PHP.net:
PHP 7.0.8, 5.6.23 & 5.5.37 Released
Jun 24, 2016 @ 12:15:55

The PHP development group has released updates to all currently supported versions of PHP, including several security fixes. The latest versions are:

The PHP development team announces the immediate availability of PHP [5.5.37, 5.6.23 and 7.0.8]. This is a security release, several security bugs were fixed. All PHP [...] users are encouraged to upgrade to this version.

As always, you can get the latest source release as linked to from the main downloads page and the Windows binaries from the windows.php.net site. The full list of files can be found in the version's related Changelog.

tagged: language release bugfix security php55 php56 php7

Link: http://php.net/archive/2016.php#id2016-06-23-3

PHP.net:
PHP 5.5.36 & 7.0.7 Released
May 26, 2016 @ 11:16:14

The PHP project has officially released the latest versions of the language in the PHP 5.5.x and PHP 7.0.x series: PHP 5.5.36 and PHP 7.0.7:

The PHP development team announces the immediate availability of PHP 5.5.36. This is a security release. Several security bugs were fixed in this release. All PHP 5.5 users are encouraged to upgrade to this version.

As always, you can download these latest releases from either the main downloads page (source) or from the windows.php.net site for the Windows binaries. For a full list of the changes, you can check out the Changelogs for each release.

tagged: language release bugfix security php55 php70

Link: http://php.net/archive/2016.php#id2016-05-26-2

Free the Geek Podcast:
Episode 17 - Talking Conferences and Security with Chris Cornutt
May 03, 2016 @ 09:45:26

The Free the Geek podcast, hosted by PHP community member Matthew Setter, has posted their latest episode - an interview with Chris Cornutt about conferences and security topics.

In this episode I chat with Chris Cornutt, founder of PHPDeveloper.org, websec.io, and Lone Star PHP about conferences and all things security.

It’s a rousing chat about the state of security within the PHP and wider development community. He also gives me an inside look at what it’s like to run the long-running Lone Star PHP conference in Texas. Grab your favourite beverage and your comfy chair, and get ready for a rousing fireside chat with Chris and me.

You can listen to this latest episode either through the in-page audio player or by downloading the mp3 of the show for listening at your leisure. If you enjoy the episode be sure to subscribe to their feed and follow them on Twitter for updates when the latest episodes are released.

tagged: freethegeek ep17 chriscornutt episode conference security

Link: http://freethegeek.fm/episode/episode-0017

PHP.net:
PHP 5.5.35, 5.6.21 and 7.0.6 Released
Apr 29, 2016 @ 08:29:36

On the main PHP.net site they've announced the latest releases of all currently supported versions of the language: PHP 5.5.35, 5.6.21 and 7.0.6. These are bugfix releases that include, among several other changes, security-related corrections.

The PHP development team announces the immediate availability of PHP [5.5.35, 5.6.21 and 7.0.6]. This is a security release. Several security bugs were fixed in this release.

The PHP 7 release fixes two newly identified vulnerabilities: CVE-2016-3078 (Zip handling) and CVE-2016-3074 (GD functionality). As these are security releases it is highly recommended that you upgrade your current installations as soon as possible. You can get these latest versions from the main PHP.net downloads page or from windows.php.net for the Windows binaries.

tagged: language release bugfix security php55 php56 php7

Link: http://php.net

Jelle Raaijmakers:
Dissecting a spammer’s spam script
Apr 19, 2016 @ 13:48:37

In this post to his site Jelle Raaijmakers dives into a script that's commonly injected into vulnerable sites and used by spammers to send messages without the knowledge of the site owner.

Let’s take a look at a PHP script used to send spam. These types of scripts run on servers all over the world and might give you some insight into a spammer’s dedication to annoy the hell out of you. Spammers abuse known flaws in unsecured websites and applications to break into a server and install scripts that are able to send loads of spam.

[...] Everyone running a mildly popular WordPress site knows that exploits can be really easily introduced by installing plugins from a less than reputable source – or by not keeping your plugins up to date. Sometimes, a zero-day exploit for a popular WordPress plugin becomes known and thousands of installations worldwide are infected at once.

He then goes through a script he found in an infected WordPress instance of his own on a shared hosting provider. He talks about what these kinds of scripts usually look like (an encoded eval injected into current scripts) and the process he followed to dissect it:

  • Step 1: determine method of obfuscation
  • Step 2: introduce newlines
  • Step 3: replace the $j10 values
  • Step 4: concatenate constant strings
  • Step 5: replace function invocations
  • Step 6: prettify the PHP code
  • Step 7: remove default $j10 argument
  • Step 8: decode the $pate payload
  • Step 9: replace $_POST references
  • Step 10: map function and variable names

It's not a simple process, but in the end he's left with the complete PHP script: it loads a remotely defined configuration, tries to send the emails and retries if there's a failure. He also points out a few noteworthy details of the script, including SMTP connection auto-detection and DNS lookups performed over UDP.

tagged: spammer script dissection reverse engineer email spam security

Link: https://jelleraaijmakers.nl/2016/04/dissecting-spammers-spam-script

Paragon Initiative:
Securely Implementing (De)Serialization in PHP
Apr 18, 2016 @ 11:58:22

The Paragon Initiative site has a new tutorial aimed at helping you use PHP's serialize and unserialize handling more securely. The main advice is not to unserialize untrusted data at all unless you're on PHP 7, and they offer some alternative solutions you could use instead.

A frequent problem that developers encounter when building web applications in PHP is, "How should I represent this data structure as a string?" Two common examples include:
  • Caching a complex data structure (to reduce database load)
  • Communicating API requests and responses between HTTP-aware applications
This seems like the sort of problem that you could expect would have pre-existing, straightforward solutions built into every major programming language that aren't accompanied by significant security risk. Sadly, this isn't the case.

He starts with a look at serialization handling and how it can lead to remote code execution if an attacker is able to modify the serialized data. He also shows how the new "allowed_classes" option in PHP 7 prevents the issue by restricting which classes unserialize may instantiate. He then walks through two other ways you could replace serialized data: JSON structures and XML handling. Each of these has its own issues, but they are very different from the code execution risk of unserialize.
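As an added example (this is not code from the Paragon tutorial), the following script shows the PHP 7 "allowed_classes" option that the summary mentions, a JSON-based replacement, and an HMAC check for data you produced yourself. The function names, the sample payload and the cache key are constructed for illustration; the HMAC step is an extra measure not described on this page.

```php
<?php
declare(strict_types=1);

// Added example, not code from the Paragon article.
// Requires PHP >= 7.0 for the second argument of unserialize().

/**
 * Unserialize data without letting it instantiate arbitrary classes.
 * With an empty whitelist no class at all is allowed: any object in the
 * payload becomes __PHP_Incomplete_Class, so no __wakeup()/__destruct()
 * of an unexpected class ever runs.
 */
function unserialize_restricted(string $data, array $allowedClasses = [])
{
    $options = ['allowed_classes' => $allowedClasses === [] ? false : $allowedClasses];
    return unserialize($data, $options);
}

/** True if the decoded value still carries an object the whitelist rejected. */
function contains_incomplete_class($value): bool
{
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_incomplete_class($item)) {
                return true;
            }
        }
    }
    return false;
}

/** Alternative: JSON can only yield scalars and arrays, never arbitrary objects. */
function decode_json_strict(string $json)
{
    $value = json_decode($json, true, 512);
    if (json_last_error() !== JSON_ERROR_NONE) {
        throw new UnexpectedValueException('Invalid JSON: ' . json_last_error_msg());
    }
    return $value;
}

// Constructed placeholder; in real code load a random secret from configuration.
const CACHE_KEY = 'replace-with-a-random-32-byte-secret';

/** Encode a cache entry and prepend an HMAC so tampering is detected before decoding. */
function cache_encode(array $data): string
{
    $json = json_encode($data);
    return hash_hmac('sha256', $json, CACHE_KEY) . '.' . $json;
}

/** Decode a cache entry only after its HMAC verifies (constant-time comparison). */
function cache_decode(string $blob): array
{
    list($mac, $json) = explode('.', $blob, 2) + [1 => ''];
    if (!hash_equals(hash_hmac('sha256', $json, CACHE_KEY), $mac)) {
        throw new RuntimeException('Cache entry failed authentication');
    }
    return decode_json_strict($json);
}

// Constructed sample: a serialized payload naming a class the application never stored.
$untrusted = 'O:10:"RogueClass":1:{s:3:"cmd";s:2:"id";}';

$value = unserialize_restricted($untrusted);
if (contains_incomplete_class($value)) {
    echo "Rejected: payload referenced a class outside the whitelist\n";
}

$blob = cache_encode(['user' => 42, 'roles' => ['editor']]);
$entry = cache_decode($blob);           // verifies, then decodes as JSON

$tampered = substr($blob, 0, -1) . ']'; // flip the last byte of the JSON body
try {
    cache_decode($tampered);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";        // tampering is caught before decoding
}
```

Keeping the whitelist empty (`allowed_classes => false`) is the right default for cache or API data that should only ever hold plain arrays; pass an explicit list of class names only when a specific object type is genuinely expected, and still treat the result as untrusted input afterwards.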

tagged: serialize unserialize security json xml tutorial example vulnerability

Link: https://paragonie.com/blog/2016/04/securely-implementing-de-serialization-in-php

PHP.net:
PHP 5.6.20 & 5.5.34 Released
Apr 01, 2016 @ 09:22:01

The main PHP.net site has officially announced the release of the latest versions in the PHP 5.5.x and 5.6.x series: PHP 5.6.20 and PHP 5.5.34.

The PHP development team announces the immediate availability of PHP [5.6.20 and 5.5.34]. This is a security release. Several security bugs were fixed in this release. All PHP [5.6 and 5.5] users are encouraged to upgrade to this version.

These releases fix issues in several parts of the language including Curl handling, Fileinfo, Mbstring and ODBC. You can get these latest versions from the main downloads page or windows.php.net for the Windows binaries.

tagged: language release php56 php55 bugfix security update download

Link: http://php.net/archive/2016.php#id2016-03-31-4

AppDynamics PHP Blog:
Predicting the Future of PHP Security – Part 3
Mar 24, 2016 @ 09:30:15

On the AppDynamics blog there's a post from Omed Habib that looks at the current state of security in the PHP language and makes predictions about where PHP security, and the language itself, might be heading.

In some ways security is an infinite game of chess on a board the size of the world. For every move you make, the hackers have a countermove ready. They are highly motivated to take what you have, so the game never ends; it just switches players once in awhile. In this final blog in the series, we are going to review the game board, with a look at the most recent changes to security in PHP 7 and earlier supported versions. Then, we’ll try to look a few moves ahead with predictions for the future of PHP security.

In the article he talks about PHP's popularity and how it has somewhat worked against it and its reputation when it comes to secure development. He covers PHP 7 and some of the security-related updates that came with it including:

  • whitelisting classes on unserialize
  • the cryptographically secure random number generator
  • patches for buffer overflows and memory leaks

He ends the post by looking at a possible future for the language, based on comments made in another article, suggesting that one direction PHP could take is the IoT (Internet of Things) space, interacting with the devices on the other end.

tagged: predictions security language php7 features patches iot direction

Link: https://blog.appdynamics.com/php/predicting-the-future-of-php-security/

PHP.net:
PHP 5.5.33, 5.6.19 & 7.0.4 Released
Mar 04, 2016 @ 12:38:49

The latest releases of all currently supported PHP versions are out with several bugfixes, including corrections for a few security issues: 5.5.33, 5.6.19 and 7.0.4.

The PHP development team announces the immediate availability of PHP [5.5.33, 5.6.19 and 7.0.4]. This is a security release in which two security bugs were fixed. All PHP users are encouraged to upgrade to this version.

You can find out more about the changes made in these releases in the PHP 5 Changelog and PHP 7 Changelog, along with references to the related bug reports. As always, you can download these latest releases from the main PHP.net site or your favorite mirror linked from the main downloads page. Windows users can get the latest binaries from windows.php.net.

tagged: language release php5 php7 bugfix security issue

Link: http://php.net/downloads

Aaron Saray:
Two Quick Tips for Securing PHP Sessions
Feb 15, 2016 @ 09:41:47

In a new post to his site Aaron Saray shares two tips that can help you protect the information in your PHP sessions: two configuration options that, once enabled, enforce stricter handling of session identifiers and improve their overall security.

Let’s talk a little bit about session fixation in PHP. Such a fun topic, right? Tons to get into here. But, let’s just touch the surface on two VERY SIMPLE things you can be doing now to make sure that your website is safe.

The two configuration options he mentions are ones that:

  • force the session identifier to use cookies (versus also allowing it from the URL)
  • enforce "strict mode" on the sessions

Each comes with a short description of what the setting does and the recommended value that provides the most protection. One note, though: strict mode is only available in PHP 5.5.2 or greater.
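The two tips applied in practice, as an added example that is not code from Aaron Saray's post. It assumes the settings behind the two tips are `session.use_only_cookies` and `session.use_strict_mode` (the php.ini names the tags point at; strict mode needs PHP 5.5.2 or later); the two cookie flags and the helper function names are additions made here, not part of the post.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post.
// Equivalent php.ini lines for the two tips (assumed setting names):
//   session.use_only_cookies = 1
//   session.use_strict_mode  = 1

/** Hardened session settings; the last two are defence in depth beyond the post. */
const SESSION_HARDENING = [
    'session.use_only_cookies' => '1', // never accept a session ID from the URL
    'session.use_strict_mode'  => '1', // reject IDs the server did not itself issue
    'session.cookie_httponly'  => '1', // keep the cookie out of reach of scripts
    'session.cookie_secure'    => '1', // send the cookie over HTTPS only
];

/**
 * Report settings whose live value differs from the hardened one, so a
 * deployment check can fail loudly before the site serves traffic.
 * ini_get() returns booleans as "1"/"0"/"" (or "On"/"Off"), hence the filter.
 */
function session_hardening_gaps(): array
{
    $gaps = [];
    foreach (SESSION_HARDENING as $name => $wanted) {
        $actual = ini_get($name);
        if ($actual === false
            || filter_var($actual, FILTER_VALIDATE_BOOLEAN) !== (bool) $wanted) {
            $gaps[$name] = $actual;
        }
    }
    return $gaps;
}

/** Apply the settings at runtime; this must happen before session_start(). */
function apply_session_hardening()
{
    foreach (SESSION_HARDENING as $name => $value) {
        ini_set($name, $value);
    }
}

/**
 * Call after a successful login: issuing a fresh ID means a session
 * identifier chosen before authentication cannot survive it (the
 * session fixation case the post is about).
 */
function on_login(array $user)
{
    session_regenerate_id(true); // true also deletes the old session data
    $_SESSION['user_id'] = $user['id'];
}

if (PHP_SAPI !== 'cli') {
    apply_session_hardening();
    $gaps = session_hardening_gaps();
    if ($gaps !== []) {
        error_log('Session hardening gaps: ' . json_encode($gaps));
    }
    session_start();
}
```

Setting the values in php.ini is preferable to `ini_set()` because the runtime call only protects scripts that remember to make it; the `session_hardening_gaps()` check is useful either way, since it catches a host whose php.ini silently overrides the values you expect.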

tagged: session security tip strict mode cookies useonly phpini configuration setting

Link: http://aaronsaray.com/2016/two-quick-tips-for-securing-php-sessions