
Paragon Initiative:
Everything [About] Preventing Cross-Site Scripting Vulnerabilities in PHP
June 17, 2015 @ 12:19:29

The Paragon Initiative has posted a new tutorial that wants to provide you with everything you need to know about preventing cross-site scripting in PHP applications.

Cross-Site Scripting (abbreviated as XSS) is a class of security vulnerability whereby an attacker manages to use a website to deliver a potentially malicious JavaScript payload to an end user. XSS vulnerabilities are very common in web applications. They're a special case of code injection attack; except where SQL injection, local/remote file inclusion, and OS command injection target the server, XSS exclusively targets the users of a website.

[...] Cross-Site Scripting represents an asymmetry in the security landscape. They're incredibly easy for attackers to exploit, but XSS mitigation can become a rabbit hole of complexity depending on your project's requirements.

He introduces the concept of cross-site scripting (XSS) for those new to the term and provides a brief "mitigation guide" for those wanting to jump to the end. He then gets into some examples of what an XSS vulnerability could look like, both stored and reflected, and provides the "quick and dirty" method for preventing them. He also offers some tips on implementing your solution, including avoiding HTML in your data if at all possible. He goes on to talk about the use of HTMLPurifier to prevent attacks, context-sensitive escaping (HTML vs JS vs CSS) and some of the browser-level features that help prevent XSS for the user.
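The context-sensitive escaping the post recommends, shown as an added example (this is not code from the Paragon Initiative post; the function names, the template and the sample input are my own): one escaper per output context, chosen by where the untrusted value lands, and applied at the moment of output rather than on input.

```php
<?php
declare(strict_types=1);

// Added example, not from the Paragon Initiative post. One escaper per
// output context; the template below picks the right one in each place.

// HTML body and quoted-attribute context. ENT_QUOTES covers ' and ",
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function escHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript string-literal context inside an inline <script>. json_encode()
// yields a quoted JS literal; the JSON_HEX_* flags turn < > & ' " into \u
// escapes so the value can neither close the <script> element nor break the
// literal.
function escJs(string $value): string
{
    $encoded = json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    if ($encoded === false) {
        // Invalid UTF-8 cannot be encoded safely; refuse rather than emit raw bytes.
        throw new InvalidArgumentException('value is not valid UTF-8');
    }
    return $encoded;
}

// URL query-parameter context. The resulting URL still gets escHtml() when it
// is placed inside an href attribute, because that is an HTML context too.
function escUrlParam(string $value): string
{
    return rawurlencode($value);
}

// Renders a profile card from untrusted input. Every value is escaped at the
// point of output with the escaper matching the context it is inserted into.
function renderProfile(string $displayName, string $bio): string
{
    $nameHtml   = escHtml($displayName);
    $searchHref = escHtml('/search?q=' . escUrlParam($displayName)); // URL inside an attribute
    $nameJs     = escJs($displayName);                                // JS string literal
    $bioHtml    = nl2br(escHtml($bio));                               // escape first, then add <br>

    return <<<HTML
<div class="profile" data-name="{$nameHtml}">
  <h2>{$nameHtml}</h2>
  <p>{$bioHtml}</p>
  <a href="{$searchHref}">Find similar</a>
  <script>var profileName = {$nameJs};</script>
</div>
HTML;
}

// Constructed sample input: it contains the metacharacters that matter in each
// context (quotes, angle brackets, ampersand, newline) and nothing else.
$sample = 'O\'Neil "the" <Great> & Co';
echo renderProfile($sample, "line one\nline <two>");
```

The ordering in `renderProfile` is the part worth copying: `nl2br()` runs after `escHtml()` so the `<br>` it inserts is the only markup that survives, and the search link is percent-encoded for the URL and then HTML-escaped for the attribute, one layer per context. Where an application genuinely has to accept HTML from users, the post points to HTMLPurifier rather than an escaper, since escaping and sanitising are different jobs.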


Link: https://paragonie.com/blog/2015/06/preventing-xss-vulnerabilities-in-php-everything-you-need-know

PHP.net:
Release of PHP 5.4.42, 5.6.10 & 5.5.26
June 15, 2015 @ 14:04:37

The PHP.net site has announced the latest releases for all current major language versions with fixes including several security-related issues:

The PHP development team announces the immediate availability of [these versions]. Six security-related issues in PHP were fixed in this release, as well as several security issues in bundled sqlite library (CVE-2015-3414, CVE-2015-3415, CVE-2015-3416). All PHP users are encouraged to upgrade to [the latest version for their current installation].

As always, you can get these latest downloads from the main downloads site or windows.php.net for the Windows binaries. Other fixes can be found in the release-related list in the Changelog.


Link: http://php.net/

PHP.net:
Release of PHP 5.4.41 & 5.5.25
May 15, 2015 @ 11:46:34

The latest versions of the PHP language in the 5.4.x and 5.5.x series have been released - PHP 5.4.41 and PHP 5.5.25.

These releases both fix several bugs, including seven security-related issues around the character in a pathname, a DoS vulnerability in the multi-part form data handling and an integer overflow in ftp_genlist.

As always, upgrading to these latest versions is recommended (especially when there are security updates involved). You can grab the latest from the downloads page or the windows.php.net site if you're on a Windows platform. For the full list of changes, see the Changelog for the matching version.


Link: http://php.net/downloads

Pádraic Brady:
TLS/SSL Security In PHP Avoiding The Lowest Common Insecure Denominator Trap
April 24, 2015 @ 10:30:50

In his latest post Pádraic Brady shares his thoughts about the state of TLS/SSL functionality in PHP and why he thinks developers should avoid the trap of targeting the "lowest common denominator" and opting for insecurity.

A few weeks back I wrote a piece about updating PHARs in-situ, what we've taken to calling "self-updating". In that article, I touched on making Transport Layer Security (TLS, formerly SSL) enforcement one of the central objectives of a self-updating process. In several other discussions, I started using the phrase "Lowest Common Insecure Denominator" as a label for when a process, which should be subject to TLS verification, has that verification omitted or disabled to serve a category of user with poorly configured PHP installations.

This is not a novel or even TLS-only concept. All that the phrase means is that, to maximise users and minimise friction, programmers will be forever motivated to do away with security features that a significant minority cannot support by default.

He goes on to talk about how, while targeting the lowest common denominator is acceptable in some areas, security isn't one of them. He also includes four basic concepts developers can adhere to in order to avoid this targeting:

  • You should never knowingly distribute insecure code.
  • You should accept responsibility for reported vulnerabilities.
  • You should make every effort to fix vulnerabilities within a reasonable time.
  • You should responsibly disclose vulnerabilities and fixes to the public.

He follows these up with three steps you can follow to migrate an insecure architecture into something much more robust. This includes identifying the consequences of the update and documenting the solutions you've chosen, be those configuration updates or library changes.
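The "lowest common insecure denominator" choice the post warns about, and the alternative, shown as an added example (this is not code from Pádraic Brady's post; the function names and the CA bundle search list are my own assumptions). The first function is the trap: verification switched off so that installations without a CA bundle still "work". The second fails closed with an actionable message instead.

```php
<?php
declare(strict_types=1);

// Added example, not from the post. Contrasts disabling TLS verification to
// accommodate poorly configured installations with failing closed and telling
// the user how to fix their setup.

// The trap: every installation can download, but nobody is actually verifying
// the peer, so any network position between client and server can serve a
// substitute file.
function insecureDownload(string $url): string
{
    $ctx = stream_context_create(['ssl' => [
        'verify_peer'      => false,
        'verify_peer_name' => false,
    ]]);
    return (string) file_get_contents($url, false, $ctx);
}

// Look for a usable CA bundle: an explicit override, then php.ini's
// openssl.cafile (PHP 5.6+), then common distribution paths (assumed list).
function locateCaBundle(?string $override = null): ?string
{
    $candidates = array_filter([
        $override,
        ini_get('openssl.cafile') ?: null,
        '/etc/ssl/certs/ca-certificates.crt', // Debian/Ubuntu
        '/etc/pki/tls/certs/ca-bundle.crt',   // RHEL/CentOS
        '/etc/ssl/cert.pem',                  // macOS, FreeBSD
    ]);
    foreach ($candidates as $path) {
        if (is_readable($path)) {
            return $path;
        }
    }
    return null;
}

// Fail closed: refuse plain HTTP, refuse to run without a CA bundle, and keep
// peer and hostname verification on unconditionally.
function secureDownload(string $url, ?string $caFile = null): string
{
    if (parse_url($url, PHP_URL_SCHEME) !== 'https') {
        throw new RuntimeException("Refusing non-TLS URL: $url");
    }
    $bundle = locateCaBundle($caFile);
    if ($bundle === null) {
        throw new RuntimeException(
            'No CA bundle found. Set openssl.cafile in php.ini or pass the path of '
            . 'your CA bundle. TLS verification will not be disabled to work around this.'
        );
    }
    $ctx = stream_context_create(['ssl' => [
        'verify_peer'         => true,
        'verify_peer_name'    => true,
        'allow_self_signed'   => false,
        'cafile'              => $bundle,
        'disable_compression' => true,
    ]]);
    $body = @file_get_contents($url, false, $ctx);
    if ($body === false) {
        $err = error_get_last()['message'] ?? 'unknown error';
        throw new RuntimeException("TLS download of $url failed: $err");
    }
    return $body;
}

// Offline demonstration of the two refusal paths; no network access needed.
foreach (
    [
        fn() => secureDownload('http://example.invalid/update.phar'),
        fn() => secureDownload('https://example.invalid/update.phar', '/path/that/does/not/exist'),
    ] as $attempt
) {
    try {
        $attempt();
    } catch (RuntimeException $e) {
        echo 'refused: ', $e->getMessage(), "\n";
    }
}
```

The second demonstration passes a non-existent bundle path, so on a machine that also lacks a system bundle the function stops before opening a connection; on a machine that has one, `locateCaBundle()` falls through to it and the download is attempted with verification on. Either way the decision is made once, in code, and documented in the error text, which is the kind of "consequence identified, solution recorded" step the post's migration advice describes.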


Link: http://blog.astrumfutura.com/2015/04/tlsssl-security-in-php-avoiding-the-lowest-common-insecure-denominator-trap/

PHP.net:
PHP 5.6.8, 5.5.24 & 5.4.40 Released (Security Fixes)
April 17, 2015 @ 09:38:18

The PHP development group has released several different versions of PHP for the 5.5.x, 5.6.x and 5.4.x series with a long list of security issues fixed in each one (fourteen in total):

The PHP development team announces the immediate availability of PHP [5.4.40, 5.6.8, 5.5.24]. 14 security-related bugs were fixed in this release, including CVE-2014-9709, CVE-2015-2301, CVE-2015-2783, CVE-2015-1352. All PHP 5.4 users are encouraged to upgrade to this version.

Other items were fixed besides the security issues, so check out the Changelog to see those few other fixes. It's highly recommended that you update your installations to these latest versions. You can grab the latest either from the downloads page (source) or, for Windows users, from windows.php.net.


Link: http://php.net/archive/2015.php#id2015-04-16-3

IBM developerWorks:
PHP renewed: Password security in modern PHP
April 17, 2015 @ 08:53:15

The IBM developerWorks site has a new tutorial posted talking about how PHP has been "renewed" in recent versions, more specifically in the password security department.

When PHP was first crafted in the mid-1990s, the term web application didn't even exist yet. Password protection, then, wasn't one of the features that the PHP creators devoted resources to. After all, you didn't need to worry about passwords when you used PHP just to put a site-visit counter or a date-modified stamp on your web page. But 20 years have passed, and now it's almost unthinkable to create a web application that doesn't involve password-protected user accounts. It's of the utmost importance that PHP programmers safeguard account passwords by using the latest and most secure methods.

The article goes on to talk about the importance of using secure hashing methods for password storage, the speed at which "cracking" programs can run and the use of "rainbow tables". It then gets into some of the older methods commonly used for password storage and protection and shows how to refactor them into the new password hashing functionality introduced in PHP 5.5.
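The refactoring the article describes, shown as an added example (this is not code from the IBM developerWorks article; the record layout with a `scheme` field and the function names are my own assumptions): accounts that still carry an unsalted `md5()` digest are verified against it once, then rewritten with `password_hash()` at the only moment the plaintext is available, which is a successful login.

```php
<?php
declare(strict_types=1);

// Added example, not from the IBM developerWorks article. Assumed storage
// layout: each user record carries 'hash' and 'scheme'. Legacy rows hold an
// unsalted md5() hex digest; migrated rows hold a password_hash() string.

const SCHEME_LEGACY_MD5 = 'md5';
const SCHEME_MODERN     = 'password_hash';

// New accounts get a modern hash. PASSWORD_DEFAULT lets PHP move to a stronger
// algorithm in later versions; password_needs_rehash() below catches old rows.
function createUser(string $password): array
{
    return [
        'scheme' => SCHEME_MODERN,
        'hash'   => password_hash($password, PASSWORD_DEFAULT),
    ];
}

// Verify a login and, on success, upgrade the stored hash if it is legacy or
// was produced with weaker parameters than the current defaults. Returns true
// on success; $user is updated in place and must be written back by the caller.
function verifyAndUpgrade(array &$user, string $password): bool
{
    if ($user['scheme'] === SCHEME_LEGACY_MD5) {
        // hash_equals() (PHP 5.6+) avoids a timing side channel on the compare.
        if (!hash_equals($user['hash'], md5($password))) {
            return false;
        }
        // Correct password: replace the weak digest before returning.
        $user['hash']   = password_hash($password, PASSWORD_DEFAULT);
        $user['scheme'] = SCHEME_MODERN;
        return true;
    }

    if (!password_verify($password, $user['hash'])) {
        return false;
    }
    // Already modern, but the cost or algorithm may have fallen behind.
    if (password_needs_rehash($user['hash'], PASSWORD_DEFAULT)) {
        $user['hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed sample rows: one legacy account, one created with the new API.
$users = [
    'alice' => ['scheme' => SCHEME_LEGACY_MD5, 'hash' => md5('correct horse')],
    'bob'   => createUser('battery staple'),
];

foreach (['alice' => 'correct horse', 'bob' => 'wrong guess'] as $name => $attempt) {
    $ok = verifyAndUpgrade($users[$name], $attempt);
    printf("%s: %s, stored scheme is now %s\n",
        $name, $ok ? 'login ok' : 'rejected', $users[$name]['scheme']);
}
```

After the loop, alice's row has been rewritten with a salted, cost-tuned hash while bob's failed attempt left his row untouched. The same branch also handles future parameter upgrades: raising the default cost or switching algorithm requires no separate migration, because `password_needs_rehash()` flags each row the next time its owner logs in.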


Link: http://www.ibm.com/developerworks/web/library/wa-php-renewed_2/index.html

ServerGrove Blog:
Security tools for PHP projects
March 23, 2015 @ 12:19:13

On the ServerGrove blog there's a new post looking at some of the currently available PHP security tools you can use to help keep your applications safe.

Security is getting more and more important, and the PHP community has been making great improvements in this area during the last few years. From better configuration settings to provide some level of security by default to frameworks providing functionality to avoid common attacks such as XSS, CSRF or SQL injection. [...] Well, any piece of software can have bugs, and obviously open source projects are not an exception. The good point is that, once security researchers find a vulnerability, it is reported and added to a database of known vulnerabilities. We basically need to find a way to avoid using code with known vulnerabilities, and there are some interesting tools out there to help us.

They list four tools that focus on different areas of the security of your application to help provide good basic coverage.

One thing to note: these are all automated tools, so they shouldn't be relied upon exclusively to ensure the security of your application. Testing and evaluation of the codebase with these and other testing tools should always be done as well.


Link: http://blog.servergrove.com/2015/03/23/security-tools-php-projects/

PHP.net:
Release of PHP 5.6.7, 5.5.23 and 5.4.39
March 20, 2015 @ 10:45:27

The PHP development group has announced the release of the latest versions in all three major versions of PHP currently supported: PHP 5.6.7, 5.5.23 and 5.4.39. These releases are bugfix only with several security updates included.

The PHP development team announces the immediate availability of [these new versions]. Several bugs have been fixed as well as CVE-2015-0231, CVE-2015-2305 and CVE-2015-2331. All PHP [5.6, 5.5 and 5.4] users are encouraged to upgrade to this version.

As always, you can get the latest release for each of these versions from the main downloads page (Windows users on windows.php.net), and if you'd like to see the other changes besides the security-related fixes, check out the full Changelog.


Link: http://php.net/index.php#id2015-03-20-2

PHP.net:
PHP 5.6.6 is available
February 20, 2015 @ 09:08:51

Following on the heels of the other latest releases of PHP (5.5.22 and 5.4.38), the PHP development group has released the latest in the 5.6.x series - PHP 5.6.6.

The PHP development team announces the immediate availability of PHP 5.6.6. This release fixes several bugs and addresses CVE-2015-0235 and CVE-2015-0273. All PHP 5.6 users are encouraged to upgrade to this version.

You can get this latest release either directly from the downloads page (well, from a mirror) or, if you're a Windows user, you can get the binaries here. Upgrading is definitely recommended, and you can find all the details of the release and what was fixed in the Changelog.


Link: http://php.net/archive/2015.php#id2015-02-19-2

PHP.net:
Release of PHP 5.5.22 & 5.4.38
February 19, 2015 @ 11:09:40

The main PHP.net site has an announcement today about the latest releases of the language fixing several bugs, including a few security-related issues: PHP 5.5.22 and 5.4.38.

The PHP development team announces the immediate availability of PHP 5.5.22 and 5.4.38. This release fixes several bugs and addresses CVE-2015-0235 and CVE-2015-0273. All PHP 5.5 and 5.4 users are encouraged to upgrade to this version.

As always, you can get the latest source downloads from the downloads page or Windows users can get the binaries from windows.php.net. Those interested in the complete list of fixes in these releases can check out the latest entries in the Changelog.


Link: http://php.net/archive/2015.php#id2015-02-19-1

All content copyright, 2015 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework