
Zend Developer Zone:
The ZendCon Sessions Episode 25: (In)secure Ajax-y Websites with PHP
August 07, 2009 @ 09:55:14

The Zend Developer Zone has posted a new episode of their "ZendCon Sessions" podcast series as recorded at last year's Zend/PHP Conference in Santa Clara, CA. This time it's a recording of Christian Wenz's "(In)secure Ajax-y Websites with PHP" talk.

Welcome to the ZendCon 2008 edition of the ZendCon Sessions. The ZendCon Sessions are live recordings of sessions that have been given at previous Zend Conferences. Combined with the slides, they can be the next best thing to having attended the conference itself. [...] This episode of The ZendCon Sessions was recorded live at ZendCon 2008 in Santa Clara, CA and features Christian Wenz giving his talk: "(In)secure Ajax-y Websites with PHP".

You can grab the mp3 of the episode, use the in-page player to listen or subscribe to the podcast feed to get this and other great episodes.



Mikko Koppanen's Blog:
Fake uploading files
March 06, 2009 @ 08:44:39

Mikko Koppanen has posted about an extension he's written that has only one real purpose: making a "fake upload" possible so that a script which handles a file upload can be unit tested.

The extension is doing things that shouldn't be done, it probably doesn't even run anywhere else than on CLI, it is insecure, it might behave incorrectly but in this scenario it worked fine so I decided to share it.

This "use at your own risk" extension gives you a new function to use instead of the normal move_uploaded_file, appropriately named "fakeupload_file". It creates the fake file in such a way that even calls to is_uploaded_file treat it as a genuine upload sitting on the file system. An unlink is all that's needed to remove the "file".



Ed Finkler's Blog:
The PHP App Insecurity Top 20
April 19, 2007 @ 07:01:02

In a new post today, Ed Finkler shares some interesting stats he's generated from NIST NVD data and graphed out: a top 20 list of the PHP applications with the most reported vulnerabilities.

What follows is a breakdown of the 20 PHP-based applications that had the highest aggregate vulnerability scores (NIST assigns a score from 1-10 for the severity of each entry), and the highest total number of vulnerabilities, over the past 12 months. Of the two, I feel that the aggregate score is a better indicator of security issues.

The Excel charts show the total NVD score and the total number of NVD entries for several popular PHP applications (like phpBB, phpMyAdmin, TikiWiki, and Joomla). He also notes that there are some extenuating circumstances surrounding these numbers (it isn't a level comparison) and that the trend seems to point more toward issues with forums than any other type of PHP application.



Pádraic Brady's Blog:
One insecure PHP app too many?
April 04, 2007 @ 10:02:00

In a new post, Pádraic Brady wonders something that has bothered many a PHP community member at one time or another - "is one insecure PHP application too many?"

Unfortunately the nature of PHP as a programming language is that it's easy to foul up. And this has inevitably left the responsibility of security completely up to the individual programmer. The results have been less than comforting, leaving an internet populated by God knows how many insecure PHP scripts and applications written by well-meaning but woefully under-educated programmers and casual users.

He continues by talking about the education of programmers, PHP security resources, how the community reacts to the pressure of a wider audience hearing about the insecurities surrounding PHP apps, and some of the efforts the PHP development group is making to help (like the filter extension).



Stuart Herbert's Blog:
Missing The Business Case For PHP
January 18, 2007 @ 08:40:00

In this new post to his blog today, Stuart Herbert suggests something the PHP community is in dire need of: a site or resource that developers can point to in order to refute some of the PHP rumors floating around, and that provides examples and test cases for one of the most stubborn PHP markets out there, business.

At work, we make and sell software written in a number of languages; our flagship product is written in PHP.

But one of the unfortunate side-effects of Stefan Esser's much-publicized departure from the PHP Security Team has been an increase in the number of IT staff we're coming across who "believe" both that open-source is inherently insecure, and that PHP in particular has incurable problems. These "beliefs" hurt ISVs trying to sell PHP-based applications into skeptical organizations.

He asks why there is no "Why PHP?" resource out there that clients and businesses in general can be referred to for better information. He also names Zend as one of the most logical homes for this kind of information and is surprised they don't already have something like it. Check out the comments to see how much of the community is already behind the effort.



Tobias Schlitt's Blog:
Taint mode for PHP?
December 19, 2006 @ 11:03:00

Tobias Schlitt has a great (long) post responding to a proposal made on the php.internals mailing list for the inclusion of "taint mode" in upcoming PHP versions.

Tobias starts with an overview of what "taint mode" is so that everyone's on the same page. His example involves the incoming and outgoing data usually found in an application, and how the incoming data is the most problematic because of the values it may carry. This is where taint mode can come to the rescue. At its most basic level, it assumes that everything coming in is "tainted" and provides a mechanism for automatically cleaning that data before it's even touched.

With the basics down, Tobias looks back at the proposal for a few additional comments. He considers the proposal a great way to introduce the functionality to the language. There are some drawbacks he mentions, though, including the additional overhead of working through every input value.

Overall, I think this whole thing would be a great addition to PHP and I hope this could come for 6.0. What do you think?

You can also check out some other opinions on the matter:



(IN)Secure Magazine:
Issue #8 Released
September 01, 2006 @ 03:54:52

Issue #8 of the (IN)Secure Magazine has been posted today and includes articles like:
  • Payment Card Industry demystified
  • Computer forensics vs. electronic evidence
  • SSH port forwarding - security from two perspectives, part two
  • Airscanner vulnerability summary: Windows Mobile security software fails the test
  • Introducing the MySQL Sandbox

Check out insecuremag.com for more or just download the issue directly.



Jemjabella.co.uk:
Spotting Insecure Scripts
August 19, 2006 @ 15:36:59

On Jemjabella.co.uk, there's a quick post with a few helpful hints for spotting the insecurities lurking inside some scripts.

With the current surge in "hackings" (or rather: script kiddies exploiting known holes to deface websites that don't support their view on the war) I've been going through a lot of scripts to find common and easy to fix vulnerabilities. With my fingers crossed, and perhaps a naive hope that people don't release scripts with massive holes anymore, I've been sorely disappointed.

They list out a few different things to watch out for, including potential SQL injection points and the unchecked inclusion of files via include(). It's some pretty basic stuff, so don't expect much new from the post, but it's a good reminder of some of the simple things we all, as developers, need to watch out for.




All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework