Evert Pot:
Composer's bug now fixed
February 24, 2014 @ 12:38:06

Evert Pot has posted an update to his previous post about the Composer vulnerability that could install the wrong package when two packages conflicted. In this latest post he points out that the bug is now fixed.

As an update to my previous post, the composer security problem now appears fixed. Good to see that a quick response was possible after all.

The original issue was caused by the "replace" functionality, allowing the possibility for an incorrect package to be installed instead of the one requested. Other posts with more details include this one from Pádraic Brady and Nils Adermann. If you're a Composer user, it's highly suggested you update your currently installed version (run a "composer self-update").


Link: http://evertpot.com/composer-bug-fixed

PHP.net:
PHP 5.3.27 Released - PHP 5.3 Reaching End of Life
July 12, 2013 @ 09:17:15

The PHP development group has officially released the latest bugfix release in the PHP 5.3.x series - PHP 5.3.27:

The PHP development team announces the immediate availability of PHP 5.3.27. About 10 bugs were fixed, including a security fix in the XML parser (Bug #65236). Please Note: This will be the last regular release of the PHP 5.3 series. All users of PHP are encouraged to upgrade to PHP 5.4 or PHP 5.5. The PHP 5.3 series will receive only security fixes for the next year.

You can get this latest release from the downloads page (or here for Windows users). As the update fixes a security issue, it's recommended that you upgrade (see this bug).


Link: http://php.net/index.php#id2013-07-11-1

PHPClasses.org:
10 Steps to properly do PHP Bug Tracking and Fixing as Fast as possible
May 30, 2013 @ 11:49:27

On the PHPClasses.org blog today Manuel Lemos has shared some advice on tracking and fixing bugs and some strategies to help prevent them in the future.

No matter how hard you try to test your PHP applications before putting them in production, you will always ship code to your server that has bugs. Some of those bugs will be very serious and need to be fixed before they cause greater damage to your application data that may be too hard to recover. Read this article to learn about several good practices that you can apply to track bugs in production code, so you can fix them before it is too late.

Suggestions included in his list are things like:

  • Test as Much as Possible Before in your Development Environment
  • Separate your Code from Environment Configuration files
  • Track PHP Errors with Assertion Condition Tests
  • Send PHP Errors to an Error Log File
  • Monitor the PHP Error Log File to Quickly Fix Serious Bugs
  • Fix Your Bugs but Never Edit Code on the Production Server

He also includes a brief look at some things to think about when considering "defensive coding practices" and links to other articles with more information.


Link: http://www.phpclasses.org/blog/package/1351/post/1-10-Steps-to-properly-do-PHP-Bug-Tracking-and-Fixing-as-Fast-as-possible.html

Greg Freeman:
Steps to Take When you Know your PHP Site has been Hacked
March 07, 2013 @ 09:53:02

Greg Freeman has posted the second part of his "hacked PHP application" series (part one is here). In this new post he looks at the aftermath: what to do and what to check when cleaning up and fixing the site so it doesn't happen again.

This is a follow-up post from my previous post "How to Tell if Your PHP Site has been Hacked or Compromised". This post will discuss some of the first steps you should take when you have identified that your site has been compromised. The first sections discuss a few points that are not relevant to everyone; the later sections will discuss how to fix the exploits.

He includes a list of things to think about including:

  • What kind of hosting you use (and if that contributed)
  • The option to redirect all requests for your site to one page
  • Get a list of all PHP files to locate something malicious
  • Locating "non-PHP PHP files"
  • Finding files with possible malicious content

He also includes a few suggestions to help prevent issues in the future: updating to the latest versions, patching your code, rethinking your permissions and monitoring for potential repeat attacks.

Davey Shafik's Blog:
The Blowfish Debacle
February 13, 2012 @ 10:02:49

Davey Shafik has a recent post on his blog about what he calls "The Blowfish Debacle": the issues that arose when the PHP 5.3.7 release upgraded the crypt_blowfish version, a change that introduced a larger problem.

This was a great security fix, solving an issue with insecure passwords due to incorrect behavior. HOWEVER, what wasn't made clear, is that this change was actually a backwards compatibility break. If you upgraded to 5.3.7+ data hashed pre-5.3.7 would no longer match data hashed post-5.3.7; this means if you use it for passwords, it will no longer match. So what's the deal here?

He talks about the differences between the two methods of encryption, the newer being the "more correct" way of doing things. If you need backwards compatibility because of previously hashed values, you can use the "$2x$" prefix instead of the usual "$2a$". He includes a snippet of code that can be used to upgrade all of your previously hashed blowfish passwords to the new format.

PHP.net:
PHP 5.3.10 Released (Security Fix - Recommended Upgrade)
February 03, 2012 @ 08:01:29

The PHP development team has officially announced the release of the latest version of PHP in the 5.3.x series - PHP 5.3.10:

The PHP development team would like to announce the immediate availability of PHP 5.3.10. This release delivers a critical security fix. [...] Fixed arbitrary remote code execution vulnerability reported by Stefan Esser, CVE-2012-0830.

It is highly recommended that users upgrade to this latest version to avoid falling victim to this recently introduced bug, which relates to the new "max_input_vars" setting added to protect against the overflow issue recently brought up in the PHP community.

Chris Hartjes' Blog:
PHPUnit Aborted Fix
January 19, 2012 @ 11:16:53

Chris Hartjes ran into an issue with his unit tests where PHPUnit was throwing an "aborted" error no matter what tests were run. Thankfully, in this new post, he shares a solution.

That was a pretty annoying bug. I never did find out what the problem was as I moved on to other problems and chalked that error up to some undiagnosed weirdness on that particular server. From time to time I would get asked on Twitter if I had ever solved the problem. My answer was always "no, and if you do solve it please let me know how you fixed it." Today, my friends, was the day.

Based on a response from Demian Katz, he was able to get around the issue with a flag set on the PHPUnit command line: "-dzend.enable_gc=0". Apparently the issue has to do with garbage collection and has been a known issue since the beginning of 2011.

Symfony Blog:
Symfony2 Security Audit
October 07, 2011 @ 09:04:19

Fabien Potencier (of the Symfony framework project) has posted the results of a security audit that was performed on the framework by SektionEins.

The Symfony2 core team takes security issues very seriously; we have a dedicated procedure to report such issues, and the framework itself tries to give the developer all the features needed to secure his code easily. Thanks to our successful community donation drive, SektionEins performed a security audit on the Symfony2 code earlier this year. The audit is now over and the good news is that the Symfony2 code is pretty solid; only minor problems have been found. They have all been addressed now.

Their findings included the Request component trusting certain headers, bad regex validation on datetimes, password encoding issues, and cookie handling and exception handling issues. Links to the fixes for each are included in the post.

Tibo Beijen's Blog:
Fixing mysqldump on Zend Server CE on OS X
March 01, 2011 @ 11:50:58

Tibo Beijen has a new post today showing his method for fixing mysqldump on Zend Server CE running on an OS X platform. The default install throws a socket error when you try to dump a database using the command.

Inspecting the mysql configuration contained in /usr/local/zend/mysql/data/my.cnf confirmed that the [client] section showed the socket as returned by executing SHOW VARIABLES; from the mysql client: /usr/local/zend/mysql/tmp/mysql.sock. Although it is possible to specify the socket by using mysqldump's --socket switch, that doesn't really seem a 'solution'.

The real solution to the problem was to copy the my.cnf file from the custom location Zend Server keeps it in to the default "/etc/my.cnf", with settings pointing to the correct MySQL socket.

Matt Williams' Blog:
Codeigniter Database session fix
August 24, 2010 @ 12:58:15

Matt Williams has a new post on his blog with his own fix to a problem he was having with his CodeIgniter application: continuous session logouts.

For weeks I tolerated the annoyance of CodeIgniter's Session library logging me out continuously, saying to myself "It works...kind of...I'll fix it later". Eventually the problem started affecting AJAX method calls, large file uploads and simple CRUD operation forms so I began trawling the internet for a fix. After hours and hours, I found that there was no _reliable_ fix to the database sessions library and that the answer was, DON'T USE DATABASES.

The code for the library he found to help with the problem, CI_Native_Session (written by Dariusz Debowczyk), is included in the post. It uses native PHP session handling to keep track of the data rather than a database table to persist users. You can see a demo of it here.

All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework