
PHPClasses.org:
OpenSSL Serious Security Bug Does it Affect Your PHP sites?
April 10, 2014 @ 11:55:37

In the wake of the announcement of the Heartbleed vulnerability in the widely used OpenSSL software, the PHPClasses blog has posted a look at how it relates to PHP applications and how you can check whether your application is affected.

Just a few days ago a serious security bug called Heartbleed, which affects secure sites based on the OpenSSL library, was publicly announced. Read this article to learn more about this security problem, how to test if your Web server or SSH server is vulnerable, how it may affect your PHP sites, and what you should do to fix the problem.

They start with a look at the bug, what it is and why it's such a big problem. The post covers what kinds of applications are vulnerable (hint: it has nothing to do with PHP itself, only with the OpenSSL library underneath) and how you can test whether your server is secure. The rest of the post talks about how to resolve the issue and how it relates to OpenSSL connections to other servers and to SSH.


Link: http://www.phpclasses.org/blog/post/231-OpenSSL-Serious-Security-Bug-Does-it-Affect-Your-PHP-sites.html

PHP.net:
PHP 5.4.27 Released
April 04, 2014 @ 09:28:42

The PHP development group has officially posted the latest in the PHP 5.4.x series of the language - PHP 5.4.27, a bugfix release that includes the security fix for CVE-2013-7345.

The PHP development team announces the immediate availability of PHP 5.4.27. 6 bugs were fixed in this release, including CVE-2013-7345. All PHP 5.4 users are encouraged to upgrade to this version.

Other updates include fixes to the GMP, Mail, OpenSSL and MySQLi extensions. As usual, you can download this latest release from the downloads page or on the Windows site for the binaries. For a complete list of changes, see the latest notes in the Changelog.


Link: http://php.net/index.php#id2014-04-03-1

PHP.net:
PHP 5.5.11 is released
April 03, 2014 @ 13:02:19

PHP.net has announced the latest release in the PHP 5.5.x series today - PHP 5.5.11.

The PHP development team announces the immediate availability of PHP 5.5.11. Several bugs were fixed in this release, some bundled libraries updated and a security issue has been fixed: CVE-2013-7345. We recommend all PHP 5.5 users to upgrade to this version.

Fixes in this release include:

  • Updates to core
  • Fixes in the cURL extension
  • Bugs corrected in the GD extension
  • A fix for the CVE-2013-7345 security issue in Fileinfo

You can download this latest release directly from the downloads page (Windows users here) and you can find the full list of changes in the Changelog.


Link: http://www.php.net/archive/2014.php#id2014-04-02-1

Three Devs and a Maybe Podcast:
Web Application Security - Part 2
March 28, 2014 @ 11:36:18

The Three Devs and a Maybe podcast has released its latest episode today - Web Application Security - Part 2 (Episode #17).

This week we wrap up the top ten security risks compiled by OWASP, with discussion on topics including CSRF (Cross Site Request Forgery) and Known Component Vulnerabilities. Also included this week is a brief introduction to Hack and our thoughts on the programming language Go.

If you missed the first part of the series, you can find part one here. You can listen to this latest show by downloading the mp3 or you can subscribe to their feed and get this and other episodes as they're released.


Link: http://threedevsandamaybe.com/posts/web-application-security-part-2/

Three Devs & A Maybe Podcast:
Web Application Security - Part 1
March 24, 2014 @ 09:28:17

The "Three Devs and a Maybe" podcast has released its latest episode, Episode 15 - Web Application Security - Part 1. Listen in as hosts Lewis Cains and Edd Mann talk about secure web development.

With another two man crew this week we decided to make a start on our discussion on all things Web Security. Directed at PHP developers, we go over the top five security risks compiled by OWASP (The Open Web Application Security Project).

Topics discussed include the OWASP Top 10 project, Cross-site scripting attacks, secure session management tips and the use of HTML purifier. You can listen to this latest episode by downloading it directly from the episode's page.


Link: http://threedevsandamaybe.com/posts/web-application-security-part-1/

PHPClasses.org:
Lately in PHP Podcast #45 - "The Security of Future PHP Versions"
March 13, 2014 @ 13:17:41

The latest episode of the "Lately in PHP" podcast series has been released by PHPClasses.org today - Episode 45, "The Security of Future PHP Versions".

As the plans for the upcoming PHP 5.6 and PHP 6 versions are being finalized, some of the proposals are about improving the security of these future PHP versions. That has been one of the main topics discussed by Manuel Lemos and César Rodas on episode 45 of the Lately in PHP podcast. They also talked about several other types of proposals and ideas for PHP 6, as well as a tutorial on How to Use a Webcam to take Pictures in a PHP Application.

You can listen to this latest episode in a few ways - either through the in-page audio player, by downloading the mp3 or you can watch the live recording over on YouTube.


Link: http://www.phpclasses.org/blog/post/229-The-Security-of-Future-PHP-Versions--Lately-in-PHP-podcast-episode-45.html

Pádraic Brady:
Thoughts on Composer's Future Security
March 06, 2014 @ 11:09:06

Pádraic Brady has a new "let's watch Paddy think aloud in a completely unstructured manner blog post" about the future of security when it comes to the popular PHP package manager Composer. It's recently come under criticism around its lack of package signing and TLS/SSL support.

The Composer issue, as initially reported by Kevin McArthur, was fairly simple. Since no download connection by Composer was properly secured using SSL/TLS, an attacker could, with the assistance of a Man-In-The-Middle (MITM) attack, substitute the package you wanted to download with a modified version that communicated with the attacker's server. They could, for example, plant a line of code which sends the contents of $_POST to the attacker's server.

He's been working on some updates to the project, one of which is TLS/SSL support as defined in this pull request, currently pending. It enables peer verification by default, follows the PHP 5.6 TLS recommendations and uses the local system's certificate store for the connection. He talks some about other additional TLS/SSL measures that could be added in the future and how, despite being safer than nothing, TLS/SSL is not the "cure all" for the problem: it protects the transport, not the integrity of the package itself.

He then moves on to package signing and suggests one method for implementation - signing the "composer.phar" executable and signing "everything else" (packages to be downloaded) to verify their validity.

The flaw in Composer's installer isn't that it's unsigned, it's that it doesn't afford the opportunity for the downloader to read it before it gets piped to PHP. It's a documentation issue. You can go down the route of using a CA, of course, but that's further down the rabbit hole than may be necessary. Signing the composer.phar file is another matter.

Link: http://blog.astrumfutura.com/2014/03/thoughts-on-composers-future-security

PHP.net:
PHP 5.5.10 released
March 06, 2014 @ 11:02:55

The PHP development group has announced the release of the latest version of the language in the PHP 5.5.x series today - PHP 5.5.10.

The PHP development team announces the immediate availability of PHP 5.5.10. Several bugs were fixed in this release, including security issues related to CVEs. CVE-2014-1943, CVE-2014-2270 and CVE-2013-7327 have been addressed in this release. We recommend all PHP 5.5 users to upgrade to this version.

Other changes include fixes to date/time handling, JSON serializing and an upgrade to PCRE 8.34 for regular expression handling. As this release has several security-related fixes, it's highly advised that 5.5.x users upgrade. As always, you can get the latest release from the downloads page or for Windows users, windows.php.net.


Link: http://php.net/index.php#id2014-03-06-1

Evert Pot:
Composer's bug now fixed
February 24, 2014 @ 12:38:06

Evert Pot has posted an update to a previous post around Composer's vulnerability around installing the wrong packages in the case of a conflict. In this latest post he points out, however, that the bug is now fixed.

As an update to my previous post, the composer security problem now appears fixed. Good to see that a quick response was possible after all.

The original issue was caused by the "replace" functionality, which allowed an incorrect package to be installed instead of the one requested. Other posts with more details include this one from Pádraic Brady and Nils Adermann. If you're a Composer user, it's highly suggested you update your currently installed version (run "composer self-update").


Link: http://evertpot.com/composer-bug-fixed

Pádraic Brady:
Composer Downloading Random Code Is Not A Security Vulnerability?
February 21, 2014 @ 10:04:52

In his latest post Pádraic Brady has posted a response to a recent post stating that an issue in Composer, where the wrong package could be installed, is not a security issue. Pádraic disagrees, here's why:

The problem here is quite simple. A user defines a composer.json file that requires the package bloggs/framework. Someone else creates a package on Packagist.org called evil/framework whose own composer.json states that it replaces bloggs/framework. Next, a group of poor random victims, potentially thousands, use composer to install applications with a dependency on bloggs/framework. Composer does some internal wizardry and installs evil/framework when certain conditions are met. The victims didn't request evil/framework but they get it anyway.

He suggests that this is a kind of remote file inclusion and possibly a remote code execution vulnerability. He points out that the manual steps suggested in the post aren't listed in the Composer documentation and that fixes for it are still pending work.

Saying one thing, but acting like it's the other thing you don't want people to call it, makes me think it really is the other thing. Probably because it is. Users can fall victim to a replace and it's called "unintuitive", but if a package states that it replaces something that might lead to the unintuitive behaviour, it's an abuse.

Link: http://blog.astrumfutura.com/2014/02/composer-downloading-random-code-is-not-a-security-vulnerability/


All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework