
Multiple Versions Released - 7.1.15, 5.6.34 & 7.2.3
Mar 05, 2018 @ 12:43:35

The main PHP.net site has posted the announcement(s) of the release of updates for the three supported versions of the language: 7.1.15, 5.6.34 & 7.2.3.

The PHP development team announces the immediate availability of PHP 7.1.15, 5.6.34 and 7.2.3. This is a security fix release, containing one security fix and many bug fixes. All [PHP] users are encouraged to upgrade to this version.

Fixes include changes to the DateTime handling, LDAP connectivity, Phar construction, PostgreSQL issues and changes to the SPL. You can get these latest versions either from the main downloads page or on windows.php.net for the Windows binaries.

tagged: multiple version release php71 php72 php56 security bugfix

Link: http://php.net/archive/2018.php#id2018-03-02-1

Three Devs & A Maybe:
Symmetric and Asymmetric Encryption with Scott Arciszewski
Feb 07, 2018 @ 10:58:16

In the latest episode of the Three Devs and a Maybe podcast, hosted by Michael Budd, Fraser Hart, Lewis Cains and Edd Mann, they welcome back a guest for another round of security discussions: Scott Arciszewski, this time on symmetric and asymmetric encryption.

In this week's episode we are lucky to be joined again by Scott Arciszewski. We start off the show by discussing the difference between Symmetric and Asymmetric Encryption, what Authenticated Encryption is and how secret keys are exchanged using Diffie-Hellman. From here, we move on to highlight how Elliptic-curve cryptography works, what DNSCrypt is and why prime numbers are so important in cryptography. Finally, we touch upon multi-factor authentication, how one time passwords work, SMS vulnerabilities and how to manage password recovery.

There's a wide range of security and cryptography related topics mentioned and linked in the post. You can listen to this latest show either using the in-page audio player or by downloading the mp3 directly. If you enjoy the episode, be sure to subscribe to their feed and follow them on Twitter to get updates when new shows are released.
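
To put the first three topics of the episode side by side (symmetric authenticated encryption, asymmetric keypairs and a Diffie-Hellman exchange), here is an added example using the libsodium extension that ships with PHP 7.2. It is not code from the podcast or its guest; the function names and the sample message are ours.

```php
<?php
declare(strict_types=1);

// Added illustration (not the podcast's code): the pieces named in the
// episode, using the libsodium extension bundled with PHP 7.2.

/**
 * Symmetric authenticated encryption (XSalsa20-Poly1305). The same 32-byte
 * key encrypts and decrypts; the Poly1305 tag makes any tampering detectable.
 */
function aeEncrypt(string $key, string $plaintext): string
{
    // 24-byte nonce, must never repeat under the same key; prepended to the ciphertext
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return $nonce . sodium_crypto_secretbox($plaintext, $nonce, $key);
}

function aeDecrypt(string $key, string $message): ?string
{
    $n = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
    if (strlen($message) < $n + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        return null; // too short to even carry a tag
    }
    $plaintext = sodium_crypto_secretbox_open(substr($message, $n), substr($message, 0, $n), $key);
    return $plaintext === false ? null : $plaintext; // false means the tag did not verify
}

/**
 * Asymmetric part: each side holds an X25519 keypair and only public keys
 * cross the wire. The Diffie-Hellman exchange gives both sides the same
 * symmetric session keys without ever transmitting them.
 */
function exchangeAndSend(string $plaintext): array
{
    $client = sodium_crypto_kx_keypair();
    $server = sodium_crypto_kx_keypair();
    $clientPk = sodium_crypto_kx_publickey($client);
    $serverPk = sodium_crypto_kx_publickey($server);

    // Each call returns [receive-key, transmit-key]; the client's transmit
    // key equals the server's receive key and vice versa.
    [$clientRx, $clientTx] = sodium_crypto_kx_client_session_keys($client, $serverPk);
    [$serverRx, $serverTx] = sodium_crypto_kx_server_session_keys($server, $clientPk);

    $wire = aeEncrypt($clientTx, $plaintext);

    // Flip one ciphertext bit so the authenticated decryption can reject it.
    $tampered = $wire;
    $last = strlen($tampered) - 1;
    $tampered[$last] = chr(ord($tampered[$last]) ^ 0x01);

    return [
        'keys_agree' => hash_equals($clientTx, $serverRx) && hash_equals($clientRx, $serverTx),
        'decrypted'  => aeDecrypt($serverRx, $wire),
        'tampered'   => aeDecrypt($serverRx, $tampered),
    ];
}

var_dump(exchangeAndSend('meet at noon'));
```

Running it shows both sides deriving identical session keys from nothing but public values, the server recovering the message with its receive key, and the single-bit modification coming back as null rather than as garbled plaintext, which is the whole point of "authenticated" in authenticated encryption.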

tagged: threedevsandamaybe podcast scottarciszewski security cryptography encryption

Link: http://threedevsandamaybe.com/symmetric-and-asymmetric-encryption-with-scott-arciszewski/

Symfony Blog:
New Core Team Member, Security Team Leader
Jan 29, 2018 @ 11:25:03

On the Symfony blog the project has made an announcement about a new addition to the Symfony team to help handle security issues around the framework: Michael Cullum.

Handling security issues responsibly and transparently is key to the success of any Open-Source project. Symfony is no exception. We documented the process of our security management policy a long time ago.

[...] Today, I'm very happy and proud to announce that we are getting to the next level. Michael Cullum accepted to join the Symfony Core Team to lead the security team. He will be responsible for managing the security process.

Michael is the secretary of the PHP-FIG group, represents the PHPBB project and is a heavy user of the Symfony framework. Having Michael on the team means that there will be a central point of contact and someone whose primary role is ensuring the safety and security of the overall project and framework.

tagged: core security team member michaelcullum symfony project framework

Link: http://symfony.com/blog/new-core-team-member-security-team-leader

PHP Sessions in Depth
Jan 23, 2018 @ 11:16:33

php[architect] magazine has republished an article from their January 2018 issue by Jeremy Dorn that covers PHP sessions in depth.

PHP Sessions are often taken for granted. A session is a magic array which persists across page loads and holds user-specific data. It’s a fantastic and integral part of most web applications. But when misused, sessions can cause substantial security holes, performance and scalability problems, and data corruption. A deep understanding of sessions is vital to production web development in PHP.

The article covers various topics around PHP sessions and their use including security, performance and scalability. It also covers a few additional topics like serialization of data, session locking and intelligent auto-merging of sessions on the backend. Check out the full article for descriptions of each and some code examples to help show them in action.
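
As an added example, not code from the article, here is a session bootstrap that puts the security and locking points above into practice: strict-mode IDs against fixation, hardened cookie flags, ID regeneration on login, server-side expiry and an early lock release. It assumes PHP 7.3 or later for the array form of session_set_cookie_params() and setcookie(); the eight-hour lifetime is an arbitrary choice.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from the php[architect] article. Assumes
// PHP 7.3+ (array signatures of session_set_cookie_params and setcookie).

function secureSessionStart(bool $overTls = true): void
{
    // Reject session IDs the server did not generate, so an attacker cannot
    // plant a known ID in the victim's browser (session fixation).
    ini_set('session.use_strict_mode', '1');
    // The ID travels only in the cookie, never in the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    session_set_cookie_params([
        'lifetime' => 0,         // browser-session cookie
        'path'     => '/',
        'domain'   => '',
        'secure'   => $overTls,  // never sent over plain HTTP
        'httponly' => true,      // invisible to JavaScript, limits what XSS can steal
        'samesite' => 'Lax',     // not attached to cross-site POSTs
    ]);
    session_start();
}

function login(int $userId): void
{
    // Privilege change: issue a new ID and delete the old record (true), so a
    // session fixed before authentication is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION = ['user_id' => $userId, 'created_at' => time()];
}

function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

/** Absolute lifetime enforced on the server; cookie expiry alone is advisory. */
function currentUserId(int $maxAge = 8 * 3600): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['created_at'])) {
        return null;
    }
    if (time() - $_SESSION['created_at'] > $maxAge) {
        logout();
        return null;
    }
    return $_SESSION['user_id'];
}

/**
 * Locking: PHP holds an exclusive lock on the session from session_start()
 * until the request ends, so parallel requests from one browser (AJAX,
 * several tabs) run one after another. Release it as soon as the request
 * has read what it needs and will not write again.
 */
function readOnlySession(): ?int
{
    secureSessionStart();
    $userId = currentUserId();
    session_write_close(); // lock released; $_SESSION is now a plain copy
    return $userId;
}
```

Requests that only need to know who the user is should follow the readOnlySession() pattern; anything that writes to $_SESSION after session_write_close() is silently lost, which is one of the data-corruption cases the article warns about.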

tagged: sessions detail security performance scalability additional tutorial

Link: https://www.phparch.com/2018/01/php-sessions-in-depth/

RIPS Technologies:
PHP Security Advent Calendar 2017 Wrap-Up
Jan 05, 2018 @ 11:52:08

On their blog, RIPS Technologies have shared a wrap-up of their security advent calendar shared at the end of last year. The calendar provided a daily challenge related to a PHP security issue that may or may not be commonly known.

In this year's PHP Security Advent Calendar we published 24 challenges for the PHP community where security issues were hidden in code snippets for fun and training. The challenges are based on real-world security vulnerabilities that we found with the help of RIPS over the last year in popular PHP applications. In this blog post we are going to discuss the main take-aways from our advent calendar regarding PHP security.

The calendar covered several different types of challenges but they fell into a few overall categories: issues with user input, weak typing, odd behavior of built-in features and the overall diversity of possible bugs.

The root causes of the security issues presented in our challenges are not new. But the diversity and combinations of these pitfalls are nearly endless and trick even skilled developers. What looks secure at first sight quickly turns into an exploitable security bug. [...] We would like to thank everyone who participated, discussed, and provided great feedback and we hope our challenges helped in sharpening your security skills in a fun way!
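
The "weak typing" category deserves a concrete look, so here is an added example (constructed for this summary, not taken from the RIPS post) pairing two loose-comparison checks with their strict counterparts. The two MD5 inputs are the well-known pair whose digests both start with 0e.

```php
<?php
// Constructed examples (added here, not from the RIPS post) of PHP weak
// typing pitfalls, each next to its strict fix.

/** Vulnerable: == converts numeric-looking strings before comparing. */
function tokenMatchesLoose($submitted, string $expected): bool
{
    return $submitted == $expected;
}

/** Hardened: type check first, then constant-time comparison of the exact bytes. */
function tokenMatchesStrict($submitted, string $expected): bool
{
    return is_string($submitted) && hash_equals($expected, $submitted);
}

/** Vulnerable: in_array() defaults to loose comparison. */
function roleAllowedLoose($role): bool
{
    return in_array($role, ['admin', 'editor']);
}

/** Hardened: the third argument forces ===, and non-strings are refused outright. */
function roleAllowedStrict($role): bool
{
    return is_string($role) && in_array($role, ['admin', 'editor'], true);
}

function demo(): array
{
    // Both digests have the form "0e<digits>", which PHP reads as the float
    // 0.0 when comparing numeric strings, so == considers them equal.
    $a = md5('240610708');
    $b = md5('QNKCDZO');

    return [
        'magic_hash_loose'  => tokenMatchesLoose($a, $b),
        'magic_hash_strict' => tokenMatchesStrict($a, $b),
        // "1e3" and "1000" are numerically equal strings
        'exponent_loose'    => tokenMatchesLoose('1e3', '1000'),
        'exponent_strict'   => tokenMatchesStrict('1e3', '1000'),
        // A JSON body like {"role": true} yields a boolean; true == 'admin' holds
        'bool_loose'        => roleAllowedLoose(true),
        'bool_strict'       => roleAllowedStrict(true),
    ];
}

var_dump(demo());
```

The loose variants accept every one of the forged inputs and the strict ones reject them all. The same conversion rules apply to switch statements and to array_search(), so a == hidden in either is just as much a finding as one in an if.
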

tagged: security advent calendar wrapup 2017 ripstech

Link: https://blog.ripstech.com/2018/php-security-advent-calendar-wrap-up/

Multiple Versions Released - 5.6.33, 7.1.13, 7.2.1 and 7.0.27
Jan 05, 2018 @ 10:16:17

On the main PHP.net site (http://php.net/) today they've announced new releases of all currently supported versions of the language:

All of these releases contain similar bugfixes correcting security issues reported in the language including problems in the CLI server, Phar handling, Zip functionality and the Opcache feature. It is suggested to update to these latest versions as soon as possible to prevent issues with these bugs.

As always you can download the source versions of these latest releases from the main downloads page or the Windows binaries from windows.php.net. If you're interested in the changes made, check out the Changelogs for PHP 7 and PHP 5.6.

tagged: version release language php56 php71 php72 security bugfix

Link: http://php.net/downloads

PHP Security Advent Calendar 2017 Announcement
Dec 01, 2017 @ 12:10:38

The RIPSTech group has a post to their site with the announcement of the return of their security-related advent calendar. This year, however, it comes in the form of the PHP Security Advent Calendar with more of a "common security problems in PHP" approach than a list of vulnerabilities.

The end of the year is coming closer and the cheery advent time begins. We are looking back at a spectacular year and it is time to thank and give back to the great PHP, infosec, and RIPS community. Thank you for developing, auditing, and securing your PHP applications with us in 2017!

Similar to last year's advent of PHP application vulnerabilities where we released a new application vulnerability each day, we will release a new calendar gift from December 1st to 24th this year again. This time, we will focus on nifty PHP pitfalls and release a daily code challenge for you to solve. Can you spot the daily security bug?

As today is December 1st, the first item has been posted to the calendar covering the use of whitelists versus blacklists. Keep checking back daily for new updates to the calendar and the daily code challenges.
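
To show why that first topic matters, here is an added example (ours, not the calendar's own challenge code) of one template loader written twice: once stripping a known-bad pattern, once accepting only a known-good one. The template directory and the identifier rule are assumptions for the illustration.

```php
<?php
declare(strict_types=1);

// Added illustration (not the calendar's challenge code): the same template
// loader written blocklist-first and allowlist-first.

const TEMPLATE_DIR = __DIR__ . '/templates';

/** Blocklist: remove the one bad pattern you thought of. */
function templatePathBlocklist(string $name): string
{
    // str_replace makes a single left-to-right pass, so "....//" loses its
    // middle "../" and collapses to "../": the traversal survives. Backslash
    // separators on Windows are not considered at all.
    $clean = str_replace('../', '', $name);
    return TEMPLATE_DIR . '/' . $clean . '.php';
}

/**
 * Allowlist: state exactly what is acceptable and reject everything else.
 * Anything that is not a short lowercase identifier never reaches the
 * filesystem.
 */
function templatePathAllowlist(string $name): ?string
{
    if (preg_match('/\A[a-z0-9_]{1,32}\z/', $name) !== 1) {
        return null;
    }
    // Defence in depth: the resolved path must still live under TEMPLATE_DIR
    // even if the rule above is later relaxed.
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $name . '.php');
    if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function demo(): array
{
    $attack = '....//....//etc/passwd'; // constructed traversal payload
    return [
        'blocklist'    => templatePathBlocklist($attack),
        'allowlist'    => templatePathAllowlist($attack),
        'allowlist_ok' => templatePathAllowlist('home'),
    ];
}

var_dump(demo());
```

With the payload above the blocklist version hands back a path ending in ../../etc/passwd.php, while the allowlist version returns null before touching the disk; only a name such as home, and only if that template really exists under the directory, comes back as a usable path.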

tagged: ripstech security advent calendar common issues

Link: https://blog.ripstech.com/2017/php-security-advent-calendar/

WordPress Blog:
WordPress 4.8.2 Security and Maintenance Release
Sep 22, 2017 @ 12:51:20

The WordPress project has posted a new release that includes some security fixes and general maintenance changes.

WordPress 4.8.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.8.1 and earlier are affected by [several] security issues.

Issues include problems with prepared statements in SQL queries, XSS issues in several features, path traversal vulnerabilities as well as open redirect flaws. It's recommended that all WordPress users upgrade to this release to prevent exploitation of these vulnerabilities, either by downloading the latest release or by upgrading via the internal dashboard.

tagged: wordpress security maintenance release update

Link: https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/

Single Sign On - You’re Probably Doing It Wrong
Aug 15, 2017 @ 13:28:32

The php[architect] site has a new post today sharing an article from their August 2017 issue by author (and member of thePHP.cc) Arne Blankerts: "Single Sign On - You’re Probably Doing It Wrong".

Requiring users to log in individually to all the websites they need for their work is more than merely annoying: It wastes a lot of time and turns maintaining log-in credentials and permissions into a nightmare for the administrative staff. Let’s see if we can fix that with a single sign-on service.

The article talks about the basics of single sign on and what kind of benefits it brings to the table. It also covers the single point of failure it introduces and some of the problems that can cause. The article then discusses the choices involved in implementing it: Should it support authentication, authorization or both? Should OAuth be involved? What about SAML? Other alternatives are also offered, including JWTs, tokens/callbacks and client-side certificates. The article ends with the suggestion that a proxied approach, one that authenticates on the first request and whose session is then trusted by the other services, is one of the better ways to go (but isn't without its own issues either).

tagged: singlesignon article phparchitect magazine arneblankerts security

Link: https://www.phparch.com/2017/08/single-sign-on-youre-probably-doing-it-wrong/

August 2017 Issue Released - Who Goes There
Aug 09, 2017 @ 11:56:33

php[architect] magazine has released their latest issue with a focus on security, authentication and authorization for August 2017 - Who Goes There:

You’ve no doubt heard HTTP is stateless, meaning a web server doesn’t know anything from one request to the next for the same client. Beyond news and information sites, however, a web application typically will need to know who you are and what you can do with it to be useful. In this issue, we look at effectively handling authentication and authorization.

The issue also includes articles like:

Many of the usual columns are back this month including the Education Station, Security Corner and the Community corner. Head over to the php[architect] website for more information about this latest issue and to pick up a copy of your very own!

tagged: phparchitect magazine august2017 security whogoesthere issue release

Link: https://www.phparch.com/magazine/2017-2/august/