PHP 5.6.27 Released
Oct 18, 2016 @ 11:48:09

As announced on the main PHP.net site, the latest version in the PHP 5.6.x series has been released: PHP 5.6.27, a bugfix only release.

The PHP development team announces the immediate availability of PHP 5.6.27. This is a security release. Several security bugs were fixed in this release. All PHP 5.6 users are encouraged to upgrade to this version.

Bugfix locations include DOM, GD, mbstring, OpenSSL and SimpleXML. As always, this latest version can be downloaded from the main downloads page (source) or from windows.php.net (binaries). You can view the full list of updates and fixes in the related Changelog.

tagged: language release bugfix security php56

Link: http://php.net/index.php#id2016-10-14-1

SitePoint PHP Blog:
Phpseclib: Securely Communicating with Remote Servers via PHP
Oct 04, 2016 @ 13:37:33

The SitePoint PHP blog has posted a new tutorial by Viraj Khatavkar showing how to use the phpseclib library to securely communicate with remote servers directly from your PHP code.

PHP has an SSH2 library which provides access to resources (shell, remote exec, tunneling, file transfer) on a remote machine using a secure cryptographic transport. Objectively, it is a tedious and highly frustrating task for a developer to implement it due to its overwhelming configuration options and complex API with little documentation.

The phpseclib (PHP Secure Communications Library) package has a developer friendly API. It uses some optional PHP extensions if they’re available and falls back on an internal PHP implementation otherwise. To use this package, you don’t need any non-default PHP extensions installed.

The first step is getting the library installed (via Composer), followed by a few example use cases including generating SSH keys dynamically and testing an SSH/SFTP connection. The tutorial then covers three methods you can use with phpseclib to connect to remote servers: using an RSA key, using a password-protected RSA key, and just the normal username/password combination. With the connection made, they then show you how to:

  • execute (single and multiple) commands on the remote server
  • exit on the first error
  • gather the output from the commands

There's also a bit included about some other interesting configuration options and a few alternatives to the library if phpseclib doesn't work exactly right for your application.
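As an added illustration of the connection and command-execution flow described above (example code written here, not the tutorial's own), this uses the phpseclib 2.x API; the host name, user, key path and expected host key are placeholders, and the host-key comparison is an assumption about how a practitioner would pin the server identity, since phpseclib does not verify it for you:

```php
<?php
// Added example, not from the SitePoint tutorial. Assumes phpseclib 2.x
// (composer require phpseclib/phpseclib:~2.0); host, user, key path and
// expected host key below are placeholders.
require __DIR__ . '/vendor/autoload.php';

use phpseclib\Net\SSH2;
use phpseclib\Crypt\RSA;

function connectWithKey($host, $user, $keyPath, $expectedHostKey, $passphrase = null)
{
    $key = new RSA();
    if ($passphrase !== null) {
        $key->setPassword($passphrase); // only needed for a password-protected private key
    }
    if (!$key->loadKey(file_get_contents($keyPath))) {
        throw new RuntimeException("Could not parse private key at $keyPath");
    }

    $ssh = new SSH2($host, 22, 10); // 10 second connect timeout

    // phpseclib does not check the server's host key; compare it to a pinned
    // value (recorded out of band) before sending credentials.
    if ($ssh->getServerPublicHostKey() !== $expectedHostKey) {
        throw new RuntimeException("Unexpected host key for $host; refusing to log in");
    }
    // For plain username/password authentication, pass the password string
    // instead of the RSA object: $ssh->login($user, $password)
    if (!$ssh->login($user, $key)) {
        throw new RuntimeException("Authentication failed for $user@$host");
    }
    return $ssh;
}

// Run commands in order, keep each command's output and exit status,
// and stop at the first non-zero (or unknown) exit status.
function runCommands(SSH2 $ssh, array $commands)
{
    $results = [];
    foreach ($commands as $cmd) {
        $output = $ssh->exec($cmd);
        $status = $ssh->getExitStatus(); // int, or false if the server sent none
        $results[] = ['cmd' => $cmd, 'output' => $output, 'status' => $status];
        if ($status !== 0) {
            break; // exit on the first error
        }
    }
    return $results;
}

$ssh = connectWithKey('example.invalid', 'deploy', '/path/to/id_rsa',
    'ssh-rsa AAAA...placeholder...', getenv('KEY_PASSPHRASE') ?: null);
foreach (runCommands($ssh, ['uname -a', 'df -h /', 'false', 'echo never-reached']) as $r) {
    printf("$ %s (exit %s)\n%s\n", $r['cmd'], var_export($r['status'], true), $r['output']);
}
```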

tagged: phpseclib security communication server library tutorial introduction

Link: https://www.sitepoint.com/phpseclib-securely-communicating-with-remote-servers-via-php/

PHP 5.6.26 is released
Sep 16, 2016 @ 12:16:56

The official PHP.net site has announced the release of PHP 5.6.26, the latest in the v5.6.x series, providing several bugfixes (including security-related issues).

The PHP development team announces the immediate availability of PHP 5.6.26. This is a security release. Several security bugs were fixed in this release. All PHP 5.6 users are encouraged to upgrade to this version.

Bugs were fixed in functionality including EXIF handling, FTP functionality, GD image copying, JSON out of bounds error and the "fetch lazy" handling results and empty(). You can download this latest release from the usual places: the main downloads page for the source release or windows.php.net for the Windows binaries.

tagged: language release bugfix security php56

Link: http://php.net/index.php#id2016-09-16-1

How we broke PHP, hacked Pornhub and earned $20,000
Jul 25, 2016 @ 12:31:48

The PornHub.com site (definitely NSFW) is a high profile site that, as it turns out, uses PHP for a lot of its functionality. In this interesting article from the Evonide Security Research Group they show how they "broke PHP" and hacked PornHub (and earned a $20k USD bug bounty in the process). Don't worry, the article itself is "safe for work" as it's only descriptions and code examples of how the hack was performed.

Pornhub’s bug bounty program and its relatively high rewards on Hackerone caught our attention. That’s why we have taken the perspective of an advanced attacker with the full intent to get as deep as possible into the system, focusing on one main goal: gaining remote code execution capabilities. Thus, we left no stone unturned and attacked what Pornhub is built upon: PHP.

The post then walks you, step-by-step, through the process they followed to discover the exploit. The main entry point was PornHub's use of the unserialize function, which included a flaw allowing for code execution when a specially crafted object was injected. With the help of this they were able to "leak" out of the PHP execution and inject custom C code to be executed in the local environment. This was, in turn, then used to execute a file_get_contents on the local /etc/passwd file and return its contents.

tagged: pornhub hack evonide serialize code injection security

Link: https://www.evonide.com/how-we-broke-php-hacked-pornhub-and-earned-20000-dollar/

PHP 5.6.24 & 5.5.38 Released
Jul 22, 2016 @ 11:55:39

The PHP development group has posted the official release announcements for the latest versions in the PHP 5.6.x and 5.5.x series: PHP 5.6.24 and PHP 5.5.38.

The PHP development team announces the immediate availability of PHP [5.6.24 and 5.5.38]. This is a security release. Several security bugs were fixed in this release. All PHP 5.6 users are encouraged to upgrade to this version.

They also have a quick note that this release for the PHP 5.5.x series is the last in the branch as laid out by the release schedule. Future updates on this branch will only be made if there are major security issues found. Otherwise developers are encouraged to upgrade to the latest versions (5.6.x at the least but really PHP 7.x would be better). You can get these latest releases either from the main downloads page (source) or from windows.php.net for the Windows binaries.

tagged: language release bugfix security php55 php56

Link: http://php.net/archive/2016.php#id2016-07-21-4

IBM Security Intelligence:
The Webshell Game Continues
Jul 20, 2016 @ 11:50:15

On the IBM Security Intelligence site there's a new article posted talking about webshells. For those not familiar with webshells, they're scripts put in place by attackers that can be used to control servers or serve as a platform for reaching other systems. In this article they introduce some of the basics around webshells and the rise they're seeing in their use.

The IBM X-Force Research team reported an increase in PHP C99 webshell attacks in April 2016. More recently, webshells dubbed b374k made their mark with attacks that the team has been tracking over the past few months.

Although this blog highlights some features of the b374k shell, the main objective is to call your attention to the fact that PHP applications are becoming an increasingly popular choice for attackers aiming to glean your data and deface your website without much hard work. This threat should be pushed to the top of your priority list — primarily because of the power of the tool used for this type of attack, but also because of the startling increase in this attack type this year.

They start off with some of the basics of webshells, focused on the PHP variety: what they are, what kind of functionality they commonly provide and an example of a shell's UI. They then talk about some of the common delivery methods, potential entry points for these attacks and some of the "indicators of compromise" you can use to detect them. They also include mitigations you can perform to rid yourself of these webshells, including adding additional plugins/software and locking down features of PHP itself.

tagged: webshell game introduction example features attack security

Link: https://securityintelligence.com/the-webshell-game-continues/

Securing client-side public API access with OAuth 2 and Symfony
Jul 18, 2016 @ 12:30:26

On the Codevate.com blog there's a tutorial posted by Chris Lush showing you how to secure your client-side public API with OAuth 2 (based on the Symfony platform).

Say you’ll be developing a web application for a customer to create and manage restaurant bookings, exposing restaurant information (name, opening times, menu contents etc.) and booking creation as RESTful API endpoints, which are consumed by secure admin backend. You’ll need to authorise access to the API, but there is no end-user involved since the web app is its own resource owner, so the previous flow doesn’t apply.

[...] However, you also need to develop a booking widget that will be embedded in a company or restaurant’s website for visitors to use. In this case, the client-side is no longer trusted enough to share the OAuth client secret that’s required to authenticate with your API. [...] We encountered a similar use-case for a client project recently, and this blog post details the steps taken to address it.

He then shows how to integrate the FOSOAuthServerBundle bundle into your current Symfony-based application and the updates you'll need to make to your security.yml file. He includes the code needed to create a "client" and associate it with a company already in the customer list. Next is the creation of access tokens and linking them to the restaurants in their system (using a unique identifier for external use rather than the restaurant's database ID). He shows an example of handling the token requests and the code/config changes needed to set it up. Finally he talks about scoping API requests down to certain functionality and gives an example cURL call to the API to show the results of it all combined.

tagged: clientside api access security oauth2 symfony tutorial bundle

Link: https://www.codevate.com/blog/12-securing-client-side-public-api-access-with-oauth-2-and-symfony

PHP 7.0.8, 5.6.23 & 5.5.37 Released
Jun 24, 2016 @ 12:15:55

The PHP development group has released the latest updates to all currently supported versions of PHP, including several security fixes. These latest versions are:

The PHP development team announces the immediate availability of PHP [5.5.37, 5.6.23 and 7.0.8]. This is a security release, several security bugs were fixed. All PHP [...] users are encouraged to upgrade to this version.

As always, you can get the latest source release as linked to from the main downloads page and the Windows binaries from the windows.php.net site. The full list of files can be found in the version's related Changelog.

tagged: language release bugfix security php55 php56 php7

Link: http://php.net/archive/2016.php#id2016-06-23-3

PHP 5.5.36 & 7.0.7 Released
May 26, 2016 @ 11:16:14

The PHP project has officially released the latest versions of the language in the PHP 5.5.x and PHP 7.0.x series: PHP 5.5.36 and PHP 7.0.7:

The PHP development team announces the immediate availability of PHP 5.5.36. This is a security release. Several security bugs were fixed in this release. All PHP 5.5 users are encouraged to upgrade to this version.

As always, you can download these latest releases from either the main downloads page (source) or from the windows.php.net site for the Windows binaries. For a full list of the changes, you can check out the Changelogs for each release.

tagged: language release bugfix security php55 php70

Link: http://php.net/archive/2016.php#id2016-05-26-2

Free the Geek Podcast:
Episode 17 - Talking Conferences and Security with Chris Cornutt
May 03, 2016 @ 09:45:26

The Free the Geek podcast, hosted by PHP community member Matthew Setter, has posted their latest episode - an interview with Chris Cornutt about conferences and security topics.

In this episode I chat with Chris Cornutt, founder of PHPDeveloper.org, websec.io, and Lone Star PHP about conferences and all things security.

It’s a rousing chat about the state of security within the PHP and wider development community. He also gives me an inside look at what it’s like to run the long-running Lone Star PHP conference in Texas. Grab your favourite beverage and your comfy chair, and get ready for a rousing fireside chat with Chris and I.

You can listen to this latest episode either through the in-page audio player or by downloading the mp3 of the show for listening at your leisure. If you enjoy the episode be sure to subscribe to their feed and follow them on Twitter for updates when the latest episodes are released.

tagged: freethegeek ep17 chriscornutt episode conference security

Link: http://freethegeek.fm/episode/episode-0017