ServerGrove Blog:
Security tools for PHP projects
March 23, 2015 @ 12:19:13

On the ServerGrove blog there's a new post looking at some of the currently available PHP security tools you can use to help keep your applications safe.

Security is getting more and more important, and the PHP community has been doing great improvements in this topic during the last few years. From better configuration settings to provide some level of security by default to frameworks providing functionality to avoid common attacks such as XSS, CSRF or SQL injection. [...] Well, any piece of software can have bugs, and obviously open source projects are not an exception. The good point is that once security researchers find a vulnerability, it is reported and added to a database of known vulnerabilities. We basically need to find a way to avoid using code with known vulnerabilities, and there are some interesting tools out there to help us.

They list four tools that focus on different areas of the security of your application to help provide good basic coverage:

One thing to note: these are all automated tools, so they shouldn't be relied upon exclusively to ensure the security of your application. They catch known-vulnerable dependency versions and weak settings; they do not find flaws in your own code. Manual review and testing of the codebase, alongside these and other tools, should always be done as well.
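The core check these tools perform is simple to state: compare the exact version pinned in composer.lock against ranges known to be vulnerable. The script below is an added example written for this page, not code from the ServerGrove post or from any of the tools it names. Both the lock-file content and the advisory list are constructed sample data; a real check would read the project's own composer.lock and a maintained advisory database.

```php
<?php
// Added example: flag packages in composer.lock whose installed version falls
// inside a known-vulnerable range, the way an advisory checker does.
// The lock content and advisories below are constructed for illustration.

$lockJson = <<<'JSON'
{
    "packages": [
        {"name": "acme/http-client", "version": "v1.2.3"},
        {"name": "acme/templating",  "version": "2.0.1"},
        {"name": "acme/orm",         "version": "3.5.0"}
    ],
    "packages-dev": [
        {"name": "acme/testtools",   "version": "0.9.0"}
    ]
}
JSON;

// Constructed advisories: package => list of [first affected, first fixed].
// A null "first fixed" means every version from "first affected" on is affected.
$advisories = [
    'acme/http-client' => [['1.0.0', '1.2.4']],
    'acme/templating'  => [['1.4.0', '1.4.9'], ['2.0.0', '2.0.2']],
    'acme/testtools'   => [['0.8.0', null]],
];

function normalizeVersion($version)
{
    // composer.lock keeps the tag name, often "v1.2.3"; version_compare() wants "1.2.3".
    return ltrim($version, 'v');
}

function isAffected($version, array $range)
{
    list($firstAffected, $firstFixed) = $range;
    if (version_compare($version, $firstAffected, '<')) {
        return false;
    }
    return $firstFixed === null || version_compare($version, $firstFixed, '<');
}

function scanLock($lockJson, array $advisories)
{
    $lock = json_decode($lockJson, true);
    if (!is_array($lock)) {
        throw new RuntimeException('composer.lock is not valid JSON');
    }
    $findings = [];
    // Dev packages run on developer machines and CI, so they are checked too.
    foreach (['packages', 'packages-dev'] as $section) {
        $packages = isset($lock[$section]) ? $lock[$section] : [];
        foreach ($packages as $package) {
            $name = $package['name'];
            if (!isset($advisories[$name])) {
                continue;
            }
            $version = normalizeVersion($package['version']);
            if (strpos($version, 'dev-') === 0) {
                // Branch installs ("dev-master") have no comparable version; flag for manual review.
                $findings[] = sprintf('%s: branch install %s cannot be checked against advisories', $name, $version);
                continue;
            }
            foreach ($advisories[$name] as $range) {
                if (isAffected($version, $range)) {
                    $findings[] = sprintf('%s %s: affected from %s, %s', $name, $version, $range[0],
                        $range[1] === null ? 'no fixed release yet' : 'fixed in ' . $range[1]);
                }
            }
        }
    }
    return $findings;
}

$findings = scanLock($lockJson, $advisories);
foreach ($findings as $finding) {
    echo $finding, PHP_EOL;
}
// A non-zero exit status lets a CI job fail the build when anything is flagged.
exit(count($findings) > 0 ? 1 : 0);
```

The interesting part is the edge handling, not the loop: tag names carry a leading "v" that version_compare() does not understand, dev packages must be scanned because they run on build machines, and branch installs have no version to compare at all, which is why real checkers work from Composer's constraint semantics rather than plain version strings.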

security tools list checker advisories roave composer iniscan versionscan

Link: http://blog.servergrove.com/2015/03/23/security-tools-php-projects/

PHP.net:
Release of PHP 5.6.7, 5.5.23 and 5.4.39
March 20, 2015 @ 10:45:27

The PHP development group has announced the latest releases in all three currently supported branches of PHP: 5.6.7, 5.5.23 and 5.4.39. These are bugfix-only releases, with several security fixes included.

The PHP development team announces the immediate availability of [these new versions]. Several bugs have been fixed as well as CVE-2015-0231, CVE-2015-2305 and CVE-2015-2331. All PHP [5.6, 5.5 and 5.4] users are encouraged to upgrade to this version.

As always, you can get the latest release for each of these branches from the main downloads page (or from windows.php.net for Windows users), and if you'd like to see the other changes besides the security-related fixes, check out the full Changelog.

version release language php54 php55 php56 security bugfix

Link: http://php.net/index.php#id2015-03-20-2

PHP.net:
PHP 5.6.6 is available
February 20, 2015 @ 09:08:51

Following on the heels of the other latest releases of PHP (5.5.22 and 5.4.38), the PHP development group has released the latest in the 5.6.x series: PHP 5.6.6.

The PHP development team announces the immediate availability of PHP 5.6.6. This release fixes several bugs and addresses CVE-2015-0235 and CVE-2015-0273. All PHP 5.6 users are encouraged to upgrade to this version.

You can get this latest release either directly from the downloads page (well, from a mirror) or, if you're a Windows user, from the Windows binaries page. Upgrading is definitely recommended, and you can find all the details of the release and what was fixed in the Changelog.

language release cve bugfix security php566

Link: http://php.net/archive/2015.php#id2015-02-19-2

PHP.net:
Release of PHP 5.5.22 & 5.4.38
February 19, 2015 @ 11:09:40

The main PHP.net site has an announcement today about the latest releases of the language, fixing several bugs including a few security-related issues: PHP 5.5.22 and 5.4.38.

The PHP development team announces the immediate availability of PHP 5.5.22 and 5.4.38. This release fixes several bugs and addresses CVE-2015-0235 and CVE-2015-0273. All PHP 5.5 and 5.4 users are encouraged to upgrade to this version.

As always, you can get the latest source downloads from the downloads page or Windows users can get the binaries from windows.php.net. Those interested in the complete list of fixes in these releases can check out the latest entries in the Changelog.

language release cve bugfix security changelog php55 php54

Link: http://php.net/archive/2015.php#id2015-02-19-1

Pádraic Brady:
A Secure Wrapper For Downloading HTTPS Resources Using file_get_contents()
February 05, 2015 @ 09:57:41

Pádraic Brady has a new post today sharing a tool he's created to enhance the current PHP file_get_contents function with a safer, more secure alternative, the humbug_get_contents library.

With the release of PHP 5.6, there was a significant security improvement in how PHP handled SSL/TLS protections, namely that it enabled a secure set of default options. Previously, SSL/TLS was disabled by default. No peer verification, no certificate checking, and a lack of configuration options had combined to create a serious problem. You can find this problem easily by searching for file_get_contents() on github and locating a call to this function used to retrieve any HTTP resource while also having zero configuration.

An excellent example of this is Composer which uses file_get_contents() instead of curl to ensure maximum compatibility with using systems. Of course, this beggars a question. If all the SSL/TLS protections are off by default in PHP 5.3-5.5…what's stopping some irksome hacker from injecting bad code into our Composer downloads? Answer: Nothing.

The package provides a drop-in replacement that closes the man-in-the-middle window left open by the native function's defaults. It wraps file_get_contents() with explicit TLS/SSL peer and hostname verification for HTTPS requests, which matters most on the PHP 5.3-5.5 releases that predate the secure defaults introduced in 5.6.
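What such a wrapper has to do is visible from the post's complaint: turn on peer verification, check the hostname, point at a CA bundle, and refuse to silently return unverified data. The function below is an added example written for this page; it is not the humbug_get_contents library or its API. The CA bundle path is an assumption (Debian/Ubuntu layout) and the example.com fetch at the end needs network access; the plain-http rejection runs offline.

```php
<?php
// Added example, not the humbug_get_contents library: a file_get_contents()
// wrapper that refuses anything other than https:// and switches on the TLS
// checks that PHP 5.3-5.5 left off by default. On 5.6+ the defaults are already
// safe, but spelling them out also protects against ini settings or stream
// defaults that relax them. The CA bundle path is an assumption; pass your own.

/**
 * Fetch an HTTPS resource with certificate and hostname verification enforced.
 *
 * @param  string $url     Must use the https scheme.
 * @param  string $caFile  PEM bundle of trusted CAs.
 * @return string          Response body.
 * @throws RuntimeException on a non-HTTPS URL, a missing CA bundle, or any
 *                          failed or unverifiable fetch.
 */
function secureGetContents($url, $caFile = '/etc/ssl/certs/ca-certificates.crt')
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])
        || strtolower($parts['scheme']) !== 'https') {
        throw new RuntimeException('Refusing non-HTTPS URL: ' . $url);
    }
    if (!is_readable($caFile)) {
        throw new RuntimeException('CA bundle not readable: ' . $caFile);
    }

    $ssl = [
        'verify_peer'         => true,   // off by default before 5.6
        'allow_self_signed'   => false,
        'cafile'              => $caFile,
        'verify_depth'        => 5,
        'SNI_enabled'         => true,   // needed for hosts sharing one IP
        'disable_compression' => true,   // CRIME mitigation, honoured on 5.4.13+
    ];
    if (version_compare(PHP_VERSION, '5.6.0', '>=')) {
        $ssl['verify_peer_name'] = true;
        $ssl['peer_name']        = $parts['host'];
    } else {
        // Pre-5.6 spelling of the hostname check; without it a valid
        // certificate for any other host would be accepted.
        $ssl['CN_match'] = $parts['host'];
    }

    $context = stream_context_create([
        'ssl'  => $ssl,
        'http' => [
            'method'          => 'GET',
            'timeout'         => 10,
            // No automatic redirects: a Location header could point at plain
            // http:// and the wrapper would follow it without complaint.
            'follow_location' => 0,
        ],
    ]);

    // Warnings are suppressed only so the failure can be surfaced as an
    // exception carrying the underlying message; the false return is never ignored.
    $body = @file_get_contents($url, false, $context);
    if ($body === false) {
        $error = error_get_last();
        throw new RuntimeException('HTTPS fetch failed: '
            . ($error ? $error['message'] : 'unknown error'));
    }
    return $body;
}

// Offline check: a plain-http URL is rejected before any connection is made.
try {
    secureGetContents('http://example.com/');
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}

// Live fetch (needs network access and a CA bundle at the assumed path).
try {
    $body = secureGetContents('https://example.com/');
    echo strlen($body), ' bytes fetched over verified TLS', PHP_EOL;
} catch (RuntimeException $e) {
    fwrite(STDERR, $e->getMessage() . PHP_EOL);
    exit(1);
}
```

Two details are easy to miss when hardening this function by hand: the hostname check has a different option name before 5.6 (CN_match) and after (verify_peer_name/peer_name), so a wrapper that only sets the newer one does nothing on the very versions that need it; and follow_location defaults to on, so a redirect can quietly downgrade a verified HTTPS request to plain HTTP unless it is disabled or re-validated.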

filegetcontents security wrapper https tls ssl library

Link: http://blog.astrumfutura.com/2015/02/a-secure-wrapper-for-downloading-https-resources-using-file_get_contents/

Resonant Core:
Remember Me Safely - Secure Long-Term Authentication Strategies
February 02, 2015 @ 11:18:42

On the Resonant Core blog there's a new post from Scott Arciszewski looking at some strategies for secure long-term authentication (usually in the form of "Remember Me" functionality).

Let's say you have a web application with a user authentication system, wherein users must provide a username (or email address) and password to access certain resources. Let's also say that it's properly designed (it uses password_hash() and password_verify() and rate-limiting; it doesn't have any SQLi or XSS flaws). Everything is going well for a while, but eventually your users would like the convenience of a "Remember me on this computer" button. What do you do?

He walks through three approaches:

  • storing the user's credentials from the database in a cookie (a bad idea),
  • generating a unique random token when the user requests "remember me" and storing it in a cookie,
  • using two pieces of information, a random token for lookup and a separate "authenticator" for validation.

He points out why the first two approaches aren't the best and then gets into the details of the last one, which keeps the lookup value and the secret separate so that a leaked database table does not hand out working cookies. He includes both the SQL and the PHP code to make token creation and verification work, performing an auto-login when the two values provided match up.
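The split between a lookup token and an authenticator is worth seeing in full, including the parts that are easy to get wrong (constant-time comparison, single use, refusing malformed input before touching the database). The code below is an added example written for this page following that design; it is not Scott's code. It uses an in-memory SQLite database so it runs stand-alone, and it needs PHP 5.6 or later for hash_equals() (or a constant-time polyfill on older versions).

```php
<?php
// Added example following the token + authenticator split described above
// (not Scott's code). In-memory SQLite stands in for the application database.
// Requires PHP >= 5.6 for hash_equals().

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE auth_tokens (
    selector         TEXT PRIMARY KEY,   -- random lookup key, stored in the clear
    hashed_validator TEXT NOT NULL,      -- SHA-256 of the secret half
    user_id          INTEGER NOT NULL,
    expires          TEXT NOT NULL       -- UTC, "Y-m-d H:i:s"
)');

define('REMEMBER_TTL', 30 * 86400); // 30 days

function randomHex($bytes)
{
    $raw = openssl_random_pseudo_bytes($bytes, $strong);
    if ($raw === false || !$strong) {
        throw new RuntimeException('CSPRNG unavailable');
    }
    return bin2hex($raw);
}

/** Issue a remember-me token; returns the cookie value "selector:validator". */
function issueRememberToken(PDO $pdo, $userId)
{
    $selector  = randomHex(6);   // 12 hex chars, only used for the DB lookup
    $validator = randomHex(32);  // 64 hex chars, the actual secret
    $stmt = $pdo->prepare('INSERT INTO auth_tokens (selector, hashed_validator, user_id, expires)
                           VALUES (?, ?, ?, ?)');
    $stmt->execute([
        $selector,
        hash('sha256', $validator),  // only the hash is stored
        $userId,
        gmdate('Y-m-d H:i:s', time() + REMEMBER_TTL),
    ]);
    // In the application this value goes into a Secure, HttpOnly cookie, e.g.
    // setcookie('remember', $cookie, time() + REMEMBER_TTL, '/', '', true, true);
    return $selector . ':' . $validator;
}

/** Validate a cookie value; returns the user id or null. Consumes the token on success. */
function checkRememberToken(PDO $pdo, $cookie)
{
    if (!preg_match('/^([0-9a-f]{12}):([0-9a-f]{64})$/', (string) $cookie, $m)) {
        return null;  // malformed: rejected without a database round trip
    }
    list(, $selector, $validator) = $m;
    $stmt = $pdo->prepare('SELECT hashed_validator, user_id, expires FROM auth_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['expires'] < gmdate('Y-m-d H:i:s')) {
        return null;
    }
    // Constant-time compare of the hash of the presented secret against the stored hash.
    // Because the table only holds hashes, a read-only leak of it yields no usable cookies.
    if (!hash_equals($row['hashed_validator'], hash('sha256', $validator))) {
        return null;
    }
    // Single use: delete it so a stolen cookie cannot be replayed after the
    // legitimate client has used it; the caller issues a fresh token on success.
    $pdo->prepare('DELETE FROM auth_tokens WHERE selector = ?')->execute([$selector]);
    return (int) $row['user_id'];
}

// Exercise the paths a login handler would hit.
$cookie = issueRememberToken($pdo, 42);
var_dump(checkRememberToken($pdo, $cookie));          // first presentation: auto-login
var_dump(checkRememberToken($pdo, $cookie));          // same cookie again: token was consumed
var_dump(checkRememberToken($pdo, 'not-a-token'));    // malformed input
$fresh = issueRememberToken($pdo, 42);
list($selector) = explode(':', $fresh, 2);
var_dump(checkRememberToken($pdo, $selector . ':' . str_repeat('0', 64))); // right selector, wrong secret
```

The selector exists only so the database lookup can be an indexed equality match that does not depend on secret material; the validator is what proves possession, and it is compared by hash so that neither a SQL injection elsewhere nor a leaked backup gives an attacker anything to present. Deleting on use and reissuing also means a cookie stolen from a device stops working the moment its owner next logs in.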

rememberme security authentication longterm strategy

Link: https://resonantcore.net/blog/2015/02/remember-me-safely-secure-long-term-authentication-strategies

PHP.net:
Release of PHP 5.4.37, 5.5.21 & 5.6.5
January 23, 2015 @ 10:03:03

PHP.net has posted the latest releases of the language for all of the supported series, PHP 5.4, 5.5 and 5.6. Each release fixes several bugs, including a few security-related issues:

It is strongly encouraged that you upgrade to the latest release for the major version you're using to prevent issues around these vulnerabilities. You can find these latest releases on the main downloads page or windows.php.net for the Windows binaries.

language release cve bugfix security

Link: http://php.net/archive/2015.php#id2015-01-22-3

Anthony Ferrara:
PHP Install Statistics
December 31, 2014 @ 09:29:43

Anthony Ferrara has a new post to his site sharing the results of some PHP version statistics he's gathered and how it relates back to the security of applications.

After yesterday's post, I decided to do some math to see how many PHP installs had at least 1 known security vulnerability. So I went to grab statistics from W3Techs, and correlated that with known Linux Distribution supported numbers. I then whipped up a spreadsheet and got some interesting numbers out of it. So interesting, that I need to share...

He starts with the versions that currently have no known security issues and matches those up with the Linux releases that currently ship them. He then looks at the adoption rates for more recent versions and maps those against their security status as well, with some "grim results". Summing the totals across all versions, he arrives at a striking statistic: over 78 percent of PHP installations (and thus the applications running on them) are exposed to at least one known vulnerability purely because of the PHP version they're hosted on.

install statistics security vulnerability issue percent

Link: http://blog.ircmaxell.com/2014/12/php-install-statistics.html

PHP.net:
Release of PHP 5.4.36, 5.5.20 and 5.6.4 (Includes Security Fix)
December 19, 2014 @ 10:39:54

PHP.net has announced new releases in all of the current major series, each correcting several bugs including one security issue related to unserialization. This issue was reported as CVE-2014-8142 and relates to this bug report. It is highly recommended that you upgrade to correct this vulnerability. The latest versions are:

As always, you can download these latest releases directly from the downloads page or http://windows.php.net/download for the Windows users. If you're interested in the other bugs fixed in these releases, check out the full Changelog.

language release bugfix php55 php56 php54 security cve20148142

Link: http://php.net/archive/2014.php#id2014-12-18-3

Reddit.com:
Composer files being indexed by Google
December 10, 2014 @ 11:36:55

In an interesting thread on the /r/php subreddit on Reddit.com, a user noticed that Google is indexing Composer files that sit in the document root of PHP applications. Files like "composer.json" and "composer.lock" give away exactly which packages and library versions an application uses (information disclosure), which lets an attacker look up known vulnerabilities for those versions without probing the site.

The problem is that these files are placed in the web root of the application rather than one directory level up, which is the recommended layout. The post links to a Google search that shows examples of current sites with the issue.

Another comment in the same post also reminds users not to have things like their ".git" directory in the document root either, as it can hand would-be attackers your application's full source and history. Direct access to these files can be blocked in the web server configuration, but it's far better to restructure the application so that they live in a parent directory of the actual web root.
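A quick way to enforce the restructuring advice is a deploy-time check that walks the document root and refuses to go live if any of the files from this thread are present. The script below is an added example written for this page, not something from the Reddit thread; the directory layout it scans is constructed in a temporary directory so the example runs anywhere, and the list of sensitive names is an assumption that extends the thread's composer.json, composer.lock and .git with the other usual suspects.

```php
<?php
// Added example: a deploy-time check that the web root contains none of the
// files the thread warns about. The layout below is constructed in a temp dir;
// point $docroot at the real DocumentRoot in a deployment script.

// Assumed deny-list: the thread's three names plus common siblings.
$sensitive = ['composer.json', 'composer.lock', '.git', '.svn', '.hg', '.env', 'vendor', 'phpunit.xml'];

/**
 * Return paths (relative to $docroot) of every file or directory whose name is
 * on the deny-list, searching recursively so nested legacy apps are caught too.
 */
function findExposed($docroot, array $names)
{
    $names = array_flip($names);
    $base  = rtrim($docroot, '/');
    $found = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($base, FilesystemIterator::SKIP_DOTS), // skips only "." and "..", so dotfiles are seen
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($iterator as $path => $info) {
        if (isset($names[$info->getFilename()])) {
            $found[] = substr($path, strlen($base) + 1);
        }
    }
    sort($found);
    return $found;
}

// Constructed layout: a project whose public/ directory is the web root but
// still carries Composer metadata and a .git directory inside it.
$project = sys_get_temp_dir() . '/docroot-check-' . getmypid();
foreach (['public/.git', 'public/css', 'public/legacy-app'] as $dir) {
    mkdir("$project/$dir", 0700, true);
}
foreach (['public/composer.json', 'public/composer.lock', 'public/.git/config',
          'public/legacy-app/composer.json', 'public/css/site.css',
          'composer.json', 'composer.lock'] as $file) {  // the last two live above the web root, where they belong
    touch("$project/$file");
}

$exposed = findExposed("$project/public", $sensitive);
if ($exposed) {
    echo "Refusing to deploy; sensitive paths inside the web root:", PHP_EOL;
    foreach ($exposed as $path) {
        echo "  $path", PHP_EOL;
    }
    exit(1);
}
echo "Web root is clean", PHP_EOL;
```

Run against the constructed tree the check reports the Composer files and the .git directory under public/ (including the copy in the nested legacy-app/) while ignoring the composer.json and composer.lock one level up, which is exactly the layout the thread recommends. Pointing it at a real DocumentRoot in a CI or deploy step turns the advice into a gate rather than a reminder.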

composer files composerlock composerjson index google search engine security

Link: http://www.reddit.com/r/PHP/comments/2ourf7/composer_files_being_indexed_by_google/

All content copyright, 2015 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework