Check Point Blog:
Finding Vulnerabilities in Core WordPress: A Bug Hunter’s Trilogy, Part I
Aug 06, 2015 @ 11:44:14

The Check Point blog has posted the first part of a series from one of their vulnerability researchers about finding security vulnerabilities in the core WordPress code (and some of the results along with CVE numbers).

In this series of blog posts, Check Point vulnerability researcher Netanel Rubin tells a story in three acts – describing his long path of discovered flaws and vulnerabilities in core WordPress, leading him from a read-only ‘Subscriber’ user, through creating, editing and deleting posts, and all the way to performing SQL injection and persistent XSS attacks on 20% of the popular web.

In this first part he focuses on the concept of "identity" in a WordPress application, and specifically on the "roles and capabilities" functionality, looking for ways to bypass checks in operations such as editing and adding new posts. As he works through his process, code from the WordPress core is included showing where the issue(s) lie and what would be needed to exploit them.

tagged: bug hunt wordpress vulnerability core code part1 series checkpoint

Link: http://blog.checkpoint.com/2015/08/04/wordpress-vulnerabilities-1/

PHPClasses.org:
OpenSSL Serious Security Bug: Does it Affect Your PHP sites?
Apr 10, 2014 @ 11:55:37

In the wake of the announcement of the Heartbleed vulnerability in the widely used OpenSSL software, the PHPClasses blog has posted a look at how it relates to PHP applications and how you can check whether your application is affected.

Just a few days ago a serious security bug called Heartbleed was publicly announced that affects secure sites based on the OpenSSL library. Read this article to learn more about this security problem, how to test if your Web server or SSH server is vulnerable, how it may affect your PHP sites, and what you should do to fix the problem.

They start with a look at the bug, what it is and why it's such a big problem. The post discusses what kinds of applications are vulnerable (hint: it has nothing to do with PHP itself) and how you can test whether your server is secure. The rest of the post covers how to resolve the issue and how it relates to OpenSSL connections to other servers and to SSH.

tagged: openssl bug heartbleed security effect webserver

Link: http://www.phpclasses.org/blog/post/231-OpenSSL-Serious-Security-Bug-Does-it-Affect-Your-PHP-sites.html

Evert Pot:
Composer's bug now fixed
Feb 24, 2014 @ 12:38:06

Evert Pot has posted an update to a previous post around Composer's vulnerability around installing the wrong packages in the case of a conflict. In this latest post he points out, however, that the bug is now fixed.

As an update to my previous post, the composer security problem now appears fixed. Good to see that a quick response was possible after all.

The original issue was caused by the "replace" functionality, which made it possible for an incorrect package to be installed instead of the one requested. Other posts with more details include this one from Pádraic Brady and Nils Adermann. If you're a Composer user, it's highly suggested you update your currently installed version (run "composer self-update").

tagged: composer bug security vulnerability fix selfupdate

Link: http://evertpot.com/composer-bug-fixed

Christian Weiske:
PHP 5.6: Large file upload support
Dec 11, 2013 @ 11:09:47

Christian Weiske has posted information about a feature in the upcoming PHP 5.6 version of the language - large file upload support. This new feature allows files over 4GB to be uploaded correctly.

PHP version 5.6 brings support for file uploads larger than 2GiB. We can say "thank you" to Ralf Lang for the initial patch that fixes bug #44522, which was open since 2008. During testing uploads of files with a size of 4 - 11GiB on my PHP-CGI setup, I noticed that files above 4GiB did not get uploaded correctly. Michael Wallner was quick to fix that bug, and now 5.6 has fully working support for big files.

PHP 5.6 is still in development and some other new features are slated to be added to it. You can find some of them listed in the RFC section of the PHP wiki.

tagged: php56 large file upload bug patch

Link: http://cweiske.de/tagebuch/php-large-file-uploads.htm

Joshua Thijssen:
PHP’s Resources and garbage collection
Jul 12, 2013 @ 10:54:34

Joshua Thijssen has put together a new post with details about garbage collection in PHP and a "nice bug/feature/whatsmathing" he found related to it and its performance.

I was playing around with writing a daemon and if you have any experience writing daemons (in any language), there are a few rules you have to live by. For instance, setting your effective uid and gid to a non-privileged user (in case you needed to do some privileged initialization, like opening a socket on a tcp port < 1024), setting the process as a group leader with posix_setsid(), and redirecting stdio file descriptors. And here something went wrong which took a while to find and fix.

He was creating a daemon and the script would simply exit without a warning instead of continuing to run. He narrowed the issue down to a few lines (with fopen and fclose) and debugged it with strace to see what was really happening. He found some unexpected system calls in the trace and, after more digging, figured out that a combination of variable scope and resource cleanup was producing the extra calls.

tagged: garbage collection resource stdin stdout stderr bug

Link: http://www.adayinthelifeof.nl/2013/07/10/phps-resources-and-garbage-collection

PHP.net:
PHP 5.5.0 Alpha2 released
Dec 27, 2012 @ 10:22:13

If you'd like to help with testing for the upcoming PHP 5.5.0 version, they've announced the release of the latest alpha on the PHP.net site, ready for download and test execution.

The PHP development team announces the immediate availability of PHP 5.5.0alpha2. This release adds new features and fixes some bugs from alpha1. All users of PHP are encouraged to test this version carefully, and report any bugs in the bug tracking system.

You can see the full list of the changes in 5.5.0 (so far) in the NEWS file, including things like using empty() on return values, enabling systemtap by default for dtrace probes and optimized variable accessing. They need your help to make this upcoming release even better, so if you'd like to help out and test, go grab the download (Windows builds).

tagged: alpha release test language bug tracking

Link:

Matt Frost:
TDD For the Unconverted
Nov 20, 2012 @ 12:45:46

Matt Frost has a new post today helping to explain test-driven development (TDD) for the unconverted and some of the things that come with it in practice.

You've heard of Test Driven Development, but you think: "I've got a horrifying monstrosity for a codebase, it's not testable so I can't do TDD". Let me be the first to tell you that you're wrong. I'm not into writing really controversial pieces, castigating people for not doing things a certain way. If you've considered TDD at any point in time, it's because you understand (at least in the theoretical sense) that having predictable software is beneficial. So this is for you, unconverted developer...

He talks about how using TDD can help you build confidence in your code, make debugging issues in the project simpler and how, despite the initial time it takes to work it into the process, it's worth it in the end. He also includes a few helpful suggestions for when your team doesn't want to follow the method.

tagged: tdd testdriven development opinion bug confidence process

Link:

MaltBlue.com:
4 Keys to a Great Software Development Methodology
Jun 28, 2012 @ 09:26:00

On the MaltBlue.com blog Matt has posted four keys he sees to building a good software development methodology, one that makes for happier developers (and managers).

A lot of the time when we’re developing applications they’re likely to be based around customizing or extending an existing application, such as WordPress, Joomla, Oxid eSales et al. In these cases, there’s a clear set of rules and guidelines to work with. [...] But what about when we’re building our own applications, bespoke ones, from scratch. [...] What do we do then? How do we set up a great software development methodology or set of processes to ensure that we develop cleanly, clearly and efficiently? In today’s post, I’m going to go through 4 areas which can serve as a solid and reliable basis for us to do just this.

The four key elements he sees are:

  • Organized Development Environment
  • Organized Deployment Approach
  • Organized Testing Approach
  • Have a Professional Bug/Issues Database

For each of these elements, he describes some of the methods and tools that can help make them possible.

tagged: software development method environment deployment testing bug issue

Link:

Gonzalo Ayuso's Blog:
Strange behavior in PHP with method visibility
May 28, 2012 @ 18:09:08

In his recent post Gonzalo Ayuso shares some "strange behavior" he found with method visibility in his recent development:

Normally I feel very comfortable with PHP, but not all is good. There are some things I don't like. One is the lack of real annotations and another one is this rare behaviour with visibility within the OO. Let me explain this a little bit.

The problem came up as part of a recent refactor where a protected method, when called on an object injected into another class, threw an error saying it was called from the wrong context. He reported it as a bug but was reminded of how PHP enforces visibility: at the class level, not per instance of a class.

tagged: behavior method visibility bug refactor

Link:

PHP.net:
PHP 5.3.12 and 5.4.2 and the CGI flaw (CVE-2012-1823)
May 07, 2012 @ 09:03:59

The PHP.net site has a new post with some supplemental information for users of the PHP CGI binary who might be affected by the recently announced bug, the reason for the most recent release. Unfortunately, this patch only fixes some of the cases of the problem, so they've amended their instructions to include a more effective mod_rewrite rule to help protect your applications.

PHP 5.3.12/5.4.2 do not fix all variations of the CGI issues described in CVE-2012-1823. It has also come to our attention that some sites use an insecure cgiwrapper script to run PHP. These scripts will use $* instead of "$@" to pass parameters to php-cgi which causes a number of issues. Again, people using mod_php or php-fpm are not affected.

The rewrite rule is there in the post, ready for copying and pasting into your config. Even if you're running the latest PHP 5.3.12 and 5.4.2, be sure to use this rule as a stop-gap measure for now. Another release is planned for tomorrow to fully correct the CGI flaw.
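As an added illustration of the cgiwrapper point in the advisory (this snippet is not from the PHP.net post or the PHP project), the POSIX shell functions below show why a wrapper that forwards its arguments with an unquoted $* behaves differently from one using "$@": whitespace inside an argument is re-split and empty arguments vanish, so the wrapped program no longer sees what the caller passed. The wrapper functions, the stand-in target and the check_wrapper helper are assumptions for the example; nothing here invokes php-cgi.

```shell
#!/bin/sh
# Added example: demonstrates the $* vs "$@" forwarding difference that the
# PHP.net advisory warns about in insecure cgiwrapper scripts.

# Stand-in for the wrapped binary (assumption: not php-cgi). Prints each
# argument it receives in brackets so the effect of the wrapper is visible.
show_args() {
    printf '[%s]' "$@"
    printf '\n'
}

# Insecure pattern: unquoted $* joins all arguments into one string and the
# shell then re-splits it on whitespace (and glob-expands it). Arguments
# containing spaces are broken apart and empty arguments disappear.
wrapper_unsafe() {
    show_args $*
}

# Correct pattern: "$@" forwards every original argument intact, including
# empty ones and ones containing whitespace or glob characters.
wrapper_safe() {
    show_args "$@"
}

# Defensive check: returns 0 if the given wrapper script never uses $*,
# 1 if it does. A quoted "$*" is flagged too, since it collapses all
# arguments into a single one and is still not equivalent to "$@".
check_wrapper() {
    if grep -q '\$\*' "$1"; then
        return 1
    fi
    return 0
}

# Stand-alone demo: two arguments, each containing a space.
wrapper_unsafe 'a b' 'c d'   # four separate arguments reach the target
wrapper_safe   'a b' 'c d'   # the two original arguments reach the target
```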

tagged: cgi flaw bug rewrite rule protect release

Link: