Security Affairs:
PHP hash comparison flaw is a risk for million users
May 12, 2015 @ 14:15:10

A recent issue has come (back) to light in the security community around how PHP compares hashes. This post on the Security Affairs site describes the hash comparison problem and how to prevent it in your own PHP code.

Because of a security flaw in how PHP handles 'hashed' strings in specific situations, attackers are given the opportunity to try and breach passwords, authentication systems and other functions that rely on PHP hash comparisons, a WhiteHat security researcher says. The VP of WhiteHat, Robert Hansen, declared that any website is vulnerable to the flaw – the only condition is that the vulnerable site uses two specific kinds of PHP hashes when comparing 'hashes' in PHP.

The problem comes mostly from how PHP handles typing behind the scenes. When a string of the form "0e..." (a zero, an "e", then only digits) is used in a loose comparison, PHP interprets it as a number in scientific notation and treats it as a value equal to zero. As a result, two such strings, even if they don't match character for character, will evaluate as equal. Fortunately, the fix is relatively simple (though it could be time consuming to apply everywhere): change == (double equals) to === (triple equals). This stops PHP from type juggling and compares the values as the types they are presented in (string to string in the case of hashes).
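The loose versus strict comparison described above, as an added example that is not part of the Security Affairs post or of any project's code; the two hash-shaped strings are constructed here to show the type juggling, and the function names are placeholders:

```php
<?php
// Constructed sample values shaped like 32-character hex digests that happen
// to start with "0e" followed only by digits. PHP parses each as 0 * 10^N,
// i.e. float(0), when they are compared loosely.
$storedHash   = '0e123456789012345678901234567890';
$computedHash = '0e987654321098765432109876543210';

// The flaw: == lets PHP convert both numeric-looking strings to numbers,
// so two different "0e..." digests compare as equal.
function looseHashMatch(string $stored, string $computed): bool
{
    return $stored == $computed;
}

// The fix from the post: === compares type and content with no juggling.
function strictHashMatch(string $stored, string $computed): bool
{
    return $stored === $computed;
}

// Preferred for secrets: hash_equals() (PHP >= 5.6) is strict and also
// runs in constant time, so it does not leak where the strings diverge.
function safeHashMatch(string $stored, string $computed): bool
{
    return hash_equals($stored, $computed);
}

var_dump(looseHashMatch($storedHash, $computedHash));  // the vulnerable result
var_dump(strictHashMatch($storedHash, $computedHash)); // mismatch, as intended
var_dump(safeHashMatch($storedHash, $computedHash));   // mismatch, as intended
```

Running it prints true for the loose comparison and false for the other two, which is the behaviour the post warns about and the fix it recommends.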

tagged: hash comparison flaw doubleequals tripleequals

Link: http://securityaffairs.co/wordpress/36732/hacking/php-hash-comparison-flaw.html

Anthony Ferrara:
Framework Fixation - An Anti Pattern
Jul 31, 2012 @ 14:21:59

In a recent post to his blog Anthony Ferrara takes a look at what he calls the "Framework Fixation" anti-pattern - the tendency he sees for a developer's first inclination to be reaching for a framework when one may not be needed.

In this day and age, it seems that the community trend is completely and unequivocally trending towards the use of web application frameworks. So much so that the de facto first comment to someone asking how to do something seems to be "Just use a framework, and it'll solve the problem for you." While I completely understand why this is the case, I can't say that I agree with it. And while I do believe that frameworks serve a purpose, I think that they are vastly over-used. Let me explain why...

He starts off by describing what a framework is (its components, goals) and points out a few flaws in their use. These include the removal of emphasis on the setup/configuration/bootstrapping of the application (it's part of the architecture too!), how they can help (and hurt) in prototype situations, the myth of the shorter development time and that looking for "framework developers" that only know how to use the tool could hurt you in the long run.

tagged: framework opinion flaw misconception

Link:

PHP.net:
PHP 5.3.12 and 5.4.2 and the CGI flaw (CVE-2012-1823)
May 07, 2012 @ 14:03:59

The PHP.net site has a new post with some supplemental information for users of the PHP CGI who might be affected by the recently announced bug, the reason for the most recent release. Unfortunately, this patch only fixes some of the cases of the problem, so they've amended their instructions to include a more effective mod_rewrite rule to help protect your applications.

PHP 5.3.12/5.4.2 do not fix all variations of the CGI issues described in CVE-2012-1823. It has also come to our attention that some sites use an insecure cgiwrapper script to run PHP. These scripts will use $* instead of "$@" to pass parameters to php-cgi which causes a number of issues. Again, people using mod_php or php-fpm are not affected.

The rewrite rule is there in the post, ready for copying and pasting into your config. Even if you're running the latest PHP 5.3.12 or 5.4.2, be sure to use this rule as a stop-gap measure for now. Another release is planned for tomorrow to fully correct the CGI flaw.

tagged: cgi flaw bug rewrite rule protect release

Link:

Hari KT's Blog:
Is there a design flaw for the Components or Packages made by Symfony2 and ZF2
Mar 09, 2012 @ 15:03:36

Hari K T has a new post to his blog that shares his concern about a "design flaw" in the component/package methods promoted by Symfony2 and Zend Framework 2:

Looking from outside, both Symfony2 and ZF2 are full of standalone components. But the reality is not the same. Though Symfony2 components are split into separate components on GitHub, you cannot send a pull request to that component. The tests for all the components still reside in the core.

He points to the Aura framework project as a good example of how to make a truly component-centric set of tools complete with tests bundled into the component's download right next to the source.

tagged: design flaw component symfony2 zendframework2 aura framework tests source

Link:

Developer.com:
PHP Remains Strong Despite Security Flaws
Jun 04, 2010 @ 17:48:20

On Developer.com today there's a new article (from Sean Michael Kerner) that talks about the Month of PHP Security effort that's been going on and how, despite over 60 issues being reported, PHP remains strong.

Over the course of May, the PHP community was hit with a barrage of more than 60 security issues. The security assault was all part of the Month of PHP Security (MOPS) effort, which disclosed the flaws. But even after so many identified security issues in MOPS, PHP experts argue that the language is not necessarily insecure.

There are several quotes from Andi Gutmans (of Zend) with his thoughts on the bugs that were reported, how important he considers them to be (hint: nothing zero-day) and how developers are still, ultimately, the ones responsible for the security of their applications.

tagged: security flaw monthofphpsecurity mops andigutmans

Link:

Misko Hevery's Blog:
Guide: Writing Testable Code
Jan 07, 2009 @ 16:29:39

In this slightly older (Nov 2008) but useful post to Misko's blog, he takes a look at a few common flaws that you should avoid when writing your code (in any language, really).

To keep our code at Google in the best possible shape we provided our software engineers with these constant reminders. Now, we are happy to share them with the world.

Here's the list of the flaws:

  • Flaw #1: Constructor does Real Work
  • Flaw #2: Digging into Collaborators
  • Flaw #3: Brittle Global State & Singletons
  • Flaw #4: Class Does Too Much

Each flaw comes with some warning signs to keep an eye out for, so you can tell whether you and your code might be straying in the wrong direction.

tagged: testable guide hint flaw avoid warning sign

Link:

Community News:
PHP 5.2.8 Released
Dec 09, 2008 @ 12:39:35

The PHP Group has officially released the next version in the PHP 5.2.x series (as an update to the flaw in PHP 5.2.7) - version 5.2.8:

The PHP development team would like to announce the immediate availability of PHP 5.2.8. This release addresses a regression introduced by 5.2.7 in regard to the magic_quotes functionality, that was broken by an incorrect fix to the filter extension. All users who have upgraded to 5.2.7 are encouraged to upgrade to this release, alternatively you can apply a work-around for the bug by changing "filter.default_flags=0" in php.ini.

You can download this latest release from the downloads page on the main php.net website or from your favorite local mirror.

tagged: php5 release security flaw update phpini

Link:
