Ed Finkler's Blog:
So what is the state of secure development in PHP?
Mar 19, 2007 @ 08:23:00

Sometimes, a picture is worth a thousand words - check out the one included with this new post on Ed Finkler's blog today, a graph of the NIST NVD data showing where most of the security-related PHP issues lie.

PHP Applications by themselves account for over 40% of all NIST NVD entries in 2006. We need more than new frameworks. We need new paradigms for PHP development.

These new paradigms of PHP development have been a long time coming (so far it has mostly been jokes about it), but there are already forces at work to help make things simpler and better for those developing applications. Frameworks, while not new in themselves, are making writing applications easier than ever before when their built-in tools are used.

tagged: secure development framework paradigm application remote file inclusion

Community News:
DreamStats "rootpath" File Inclusion Vulnerability Identified
Feb 06, 2007 @ 11:37:00

As the International PHP Magazine reports today, there's been a file inclusion vulnerability found (reported by Secunia) in the DreamStats package:

Secunia's latest advisory points out a vulnerability in DreamStats, which could be exploited by remote attackers to execute arbitrary commands. This issue is due to an input validation error in the "index.php" script that does not validate the "rootpath" parameter, which could be exploited by remote attackers to include malicious PHP scripts and execute arbitrary commands with the privileges of the web server.

Those at risk are systems running version 4.2 and prior, and they should update immediately. DreamStats is a package for displaying the statistics for Call of Duty related games on a website.

tagged: dreamstats file inclusion vulnerability secunia

LWN.net:
Remote file inclusion vulnerabilities
Oct 12, 2006 @ 10:27:00

According to this article from LWN.net, you might need to be a bit wary of how you use the allow_url_fopen configuration parameter on your server. Apparently there are remote file inclusion issues that can turn the include or require calls already in your code into a problem.

An attacker's fondest wish is to be able to run their code on the target system; an RFI exploit does just that. By exploiting two very dubious 'features' of the PHP language, an attacker can inject their code into a PHP program on the server.

Basically, if the potential attacker can get control of a variable that is used inside an include, they can make the script jump out and run code fetched from their server instead of the local copy. Turning off register_globals provides some protection, but poor programming and the absence of input validation can poke holes in the script's security without any need for globals.

Check out the rest of the article for more information on this (potentially) serious issue, and double-check your code and configuration to make sure you're not at risk.

tagged: remote file inclusion vulnerabilities lwn article report
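To make the "variable inside an include" pattern concrete, here is an added PHP example (not from the LWN article or from any project mentioned on this page) that puts an include driven directly by a request parameter beside a version that only uses the parameter as a key into a fixed allowlist and then confirms the resolved file sits inside the application's own directory. The `page` parameter, the `pages/` directory and the three page names are assumed for the example.

```php
<?php
// Added example, not code from the article or any of the listed projects.

// Insecure: whatever arrives in the query string becomes the include path.
// With allow_url_fopen and allow_url_include on, a URL here pulls in and
// runs remote code; the path is never checked against anything.
function insecureInclude(array $request): void
{
    include $request['page'] . '.php';
}

// Hardened: the request value is only ever a key into a fixed allowlist,
// so no user-controlled characters reach the filesystem or a URL wrapper.
function secureInclude(array $request): void
{
    $allowed = [
        'home'    => 'home.php',
        'about'   => 'about.php',
        'contact' => 'contact.php',
    ];
    $page = $request['page'] ?? 'home';
    if (!isset($allowed[$page])) {
        http_response_code(404);
        return;
    }
    $base = realpath(__DIR__ . '/pages');
    $path = realpath($base . '/' . $allowed[$page]);
    // Defence in depth: the resolved file must still live under pages/.
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(404);
        return;
    }
    include $path;
}

// The ini settings the article is about. allow_url_fopen enables URL
// streams in general; allow_url_include (PHP 5.2 and later) additionally
// gates include/require, and both must be on for a remote include to work.
function remoteIncludeIsPossible(): bool
{
    return filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)
        && filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

secureInclude($_GET);
```

Even with the allowlist in place, keeping allow_url_include off removes the remote variant of the problem for every include in the application, not just the ones you remembered to check.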

FrSIRT:
Vivvo Article Management CMS SQL Injection and PHP File Inclusion Vulnerabilities
Sep 18, 2006 @ 14:08:57

The FrSIRT site has posted a new advisory for users of the Vivvo Article Management CMS software about potential holes that could allow for some very large-scale damage to be done.

Multiple vulnerabilities have been identified in Vivvo Article Management CMS, which could be exploited by remote attackers to compromise a vulnerable server.

The first issue is due to an input validation error in the "pdf_version.php" script that does not validate the "id" parameter before being used in SQL statements, which could be exploited by malicious people to conduct SQL injection attacks.

The second vulnerability is due to an input validation error in the "index.php" script that does not validate the "classified_path" parameter, which may be exploited by remote attackers to include local or remote scripts with the privileges of the web server.

Versions 3.2 and higher of the software are affected, and, unfortunately, no patch has been issued for the issue.

tagged: security issue vivvo article management cms sql injection file inclusion

Justin Silverton's Blog:
PHP Security Mistakes - Part 2
Mar 21, 2006 @ 06:56:49

Justin Silverton continues his "PHP Security Mistakes" series with this new post, looking at issues surrounding system calls, file uploads, and including files into your scripts.

In one of my previous articles, I mentioned the top 5 security mistakes made in PHP. This article is a follow-up, with some more common security mistakes.

For each of the three topics, he describes the functionality PHP offers as well as a suggestion or two on how you can prevent these issues from showing up in your scripts.

tagged: security mistakes part two system calls file uploads inclusion
