Ed Finkler's Blog:
So what is the state of secure development in PHP?
March 19, 2007 @ 08:23:00

Sometimes, a picture is worth a thousand words - check out the one included with this new post on Ed Finkler's blog today, a graph of the NIST NVD data showing where most of the security-related PHP issues lie.

PHP Applications by themselves account for over 40% of all NIST NVD entries in 2006. We need more than new frameworks. We need new paradigms for PHP development.

These new paradigms of PHP development have been a long time coming (so far it has mostly been jokes about it), but there are already forces at work to help make things simpler and better for those developing applications. Frameworks, while not new in themselves, are making it easier than ever to write applications using their built-in tools.



Community News:
DreamStats "rootpath" File Inclusion Vulnerability Identified
February 06, 2007 @ 11:37:00

As the International PHP Magazine reports today, a file inclusion vulnerability has been found (by Secunia) in the DreamStats package:

Secunia's latest advisory points out a vulnerability in DreamStats, which could be exploited by remote attackers to execute arbitrary commands. This issue is due to an input validation error in the "index.php" script that does not validate the "rootpath" parameter, which could be exploited by remote attackers to include malicious PHP scripts and execute arbitrary commands with the privileges of the web server.

Systems running version 4.2 and prior are at risk and should update immediately. DreamStats is a package for displaying statistics for Call of Duty related games on a website.



LWN.net:
Remote file inclusion vulnerabilities
October 12, 2006 @ 10:27:00

According to this article from LWN.net, you might need to be a bit wary of how you use the allow_url_fopen configuration setting on your server. There are remote file inclusion issues that can affect calls to include or require already in your code.

An attacker's fondest wish is to be able to run their code on the target system; an RFI exploit does just that. By exploiting two very dubious 'features' of the PHP language, an attacker can inject their code into a PHP program on the server.

Basically, if the potential hacker can manage to get control of a variable that's used inside an include and it isn't validated, they can get the script to fetch and run code from their server instead of the local copy. Turning off register_globals will provide some protection, but poor programming and a lack of input validation can poke holes in the script's security without the need for globals.

Check out the rest of the article for more information on this (potentially) serious issue and check your code/configuration doubly to make sure you're not at risk.



FrSIRT:
Vivvo Article Management CMS SQL Injection and PHP File Inclusion Vulnerabilities
September 18, 2006 @ 14:08:57

The FrSIRT site has posted a new advisory for users of the Vivvo Article Management CMS software about potential holes that could allow for some very large-scale damage to be done.

Multiple vulnerabilities have been identified in Vivvo Article Management CMS, which could be exploited by remote attackers to compromise a vulnerable server.

The first issue is due to an input validation error in the "pdf_version.php" script that does not validate the "id" parameter before being used in SQL statements, which could be exploited by malicious people to conduct SQL injection attacks.

The second vulnerability is due to an input validation error in the "index.php" script that does not validate the "classified_path" parameter, which may be exploited by remote attackers to include local or remote scripts with the privileges of the web server.

Versions 3.2 and higher of the software are affected, and, unfortunately, no patch has been issued for these issues.



Justin Silverton's Blog:
PHP Security Mistakes - Part 2
March 21, 2006 @ 06:56:49

Justin Silverton continues his "PHP Security Mistakes" series with this new post, looking at issues surrounding system calls, file uploads, and including files into your scripts.

In one of my previous articles, I mentioned the top 5 security mistakes made in PHP. This article is a follow-up, with some more common security mistakes.

For each of the three topics he describes the functionality PHP offers, as well as a suggestion or two on how to prevent these issues from showing up in your scripts.



Mike Wallner's Blog:
imap_savebody()
January 30, 2006 @ 07:20:47

There's a quick post from Mike Wallner today with a helpful IMAP hint for those working with attachments - and his solution.

If you, like me, were suffering from being unable to load big attachments through ext/imap because of PHP's memory limit, the new imap_savebody() function should be what you were looking for. It adds the ability to save any section (the full mail, too) of a mail message to a file or stream.

You can see the proposal for the functionality on this Zend page, including some of the suggestions others made and its inclusion into the PAT directory. You can view the source here...


All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework