
PHP.net:
PHP 5.6.24 & 5.5.38 Released
Jul 22, 2016 @ 11:55:39

The PHP development group has posted the official release announcements for the latest versions in the PHP 5.6.x and 5.5.x series: PHP 5.6.24 and PHP 5.5.38.

The PHP development team announces the immediate availability of PHP [5.6.24 and 5.6.38]. This is a security release. Several security bugs were fixed in this release. All PHP 5.6 users are encouraged to upgrade to this version.

They also have a quick note that this release for the PHP 5.5.x series is the last in the branch as laid out by the release schedule. Future updates on this branch will only be made if there are major security issues found. Otherwise developers are encouraged to upgrade to the latest versions (5.6.x at the least but really PHP 7.x would be better). You can get these latest releases either from the main downloads page (source) or from windows.php.net for the Windows binaries.

tagged: language release bugfix security php55 php56

Link: http://php.net/archive/2016.php#id2016-07-21-4

IBM Security Intelligence:
The Webshell Game Continues
Jul 20, 2016 @ 11:50:15

On the IBM Security Intelligence site there's a new article posted talking about webshells. For those not familiar with webshells, they're scripts that can be used to control servers or work as a platform to access other systems put in place by attackers. In this article they introduce some of the basics around webshells and the rise they're seeing in their use.

The IBM X-Force Research team reported an increase in PHP C99 webshell attacks in April 2016. More recently, webshells dubbed b374k made their mark with attacks that the team has been tracking over the past few months.

Although this blog highlights some features of the b374k shell, the main objective is to call your attention to the fact that PHP applications are becoming an increasingly popular choice for attackers aiming to glean your data and deface your website without much hard work. This threat should be pushed to the top of your priority list — primarily because of the power of the tool used for this type of attack, but also because of the startling increase in this attack type this year.

They start off with some of the basics of webshells, more related to the PHP versions: what they are, what kind of functionality they commonly provide and an example of the UI of a shell. They then talk about some of the common delivery methods, potential entry points of these attacks and some of the "indicators of compromise" you can use to detect them. They also include mitigations you can perform to rid yourself of these webshells including adding additional plugins/software and locking down features of PHP itself.

tagged: webshell game introduction example features attack security

Link: https://securityintelligence.com/the-webshell-game-continues/

Codevate.com:
Securing client-side public API access with OAuth 2 and Symfony
Jul 18, 2016 @ 12:30:26

On the Codevate.com blog there's a tutorial posted by Chris Lush showing you how to secure your client-side public API with OAuth 2 (based on the Symfony platform).

Say you’ll be developing a web application for a customer to create and manage restaurant bookings, exposing restaurant information (name, opening times, menu contents etc.) and booking creation as RESTful API endpoints, which are consumed by a secure admin backend. You’ll need to authorise access to the API, but there is no end-user involved since the web app is its own resource owner, so the previous flow doesn’t apply.

[...] However, you also need to develop a booking widget that will be embedded in a company or restaurant’s website for visitors to use. In this case, the client-side is no longer trusted enough to share the OAuth client secret that’s required to authenticate with your API. [...] We encountered a similar use-case for a client project recently, and this blog post details the steps taken to address it.

He then shows how to integrate the FOSOAuthServerBundle bundle into your current Symfony-based application and the updates you'll need to make to your security.yml file. He includes the code needed to create a "client" and associate it with a company already in the customer list. Next is the creation of access tokens and linking them to the restaurants in their system (a unique identifier to use externally for the restaurant rather than an ID). He shows an example of handling the token requests and the code/config changes needed to set it up. Finally he talks about scoping API requests down to certain functionality and gives an example cURL call to the API to show the results of it all combined.

tagged: clientside api access security oauth2 symfony tutorial bundle

Link: https://www.codevate.com/blog/12-securing-client-side-public-api-access-with-oauth-2-and-symfony

PHP.net:
PHP 7.0.8, 5.6.23 & 5.5.37 Released
Jun 24, 2016 @ 12:15:55

The PHP development group has released the latest updates to all currently supported versions of PHP, including several security fixes. These latest versions are:

The PHP development team announces the immediate availability of PHP [5.5.37, 5.6.23 and 7.0.8]. This is a security release, several security bugs were fixed. All PHP [...] users are encouraged to upgrade to this version.

As always, you can get the latest source release as linked to from the main downloads page and the Windows binaries from the windows.php.net site. The full list of files can be found in the version's related Changelog.

tagged: language release bugfix security php55 php56 php7

Link: http://php.net/archive/2016.php#id2016-06-23-3

PHP.net:
PHP 5.5.36 & 7.0.7 Released
May 26, 2016 @ 11:16:14

The PHP project has officially released the latest versions of the language in the PHP 5.5.x and PHP 7.0.x series: PHP 5.5.36 and PHP 7.0.7:

The PHP development team announces the immediate availability of PHP 5.5.36. This is a security release. Several security bugs were fixed in this release. All PHP 5.5 users are encouraged to upgrade to this version.

As always, you can download these latest releases from either the main downloads page (source) or from the windows.php.net site for the Windows binaries. For a full list of the changes, you can check out the Changelogs for each release.

tagged: language release bugfix security php55 php70

Link: http://php.net/archive/2016.php#id2016-05-26-2

Free the Geek Podcast:
Episode 17 - Talking Conferences and Security with Chris Cornutt
May 03, 2016 @ 09:45:26

The Free the Geek podcast, hosted by PHP community member Matthew Setter, has posted their latest episode - an interview with Chris Cornutt about conferences and security topics.

In this episode I chat with Chris Cornutt, founder of PHPDeveloper.org, websec.io, and Lone Star PHP about conferences and all things security.

It’s a rousing chat about the state of security within the PHP and wider development community. He also gives me an inside look at what it’s like to run the long-running Lone Star PHP conference in Texas. Grab your favourite beverage and your comfy chair, and get ready for a rousing fireside chat with Chris and me.

You can listen to this latest episode either through the in-page audio player or by downloading the mp3 of the show for listening at your leisure. If you enjoy the episode be sure to subscribe to their feed and follow them on Twitter for updates when the latest episodes are released.

tagged: freethegeek ep17 chriscornutt episode conference security

Link: http://freethegeek.fm/episode/episode-0017

PHP.net:
PHP 5.5.35, 5.6.21 and 7.0.6 Released
Apr 29, 2016 @ 08:29:36

On the main PHP.net site they've announced the latest releases of all currently supported versions of the language: PHP 5.5.35, 5.6.21 and 7.0.6. These are bugfix releases that include, among several other changes, security-related corrections.

The PHP development team announces the immediate availability of PHP [5.5.35, 5.6.21 and 7.0.6]. This is a security release. Several security bugs were fixed in this release.

The PHP 7 release fixes two newly identified vulnerabilities: CVE-2016-3078 (Zip handling) and CVE-2016-3074 (GD functionality). As these are security releases it is highly recommended that you upgrade your current installations as soon as possible. You can get these latest versions from the main PHP.net downloads page or from windows.php.net for the Windows binaries.

tagged: language release bugfix security php55 php56 php7

Link: http://php.net

Jelle Raaijmakers:
Dissecting a spammer’s spam script
Apr 19, 2016 @ 13:48:37

In this post to his site Jelle Raaijmakers dives into a script that's commonly injected into vulnerable sites and used by spammers to send messages without the knowledge of the site owner.

Let’s take a look at a PHP script used to send spam. These types of scripts run on servers all over the world and might give you some insight into a spammer’s dedication to annoy the hell out of you. Spammers abuse known flaws in unsecured websites and applications to break into a server and install scripts that are able to send loads of spam.

[...] Everyone running a mildly popular WordPress site knows that exploits can be really easily introduced by installing plugins from a less than reputable source – or by not keeping your plugins up to date. Sometimes, a zero-day exploit for a popular WordPress plugin becomes known and thousands of installations worldwide are infected at once.

He then goes through a script he found in an infected WordPress instance of his own on a shared hosting provider. He talks about what these kinds of scripts usually look like (an encoded eval injected into current scripts) and the process he followed to dissect it:

  • Step 1: determine method of obfuscation
  • Step 2: introduce newlines
  • Step 3: replace the $j10 values
  • Step 4: concatenate constant strings
  • Step 5: replace function invocations
  • Step 6: prettify the PHP code
  • Step 7: remove default $j10 argument
  • Step 8: decode the $pate payload
  • Step 9: replace $_POST references
  • Step 10: map function and variable names

It's not a super simple process, but in the end he's left with the complete PHP script that loads a remotely defined configuration, tries to send the emails and even retries if there's a failure. He includes a few noteworthy things about the script including SMTP connection auto-detection and DNS lookups over UDP.
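As an added illustration of steps 1 and 4 of that process (this is not Jelle's code and not the script he dissected), the following PHP tool statically peels "encoded eval" layers and folds constant string concatenations without ever executing the recovered source. It assumes the wrapper has the shape eval(decoder(decoder('literal'))) with decoders drawn from a fixed allowlist (the article does not say which encoding its sample used, so base64 and zlib are this example's assumption), PHP 7.1+ and the zlib extension; the two-layer sample payload it analyses is constructed here and wraps nothing but a benign echo.

```php
<?php
declare(strict_types=1);

// Decoding functions this tool is willing to apply itself. Anything else in the
// chain aborts the analysis rather than being guessed at or executed.
const SAFE_DECODERS = ['base64_decode', 'gzinflate', 'gzuncompress', 'str_rot13', 'strrev'];

/**
 * Step 1 (determine the obfuscation) for one layer: recognise the shape
 *     eval(fn1(fn2(...('literal')...)));
 * and return the decoded source, or null when the text is not of that shape.
 * The recovered source is returned as a string and is never passed to eval().
 */
function unwrapLayer(string $src): ?string
{
    $re = '/eval\s*\(\s*((?:[a-z0-9_]+\s*\(\s*)+)([\'"])([^\'"]*)\2\s*(?:\)\s*)+;?/i';
    if (!preg_match($re, $src, $m)) {
        return null;
    }
    preg_match_all('/[a-z0-9_]+/i', $m[1], $fns);
    $data = $m[3];
    // The function written closest to the literal runs first, so walk the chain inside-out.
    foreach (array_reverse($fns[0]) as $fn) {
        $fn = strtolower($fn);
        if (!in_array($fn, SAFE_DECODERS, true)) {
            throw new RuntimeException("refusing to apply non-allowlisted function: $fn()");
        }
        $decoded = $fn($data);
        if (!is_string($decoded)) {
            throw new RuntimeException("$fn() could not decode the literal");
        }
        $data = $decoded;
    }
    return $data;
}

/** Peel nested layers, returning every intermediate source (outermost first). */
function unwrapAll(string $src, int $maxLayers = 16): array
{
    $layers = [];
    while (count($layers) < $maxLayers && ($next = unwrapLayer($src)) !== null) {
        $layers[] = $src = $next;
    }
    return $layers;
}

/**
 * Step 4 (concatenate constant strings): fold chains such as 'ma' . 'il' into 'mail'.
 * Only plain single-quoted literals without escape sequences are folded.
 */
function concatConstantStrings(string $src): string
{
    $chain = "/'([^'\\\\]*)'(?:\\s*\\.\\s*'[^'\\\\]*')+/";
    return preg_replace_callback($chain, function (array $m): string {
        preg_match_all("/'([^'\\\\]*)'/", $m[0], $parts);
        return "'" . implode('', $parts[1]) . "'";
    }, $src);
}

/** Constructed sample for this example: two encoded-eval layers around a harmless echo. */
function sampleInjectedCode(): string
{
    $innermost = "\$fn = 'ma' . 'il'; echo \$fn;";
    $layer1    = "eval(base64_decode('" . base64_encode($innermost) . "'));";
    return "<?php eval(gzinflate(base64_decode('" . base64_encode(gzdeflate($layer1)) . "')));";
}

/** Unwrap every layer, then tidy the innermost source; nothing is executed along the way. */
function analyse(string $src): array
{
    $layers = unwrapAll($src);
    $final  = $layers === [] ? $src : end($layers);
    return ['layers' => count($layers), 'source' => concatConstantStrings($final)];
}

$result = analyse(sampleInjectedCode());
printf("%d layer(s) removed\n%s\n", $result['layers'], $result['source']);
```

Running the file against the constructed sample strips both layers and prints the innermost statement with its string chain folded. The allowlist is the important design choice: a real injected script may call a custom decoder the analyst has not inspected, and the tool then stops with an exception instead of running unknown code, which is what keeps the analysis static.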

tagged: spammer script dissection reverse engineer email spam security

Link: https://jelleraaijmakers.nl/2016/04/dissecting-spammers-spam-script

Paragon Initiative:
Securely Implementing (De)Serialization in PHP
Apr 18, 2016 @ 11:58:22

The Paragon Initiative site has a new tutorial posted aiming to help you use PHP's serialize and unserialize handling more securely and prevent security issues. In this tutorial they offer some advice - mainly don't unserialize unless you're on PHP 7 - and some other solutions you could use.

A frequent problem that developers encounter when building web applications in PHP is, "How should I represent this data structure as a string?" Two common examples include:
  • Caching a complex data structure (to reduce database load)
  • Communicating API requests and responses between HTTP-aware applications
This seems like the sort of problem that you could expect would have pre-existing, straightforward solutions built into every major programming language that aren't accompanied by significant security risk. Sadly, this isn't the case.

He starts with a look at the serialization handling and how it could allow remote code execution if an attacker were to modify the serialized data. He also includes an example of using the new "allowed classes" parameter in PHP 7 to prevent the issue. He then walks through two other ways you could replace serialized data: JSON structures and XML handling. Each of these has its own issues too, but they're very different from the code execution possible with serialization.
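As an added example (not the Paragon Initiative article's own code), the following PHP contrasts a plain unserialize() of a tampered cache entry with the PHP 7 allowed_classes option and with JSON as the class-free alternative. The Price and Logger classes, the serialized blobs and the "evil.log" value are constructed for this example; Logger stands in for any autoloadable class with a magic method, and its __wakeup() only counts how often it ran. Nullable return types assume PHP 7.1+.

```php
<?php
declare(strict_types=1);

// A harmless value object that the cache legitimately stores (this example's own class).
final class Price
{
    public $cents;
    public function __construct(int $cents) { $this->cents = $cents; }
}

// Stand-in for any class on the autoload path that has a magic method. unserialize()
// of attacker-controlled data instantiates it and PHP calls __wakeup() no matter
// what type the caller expected; here the method only counts its invocations.
final class Logger
{
    public static $wokenUp = 0;
    public $file = 'app.log';
    public function __wakeup() { self::$wokenUp++; }
}

/** Vulnerable: trusts the blob to describe a Price and nothing else. */
function unsafeLoad(string $blob)
{
    return unserialize($blob);
}

/**
 * PHP 7.0+: any class not listed in allowed_classes is materialised as
 * __PHP_Incomplete_Class, so none of its magic methods ever run.
 */
function safeLoad(string $blob): ?Price
{
    $obj = unserialize($blob, ['allowed_classes' => [Price::class]]);
    return $obj instanceof Price ? $obj : null;
}

/** Class-free alternative: JSON carries data only, so we rebuild the object after validating it. */
function jsonLoad(string $json): ?Price
{
    $data = json_decode($json, true, 4);
    if (json_last_error() !== JSON_ERROR_NONE || !is_array($data)
        || !isset($data['cents']) || !is_int($data['cents']) || $data['cents'] < 0) {
        return null;
    }
    return new Price($data['cents']);
}

/** Runs the three loaders over a trusted blob and a constructed tampered one. */
function compare(): array
{
    $trusted  = serialize(new Price(1999));
    // Constructed tampered cache entry: same storage slot, but the class name was swapped.
    $tampered = 'O:6:"Logger":1:{s:4:"file";s:8:"evil.log";}';

    $viaUnsafe       = unsafeLoad($tampered);   // a live Logger object; __wakeup() has run
    $wokeAfterUnsafe = Logger::$wokenUp;
    $viaSafe         = safeLoad($tampered);     // null: Logger is not on the allowlist

    return [
        'unsafe_gives'   => get_class($viaUnsafe),
        'unsafe_woke'    => $wokeAfterUnsafe,
        'safe_gives'     => $viaSafe === null ? 'null' : get_class($viaSafe),
        'safe_woke_more' => Logger::$wokenUp > $wokeAfterUnsafe,
        'safe_trusted'   => safeLoad($trusted)->cents,
        'json_trusted'   => jsonLoad('{"cents":1999}')->cents,
        'json_tampered'  => jsonLoad('{"cents":"1999","__class":"Logger"}'),
    ];
}

var_dump(compare());
```

The point of the comparison is visible in the two counters: the unsafe loader lets the tampered blob pick the class and PHP runs Logger::__wakeup() before the caller can check anything, while safeLoad() returns null and leaves the counter untouched because the disallowed class never became a real object. The JSON loader rejects the tampered document on shape alone, since a string "1999" and a stray "__class" key simply fail validation.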

tagged: serialize unserialize security json xml tutorial example vulnerability

Link: https://paragonie.com/blog/2016/04/securely-implementing-de-serialization-in-php

PHP.net:
PHP 5.6.20 & 5.5.34 Released
Apr 01, 2016 @ 09:22:01

The main PHP.net site has officially announced the release of the latest versions in the PHP 5.5.x and 5.6.x series: PHP 5.6.20 and PHP 5.5.34.

The PHP development team announces the immediate availability of PHP [5.6.20 and 5.5.34]. This is a security release. Several security bugs were fixed in this release. All PHP [5.6 and 5.5] users are encouraged to upgrade to this version.

These releases fix issues in several parts of the language including Curl handling, Fileinfo, Mbstring and ODBC. You can get these latest versions from the main downloads page or windows.php.net for the Windows binaries.

tagged: language release php56 php55 bugfix security update download

Link: http://php.net/archive/2016.php#id2016-03-31-4