Community News:
Composer v1.6.4 Release (with Security Fix)
Apr 16, 2018 @ 10:50:02

Composer, the de-facto standard way to install PHP packages, has published a new release that includes a major security update. Jordi Boggiano made this comment about the release on Twitter:

After triaging/merging/fixing almost 200 issues in the last couple days, Composer v1.6.4 is out! It contains a security fix and is therefore a much recommended update for all.

Other changes include fixes for:

  • a regression in version guessing of path repositories
  • the updating of package URLs for GitLab
  • init command not respecting the current php version when selecting package versions
  • exclude-from-classmap symlink handling

You can grab the latest version from the Composer site or you can use its own self-update command.

tagged: composer release v164 security fix bugfix package

Link: https://twitter.com/seldaek/status/984744594566008832

Checkpoint Research Blog:
Uncovering Drupalgeddon 2
Apr 13, 2018 @ 10:22:46

On the Checkpoint Research blog there's a recent post covering the recent critical Drupal bug, a.k.a. Drupalgeddon 2, and providing a deeper look into the bug and how the exploit worked.

Two weeks ago, a highly critical (21/25 NIST rank) vulnerability, nicknamed Drupalgeddon 2 (SA-CORE-2018-002 / CVE-2018-7600), was disclosed by the Drupal security team. This vulnerability allowed an unauthenticated attacker to perform remote code execution on default or common Drupal installations.

[...] Until now details of the vulnerability were not available to the public, however, Check Point Research can now expand upon this vulnerability and reveal exactly how it works.

The post covers the basic issue, a lack of input sanitization on Form API requests, and what versions it existed in. It then dives into the technical details, showing a proof of concept for the exploit and how an attacker might locate a place in the application to use it. It also looks behind the scenes at the code that handles the request and shows where the issue lies. The post ends with a look at "weaponizing" the exploit and executing whatever code you'd like on the server.

tagged: drupal security issue drupalgeddon2 indepth technical detail

Link: https://research.checkpoint.com/uncovering-drupalgeddon-2/

Fortrabbit Blog:
Your responsibility: App security
Apr 09, 2018 @ 11:45:17

On the Fortrabbit blog there's a post from Oliver Stark about securing your PHP application based on an experience they had with a recent support ticket.

A few days ago, late in the evening, we received a support ticket with the [message asking if their site had been hacked]. The support team started the conversation with the client and checked the domain routing first. It quickly became clear that the redirects to the phishing domain happened on our platform, so they searched the access logs for suspicious requests.

As they searched the logs, other similar requests showed up pointing back to a root.php file that seemed to be taking commands from URL parameters. This kind of script is called a "webshell" and is usually uploaded via a vulnerability with a plugin, poorly guarded upload forms or bad input validation. After some additional tracking, the vulnerability was located in the site's "vendor" folder that was web accessible. The post finishes with some recommendations to keep this from happening to you and your application including keeping dependencies up to date and preventing direct "vendor" folder access.

tagged: application security fortrabbit webshell experience

Link: https://blog.fortrabbit.com/app-sec

PHP.net:
PHP 7.1.16 & 5.6.35 Released
Mar 30, 2018 @ 09:15:55

On the main PHP.net site, they've posted announcements about the release of minor versions of PHP 7.1.x and 5.6.x: 7.1.16 and 5.6.35.

The PHP development team announces the immediate availability of PHP 5.6.35 [and PHP 7.1.16]. This is a security release. One security bug was fixed in this release. All PHP 5.6 [and 7.1] users are encouraged to upgrade to this version.

The bugfixes included in these releases deal with changes in the FPM handling, ODBC functionality, and Phar building. You can download this latest release from the main downloads page (source) or from the windows.php.net site for the Windows binaries.

tagged: language release php7 php56 bugfix security

Link: http://php.net/index.php#id2018-03-29-3

Community News:
Critical Drupal Security Vulnerability Announced
Mar 29, 2018 @ 09:13:19

The Drupal project has announced a critical security vulnerability in the currently supported versions of the popular CMS: Drupal 7 and 8 (as well as v6). The announcement on the main Drupal site details the issues and provides a link to an FAQ with more detail about the issue.

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.

[...] Drupal 8, 7, and 6 sites are affected. According to the Drupal project usage information this represents over one million sites or about 9% of sites that are running a known CMS according to Builtwith.

The issue could allow an attacker to take full control of the application and execute whatever code they'd want to on the server. They recommend upgrading immediately to safeguard your Drupal application. They also provide links to a guide on what to do if you are hacked and to the Drupal 6 patch (as well as steps you can take if you can't upgrade).

tagged: drupal cms vulnerability security announcement upgrade

Link: https://www.drupal.org/sa-core-2018-002

PHP.net:
Multiple Versions Released - 7.1.15, 5.6.34 & 7.2.3
Mar 05, 2018 @ 12:43:35

The main PHP.net site has posted the announcement(s) of the release of updates for the three supported versions of the language: 7.1.15, 5.6.34 & 7.2.3.

The PHP development team announces the immediate availability of PHP 7.1.15, 5.6.34 and 7.2.3. This is a security fix release, containing one security fix and many bug fixes. All [PHP] users are encouraged to upgrade to this version.

Fixes include changes to the DateTime handling, LDAP connectivity, Phar construction, PostgreSQL issues and changes to the SPL. You can get these latest versions either from the main downloads page or on windows.php.net for the Windows binaries.

tagged: multiple version release php71 php72 php56 security bugfix

Link: http://php.net/archive/2018.php#id2018-03-02-1

Three Devs & A Maybe:
Symmetric and Asymmetric Encryption with Scott Arciszewski
Feb 07, 2018 @ 10:58:16

In the latest episode of the Three Devs and a Maybe podcast, hosted by Michael Budd, Fraser Hart, Lewis Cains and Edd Mann, they welcome back Scott Arciszewski for another round of security discussion, this time around symmetric and asymmetric encryption.

In this week's episode we are lucky to be joined again by Scott Arciszewski. We start off the show by discussing the difference between Symmetric and Asymmetric Encryption, what Authenticated Encryption is and how secret-keys are exchanged using Diffie-Hellman. From here, we move on to highlight how Elliptic-curve cryptography works, what DNSCrypt is and why prime numbers are so important in cryptography. Finally, we touch upon multi-factor authentication, how one time passwords work, SMS vulnerabilities and how to manage password recovery.

There's a wide range of security and cryptography related topics mentioned and linked in the post. You can listen to this latest show either using the in-page audio player or by downloading the mp3 directly. If you enjoy the episode, be sure to subscribe to their feed and follow them on Twitter to get updates when new shows are released.

tagged: threedevsandamaybe podcast scottarciszewski security cryptography encryption

Link: http://threedevsandamaybe.com/symmetric-and-asymmetric-encryption-with-scott-arciszewski/

Symfony Blog:
New Core Team Member, Security Team Leader
Jan 29, 2018 @ 11:25:03

On the Symfony blog the project has made an announcement about a new addition to the Symfony team to help handle security issues around the framework: Michael Cullum.

Handling security issues responsibly and transparently is key to the success of any Open-Source project. Symfony is no exception. We documented the process of our security management policy a long time ago.

[...] Today, I'm very happy and proud to announce that we are getting to the next level. Michael Cullum accepted to join the Symfony Core Team to lead the security team. He will be responsible for managing the security process.

Michael is the secretary of the PHP-FIG group, represents the PHPBB project and is a heavy user of the Symfony framework. Having Michael on the team means that there will be a central point of contact and someone whose primary role is ensuring the safety and security of the overall project and framework.

tagged: core security team member michaelcullum symfony project framework

Link: http://symfony.com/blog/new-core-team-member-security-team-leader

php[architect]:
PHP Sessions in Depth
Jan 23, 2018 @ 11:16:33

php[architect] magazine has republished an article from their January 2018 issue by Jeremy Dorn that covers PHP sessions in-depth.

PHP Sessions are often taken for granted. A session is a magic array which persists across page loads and holds user-specific data. It's a fantastic and integral part of most web applications. But when misused, sessions can cause substantial security holes, performance and scalability problems, and data corruption. A deep understanding of sessions is vital to production web development in PHP.

The article covers various topics around PHP sessions and their use including security, performance and scalability. It also covers a few additional topics like serialization of data, session locking and intelligent auto-merging of sessions on the backend. Check out the full article for descriptions of each and some code examples to help show them in action.

tagged: sessions detail security performance scalability additional tutorial

Link: https://www.phparch.com/2018/01/php-sessions-in-depth/

RIPS Technologies:
PHP Security Advent Calendar 2017 Wrap-Up
Jan 05, 2018 @ 11:52:08

On their blog, RIPS Technologies have shared a wrap-up of their security advent calendar shared at the end of last year. The calendar provided a daily challenge related to a PHP security issue that may or may not be commonly known.

In this year's PHP Security Advent Calendar we published 24 challenges for the PHP community where security issues were hidden in code snippets for fun and training. The challenges are based on real-world security vulnerabilities that we found with the help of RIPS over the last year in popular PHP applications. In this blog post we are going to discuss the main take-aways from our advent calendar regarding PHP security.

The calendar covered several different types of challenges but they fell into a few overall categories: issues with user input, weak typing, odd behavior of built-in features and the overall diversity of possible bugs.

The root causes for the security issues presented in our challenges are not new. But the diversity and combination of these pitfalls are sheer endless and trick even skilled developers. What looks secure at first sight quickly turns into an exploitable security bug. [...] We would like to thank everyone who participated, discussed, and provided great feedback and we hope our challenges helped in sharpening your security skills in a fun way!

tagged: security advent calendar wrapup 2017 ripstech

Link: https://blog.ripstech.com/2018/php-security-advent-calendar-wrap-up/