Pádraic Brady:
Composer Downloading Random Code Is Not A Security Vulnerability?
February 21, 2014 @ 10:04:52

In his latest post Pádraic Brady has posted a response to a recent post stating that an issue in Composer, where the wrong package could be installed, is not a security issue. Pádraic disagrees, here's why:

The problem here is quite simple. A user defines a composer.json file that requires the package bloggs/framework. Someone else creates a package on Packagist.org called evil/framework whose own composer.json states that it replaces bloggs/framework. Next, a group of poor random victims, potentially thousands, use composer to install applications with a dependency on bloggs/framework. Composer does some internal wizardry and installs evil/framework when certain conditions are met. The victims didn't request evil/framework but they get it anyway.

He suggests that this is a kind of remote file inclusion and possibly a remote code execution vulnerability. He points out that the manual steps suggested in the post aren't listed in the Composer documentation and that fixes for it are still pending work.

Saying one thing, but acting like it's the other thing you don't want people to call it, makes me think it really is the other thing. Probably because it is. Users can fall victim to a replace and it's called "unintuitive", but if a package states that it replaces something that might lead to the unintuitive behaviour, it's an abuse.

Link: http://blog.astrumfutura.com/2014/02/composer-downloading-random-code-is-not-a-security-vulnerability/

Timoh's Blog:
Secure random numbers for PHP developers
November 06, 2013 @ 09:20:55

Timoh has posted a look at random number generation to his site, focusing on one of the many methods to produce truly random numbers - using /dev/(u)random (available on Unix-based systems).

How would you gather cryptographically secure random bytes in your PHP application? This is actually quite a good question. It used to be, and seems, it still is not that uncommon to just simply call mt_rand() function to get the job done creating user's "initial password", for example. A bit more experienced reader will notice there is a security bug. [...] But actually only a few [functions to get random values] can be recommended for security sensitive purposes. And now I'm not talking about openssl_random_pseudo_bytes().

He starts with a look at openssl_random_pseudo_bytes and why there might be something wrong with its use - mainly that OpenSSL has had its own share of security issues in the past. Of the two random resources he recommends /dev/urandom as it's less blocking and more useful for web applications. He recommends the RandomCompat library if you need to take this random data and transform it into integers (with one caveat).


Link: http://timoh6.github.io/2013/11/05/Secure-random-numbers-for-PHP-developers.html

Pádraic Brady:
Stateful vs Stateless CSRF Defences Know The Difference
August 13, 2013 @ 09:49:00

In this new post to his site, Pádraic Brady looks at two methods for generating CSRF (cross-site request forgery) tokens to help protect your application. It's not a tutorial, per se, but more of a comparison of two methods: stateful and stateless CSRF tokens.

The difference between Stateful and Stateless CSRF defences is that the former requires storing the CSRF token on the server (i.e. session data) while the latter does not, i.e. the server has zero record of any CSRF tokens. As far as the server is concerned, the number of parties with persistent knowledge of a valid token is reduced to just one - the client. [...] Let's compare both types of CSRF protections.

He introduces the concepts behind both types of token generation, pointing out that most PHP frameworks rely on the stateful option (the "synchronizer" method). The other method ("double submit") actually involves two tokens, one in the POST content and the other as a cookie value. He also dissects another stateless-token article he found and explains why its method of generation may not be ideal.

Like most attacks, CSRF does not exist in isolation so developing a good defence requires mitigating other attacks. [...] Any good CSRF token implementation, whether stateful or stateless, should reflect those requirements with features for limiting tokens by scope and time.

Link: http://blog.astrumfutura.com/2013/08/stateful-vs-stateless-csrf-defences-know-the-difference
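The two defences compared above, as an added example that is not code from Pádraic Brady's post: a synchronizer token kept in the session beside a signed double-submit token that the server never stores. It assumes PHP 7.0 or later and a hypothetical `$serverKey` secret held outside the web root; all function names are my own.

```php
<?php
// Added example: stateful (synchronizer) vs stateless (signed double submit) CSRF tokens.
// Assumes PHP >= 7.0 (random_bytes, hash_equals) and a secret $serverKey (hypothetical).

// Stateful: the server records the token in the session and compares it on submit.
function synchronizerIssue(array &$session): string {
    $token = bin2hex(random_bytes(32));
    $session['csrf_token'] = $token;   // the server's own copy of the valid token
    return $token;                     // rendered into a hidden form field
}

function synchronizerVerify(array $session, string $submitted): bool {
    if (!isset($session['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], $submitted); // timing-safe comparison
}

// Stateless: nothing is stored server-side. The same token is sent as a cookie and as a
// form field; an HMAC over scope|nonce|expiry lets the server recognise tokens it issued
// and enforces the scope and time limits the post calls for. Scope must not contain '|'.
function doubleSubmitIssue(string $serverKey, string $scope, int $ttl = 3600): string {
    $data = $scope . '|' . bin2hex(random_bytes(16)) . '|' . (time() + $ttl);
    return $data . '|' . hash_hmac('sha256', $data, $serverKey); // set as cookie AND field
}

function doubleSubmitVerify(string $serverKey, string $scope, string $cookie,
                            string $field, int $now): bool {
    if (!hash_equals($cookie, $field)) {
        return false;                  // cookie and form value must match exactly
    }
    $parts = explode('|', $field);
    if (count($parts) !== 4 || $parts[0] !== $scope) {
        return false;                  // malformed, or issued for a different form
    }
    list($tokenScope, $nonce, $expiry, $mac) = $parts;
    $expected = hash_hmac('sha256', "$tokenScope|$nonce|$expiry", $serverKey);
    return hash_equals($expected, $mac) && (int)$expiry > $now;
}
```

Without the HMAC, a plain double-submit check only proves that the cookie and field match, which is why the stateless variant here signs the token with a server secret.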

PHPMaster.com:
Better Understanding Random
April 26, 2013 @ 11:52:49

On PHPMaster.com there's a new tutorial talking about randomness in PHP, what it is and some of the things it can be used for.

Use of random values is very important in the computer security field. It is crucial in computer programming for development of secure systems that are not vulnerable to malicious subversion. Cryptography relies on random value's generation and their reproducibility for unpredictable output that is core for security of any system. Random values are fundamental for secure coding practices and PHP highly makes use of them for security. You will find them used in all libraries and frameworks and almost all codes rely on them for the generation of tokens, salts and as inputs for further functions.

He talks about the importance of good random numbers and some common uses for them, including generating salts and unique identifiers. He mentions the "pseudorandomness" of PHP's generators and how they're seeded to help increase this randomness. He finishes the tutorial with some suggestions and language features for creating "as random as possible" values, like using "/dev/urandom" on Linux-based systems.


Link: http://phpmaster.com/better-understanding-random

Anthony Ferrara:
Seven Ways To Screw Up BCrypt
December 21, 2012 @ 12:20:04

If you're going to be rolling your own user handling in your application, no doubt you've heard that something like bcrypt-ing your passwords is a good idea. Well, Anthony Ferrara has some suggestions for you and shows you seven ways you can "screw up" when trying to implement it.

There are numerous articles on the web about how to properly use bcrypt in PHP. So this time, rather than write yet-another-how-to-use-bcrypt article, I'm going to focus on the mistakes that are commonly made when implementing bcrypt.

Here's the list of seven ways (each has its own description in the post):

  • Using A Non-Random Salt
  • Using An Incorrect Random Source for Salt Generation
  • Using Too Weak Of A Cost Parameter
  • Using The Wrong PHP Version
  • Using The Wrong Prefix
  • Not Checking For Errors
  • Not Using A Library

He also includes two "bonus" things to consider: "Not Using A Timing Safe Comparison" and "Not Encoding The Salt Correctly".



Derick Rethans' Blog:
Random Bugs and Testing RCs
February 27, 2012 @ 11:48:29

In a new post to his blog Derick Rethans mirrors the call made by Rasmus Lerdorf at this year's PHP UK Conference - get involved (and help test PHP)!

At the PHP UK Conference Rasmus mentioned that he wants more people contributing to PHP. There are plenty of ways how you can do that.

Derick points out two more immediate ways you can help, one not even requiring any C knowledge:

  • Help test the Release Candidates (like the current PHP 5.4.0 RC8) with a call to "make test" just after your compile.
  • Try the recently added "random PHP bug" functionality on the bugs.php.net site.


SitePoint.com:
How to Create Your Own Random Number Generator in PHP
February 09, 2012 @ 10:03:35

On SitePoint.com today there's a new tutorial showing how to create a random number generator in PHP (with the help of functions like mt_rand and mt_srand).

Computers cannot generate random numbers. A machine which works in ones and zeros is unable to magically invent its own stream of random data. However, computers can implement mathematical algorithms which produce pseudo-random numbers. They look like random numbers. They feel like random distributions. But they're fake; the same sequence of digits is generated if you run the algorithm twice.

Included in the post is code showing how to use the random functions and how to create a class (Random) that provides a few methods to help make generation easier - "seed" and "num". It first calls "seed" with a number to start the random generator off with and then "num" in a loop to pull out random values based on that.



Anthony Ferrara's Blog:
Random Number Generation In PHP
July 21, 2011 @ 10:03:28

Anthony Ferrara has a new post to his blog today looking at true random number generation as it relates to predictability and bias. He also talks about a method/tool you can use (based on RFC 4086) to generate truly random numbers - PHP-CryptLib.

When we talk about "random" numbers, we generally talk about two fundamental properties: Predictability and Bias. Both are closely related, but are subtly different. Predictability in reference to random numbers is the statistical problem of predicting the next value when knowing any number of previous values. Bias on the other hand is the statistical problem of predicting the next value when knowing the distribution of previous values.

He looks at how predictability can affect true random number generation and at a common mistake in generation related to bias in the calculation method. He talks about some of the functions PHP includes to work with randomness, but notes that they all have their flaws. He points to the PHP-CryptLib package as a solution (adhering to the guidelines in RFC 4086 for randomness). He includes some sample code showing how to use it to generate random numbers, tokens and sets of bytes. You can find the full source over on GitHub.
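As an added illustration of the bias the post describes (not code from the post or from PHP-CryptLib), here is the modulo mistake next to a rejection-sampling fix, generalised to an arbitrary range; function names are my own, and it assumes PHP 7.0 or later.

```php
<?php
// Added example: modulo bias when reducing random bytes to a range, and the fix.
// Assumes PHP >= 7.0 (random_bytes) and ranges below 2^31 so the byte space fits an int.

// Biased: a byte has 256 values and 256 mod 10 = 6, so digits 0-5 each occur 26/256 of
// the time while 6-9 occur only 25/256. Small, but a measurable skew toward 0-5.
function biasedDigit(): int {
    return ord(random_bytes(1)) % 10;
}

// Unbiased: reject bytes >= 250 (the largest multiple of 10 that fits in a byte), so
// every surviving value maps onto 0-9 with exactly equal probability.
function unbiasedDigit(): int {
    do {
        $b = ord(random_bytes(1));
    } while ($b >= 250);
    return $b % 10;
}

// The same idea for any inclusive range [$min, $max].
function unbiasedInt(int $min, int $max): int {
    $range = $max - $min + 1;
    $bytes = 1;
    while (256 ** $bytes < $range) {          // enough bytes to cover the range
        $bytes++;
    }
    $space = 256 ** $bytes;                   // distinct byte patterns available
    $limit = $space - ($space % $range);      // largest multiple of $range <= $space
    do {
        $value = hexdec(bin2hex(random_bytes($bytes)));
    } while ($value >= $limit);               // discard the biased tail and retry
    return $min + ($value % $range);
}

// Tally each generator over many samples to see the skew on real output.
function digitHistogram(callable $gen, int $samples): array {
    $counts = array_fill(0, 10, 0);
    for ($i = 0; $i < $samples; $i++) {
        $counts[$gen()]++;
    }
    return $counts;
}
```

PHP 7's random_int() performs this rejection step internally, so in new code prefer it over hand-rolled reduction arithmetic.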



MySQL Performance Blog:
Sample datasets for benchmarking and testing
February 09, 2011 @ 13:19:28

In a recent post to the MySQL Performance Blog, there's a pointer to a few resources you can use if you need some sample datasets to run your application against - everything from airline flight information to energy usage data.

Sometimes you just need some data to test and stress things. But randomly generated data is awful - it doesn't have realistic distributions, and it isn't easy to understand whether your results are meaningful and correct. Real or quasi-real data is best. Whether you're looking for a couple of megabytes or many terabytes, the following sources of data might help you benchmark and test under more realistic conditions.

The sample data sets vary from fake movie information to sample site traffic data to the large data sets that Amazon provides (including the Human Genome and US Census data). Some of the comments also link to other sources.



Sameer Borate's Blog:
How not to create a Random string
November 26, 2010 @ 10:18:48

In this latest post to his blog, Sameer Borate talks about how not to create random strings and how, if you're not careful, it could backfire on you.

It is surprising to see how after all the code floating around people still find it hard to create random numbers. In a recent piece of code I encountered, the following was used to generate a string of random numbers. The code was written to provide a random string to be passed to an email verifier system - the type wherein a new user when he subscribes to a website needs to verify his email by clicking on a provided link.

He includes a snippet of the code that uses a call to str_shuffle on the set of numbers 1-10 to generate a random number. The only problem with the method is that, when the number gets large enough, PHP automatically kicks it into exponential format, which is not exactly ideal for an email link. Let this serve as a reminder for any similar scripts you might write.




Community Events





Don't see your event here?
Let us know!


introduction framework opinion laravel symfony podcast application security release package library interview tool voicesoftheelephpant series version composer update language community

All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework