Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

WordPress Blog:
WordPress 4.8.2 Security and Maintenance Release
Sep 22, 2017 @ 12:51:20

The WordPress project has posted a new release that includes some security fixes and general maintenance changes.

WordPress 4.8.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.8.1 and earlier are affected by [several] security issues.

Issues include problems with prepared statements in SQL statements, XSS issues in several features, path traversal vulnerabilities as well as open redirect flaws. It's recommended that all WordPress users upgrade to this release to prevent exploit of these vulnerabilities either by downloading the latest release or by upgrading via the internal dashboard.

tagged: wordpress security maintenance release update

Link: https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/

php[architect]:
Single Sign On - You’re Probably Doing It Wrong
Aug 15, 2017 @ 13:28:32

The php[architect] site has a new post today sharing an article from their August 2017 issue by author (and member of thePHP.cc) Arne Blankerts: "Single Sign On - You’re Probably Doing It Wrong ".

Requiring users to log in individually to all the websites they need for their work is more than merely annoying: It wastes a lot of time and turns maintaining log-in credentials and permissions into a nightmare for the administrative staff. Let’s see if we can fix that with a single sign-on service.

The article talks about the basics of single sign on and what kind of benefits it brings to the table. They also talk about the single point of failure it introduces and some of the problems that can cause. The article then discusses the choices involved in implementing it: Should it support authentication, authorization or both? Should OAuth be involved? What about SAML? Other alternatives are also offered including JWTs, tokens/callbacks and client side certificates. The article ends with the suggestion that a proxied approach, one that authenticates on the first request but the session is then trusted by other services, is one of the better ways to go (but isn't without its own issues either).

tagged: singlesignon article phparchitect magazine arneblankerts security

Link: https://www.phparch.com/2017/08/single-sign-on-youre-probably-doing-it-wrong/

php[architect]:
August 2017 Issue Released - Who Goes There
Aug 09, 2017 @ 11:56:33

php[architect] magazine has released their latest issue with a focus on security, authentication and authorization for August 2017 - Who Goes There:

You’ve no doubt heard HTTP is stateless, meaning a web server doesn’t know anything from one request to the next for the same client. Beyond news and information sites, however, a web application typically will need to know who you are and what you can do with it to be useful. In this issue, we look at effectively handling authentication and authorization.

The issue also includes articles like:

Many of the usual columns are back this month including the Education Station, Security Corner and the Community corner. Head over to the php[architect] website for more information about this latest issue and to pick up a copy of your very own!

tagged: phparchitect magazine august2017 security whogoesthere issue release

Link: https://www.phparch.com/magazine/2017-2/august/

php[architect]:
June 2016 Issue Released - Secure By Design
Jun 02, 2017 @ 13:36:27

php[architect] magazine has announced the release of the latest issue for June 2017: Secure By Design:

In this issue, focused on security and secure development, articles include:

  • Analyzing for security in "Nuclear Powered Software Security" by Chris Riley.
  • Mark Niebergall surveys the "Cybersecurity State of the Union".
  • "Make your site anonymous via Tor in The Digital Speakeasy: Secure and Anonymous Access to Your Website" by Dustin Younse.
  • "High performance data exchanges using Googles Protocol Buffers" by Christopher Mancini.

There's also the usual set of columns returning this month covering topics like image manipulation, burnout and spurring community involvement. If you're interested in the magazine but want a "try before you buy", check out the free article for this month (the "State of the Union"). If you enjoy the article or just want to pick up a copy of the issue to call your own, you can order a print or digital copy directly from the php[architect] site.

tagged: phparchitect magazine june2016 security securebydesign issue release

Link: https://www.phparch.com/magazine/2017-2/june/

SitePoint PHP Blog:
How to Search on Securely Encrypted Database Fields
Jun 02, 2017 @ 12:53:59

On the SitePoint PHP blog today they've reposted an article that was originally posted on the ParagonIE blog about searching encrypted information in database fields from author Scott Arciszewski.

This question shows up from time to time in open source encryption libraries’ bug trackers. This was one of the “weird problems” covered in my talk at B-Sides Orlando (titled Building Defensible Solutions to Weird Problems), and we’ve previously dedicated a small section to it in one of our white papers.

You know how to search database fields, but the question is, How do we securely encrypt database fields but still use these fields in search queries?

Our secure solution is rather straightforward, but the path between most teams asking that question and discovering our straightforward solution is fraught with peril: bad designs, academic research projects, misleading marketing, and poor threat modeling.

They start off with some of the examples of bad ways to perform the searching of encrypted information, mostly around either using poor encryption levels or custom created encryption solutions. With those out of the way, the tutorial moves on to their recommended method: using an authenticated encryption scheme (libsodium) and blind indexing. The key to the method is to use a secondary column for the actual searching process, encrypting the value provided and running the search against that, not the encrypted value itself. The article then covers two questions that need to be asked before putting this method to use. The article ends with a method to enhance the previous searching to allow for "fuzzier" searching through the generation of some additional index values in a joined table.

tagged: search security encryption database field tutorial libsodium

Link: https://www.sitepoint.com/how-to-search-on-securely-encrypted-database-fields/

Laravel News:
Packagist and the PHP ecosystem
Jun 01, 2017 @ 12:48:48

On the Laravel News site there's a new post that continues their series about building applications with Composer. In this latest post they talk about the "other half" of the Composer ecosystem - Packagist.

In our last blog post, we saw the basics of Composer but skipped over where it actually finds its packages, and how to publish packages of your own. In this blog post, we will be looking at exactly this, plus some security considerations when using composer in your application.

Packagist is the primary package repository for Composer. This is where you can publish your packages, and also where you can view other people’s packages. Composer will use Packagist to look for packages by default, however, more advanced users can customize this if they wish.

With the basic description out of the way, they then get into how to add your package to Packagist for others to use. The post also talks about package licensing, development versions, branch aliases, security considerations and how to keep on top of new versions of the packages you have installed.

tagged: packagist composer license development alias branch security

Link: https://laravel-news.com/packagist-and-the-php-ecosystem

Building Your Startup:
Securing an API
May 22, 2017 @ 13:16:19

The TutsPlus.com site has continued their "Building Your Startup" tutorial series with a new post about APIs and security. In this series, they've been using the Yii2 framework to create a calendaring "startup" site. Now they're to the point of adding a "RESTful" API to the system and want to be sure it's secure.

Recently, I introduced you to Yii's simple REST API generation and Meeting Planner's new "RESTful" service API. At that time, I mentioned that these APIs were only loosely secured. Sure, there was a shared secret between the client and the server, but there were a couple of problems.

First, the secret key and user tokens were repeatedly transmitted in query parameters of SSL calls. And there was no other authenticity check for the data, allowing a middle-person attack. In today's episode, I'll guide you through how I secured the API against these weaknesses for a more robust API.

They start off looking at the API security that was previously put in place using an "app ID" and "app secret" values to identify the user. To improve on this, the system is updated to use the "app secret" value to sign the outgoing data via a HMAC hash that is sent along with the request.

tagged: api security tutorial yii2 build startup series hmac rest

Link: https://code.tutsplus.com/tutorials/building-your-startup-securing-an-api--cms-27867

SenseDeep Security:
Web Developer Security Checklist
May 17, 2017 @ 10:22:34

On the SenseDeep Security site Michael O'Brien has posted a web developer security checklist you can use as a starting place towards securing your application (and developing secure applications from the start).

Developing secure, robust web applications in the cloud is hard, very hard. If you think it is easy, you are either a higher form of life or you have a painful awakening ahead of you.

[...] After you review the checklist below, acknowledge that you are skipping many of these critical security issues. At the very minimum, be honest with your potential users and let them know that you don’t have a complete product yet and are offering a prototype without full security. This checklist is simple, and by no means complete. It is a list of some of the more important issues you should consider when creating a web application.

He breaks it down into different sections with items to check off for each:

  • Database integration and data storage
  • Development environments and security scanning
  • Authentication
  • Denial of Service protection
  • Securing the Web Traffic
  • APIs
  • Validation (input and whitelisting)
  • Cloud service and Infrastructure configurations
  • General Operations and Testing

He ends with two points that are easy to forget when developing any application: determining what you're protecting against (threat modeling) and having a practiced security plan in place. Remember, checklists are a good place to start but by checking off each item it doesn't mean you're 100% secure.

tagged: developer security checklist issues suggestion

Link: https://simplesecurity.sensedeep.com/web-developer-security-checklist-f2e4f43c9c56

BugSnag:
Packagist and the PHP ecosystem
May 11, 2017 @ 10:49:17

The BugSnag blog has posted a tutorial from a guest author, Graham Campbell, introducing you to Packagist and the PHP ecosystem continuing on from the previous post introducing the Composer tool.

In our last blog post we saw the basics of Composer, but skipped over where it actually finds its packages, and how to publish packages of your own. In this blog post, we will be looking at exactly this, plus some security considerations when using composer in your application.

The post starts off by introducing Packagist and how you can distribute your package there. There's a section that covers Open Source licenses, a few of the different types and how to list licenses of your currently installed packages. Following this the post talks about using branches and aliases to pull in the code you need (not just the latest release). The tutorial wraps up with a look at some of the security concerns around using packages and how to keep on top of new versions with new bugfixes.

tagged: packagist ecosystem introduction package license security

Link: https://blog.bugsnag.com/packagist-and-the-php-ecosystem/

DotDev.co:
Exploitbox: WordPress Unauthorized Password Reset Vulnerability
May 05, 2017 @ 11:14:48

On the DotDev.co site Eric Barnes has written up a post talking about a recently announced vulnerability (and 0-day exploit) for WordPress allowing for password reset emails to be delivered to a user-specified address instead of the correct one on the account:

On the Exploitbox site Dawid Golunski shares a 0 day vulnerability in the WordPress core affecting all versions:

The vulnerability stems from WordPress using untrusted data by default when creating a password reset e-mail that is supposed to be delivered only to the e-mail associated with the owner’s account.

The post includes a snippet of code from the WordPress core where the issue lies, relying on the value from PHP's $_SERVER['SERVER_NAME'] variable for the domain in the address the reset email is sent to. Unfortunately this value is pulled from the Host header in the request and is user-controllable. There's a solution offered using an Apache setting and it's noted that this exploit only seems to work against the default VirtualHost as it will act as a fallback if the Host does not reference a configured domain.

tagged: exploit wordpress password reset vulnerability zeroday security

Link: https://dotdev.co/exploitbox-wordpress-unauthorized-password-reset-vulnerability/