RIPSTech.com:
WordPress Configuration Cheat Sheet
Nov 02, 2018 @ 12:23:19

For the WordPress users out there, the RIPSTech.com blog has posted an invaluable "cheat sheet" sharing details on securing your configuration to prevent exploits and other issues down the line.

WordPress is the most frequently installed web application in the world. The system is operated not only by experienced developers but also by beginners. In this blog post, we summarize what to look out for when configuring your WordPress installation’s security.

In our series about misconfigurations of PHP frameworks, we have investigated Symfony, a very versatile and modular framework. Due to the enormous distribution and the multitude of plugins, WordPress is also a very popular target for attackers. This cheat sheet focuses on the wp-config.php file and highlights important settings to check when configuring your secure WordPress installation.

Suggestions made in the guide cover values involving: debugging, database credentials, keys/salts, database repair, external requests and many more. The post provides examples for each of the settings and a recommended value to make it easy to drop in the changes and harden your WordPress installation.

tagged: security configuration wordpress cheatsheet settings tutorial

Link: https://blog.ripstech.com/2018/wordpress-configuration-cheat-sheet/

Jolicode.com:
How to Mix Security and Form with Symfony
Sep 21, 2018 @ 12:37:39

On the Jolicode.com blog, there's a tutorial they've posted showing how to "mix security and forms" in a Symfony application to show only certain form fields based on a user's roles.

In some applications, it could be required to disable some form fields depending on user’s roles.

In this article, we will see how to implement this feature thanks to a simple example: a blog engine.

For their example, they use a Symfony 4 application with the MakerBundle and create a basic blog with "article" entities and an "admin" entity for the user list. From there, the post includes the code needed to update the buildForm method in the ArticleType class to check the current user and be sure they have the "admin" role. To make this work, they also build out a SecurityExtension form extension class that performs the actual check. This is then hooked into the pre-submit event on the form to prevent other issues where an attacker might delete the "allowed" element and submit the data anyway. The post wraps up with an example of performing a similar check but hiding the field instead of just disabling it in the form.

tagged: security symfony symfony4 tutorial form builder admin check

Link: https://jolicode.com/blog/how-to-mix-security-and-form-with-symfony

TutsPlus.com:
How to Do User Authentication With the Symfony Security Component
Aug 17, 2018 @ 13:13:03

On the TutsPlus.com site they've posted a new tutorial showing you how to use the Symfony Security component to authenticate users in your system and use role-based access checks.

In this article, you'll learn how to set up user authentication in PHP using the Symfony Security component. As well as authentication, I'll show you how to use its role-based authorization, which you can extend according to your needs.

The tutorial starts with a summary of the Symfony Security component and what subcomponents it includes. It then walks you through the installation of the component (version 4.1) via Composer. They then walk through a more real-world example that uses user credentials and role information pulled from a MySQL database. They provide the code for the User class, a DatabaseProvider class, a DatabaseAuthenticationProvider, and how they all work together. Code is provided to complete the authentication process and to create the database table for the user credential and role details.

tagged: tutorial authenticate authorize symfony security component security

Link: https://code.tutsplus.com/tutorials/how-to-set-up-user-authentication-by-using-the-symfony-security-component--cms-31643

Laravel News:
Security Release - Laravel v5.6.30 and v5.5.42 have been released
Aug 09, 2018 @ 09:34:59

On the Laravel News site they've posted an announcement recommending all Laravel 5.6.x and 5.5.x users upgrade to the latest release (5.6.30 & 5.5.42) due to a security issue dealing with the APP_KEY value.

Laravel 5.6.30 and Laravel 5.5.42 have both been released to fix a security issue, and it is recommended that all users upgrade as soon as possible.

This update also includes changes to cookie encryption and serialization logic. In addition to the upgrade, they also recommend rotating the key if you believe any malicious user (or former developer/employee) had access to it. The upgrade guide has the information you need to make the update to your application.

tagged: laravel security release appkey cookie update framework

Link: https://laravel-news.com/laravel-5-6-30

TutsPlus.com:
Secure, Passwordless Authentication Using Auth0
Jul 10, 2018 @ 11:23:17

On the TutsPlus.com site they've posted a tutorial showing you how to use the Auth0 service to create a passwordless authentication system for your application.

In this article, you'll learn how to set up passwordless authentication using the Auth0 service. Auth0 allows you to outsource authentication features for your app.

Auth0 is an authentication-as-a-service tool that makes implementation of authentication-related features for your app or site a breeze. If you've built an app and you want to just outsource the authentication and authorization features, a service like Auth0 is something you should consider.

The tutorial walks you through the installation and configuration process of their example PHP application including the setup of the .env file to contain the Auth0 secrets. It then provides the code needed to create two kinds of logins:

  • Using email as the identifier
  • Sending the approval via SMS

Both make use of the Auth0 PHP SDK to do most of the heavy lifting, but there's still a bit of code you'll need to write to get it up and running.

tagged: passwordless security login auth0 tutorial setup configure

Link: https://code.tutsplus.com/tutorials/secure-passwordless-authentication-using-auth0--cms-31195

Websec.io:
Keeping Credentials Secure in PHP
Jun 27, 2018 @ 13:35:17

On the Websec.io site there's a new tutorial posted showing a potential method for keeping secrets safe in PHP-based applications.

One of the most difficult things in any kind of application (not just web applications) is how to protect "secret" values. These values might be API keys, database passwords or even special bypass codes. Ideally, you're not having to define these directly in the application and can have them loaded from another source.

While a lot of the issues around protecting secrets can be removed by better secret handling, it seems like there's still always a need for some kind of secret value to exist in an application. Using this sort of pattern is, obviously, recommended against. The Common Weakness Enumeration database even has an entry specifically about it: CWE-798. Hard-coding credentials, especially plain-text ones, can be a huge risk if an attacker were able to somehow access the code and read them directly.

The post then goes on to talk about specific issues with secrets/credentials handling in PHP and some of the common approaches (mostly using a .env file). It covers some of the basics of using the phpdotenv package before getting into the encryption of the secrets it contains. It makes the recommendation of using an "Apache pull" method to pull in the encryption key when Apache starts, putting it into an environment variable and using the psecio/secure_dotenv library to work with the encrypted values.

tagged: security encryption secret tutorial package phpdotenv

Link: https://websec.io/2018/06/14/Keep-Credentials-Secure.html

RIPSTech.com:
WARNING: WordPress File Delete to Code Execution
Jun 27, 2018 @ 10:29:26

On the RIPSTech.com site they've posted a warning to the WordPress users out there about a vulnerability that would allow a malicious user to delete any file in the WordPress installation, not just file uploads.

At the time of writing no patch preventing this vulnerability is available. Any WordPress version, including the current 4.9.6 version, is susceptible to the vulnerability described in this blogpost.

For exploiting the vulnerability discussed in the following an attacker would need to gain the privileges to edit and delete media files beforehand. Thus, the vulnerability can be used to escalate privileges attained through the takeover of an account with a role as low as Author, or through the exploitation of another vulnerability/misconfiguration.

The post includes more details around the impact of the issue and where in the code the problem lies. It also offers a temporary "hotfix" as a way around the issue by adding a new filter that uses the basename function to reset the thumbnail data.

tagged: security wordpress delete file vulnerability code execution

Link: https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/

Community News:
Composer v1.6.4 Release (with Security Fix)
Apr 16, 2018 @ 10:50:02

Composer, the de facto standard way to install PHP packages, has published a new release that includes a major security update. Jordi Boggiano made this comment about the release on Twitter:

After triaging/merging/fixing almost 200 issues in the last couple days, Composer v1.6.4 is out! It contains a security fix and is therefore a much recommended update for all.

Other changes include fixes for:

  • a regression in version guessing of path repositories
  • the updating of package URLs for GitLab
  • init command not respecting the current php version when selecting package versions
  • exclude-from-classmap symlink handling

You can grab the latest version from the Composer site, or you can use its own self-update command.

tagged: composer release v164 security fix bugfix package

Link: https://twitter.com/seldaek/status/984744594566008832

Checkpoint Research Blog:
Uncovering Drupalgeddon 2
Apr 13, 2018 @ 10:22:46

On the Checkpoint Research blog there's a recent post covering the recent critical Drupal bug, a.k.a. Drupalgeddon 2, and providing a deeper look into the bug and how the exploit worked.

Two weeks ago, a highly critical (21/25 NIST rank) vulnerability, nicknamed Drupalgeddon 2 (SA-CORE-2018-002 / CVE-2018-7600), was disclosed by the Drupal security team. This vulnerability allowed an unauthenticated attacker to perform remote code execution on default or common Drupal installations.

[...] Until now details of the vulnerability were not available to the public, however, Check Point Research can now expand upon this vulnerability and reveal exactly how it works.

The post covers the basic issue, a lack of input sanitization on Form API requests, and what versions it existed in. It then dives into the technical details, showing a proof of concept for the exploit and how an attacker might locate a place in the application to use it. It also looks behind the scenes at the code that handles the request and shows where the issue lies. The post ends with a look at "weaponizing" the exploit and executing whatever code you'd like on the server.

tagged: drupal security issue drupalgeddon2 indepth technical detail

Link: https://research.checkpoint.com/uncovering-drupalgeddon-2/