
RIPS Technologies:
PHP Security Advent Calendar 2017 Wrap-Up
Jan 05, 2018 @ 11:52:08

On their blog, RIPS Technologies have shared a wrap-up of their security advent calendar shared at the end of last year. The calendar provided a daily challenge related to a PHP security issue that may or may not be commonly known.

In this year's PHP Security Advent Calendar we published 24 challenges for the PHP community where security issues were hidden in code snippets for fun and training. The challenges are based on real-world security vulnerabilities that we found with the help of RIPS over the last year in popular PHP applications. In this blog post we are going to discuss the main take-aways from our advent calendar regarding PHP security.

The calendar covered several different types of challenges but they fell into a few overall categories: issues with user input, weak typing, odd behavior of built-in features and the overall diversity of possible bugs.

The root causes of the security issues presented in our challenges are not new. But the diversity and combination of these pitfalls are seemingly endless and trick even skilled developers. What looks secure at first sight quickly turns into an exploitable security bug. [...] We would like to thank everyone who participated, discussed, and provided great feedback and we hope our challenges helped in sharpening your security skills in a fun way!
tagged: security advent calendar wrapup 2017 ripstech

Link: https://blog.ripstech.com/2018/php-security-advent-calendar-wrap-up/

PHP.net:
Multiple Versions Released - 5.6.33, 7.1.13, 7.2.1 and 7.0.27
Jan 05, 2018 @ 10:16:17

On the main PHP.net site (http://php.net/) today they've announced new releases of all currently supported versions of the language:

All of these releases contain similar bugfixes correcting security issues reported in the language including problems in the CLI server, Phar handling, Zip functionality and the Opcache feature. It is suggested to update to these latest versions as soon as possible to prevent issues with these bugs.

As always you can download the source versions of these latest releases from the main downloads page or the Windows binaries from windows.php.net. If you're interested in the changes made, check out the Changelogs for PHP 7 and PHP 5.6.

tagged: version release language php56 php71 php72 security bugfix

Link: http://php.net/downloads

RIPSTech:
PHP Security Advent Calendar 2017 Announcement
Dec 01, 2017 @ 12:10:38

The RIPSTech group has a post on their site announcing the return of their security-related advent calendar. This year, however, it comes in the form of the PHP Security Advent Calendar, with more of a "common security problems in PHP" approach than a list of vulnerabilities.

The end of the year is coming closer and the cheery advent time begins. We are looking back at a spectacular year and it is time to thank and give back to the great PHP, infosec, and RIPS community. Thank you for developing, auditing, and securing your PHP applications with us in 2017!

Similar to last year's advent of PHP application vulnerabilities, where we released a new application vulnerability each day, we will release a new calendar gift from December 1st to 24th this year again. This time, we will focus on nifty PHP pitfalls and release a daily code challenge for you to solve. Can you spot the daily security bug?

As today is December 1st, the first item has been posted to the calendar covering the use of whitelists versus blacklists. Keep checking back daily for new updates to the calendar and the daily code challenges.

tagged: ripstech security advent calendar common issues

Link: https://blog.ripstech.com/2017/php-security-advent-calendar/

WordPress Blog:
WordPress 4.8.2 Security and Maintenance Release
Sep 22, 2017 @ 12:51:20

The WordPress project has posted a new release that includes some security fixes and general maintenance changes.

WordPress 4.8.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.8.1 and earlier are affected by [several] security issues.

Issues include problems with prepared statements in SQL queries, XSS issues in several features, path traversal vulnerabilities and open redirect flaws. It's recommended that all WordPress users upgrade to this release to prevent exploitation of these vulnerabilities, either by downloading the latest release or by upgrading via the internal dashboard.

tagged: wordpress security maintenance release update

Link: https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/

php[architect]:
Single Sign On - You’re Probably Doing It Wrong
Aug 15, 2017 @ 13:28:32

The php[architect] site has a new post today sharing an article from their August 2017 issue by author (and member of thePHP.cc) Arne Blankerts: "Single Sign On - You’re Probably Doing It Wrong".

Requiring users to log in individually to all the websites they need for their work is more than merely annoying: It wastes a lot of time and turns maintaining log-in credentials and permissions into a nightmare for the administrative staff. Let’s see if we can fix that with a single sign-on service.

The article talks about the basics of single sign-on and what kind of benefits it brings to the table. It also talks about the single point of failure it introduces and some of the problems that can cause. The article then discusses the choices involved in implementing it: Should it support authentication, authorization or both? Should OAuth be involved? What about SAML? Other alternatives are also offered, including JWTs, tokens/callbacks and client-side certificates. The article ends with the suggestion that a proxied approach, one that authenticates on the first request after which the session is trusted by the other services, is one of the better ways to go (but isn't without its own issues either).

tagged: singlesignon article phparchitect magazine arneblankerts security

Link: https://www.phparch.com/2017/08/single-sign-on-youre-probably-doing-it-wrong/

php[architect]:
August 2017 Issue Released - Who Goes There
Aug 09, 2017 @ 11:56:33

php[architect] magazine has released their latest issue with a focus on security, authentication and authorization for August 2017 - Who Goes There:

You’ve no doubt heard HTTP is stateless, meaning a web server doesn’t know anything from one request to the next for the same client. Beyond news and information sites, however, a web application typically will need to know who you are and what you can do with it to be useful. In this issue, we look at effectively handling authentication and authorization.

The issue also includes articles like:

Many of the usual columns are back this month including the Education Station, Security Corner and the Community corner. Head over to the php[architect] website for more information about this latest issue and to pick up a copy of your very own!

tagged: phparchitect magazine august2017 security whogoesthere issue release

Link: https://www.phparch.com/magazine/2017-2/august/

php[architect]:
June 2016 Issue Released - Secure By Design
Jun 02, 2017 @ 13:36:27

php[architect] magazine has announced the release of the latest issue for June 2017: Secure By Design:

In this issue, focused on security and secure development, articles include:

  • Analyzing for security in "Nuclear Powered Software Security" by Chris Riley.
  • Mark Niebergall surveys the "Cybersecurity State of the Union".
  • "Make your site anonymous via Tor in The Digital Speakeasy: Secure and Anonymous Access to Your Website" by Dustin Younse.
  • "High performance data exchanges using Google's Protocol Buffers" by Christopher Mancini.

There's also the usual set of columns returning this month covering topics like image manipulation, burnout and spurring community involvement. If you're interested in the magazine but want a "try before you buy", check out the free article for this month (the "State of the Union"). If you enjoy the article or just want to pick up a copy of the issue to call your own, you can order a print or digital copy directly from the php[architect] site.

tagged: phparchitect magazine june2016 security securebydesign issue release

Link: https://www.phparch.com/magazine/2017-2/june/

SitePoint PHP Blog:
How to Search on Securely Encrypted Database Fields
Jun 02, 2017 @ 12:53:59

On the SitePoint PHP blog today they've reposted an article that was originally posted on the ParagonIE blog about searching encrypted information in database fields from author Scott Arciszewski.

This question shows up from time to time in open source encryption libraries’ bug trackers. This was one of the “weird problems” covered in my talk at B-Sides Orlando (titled Building Defensible Solutions to Weird Problems), and we’ve previously dedicated a small section to it in one of our white papers.

You know how to search database fields, but the question is, How do we securely encrypt database fields but still use these fields in search queries?

Our secure solution is rather straightforward, but the path between most teams asking that question and discovering our straightforward solution is fraught with peril: bad designs, academic research projects, misleading marketing, and poor threat modeling.

They start off with some examples of bad ways to search encrypted information, mostly around either using weak encryption or custom-built encryption schemes. With those out of the way, the tutorial moves on to their recommended method: an authenticated encryption scheme (libsodium) plus blind indexing. The key to the method is a secondary column holding a blind index of the plaintext: the value being searched for is run through the same keyed transformation and the query matches against that column, not against the ciphertext itself. The article then covers two questions that need to be asked before putting this method to use, and ends with a way to extend the search to allow "fuzzier" matching by generating some additional index values in a joined table.
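The blind-index lookup described above, as an added PHP example that is not code from the SitePoint/ParagonIE article; the two keys, the in-memory rows standing in for a table and the email values are all constructed for the demo:

```php
<?php
declare(strict_types=1);

// Two independent keys: one for encrypting the field, one for the blind index.
// Constructed here for the demo; in practice load them from a secrets store.
$encKey   = sodium_crypto_secretbox_keygen();
$indexKey = sodium_crypto_generichash_keygen();

// Authenticated encryption with a fresh random nonce; the nonce is prepended
// to the ciphertext so each stored value is self-describing.
function encryptField(string $plaintext, string $encKey): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return $nonce . sodium_crypto_secretbox($plaintext, $nonce, $encKey);
}

function decryptField(string $stored, string $encKey): string
{
    $nonce = substr($stored, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($stored, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $encKey);
    if ($plain === false) {
        throw new RuntimeException('ciphertext failed authentication');
    }
    return $plain;
}

// Blind index: keyed BLAKE2b over the normalised plaintext, truncated to 16 bytes.
// Same input and same key give the same index, so an equality search works
// without ever decrypting the column; the index key never leaves the app.
function blindIndex(string $plaintext, string $indexKey): string
{
    $normalised = strtolower(trim($plaintext));
    return sodium_bin2hex(sodium_crypto_generichash($normalised, $indexKey, 16));
}

// Constructed in-memory stand-in for a table with columns (email_enc, email_idx).
$rows = [];
foreach (['Alice@Example.com', 'bob@example.com'] as $email) {
    $rows[] = [
        'email_enc' => encryptField($email, $encKey),
        'email_idx' => blindIndex($email, $indexKey),
    ];
}

// Search: derive the index of the query value and match on the index column only.
$needle = blindIndex('alice@example.com', $indexKey);
$hits   = array_filter($rows, fn(array $r) => hash_equals($r['email_idx'], $needle));

foreach ($hits as $row) {
    echo decryptField($row['email_enc'], $encKey), PHP_EOL; // original casing comes back from the ciphertext
}
```

Because every row is encrypted with a random nonce, two identical emails have different ciphertexts yet identical blind indexes, which is exactly what makes the index column searchable while the ciphertext column is not.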

tagged: search security encryption database field tutorial libsodium

Link: https://www.sitepoint.com/how-to-search-on-securely-encrypted-database-fields/

Laravel News:
Packagist and the PHP ecosystem
Jun 01, 2017 @ 12:48:48

On the Laravel News site there's a new post that continues their series about building applications with Composer. In this latest post they talk about the "other half" of the Composer ecosystem - Packagist.

In our last blog post, we saw the basics of Composer but skipped over where it actually finds its packages, and how to publish packages of your own. In this blog post, we will be looking at exactly this, plus some security considerations when using composer in your application.

Packagist is the primary package repository for Composer. This is where you can publish your packages, and also where you can view other people’s packages. Composer will use Packagist to look for packages by default, however, more advanced users can customize this if they wish.

With the basic description out of the way, they then get into how to add your package to Packagist for others to use. The post also talks about package licensing, development versions, branch aliases, security considerations and how to keep on top of new versions of the packages you have installed.

tagged: packagist composer license development alias branch security

Link: https://laravel-news.com/packagist-and-the-php-ecosystem

Building Your Startup:
Securing an API
May 22, 2017 @ 13:16:19

The TutsPlus.com site has continued their "Building Your Startup" tutorial series with a new post about APIs and security. In this series, they've been using the Yii2 framework to create a calendaring "startup" site. Now they're to the point of adding a "RESTful" API to the system and want to be sure it's secure.

Recently, I introduced you to Yii's simple REST API generation and Meeting Planner's new "RESTful" service API. At that time, I mentioned that these APIs were only loosely secured. Sure, there was a shared secret between the client and the server, but there were a couple of problems.

First, the secret key and user tokens were repeatedly transmitted in query parameters of SSL calls. And there was no other authenticity check for the data, allowing a middle-person attack. In today's episode, I'll guide you through how I secured the API against these weaknesses for a more robust API.

They start off looking at the API security that was previously put in place, which used "app ID" and "app secret" values to identify the user. To improve on this, the system is updated to use the "app secret" value to sign the outgoing data with an HMAC that is sent along with the request.
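A request-signing scheme of the kind described, as an added PHP example rather than the Meeting Planner code; the app id, secret, header names, canonical-string layout and the sample request are assumptions constructed for the demo:

```php
<?php
declare(strict_types=1);

// Constructed demo credentials; a real server looks the secret up by app id.
const APP_ID     = 'demo-app';
const APP_SECRET = 'constructed-demo-secret-do-not-reuse';

// The canonical string covers everything the server must trust, in a fixed order,
// so changing the method, path, query, body or timestamp invalidates the signature.
function canonicalString(string $method, string $path, array $query, string $body, int $ts): string
{
    ksort($query);
    return implode("\n", [strtoupper($method), $path, http_build_query($query), (string)$ts, hash('sha256', $body)]);
}

// Client side: only the app id, a timestamp and the HMAC travel with the request;
// the secret itself is never placed in a query parameter or header.
function signRequest(string $method, string $path, array $query, string $body, string $secret, int $ts): array
{
    $mac = hash_hmac('sha256', canonicalString($method, $path, $query, $body, $ts), $secret);
    return ['X-App-Id' => APP_ID, 'X-Timestamp' => (string)$ts, 'X-Signature' => $mac];
}

// Server side: recompute the HMAC over what was actually received and compare in
// constant time; the timestamp window bounds how long a captured request stays replayable.
function verifyRequest(string $method, string $path, array $query, string $body, array $headers, string $secret, int $now, int $maxSkew = 300): bool
{
    $ts = (int)($headers['X-Timestamp'] ?? 0);
    if (abs($now - $ts) > $maxSkew) {
        return false;
    }
    $expected = hash_hmac('sha256', canonicalString($method, $path, $query, $body, $ts), $secret);
    return hash_equals($expected, (string)($headers['X-Signature'] ?? ''));
}

// Constructed sample request: sign it, verify it, then verify a tampered copy.
$now     = time();
$query   = ['meeting_id' => '42'];
$body    = '{"title":"Sync"}';
$headers = signRequest('POST', '/api/meetings', $query, $body, APP_SECRET, $now);

var_dump(verifyRequest('POST', '/api/meetings', $query, $body, $headers, APP_SECRET, $now));

$tampered = $query;
$tampered['meeting_id'] = '43'; // altered in transit: no longer matches the signed canonical string
var_dump(verifyRequest('POST', '/api/meetings', $tampered, $body, $headers, APP_SECRET, $now));
```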

tagged: api security tutorial yii2 build startup series hmac rest

Link: https://code.tutsplus.com/tutorials/building-your-startup-securing-an-api--cms-27867