
PHP.net:
PHP 5.4.34 & 5.6.2 Released
October 17, 2014 @ 10:14:07

On the main PHP.net site an announcement has been posted about the release of the two latest versions in the PHP 5.4.x and 5.6.x series - PHP 5.4.34 and 5.6.2.

These releases fix several bugs in both versions, including the security-related issues CVE-2014-3668, CVE-2014-3669 and CVE-2014-3670. The 5.4.34 release also includes a fix for a regression in the OpenSSL functionality.

As both of these contain security-related fixes, it's strongly recommended that you upgrade as soon as possible. As always, you can find the latest downloads on the main downloads page or windows.php.net for the Windows users. The full list of changes in each of the versions can be found in the Changelog.

language release bugfix security update openssl

Link: http://php.net/archive/2014.php#id2014-10-16-3

PHPClasses.org:
Lately in PHP Podcast #46 - "Is the Hack Language Going to Replace PHP?"
April 21, 2014 @ 09:12:14

In the latest episode (#46) of the "Lately in PHP" podcast series Manuel Lemos and Arturs Sosins wonder if Hack will ever replace PHP.

The release of the Facebook Hack language has shaken the PHP community since it implements several frequently requested features that were never implemented, and many users are considering dropping PHP in favor of Hack. This was one of the main topics discussed by Manuel Lemos and Arturs Sosins on episode 46 of the Lately in PHP podcast. They also talked about whether the OpenSSL Heartbleed security bug may affect PHP sites or not, ideas for the PHP 6 engine, the need for an official PHP specification, and an advanced email validation that can provide suggestions for address typos like Google's "did you mean" feature.

You can catch this latest episode either through the in-page audio player, by downloading the mp3 or by watching the video of the live Google Hangout recording.

phpclasses latelyinphp ep46 hack replace openssl heartbleed podcast

Link: http://www.phpclasses.org/blog/post/232-Is-the-Hack-Language-Going-to-Replace-PHP--Lately-in-PHP-podcast-episode-46.html

PHPClasses.org:
OpenSSL Serious Security Bug Does it Affect Your PHP sites?
April 10, 2014 @ 11:55:37

In the wake of the announcement of the Heartbleed vulnerability in the widely used OpenSSL software, the PHPClasses blog has posted a look at how it relates to PHP applications and how you can see if your application is affected.

Just a few days ago a serious security bug called Heartbleed was publicly announced that affects secure sites based on the OpenSSL library. Read this article to learn more about this security problem, how to test if your Web server or SSH server is vulnerable, how it may affect your PHP sites, and what you should do to fix the problem.

They start with a look at the bug, what it is and why it's such a big problem. The post covers what kinds of applications are vulnerable (hint: it has nothing to do with PHP itself) and how you can test to see if your server is secure. The rest of the post talks about how to resolve the issue and how it relates to OpenSSL connections to other servers and to SSH.

openssl bug heartbleed security effect webserver

Link: http://www.phpclasses.org/blog/post/231-OpenSSL-Serious-Security-Bug-Does-it-Affect-Your-PHP-sites.html

PHP.net:
Multiple Releases - PHP 5.4.23, 5.3.28 and 5.5.7
December 13, 2013 @ 09:33:42

The PHP.net site reports three new versions of the language being released all at once, all fixing an OpenSSL issue announced in CVE-2013-6420. This includes updates for all three supported versions:

  • PHP 5.4.23
  • PHP 5.3.28 (also fixes CVE-2013-4073)
  • PHP 5.5.7

As this is a security-related issue, it's recommended that you update to the latest version for your installation. You can get these latest downloads from either the main downloads page or for Windows users, windows.php.net.

language release security update openssl cve20136420 cve20134073

Link: http://php.net/

Timoh's Blog:
Secure random numbers for PHP developers
November 06, 2013 @ 09:20:55

Timoh has posted a look at random number generation to his site, focusing on one of the many methods to produce truly random numbers - using /dev/(u)random (available on Unix-like systems).

How would you gather cryptographically secure random bytes in your PHP application? This is actually quite a good question. It used to be, and it seems it still is, not that uncommon to simply call the mt_rand() function to get the job done when creating a user's "initial password", for example. A bit more experienced reader will notice there is a security bug. [...] But actually only a few [functions to get random values] can be recommended for security sensitive purposes. And now I'm not talking about openssl_random_pseudo_bytes().

He starts with a look at openssl_random_pseudo_bytes and why there might be something wrong with its use - mainly that OpenSSL has had its own share of security issues in the past. Of the two random resources he recommends /dev/urandom as it's less blocking and more useful for web applications. He recommends the RandomCompat library if you need to take this random data and transform it into integers (with one caveat).

secure random number generation devurandom urandom openssl

Link: http://timoh6.github.io/2013/11/05/Secure-random-numbers-for-PHP-developers.html

PHP.net:
PHP 5.4.19 and PHP 5.5.3 Released!
August 23, 2013 @ 10:57:51

The PHP development group has officially released the latest editions in the PHP 5.5.x and 5.4.x series - PHP 5.5.3 & 5.4.19:

The PHP development team announces the immediate availability of PHP 5.4.19 and PHP 5.5.3. These releases fix a bug in the patch for CVE-2013-4248 in the OpenSSL module and a compile failure with ZTS enabled in PHP 5.4. All PHP users are encouraged to upgrade to either PHP 5.5.3 or PHP 5.4.19.

As this is a security-related patch, all users are strongly encouraged to update their installations to prevent any potential issues. You can find out more about that flaw here. As always, you can download these latest releases from the downloads page (or here for Windows binaries).

language release bugfix security openssl update

Link: http://php.net/index.php#id2013-08-22-1

Pádraic Brady:
Predicting Random Numbers In PHP - It's Easier Than You Think!
March 26, 2013 @ 09:54:15

Pádraic Brady has a new post to his site about "randomness" in PHP and how, depending on the method used, you might not be as random as you think.

The Zend Framework team recently released versions 2.0.8 and 2.1.4 to address a number of potential security issues including advisory ZF2013-02 "Potential Information Disclosure and Insufficient Entropy vulnerabilities in ZendMathRand and ZendValidateCsrf Components". Quite the mouthful! In short, Zend Framework used the mt_rand() function to generate random numbers in situations where neither openssl_pseudo_random_bytes() nor mcrypt_create_iv() were available. This is possible when the openssl and mcrypt extensions are not installed/compiled with PHP.

He talks about the mt_rand function and how it generates its "random numbers" (designed for speed, not ultimate randomness). He notes that all of PHP's internal randomization functions use the concept of "seeds" to prime the random number/string generation. Unfortunately, the seeding method is known inside PHP, so it is possible - if the method of generation is weak, as it is with mt_rand - that an attacker could brute force their way to a correct value. You can find more about randomness in PHP in this chapter of his PHP security handbook, including a mention of Anthony Ferrara's randomness library.

randomness seed mtrand openssl mcrypt randomlib


Kevin Schroeder:
Generating secure cross site request forgery tokens (csrf)
February 11, 2013 @ 11:23:10

In this new post to his site Kevin Schroeder shares his take on generating more secure CSRF tokens for use in your site.

In researching the second edition for the IBM i Programmer's Guide to PHP Jeff and I decided to include a chapter on security since we really didn't talk much about it in the first edition. I'm talking about cross site request forgeries right now and I wanted to make sure that what I was going to suggest would not break the internet in some way. I did some Google searching to see what other people were recommending.

Most of the examples he saw used md5, uniqid and rand to create a randomized hash. He suggests an alternative - a method using the hash_hmac and openssl_random_pseudo_bytes methods to generate a sha256 hash for use in your page's submissions.

csrf token generation hmac openssl


Ldeveloper Tech Blog:
PHP - Fatal error Uncaught SoapFault exception Could not connect to host...
August 12, 2011 @ 11:38:04

On the Ldeveloper Tech Blog today there's a helpful new post about an error PHP's SOAP extension could throw about not being able to connect to the host despite all settings being correct.

I received this nasty error yesterday and it took me some time to figure out the problem: "Fatal error: Uncaught SoapFault exception: [HTTP] Could not connect to host in...". This ["new SoapClient"] line passes without any problems and this [var_dump on __getFunctions] shows the function prototypes correctly.

His script connects to the service as it's supposed to, but the "could not connect" error is still thrown. He found a few references to OpenSSL issues that could cause it, but his code was correct, so he turned to the other side - the service itself. As it turns out, it wasn't configured correctly.

It was configured to send an invalid URL and the function calls were using that invalid URL. So there are two solutions [...] the first is to configure the server correctly. The other is to give __doRequest the correct location.

soap connect host openssl service remote error


PHPBuilder.com:
Write an Ajax-driven Login Application in PHP Using SSL/TLS
September 09, 2010 @ 10:29:03

On the PHPBuilder.com site today there's a new tutorial posted from Octavia Anghel about creating a login for your site that's powered by Ajax and uses a bit more security than normal. It includes hooks to use the Ajax Server Secure Layer or an OpenSSL connection.

In this article you will learn how to write a login application in PHP using Ajax and SSL/TLS in two ways: either using aSSL (Ajax Server Secure Layer), a library that implements a technology similar to SSL without HTTPS, or using simple Ajax and OpenSSL, an open source implementation of the SSL and TLS protocols.

They start with the aSSL method and link you to a download of the tool as well as some sample code to help you get started passing data to it via the session. The second example shows the OpenSSL method, mostly consisting of checking, on the server side, the certificate that's passed along with the request.

ssl tls secure certificate assl openssl ajax


All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework