Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

TutsPlus.com:
Secure, Passwordless Authentication Using Auth0
Jul 10, 2018 @ 11:23:17

On the TutsPlus.com site they've posted a tutorial showing you how to use the Auth0 service to create a passwordless authentication system for your application.

In this article, you'll learn how to set up passwordless authentication using the Auth0 service. Auth0 allows you to outsource authentication features for your app.

Auth0 is an authentication-as-a-service tool that makes implementation of authentication-related features for your app or site a breeze. If you've built an app and you want to just outsource the authentication and authorization features, a service like Auth0 is something you should consider.

The tutorial walks you through the installation and configuration process of their example PHP application including the setup of the .env file to contain the Auth0 secrets. It then provides the code needed to create two kinds of logins:

  • Using email as the identifier
  • Sending the approval via SMS

Both make use of (the Auth0 PHP SDK) to do most of the heavy lifting but there's still a bit of code you'll need to get it up and running.

tagged: passwordless security login auth0 tutorial setup configure

Link: https://code.tutsplus.com/tutorials/secure-passwordless-authentication-using-auth0--cms-31195

Websec.io:
Keeping Credentials Secure in PHP
Jun 27, 2018 @ 13:35:17

On the Websec.io site there's a new tutorial posted showing a potential method for keeping secrets safe in PHP-based applications.

One of the most difficult things in any kind of application (not just web applications) is how to protect "secret" values. These values might be API keys, database passwords or even special bypass codes. Ideally, you're not having to define these directly in the application and can have them loaded from another source.

While a lot of the issues around protecting secrets can be removed by better secret handling, it seems like there's still always a need for some kind of secret value to exist in an application. Using this sort of pattern is, obviously, recommended against. The Common Weakness Enumeration database even has an entry specifically about it: CWE-798. Hard-coding credentials, especially plain-text ones, can be a huge risk if an attacker were able to somehow access the code and read them directly.

The post then goes on to talk about specific issues with secrets/credentials handling in PHP and some of the common approaches (mostly using a .env file). It covers some of the basics of using the phpdotenv package before getting into the encryption of the secrets it contains. It makes the recommendation of using an "Apache pull" method to pull in the encryption key when Apache starts, putting it into an environment variable and using the psecio/secure_dotenv library to work with the encrypted values.

tagged: security encryption secret tutorial package phpdotenv

Link: https://websec.io/2018/06/14/Keep-Credentials-Secure.html

RIPSTech.com:
WARNING: WordPress File Delete to Code Execution
Jun 27, 2018 @ 10:29:26

On the RIPSTech.com site they've posted a warning to the WordPress users out there about a vulnerability that would allow a malicious user to delete any file in the WordPress installation, not just file uploads.

At the time of writing no patch preventing this vulnerability is available. Any WordPress version, including the current 4.9.6 version, is susceptible to the vulnerability described in this blogpost.

For exploiting the vulnerability discussed in the following an attacker would need to gain the privileges to edit and delete media files beforehand. Thus, the vulnerability can be used to escalate privileges attained through the takeover of an account with a role as low as Author, or through the exploitation of another vulnerability/misconfiguration.

The post includes more details around the impact of the issue and where in the code the problem lies. It also offers a temporary "hotfix" as a way around the issue by adding a new filter that uses the basename function to reset the thumbnail data.

tagged: security wordpress delete file vulnerability code execution

Link: https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/

Community News:
Composer v1.6.4 Release (with Security Fix)
Apr 16, 2018 @ 10:50:02

Composer, the de-facto standard way to install PHP packages, has published a new release that includes a major security update. Jordi Boggiano made this comment about the release on Twitter:

After triaging/merging/fixing almost 200 issues in the last couple days, Composer v1.6.4 is out! ???? It contains a security fix and is therefore a much recommended update for all.

Other changes include fixes for:

  • a regression in version guessing of path repositories
  • the updating of package URLs for GitLab
  • init command not respecting the current php version when selecting package versions
  • exclude-from-classmap symlink handling

You can grab the latest version from the Composer site or you can use it's own self-update command.

tagged: composer release v164 security fix bugfix package

Link: https://twitter.com/seldaek/status/984744594566008832

Checkpoint Research Blog:
Uncovering Drupalgeddon 2
Apr 13, 2018 @ 10:22:46

On the Checkpoint Research blog there's a recent post covering the recent critical Drupal bug, a.k.a. Drupalgeddon 2, and providing a deeper look into the bug and how the exploit worked.

Two weeks ago, a highly critical (21/25 NIST rank) vulnerability, nicknamed Drupalgeddon 2 (SA-CORE-2018-002 / CVE-2018-7600), was disclosed by the Drupal security team. This vulnerability allowed an unauthenticated attacker to perform remote code execution on default or common Drupal installations.

[...] Until now details of the vulnerability were not available to the public, however, Check Point Research can now expand upon this vulnerability and reveal exactly how it works.

The post covers the basic issue, a lack of input sanitization on Form API requests, and what versions it existed in. It then dives into the technical details, showing a proof of concept for the exploit and how an attacker might locate a place in the application to use it. It also looks behind the scenes at the code that handles the request and shows where the issue lies. The post ends with a look at "weaponizing" the exploit and executing whatever code you'd like on the server.

tagged: drupal security issue drupalgeddon2 indepth technical detail

Link: https://research.checkpoint.com/uncovering-drupalgeddon-2/

Fortrabbit Blog:
Your responsibility: App security
Apr 09, 2018 @ 11:45:17

On the Fortrabbit blog there's a post from Oliver Stark about securing your PHP application based on an experience they had with a recent support ticket.

A few days ago, late in the evening, we received a support ticket with the [message asking if their site had been hacked]. The support team started the conversation with the client and checked the domain routing first. It quickly became clear that the redirects to the phishing domain happened on our platform, so they searched the access logs for suspicious requests.

As they searched the logs, other similar requests showed up pointing back to a root.php file that seemed to be taking commands from URL parameters. This kind of script is called a "webshell" and is usually uploaded via a vulnerability with a plugin, poorly guarded upload forms or bad input validation. After some additional tracking, the vulnerability was located in the site's "vendor" folder that was web accessible. The post finishes with some recommendations to keep this from happening to you and your application including keeping dependencies up to date and preventing direct "vendor" folder access.

tagged: application security fortrabbit webshell experience

Link: https://blog.fortrabbit.com/app-sec

PHP.net:
PHP 7.1.16 & 5.6.35 Released
Mar 30, 2018 @ 09:15:55

On the main PHP.net site, they've posted announcements about the release of minor versions of PHP 7.1.x and 5.6.x: 7.1.16 and 5.6.35.

The PHP development team announces the immediate availability of PHP 5.6.35 [and PHP 7.1.16]. This is a security release. One security bug was fixed in this release. All PHP 5.6 [and 7.1] users are encouraged to upgrade to this version.

The bugfixes included in these releases deal with changes in the FPM handling, ODBC functionality, and Phar building. You can download this latest release from the main downloads page (source) or from the windows.php.net site for the Windows binaries.

tagged: language release php7 php56 bugfix security

Link: http://php.net/index.php#id2018-03-29-3

Community News:
Critical Drupal Security Vulnerability Announced
Mar 29, 2018 @ 09:13:19

The Drupal project has announced a critical security vulnerability in the currently supported versions of the popular CMS: Drupal 7 and 8 (as well as v6). The announcement on the main Drupal site details the issues and provides a link to an FAQ with more detail about the issue.

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.

[...] Drupal 8, 7, and 6 sites are affected. According to the Drupal project usage information this represents over one million sites or about 9% of sites that are running a known CMS according to Builtwith.

The issue could allow an attacker to take full control of the application and execute whatever code they'd want to on the server. They recommend upgrading immediately to safeguard your Drupal application. They also provide links to a guide on what to do if you are hacked and to the Drupal 6 patch (as well as steps you can take if you can't upgrade).

tagged: drupal cms vulnerability security announcement upgrade

Link: https://www.drupal.org/sa-core-2018-002

PHP.net:
Multiple Versions Released - 7.1.15, 5.6.34 & 7.2.3
Mar 05, 2018 @ 12:43:35

The main PHP.net site has posted the announcement(s) of the release of updates for the three supported versions of the language: 7.1.15, 5.6.34 & 7.2.3.

The PHP development team announces the immediate availability of PHP 7.1.15, 5.6.34 and 7.2.3. This is a security fix release, containing one security fix and many bug fixes. All [PHP] users are encouraged to upgrade to this version.

Fixes include changes to the DateTime handling, LDAP connectivity, Phar construction, PostgreSQL issues and changes to the SPL. You can get these latest versions either from the main downloads page or on windows.php.net for the Windows binaries.

tagged: multiple version release php71 php72 php56 security bugfix

Link: http://php.net/archive/2018.php#id2018-03-02-1

Three Devs & A Maybe:
Symmetric and Asymmetric Encryption with Scott Arciszewski
Feb 07, 2018 @ 10:58:16

In the latest episode of the Three Devs and a Maybe podcast, hosted by Michael Budd, Fraser Hart, Lewis Cains and Edd Mann, they welcome back a guest for another round of security discussions: Scott Arciszewski around symmetric and asymmetric encryption.

In this weeks episode we are lucky to be joined again by Scott Arciszewski. We start off the show by discussing the difference between Symmetric and Asymmetric Encryption, what Authenticated Encryption is and how secret-keys are exchanged using Diffie-Hellman. From here, we move on to highlight how Elliptic-curve cryptography works, what DNSCrypt is and why prime numbers are so important in cryptography. Finally, we touch upon multi-factor authentication, how one time passwords work, SMS vulnerabilities and how to manage password recovery.

There's a wide range of security and cryptography related topics mentioned and linked in the post. You can listen to this latest show either using the in-page audio player or by downloading the mp3 directly. If you enjoy the episode, be sure to subscribe to their feed and follow them on Twitter to get updates when new shows are released.

tagged: threedevsandamaybe podcast scottarciszewski security cryptography encryption

Link: http://threedevsandamaybe.com/symmetric-and-asymmetric-encryption-with-scott-arciszewski/