
Run Geek Radio:
Episode 008 – Escaping PHP Variables Forgotten
Sep 04, 2015 @ 09:50:22

Adam Culp has posted the latest episode of his "Run Geek Radio" podcast series, Episode #8: Escaping PHP Variables Forgotten

Escaping variables in PHP is as important as ever, and developers can sometimes forget about it when using a modern framework. Adam Culp, the host of Run Geek Radio, talks a little about common pitfalls and how to handle them. Also covered is the ZendCon and SunshinePHP preparations and status of Adam speaking at some other upcoming conferences. Plus a brief update on the running front and training.

You can listen to this latest episode either through the in-page audio player or by downloading the mp3 directly. If you enjoy the show, be sure to subscribe to the feed and get information about the latest episodes as they're released.

tagged: rungeekradio ep08 escape variables security conference update

Link: https://rungeekradio.com/episode-008-escaping-php-variables-forgotten/

php[architect]:
September 2015 Issue Released - Security Boot Camp
Sep 02, 2015 @ 12:19:02

The latest issue of the php[architect] magazine has been released for September 2015. In this latest issue they focus on security in PHP along with the same columns you know and love.

In this issue, we have an overview of the various techniques that malicious users can use to attack your application, a deep dive into how passwords can be stored securely and how PHP's built in password functions make this easier, a look at how to setup a PHP based Intrusion Detection System, and how to use PDO to guard against SQL injection attacks.

Elsewhere, there’s a look at how to think like a functional programmer, an introduction to using Sculpin for generating a static site, an interview with Elizabeth Naramore, and more.

This month's issue includes articles like:

  • Basic Intrusion Detection with Expose (Greg Wilson) (read this one free here)
  • Keep Your Passwords Hashed and Salted (Leszek Krupiński)
  • Leveling Up: DeLoreans, Data, and Hacking Sites (David Stockton)

...as well as the "Education Station", "Community Corner" and "finally{}" columns from returning authors. You can purchase your copy of this month's issue directly from the php[architect] website either as a single issue or as a part of a subscription.

tagged: phparchitect magazine sept2015 security issue release

Link: https://www.phparch.com/magazine/2015-2/september/

Paragon Initiative:
A Gentle Introduction to Application Security
Aug 17, 2015 @ 10:51:56

The Paragon Initiative blog has posted a gentle introduction to application security for those new to some of the ideas of secure code and wanting to learn more.

If you are a web developer (or are thinking about teaching yourself web programming), you probably don't think of yourself as a security engineer, or a white-hat/blue-team member of an information security assurance team. You might have considered security threats in the context of quality assurance before (e.g. validating input), but perhaps you're no expert on the subject. But the second your code is deployed in production, your code is the front line of defense for that entire system and quite possibly the entire network. Logically, that means the software you produce must be made reasonably secure.

[...] This might seem like a lot of pressure. [...] I'm not going to say you need to become an application security expert. That very notion betrays the (largely untapped) potential for rich diversity in the technology communities. But I will say this: Application Security is Every Developer's Responsibility

The post reminds developers that there are far more than just 10 types of vulnerabilities (or even 25) and proposes a new model for thinking about security weaknesses in your applications. It outlines five categories for assessing the security of your apps, rather than a list of common vulnerabilities to fix:

  • Failure to Separate Data from Instructions
  • Unsound Application Logic
  • Your Application's Operating Environment
  • Cryptographic Weaknesses

The fifth is a catch-all "miscellaneous" category for things that either cross the boundaries of the other categories or belong in a category of their own. He closes by suggesting that, to move on to a "more secure tomorrow", we evaluate our applications along these criteria.
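As an added illustration of the first category, "Failure to Separate Data from Instructions", and of the PDO approach the php[architect] issue above mentions for SQL injection (example code written for this page, not taken from either publication): the same lookup written with string concatenation and with a bound parameter. It uses an in-memory SQLite database, and the table, rows and attacker string are constructed here purely for illustration.

```php
<?php
// Added example, not from the Paragon post or the php[architect] issue.
// Shows what "separating data from instructions" means in practice.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data.
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Attacker-controlled value, e.g. what the app would receive as $_GET['name'].
$untrusted = "x' OR '1'='1";

/**
 * Vulnerable: the value is spliced into the instruction stream, so the
 * database cannot tell where the query ends and the attacker's input begins.
 */
function findUserUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT name, role FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * Safe: the query text is fixed at prepare time; the value travels as a
 * parameter and is only ever treated as data, whatever characters it holds.
 */
function findUserSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT name, role FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$leaked = findUserUnsafe($pdo, $untrusted);
printf("unsafe query returned %d row(s)\n", count($leaked)); // 2: every user

$rows = findUserSafe($pdo, $untrusted);
printf("safe query returned %d row(s)\n", count($rows));     // 0: no such user

// Binding only works for values. Identifiers (table or column names) and
// keywords such as ASC/DESC cannot be parameters: restrict those to a
// whitelist instead of trying to escape them.
$allowedOrder = ['name', 'role'];
$requested    = 'role; DROP TABLE users';
$orderBy      = in_array($requested, $allowedOrder, true) ? $requested : 'name';
$ordered = $pdo->query("SELECT name FROM users ORDER BY $orderBy")->fetchAll(PDO::FETCH_COLUMN);
echo implode(', ', $ordered), "\n"; // alice, bob
```

With pdo_mysql, also set PDO::ATTR_EMULATE_PREPARES to false so that the server, not the client-side escaping emulation, performs the separation; pdo_sqlite always uses native prepared statements.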

tagged: gentle introduction security application paragon initiative taxonomy

Link: https://paragonie.com/blog/2015/08/gentle-introduction-application-security

PHP.net:
Release of PHP 5.6.12, 5.4.44 and 5.5.28
Aug 07, 2015 @ 08:49:54

The PHP.net site has announced the latest versions in each currently supported PHP release branch: PHP 5.6.12, 5.4.44 and 5.5.28.

The PHP development team announces the immediate availability of PHP [versions 5.6.12, 5.4.44 and 5.5.28]. 12 security-related issues were fixed in this release. All PHP 5.6 users are encouraged to upgrade to this version.

It's also pointed out that this 5.5.x release marks the first security-only bugfix release according to their release calendar. As always, you can get these latest versions from the downloads page or the windows.php.net site for the Windows binaries. You can view the full list of changes in these releases in the Changelog for each version.

tagged: language release bugfix security schedule php55 php54 php56

Link: http://php.net/archive/2015.php#id2015-08-06-4

AppDynamics PHP Blog:
Introduction to PHP Security – Part 2
Jul 22, 2015 @ 08:33:01

The AppDynamics PHP blog has posted the second part of their series looking at some of the basics of PHP security. In part one they talked about some of the most common attacks and how to remediate them. In this latest part they "dive deeper" and get into some of the more advanced issues.

Truth be told, there are potentially an infinite number of ways in which a software product can be compromised and have its security breached. [...] New security flaws are regularly found, and routine patches are immediately released for most of the major software applications you utilize in your application stack. No matter whether your web or database server, your operating system, your PHP runtime, or even the MVC framework that your team adopted, your point(s) of exposure may exist anywhere within the various components that make up your application ecosystem.

They start with a few more advanced best practices including using SSL and keeping error messages away from the public eye. They briefly discuss other kinds of injection types (besides just SQL) and offer some tips about securing the data that lives in the application as well.

tagged: security introduction series part2 advanced bestpractice injectiondata

Link: https://blog.appdynamics.com/php/introduction-to-php-security-part-2

Paragon Initiative:
How to Safely Generate Random Strings and Integers in PHP
Jul 08, 2015 @ 12:49:51

The Paragon Initiative blog has posted a guide to safely generating random strings and integers in PHP applications.

Generating useful random data is a fairly common task for a developer to implement, but also one that developers rarely get right. [...] It's generally not okay to use a weak random number generator unless both of the following two conditions are met: the security of your application does not depend in any way on the value you generate being unpredictable or there is no requirement for each value to be unique (up to a reasonable probability).

He gives some examples of places where a "cryptographically secure pseudo-random number generator" is a must, including generating random passwords, encryption keys or IVs for data in CBC mode. The article goes on to talk about the problems that can come from using weak generators. It then gets into the process for generating random values and the use of the random_* functions in PHP 7 (or this polyfill for older versions) to generate them safely. Included is code showing the process and some advice on converting random bytes to both strings and integers.
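An added example for the cases the post lists (not code from the Paragon article): a hex token from raw CSPRNG bytes, a password drawn from a restricted alphabet with random_int() so that no character is favoured, an AES-256 key, and a die roll, beside a mt_rand()-based version that shows why a seeded generator is unsuitable. random_bytes() and random_int() are native in PHP 7; on PHP 5.x the random_compat polyfill provides them. The alphabet and seed are constructed here for illustration.

```php
<?php
// Added example, not from the Paragon post: PHP's CSPRNG functions versus
// the seeded Mersenne Twister behind mt_rand().
declare(strict_types=1);

/**
 * Opaque token for sessions, password resets, CSRF: raw CSPRNG bytes, hex
 * encoded so no entropy is lost in the transformation. 32 bytes = 256 bits.
 */
function secureToken(int $bytes = 32): string
{
    return bin2hex(random_bytes($bytes));
}

/**
 * Random string drawn from an alphabet. Each character is chosen with
 * random_int(), which rejects samples that would bias the result, instead of
 * `ord($byte) % strlen($alphabet)`, which favours the low-index characters
 * whenever 256 is not a multiple of the alphabet size.
 */
function secureString(int $length, string $alphabet): string
{
    if ($length < 1 || strlen($alphabet) < 2) {
        throw new InvalidArgumentException('need length >= 1 and at least two symbols');
    }
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

/** What NOT to do: mt_rand() is seedable and predictable, not a CSPRNG. */
function weakString(int $length, string $alphabet): string
{
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[mt_rand(0, strlen($alphabet) - 1)];
    }
    return $out;
}

$alnum = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';

echo "token:    ", secureToken(), "\n";              // 64 hex characters
echo "password: ", secureString(20, $alnum), "\n";
echo "AES key:  ", bin2hex(random_bytes(32)), "\n";  // a CBC IV would be random_bytes(16)
echo "dice:     ", random_int(1, 6), "\n";           // inclusive range, no modulo bias

// Why seeding matters: the same seed reproduces the same "random" output,
// so anything derived from mt_rand() is guessable by whoever learns the seed.
mt_srand(1234);
$a = weakString(12, $alnum);
mt_srand(1234);
$b = weakString(12, $alnum);
echo "mt_rand reproducible: ", ($a === $b ? 'yes' : 'no'), "\n"; // yes
```

The string helper deliberately calls random_int() once per character rather than slicing one random_bytes() buffer; it is slightly slower but avoids the modulo bias the post warns about without any rejection-sampling code of your own.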

tagged: safe generation random string integer php7 randomcompat security

Link: https://paragonie.com/blog/2015/07/how-safely-generate-random-strings-and-integers-in-php

Paragon Initiative:
Everything [About] Preventing Cross-Site Scripting Vulnerabilities in PHP
Jun 17, 2015 @ 12:19:29

The Paragon Initiative has posted a new tutorial that aims to give you everything you need to know about preventing cross-site scripting in PHP applications.

Cross-Site Scripting (abbreviated as XSS) is a class of security vulnerability whereby an attacker manages to use a website to deliver a potentially malicious JavaScript payload to an end user. XSS vulnerabilities are very common in web applications. They're a special case of code injection attack; except where SQL injection, local/remote file inclusion, and OS command injection target the server, XSS exclusively targets the users of a website.

[...] Cross-Site Scripting represents an asymmetry in the security landscape. They're incredibly easy for attackers to exploit, but XSS mitigation can become a rabbit hole of complexity depending on your project's requirements.

He introduces the concept of cross-site scripting (XSS) for those new to the term and provides a brief "mitigation guide" for those wanting to jump to the end. He then gets into some examples of what an XSS vulnerability can look like, both stored and reflected, and provides the "quick and dirty" method for preventing them. He also offers some tips on implementing your solution, including avoiding HTML in your data if at all possible. He goes on to talk about the use of HTMLPurifier to prevent attacks, context-sensitive escaping (HTML vs JS vs CSS) and some of the browser-level features that help protect the user from XSS.
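An added example of the context-sensitive escaping the tutorial describes, which also covers the "forgotten escaping" that the Run Geek Radio episode above warns about (example code written for this page, not from Paragon or Adam Culp): one untrusted value rendered into an HTML body, a quoted attribute, a URL parameter, an href and an inline script, each through the escaper for that context. The helper names and the payload are my own; the built-ins are htmlspecialchars(), json_encode() and rawurlencode() (the JSON_THROW_ON_ERROR flag needs PHP 7.3+).

```php
<?php
// Added example, not from the Paragon tutorial or the podcast: the same
// untrusted value escaped for each output context it might land in.
declare(strict_types=1);

// Attacker-controlled value, e.g. $_GET['q'] or a column read back from the DB.
$untrusted = '"><script>alert(document.cookie)</script>';

/** HTML body text, or the value of a *quoted* attribute. */
function escHtml(string $s): string
{
    // ENT_QUOTES: encode both ' and ".  ENT_SUBSTITUTE: replace invalid UTF-8
    // instead of returning '' (which silently drops the content).
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Value embedded inside an inline <script> block as a JavaScript literal. */
function escJs(string $s): string
{
    // json_encode yields a valid JS string literal; the HEX flags encode < > & ' "
    // so a payload containing "</script>" cannot close the block early.
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

/** Value placed in a URL query string. */
function escUrlParam(string $s): string
{
    return rawurlencode($s);
}

/** Whole URL going into href/src: allow only http(s), then HTML-escape it. */
function escUrlAttr(string $url): string
{
    if (!preg_match('#\Ahttps?://#i', $url)) {
        return '#'; // refuses javascript:, data:, vbscript: and similar schemes
    }
    return escHtml($url);
}

// Each line puts $untrusted through the escaper for where it lands.
echo '<p>Search results for ', escHtml($untrusted), "</p>\n";
echo '<input type="text" name="q" value="', escHtml($untrusted), "\">\n";
echo '<a href="/search?q=', escUrlParam($untrusted), "\">search again</a>\n";
echo '<a href="', escUrlAttr('javascript:alert(1)'), "\">link</a>\n";
echo "<script>var q = ", escJs($untrusted), ";</script>\n";
```

The first echo prints `&quot;&gt;&lt;script&gt;alert(document.cookie)&lt;/script&gt;` instead of a live script tag; the last one prints a JSON string with `\u003C` and `\u003E` in place of the angle brackets. Note what is deliberately absent: no single escaper is reused across contexts, and attributes are always quoted, because an unquoted `value=` can be broken out of with a space even after htmlspecialchars(). Anything that genuinely has to contain HTML goes through HTMLPurifier, as the tutorial describes.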

tagged: prevent xss crosssitescripting security prevent vulnerability context browser

Link: https://paragonie.com/blog/2015/06/preventing-xss-vulnerabilities-in-php-everything-you-need-know

PHP.net:
Release of PHP 5.4.42, 5.6.10 & 5.5.26
Jun 15, 2015 @ 14:04:37

The PHP.net site has announced the latest releases for all current major language versions with fixes including several security-related issues:

The PHP development team announces the immediate availability of [these versions]. Six security-related issues in PHP were fixed in this release, as well as several security issues in bundled sqlite library (CVE-2015-3414, CVE-2015-3415, CVE-2015-3416). All PHP users are encouraged to upgrade to [the latest version for their current installation].

As always, you can get these latest downloads from the main downloads site or windows.php.net for the Windows binaries. Other fixes can be found in the release related list in the Changelog.

tagged: language release security bugfix php54 php55 php56 upgrade

Link: http://php.net/

PHP.net:
Release of PHP 5.4.41 & 5.5.25
May 15, 2015 @ 11:46:34

The latest versions of the PHP language in the 5.4.x and 5.5.x series have been released - PHP 5.4.41 and PHP 5.5.25.

These releases both fix several bugs, including seven security-related issues around the character in a pathname, a DoS vulnerability in the multi-part form data handling and an integer overflow in ftp_genlist.

As always, upgrading to the latest versions is recommended (especially when security fixes are involved). You can grab the latest from the downloads page or the windows.php.net site if you're on a Windows platform. For the full list of changes, see the Changelog for the matching version.

tagged: language release security bugfix php54 php55 upgrade

Link: http://php.net/downloads

Pádraic Brady:
TLS/SSL Security In PHP: Avoiding The Lowest Common Insecure Denominator Trap
Apr 24, 2015 @ 10:30:50

In his latest post Pádraic Brady shares his thoughts on the state of TLS/SSL functionality in PHP and why developers should avoid the trap of targeting the "lowest common denominator" and, in doing so, opting for insecurity.

A few weeks back I wrote a piece about updating PHARs in-situ, what we’ve taken to calling “self-updating”. In that article, I touched on making Transport Layer Security (TLS, formerly SSL) enforcement one of the central objectives of a self-updating process. In several other discussions, I started using the phrase “Lowest Common Insecure Denominator” as a label for when a process, which should be subject to TLS verification, has that verification omitted or disabled to serve a category of user with poorly configured PHP installations.

This is not a novel or even TLS-only concept. All that the phrase means is that, to maximise users and minimise friction, programmers will be forever motivated to do away with security features that a significant minority cannot support by default.

He goes on to explain that, while targeting the lowest common denominator is fine in some places, security isn't one of them. He also sets out four basic principles developers can adhere to in order to avoid it:

  • You should never knowingly distribute insecure code.
  • You should accept responsibility for reported vulnerabilities.
  • You should make every effort to fix vulnerabilities within a reasonable time.
  • You should responsibly disclose vulnerabilities and fixes to the public.

He follows these up with three steps you can take to migrate an insecure architecture into something much more robust. These include identifying the consequences of the change and documenting the solutions you've chosen, whether configuration updates or library changes.
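An added example of enforcing TLS verification in PHP rather than disabling it for users with a broken setup (example code written for this page, not from Pádraic Brady's post or his PHAR updater): a stream-context configuration and its cURL equivalent that verify the peer, verify the host name, pin a CA bundle, and fail closed when no bundle can be found, shown beside the "lowest common insecure denominator" options they replace. The function names and the CA-bundle lookup strategy are my own; no network request is made unless you call secureGet() or use the cURL handle yourself.

```php
<?php
// Added example, not from Pádraic Brady's post: TLS settings that refuse to
// downgrade, beside the anti-pattern the post describes.
declare(strict_types=1);

/**
 * Locate a CA bundle: an explicit path wins; otherwise ask OpenSSL where this
 * PHP build looks. Throws rather than silently returning "no verification".
 */
function caBundlePath(?string $explicit = null): string
{
    if ($explicit !== null) {
        if (!is_readable($explicit)) {
            throw new RuntimeException("CA bundle not readable: $explicit");
        }
        return $explicit;
    }
    $loc = openssl_get_cert_locations(); // PHP 5.6+
    foreach ([$loc['ini_cafile'] ?? '', $loc['default_cert_file'] ?? ''] as $candidate) {
        if ($candidate !== '' && is_readable($candidate)) {
            return $candidate;
        }
    }
    throw new RuntimeException(
        'No CA bundle found: set openssl.cafile in php.ini or pass a path explicitly. '
        . 'Do not "fix" this by turning verification off.'
    );
}

/** Stream-context 'ssl' options that enforce verification. */
function secureSslOptions(?string $cafile = null): array
{
    $methods = STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT;
    if (defined('STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT')) { // PHP 7.4+
        $methods |= STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT;
    }
    return [
        'verify_peer'         => true,  // chain must validate to a trusted CA
        'verify_peer_name'    => true,  // certificate must match the host name
        'allow_self_signed'   => false,
        'cafile'              => caBundlePath($cafile),
        'disable_compression' => true,  // CRIME mitigation
        'crypto_method'       => $methods, // TLS 1.2 or better only
    ];
}

/** The lowest common insecure denominator: works for everyone, protects no one. */
function insecureSslOptions(): array
{
    return ['verify_peer' => false, 'verify_peer_name' => false];
}

/** HTTPS GET with file_get_contents() under the secure options above. */
function secureGet(string $url, ?string $cafile = null): string
{
    if (stripos($url, 'https://') !== 0) {
        throw new InvalidArgumentException('refusing plaintext URL: ' . $url);
    }
    $ctx  = stream_context_create(['ssl' => secureSslOptions($cafile), 'http' => ['timeout' => 10]]);
    $body = @file_get_contents($url, false, $ctx);
    if ($body === false) {
        // A failed verification lands here: surface it, never retry without checks.
        throw new RuntimeException('TLS request failed: ' . (error_get_last()['message'] ?? 'unknown'));
    }
    return $body;
}

/** cURL handle configured with the same policy (resource on PHP 7, CurlHandle on PHP 8). */
function secureCurlHandle(string $url, ?string $cafile = null)
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS,  // no silent http:// redirects
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,
        CURLOPT_SSL_VERIFYPEER  => true,
        CURLOPT_SSL_VERIFYHOST  => 2,                // 2 checks the name; 0 disables it
        CURLOPT_CAINFO          => caBundlePath($cafile),
        CURLOPT_SSLVERSION      => CURL_SSLVERSION_TLSv1_2,
    ]);
    return $ch;
}

try {
    print_r(secureSslOptions());
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

The point of caBundlePath() is the failure mode the post is about: when a user's PHP has no usable CA store, the code reports that and stops, instead of quietly shipping insecureSslOptions() to keep that user happy. The remedy for such a user is an openssl.cafile setting or a bundled CA file passed in explicitly, which is the kind of configuration update the three migration steps call for documenting.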

tagged: tls ssl security lowest common insecure denominator trap avoid

Link: http://blog.astrumfutura.com/2015/04/tlsssl-security-in-php-avoiding-the-lowest-common-insecure-denominator-trap/