • Using email as the identifier
  • Sending the approval via SMS

Both make use of the Auth0 PHP SDK to do most of the heavy lifting, but there's still a bit of code you'll need to write to get it up and running.

tagged: passwordless security login auth0 tutorial setup configure

Link: https://code.tutsplus.com/tutorials/secure-passwordless-authentication-using-auth0--cms-31195

Websec.io:
Keeping Credentials Secure in PHP
Jun 27, 2018 @ 13:35:17

On the Websec.io site there's a new tutorial posted showing a potential method for keeping secrets safe in PHP-based applications.

One of the most difficult things in any kind of application (not just web applications) is how to protect "secret" values. These values might be API keys, database passwords or even special bypass codes. Ideally, you're not having to define these directly in the application and can have them loaded from another source.

While a lot of the issues around protecting secrets can be removed by better secret handling, it seems like there's still always a need for some kind of secret value to exist in an application. Using this sort of pattern is, obviously, recommended against. The Common Weakness Enumeration database even has an entry specifically about it: CWE-798. Hard-coding credentials, especially plain-text ones, can be a huge risk if an attacker were able to somehow access the code and read them directly.

The post then goes on to talk about specific issues with secrets/credentials handling in PHP and some of the common approaches (mostly using a .env file). It covers some of the basics of using the phpdotenv package before getting into the encryption of the secrets it contains. It recommends an "Apache pull" approach: the encryption key is pulled in when Apache starts and exposed to PHP as an environment variable, and the psecio/secure_dotenv library is then used to work with the encrypted values in the file.
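As an added illustration of the approach the post describes (sensitive values stored encrypted in .env, with the key arriving through the process environment rather than sitting next to the file), here is a minimal loader written for this summary. It is not code from the websec.io post or from psecio/secure_dotenv. It relies on PHP's sodium extension (PHP 7.2+); the enc: value prefix, the DOTENV_KEY variable name and the sample .env contents are assumptions made for this example.

```php
<?php
// Added example: load a .env file whose secrets are stored encrypted, with the
// decryption key supplied via the environment (exported by Apache/systemd before
// PHP starts) instead of being written into the file. Not code from websec.io or
// psecio/secure_dotenv; the "enc:" marker and DOTENV_KEY name are assumptions.

declare(strict_types=1);

const ENC_PREFIX = 'enc:';

/** Encrypt a secret for storage in .env as enc:base64(nonce || ciphertext). */
function encryptEnvValue(string $plaintext, string $key): string
{
    $nonce  = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = sodium_crypto_secretbox($plaintext, $nonce, $key);
    return ENC_PREFIX . base64_encode($nonce . $cipher);
}

/** Reverse of encryptEnvValue; fails closed on a wrong key or a tampered value. */
function decryptEnvValue(string $stored, string $key): string
{
    $raw = base64_decode(substr($stored, strlen(ENC_PREFIX)), true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('Malformed encrypted value');
    }
    $nonce  = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain  = sodium_crypto_secretbox_open($cipher, $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('Decryption failed: wrong key or modified value');
    }
    return $plain;
}

/** Parse KEY=VALUE lines (blank lines and # comments ignored), decrypting enc: values. */
function loadEncryptedDotenv(string $contents, string $key): array
{
    $vars = [];
    foreach (preg_split('/\R/', $contents) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#' || strpos($line, '=') === false) {
            continue;
        }
        [$name, $value] = explode('=', $line, 2);
        $name  = trim($name);
        $value = trim($value, " \t\"'");
        $vars[$name] = (strpos($value, ENC_PREFIX) === 0)
            ? decryptEnvValue($value, $key)
            : $value;
    }
    return $vars;
}

// The key comes from the environment, never from the .env file itself.
$keyB64 = getenv('DOTENV_KEY');
if ($keyB64 === false) {
    // Offline demo only: generate a throwaway key. In production the web server
    // or process manager exports DOTENV_KEY before PHP starts ("Apache pull").
    $key = sodium_crypto_secretbox_keygen();
} else {
    $key = base64_decode($keyB64, true);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('DOTENV_KEY must be a base64-encoded 32-byte key');
    }
}

// Constructed sample .env: DB_PASS stored encrypted, DB_HOST in the clear.
$dotenv = "# database settings\n"
        . "DB_HOST=localhost\n"
        . "DB_PASS=" . encryptEnvValue('s3cr3t-db-password', $key) . "\n";

$config = loadEncryptedDotenv($dotenv, $key);
if ($config['DB_PASS'] !== 's3cr3t-db-password') {
    throw new RuntimeException('round trip failed');
}
echo "DB_HOST={$config['DB_HOST']}, DB_PASS decrypted OK\n";
```

Note that this only moves the problem: whoever can read the environment of the PHP process (phpinfo() output, a debug page that dumps $_SERVER, or code execution on the host) still gets the key, so the .env file and the key must not be readable by the same low-privileged path.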

tagged: security encryption secret tutorial package phpdotenv

Link: https://websec.io/2018/06/14/Keep-Credentials-Secure.html

RIPSTech.com:
WARNING: WordPress File Delete to Code Execution
Jun 27, 2018 @ 10:29:26

On the RIPSTech.com site they've posted a warning to the WordPress users out there about a vulnerability that would allow a malicious user to delete any file in the WordPress installation, not just file uploads.

At the time of writing no patch preventing this vulnerability is available. Any WordPress version, including the current 4.9.6 version, is susceptible to the vulnerability described in this blogpost.

For exploiting the vulnerability discussed in the following, an attacker would need to gain the privileges to edit and delete media files beforehand. Thus, the vulnerability can be used to escalate privileges attained through the takeover of an account with a role as low as Author, or through the exploitation of another vulnerability/misconfiguration.

The post includes more details around the impact of the issue and where in the code the problem lies. It also offers a temporary "hotfix" as a way around the issue: a filter that passes the thumbnail file name through the basename function, stripping any directory components from it before the metadata is stored.

tagged: security wordpress delete file vulnerability code execution

Link: https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/

Community News:
Composer v1.6.4 Release (with Security Fix)
Apr 16, 2018 @ 10:50:02

Composer, the de-facto standard way to install PHP packages, has published a new release that includes a major security update. Jordi Boggiano made this comment about the release on Twitter:

After triaging/merging/fixing almost 200 issues in the last couple days, Composer v1.6.4 is out! It contains a security fix and is therefore a much recommended update for all.

Other changes include fixes for:

  • a regression in version guessing of path repositories
  • the updating of package URLs for GitLab
  • init command not respecting the current php version when selecting package versions
  • exclude-from-classmap symlink handling

You can grab the latest version from the Composer site or you can use its own self-update command.

tagged: composer release v164 security fix bugfix package

Link: https://twitter.com/seldaek/status/984744594566008832

Checkpoint Research Blog:
Uncovering Drupalgeddon 2
Apr 13, 2018 @ 10:22:46

On the Checkpoint Research blog there's a new post covering the recent critical Drupal bug, a.k.a. Drupalgeddon 2, providing a deeper look into the bug and how the exploit works.

Two weeks ago, a highly critical (21/25 NIST rank) vulnerability, nicknamed Drupalgeddon 2 (SA-CORE-2018-002 / CVE-2018-7600), was disclosed by the Drupal security team. This vulnerability allowed an unauthenticated attacker to perform remote code execution on default or common Drupal installations.

[...] Until now details of the vulnerability were not available to the public, however, Check Point Research can now expand upon this vulnerability and reveal exactly how it works.

The post covers the basic issue, a lack of input sanitization on Form API requests, and which versions are affected. It then dives into the technical details, showing a proof of concept for the exploit and how an attacker might locate a place in the application to use it. It also looks behind the scenes at the code that handles the request and shows where the issue lies. The post ends with a look at "weaponizing" the exploit and executing whatever code you'd like on the server.
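An added example, not Drupal's own code, of the kind of input sanitization the post says was missing. Drupal's Form API and render system treat array keys beginning with # as properties (for example #type or #markup), so incoming request data must never be allowed to carry such keys. The function name, the dropped-path reporting and the sample request below are constructed for this illustration.

```php
<?php
// Added example (not Drupal's own code): strip request parameters whose names
// begin with '#' so user input cannot smuggle render-array properties into the
// Form API. Function name and sample request are constructed for illustration.

declare(strict_types=1);

/**
 * Recursively remove keys starting with '#'. Returns the sanitised array and
 * appends the paths that were dropped to $dropped so the attempt can be logged.
 */
function stripRenderKeys(array $input, string $path = '', array &$dropped = []): array
{
    $clean = [];
    foreach ($input as $key => $value) {
        $here = ($path === '') ? (string) $key : $path . '[' . $key . ']';
        // PHP keeps non-numeric keys as strings, so '#type' is always a string here.
        if (is_string($key) && strpos($key, '#') === 0) {
            $dropped[] = $here;
            continue;
        }
        $clean[$key] = is_array($value)
            ? stripRenderKeys($value, $here, $dropped)
            : $value;
    }
    return $clean;
}

// Constructed request: a legitimate form field next to an injected render property.
$request = [
    'form_id' => 'user_register_form',
    'mail'    => ['#type' => 'markup', 'value' => 'user@example.com'],
];

$dropped = [];
$safe    = stripRenderKeys($request, '', $dropped);

if (isset($safe['mail']['#type']) || $dropped !== ['mail[#type]']) {
    throw new RuntimeException('sanitiser did not strip the injected key');
}
print_r($safe);     // only form_id and mail[value] remain
print_r($dropped);  // Array ( [0] => mail[#type] )
```

The stripping has to run on every input channel the application reads (query string, POST body, cookies) before any of it reaches form processing; sanitising one array as shown here is the building block, not the whole fix.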

tagged: drupal security issue drupalgeddon2 indepth technical detail

Link: https://research.checkpoint.com/uncovering-drupalgeddon-2/

Fortrabbit Blog:
Your responsibility: App security
Apr 09, 2018 @ 11:45:17

On the Fortrabbit blog there's a post from Oliver Stark about securing your PHP application based on an experience they had with a recent support ticket.

A few days ago, late in the evening, we received a support ticket with the [message asking if their site had been hacked]. The support team started the conversation with the client and checked the domain routing first. It quickly became clear that the redirects to the phishing domain happened on our platform, so they searched the access logs for suspicious requests.

As they searched the logs, other similar requests showed up pointing back to a root.php file that seemed to be taking commands from URL parameters. This kind of script is called a "webshell" and is usually uploaded via a vulnerable plugin, a poorly guarded upload form or bad input validation. After some additional tracking, the vulnerable code was located in the site's "vendor" folder, which was web accessible. The post finishes with some recommendations to keep this from happening to you and your application, including keeping dependencies up to date and preventing direct web access to the "vendor" folder.
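As an added example of the log search the post describes (it is not code from the Fortrabbit post), here is a small triage script that flags the two signals mentioned: requests for PHP scripts under /vendor/ and requests carrying command-like query parameters. The log lines are constructed in the combined log format; the parameter names checked and the example IPs are assumptions.

```php
<?php
// Added example (not from the Fortrabbit post): scan access-log lines for
// webshell indicators. Sample log lines and parameter names are constructed.

declare(strict_types=1);

// Apache/nginx combined format: ip ident user [time] "METHOD target proto" status size
const COMBINED_LOG = '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) /';

/** Return one entry per suspicious request with the reasons it was flagged. */
function findWebshellSuspects(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        if (!preg_match(COMBINED_LOG, $line, $m)) {
            continue; // unparsable line: skip rather than guess
        }
        [, $ip, $method, $target, $status] = $m;
        $url  = parse_url($target);
        $path = $url['path'] ?? '';
        parse_str($url['query'] ?? '', $params);

        $reasons = [];
        if (preg_match('#/vendor/.*\.php$#i', $path)) {
            $reasons[] = 'PHP script requested under /vendor/';
        }
        foreach (['cmd', 'exec', 'command', 'c'] as $p) {
            if (isset($params[$p])) {
                $reasons[] = "command-like parameter '$p'";
            }
        }
        if ($reasons !== []) {
            // A 404 here means the probe failed, but it is still worth seeing.
            $hits[] = compact('ip', 'method', 'path', 'status', 'reasons');
        }
    }
    return $hits;
}

// Constructed sample lines: two hits from one address, one benign, one failed probe.
$sample = [
    '203.0.113.7 - - [05/Apr/2018:22:13:01 +0000] "GET /vendor/root.php?cmd=ls%20-la HTTP/1.1" 200 512',
    '198.51.100.4 - - [05/Apr/2018:22:13:05 +0000] "GET /index.php HTTP/1.1" 200 1024',
    '203.0.113.7 - - [05/Apr/2018:22:14:10 +0000] "POST /vendor/root.php HTTP/1.1" 200 70',
    '192.0.2.9 - - [05/Apr/2018:22:15:00 +0000] "GET /vendor/autoload.php HTTP/1.1" 404 200',
];

$hits = findWebshellSuspects($sample);
if (count($hits) !== 3) {
    throw new RuntimeException('expected three flagged requests');
}
foreach ($hits as $h) {
    printf("%s %s %s -> %s (%s)\n",
        $h['ip'], $h['method'], $h['path'], $h['status'], implode('; ', $h['reasons']));
}
```

Any hit for a PHP file under /vendor/ that returned 200 also tells you the directory is being served directly; the durable fix the post recommends is to keep vendor outside the document root (or deny it in the web server configuration) so those requests cannot succeed in the first place.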

tagged: application security fortrabbit webshell experience

Link: https://blog.fortrabbit.com/app-sec

PHP.net:
PHP 7.1.16 & 5.6.35 Released
Mar 30, 2018 @ 09:15:55

On the main PHP.net site, they've posted announcements about new releases in the PHP 7.1.x and 5.6.x series: 7.1.16 and 5.6.35.

The PHP development team announces the immediate availability of PHP 5.6.35 [and PHP 7.1.16]. This is a security release. One security bug was fixed in this release. All PHP 5.6 [and 7.1] users are encouraged to upgrade to this version.

The bugfixes included in these releases deal with changes in the FPM handling, ODBC functionality, and Phar building. You can download this latest release from the main downloads page (source) or from the windows.php.net site for the Windows binaries.

tagged: language release php7 php56 bugfix security

Link: http://php.net/index.php#id2018-03-29-3