Pádraic Brady:
PHP Security: Default Vulnerabilities, Security Omissions & Framing Programmer
Aug 27, 2012 @ 10:05:13

In this new post (and this related article) Pádraic Brady shares some of his opinions about the default security that languages should provide and the Secure By Design principles.

Odd though it may seem, this principle explains some of PHP’s greatest security weaknesses. PHP does not explicitly use Secure By Design as a guiding principle when executing features. I’m sure it’s in the back of developers’ minds just as I’m sure it has influenced many of their design decisions, however there are issues when you consider how PHP has influenced the security practices of PHP programmers. The result of not following Secure By Design is that all applications and libraries written in PHP can inherit a number of security vulnerabilities, hereafter referred to as “By-Default Vulnerabilities”.

He focuses on what he sees as a responsibility of those creating the language to either default to a more secure architecture or provide information as to why their choices could cause problems. In the extended version of the post, he talks about some specific issues that the language has including SSL/TLS misconfiguration, openings for XML entity injection attacks and limited native filtering for cross-site scripting.

tagged: security default vulnerabilities responsibility developer securebydesign

Rochak Chauhan's Blog:
Top Ten Security Vulnerabilities in PHP Code
Aug 04, 2008 @ 12:58:10

Rochak Chauhan has come up with a list of ten security problems that could be lurking in your applications, waiting to pop up at the worst time. Here's his list:

  • Unvalidated Parameters
  • Broken Access Control
  • Broken Account and Session Management
  • Cross-Site Scripting (XSS) Flaws
  • Buffer Overflows
  • Command Injection Flaws
  • Error Handling Problems
  • Insecure Use of Cryptography
  • Remote Administration Flaws
  • Web and Application Server Misconfiguration

Each item on the list has a bit of detail (and sometimes some code) to help point out the problem. Some of them even have references to external sources and packages to help you solve the problems.

tagged: security vulnerabilities list example references

PHPBuilder.com:
Validating PHP User Sessions
Apr 07, 2008 @ 11:12:33

On PHPBuilder.com, there's a new tutorial about validating user sessions - ensuring that data in your user's sessions is valid and isn't an attack trying to sneak in.

In a nutshell, sessions are the way that we "maintain state" from one page to the next, that is, how we identify specific users across multiple page requests. The ability to track users as they go from one page to the next using sessions allows us a number of options, such as tracking where they are going (web statistics) or to verify credentials for a specific section of the site.

First, there's a short introduction to sessions for those unsure of their use. It's followed by a look at some session vulnerabilities that could be introduced by malicious users looking to break things on your site (including HTML/JavaScript injection, as their example shows).

They recommend a three-step plan to get started with validating your users' sessions: make it easy for users to log out when they want to, use unique aspects of the remote machine to define the session, and validate all user input, especially anything that will be put into a session variable.

tagged: tutorial session security tip vulnerabilities injection validate

Pierre-Alain Joye's Blog:
PHP Security Conference in Paris, 2007/01/29
Jan 17, 2007 @ 11:54:00

Pierre-Alain Joye has posted a reminder about an event happening on the 29th of January (2007) with Damien Séguy in Paris concerning PHP security.

He will focus on the XSS and CSRF aspects of the web applications: sources of the vulnerabilities, attacks/exploits and the defense techniques. I will sadly not attend but such events are rare enough to be mentioned loudly.

The talk is part of this meeting and requires an RSVP to attend, so if you'd like to attend, please sign up today.

tagged: security conference paris forum xss csrf vulnerabilities attack exploit defense

LWN.net:
Remote file inclusion vulnerabilities
Oct 12, 2006 @ 10:27:00

According to this article from LWN.net, you might need to be a bit wary of how you use the allow_url_fopen configuration parameter on your server. Apparently there are some remote file inclusion issues that could cause problems for calls to include or require already in your code.

An attacker's fondest wish is to be able to run their code on the target system; an RFI exploit does just that. By exploiting two very dubious 'features' of the PHP language, an attacker can inject their code into a PHP program on the server.

Basically, if an attacker can control a variable that is used inside an include, they can get the script to load and run code from their own server instead of the local copy. Turning off register_globals will provide some protection, but poor programming and a lack of input validation can poke holes in the script's security without the need for globals.

Check out the rest of the article for more information on this (potentially) serious issue and check your code/configuration doubly to make sure you're not at risk.

tagged: remote file inclusion vulnerabilities lwn article report

Chris Shiflett's Blog:
Google Code Search for Security Vulnerabilities
Oct 06, 2006 @ 06:49:21

Recently, Google released a new service for their search engine, Google Code Search. It allows developers to look through and locate items in public source code through the simple Google interface we're all used to. Fortunately, there are also a few security problems the site can help with, and Chris Shiflett shares some of these in his latest post.

Stephen de Vries sent an email to SecurityFocus's web application security mailing list earlier today to comment on the new Google Code Search: "Google's code search provides an easy way to find obvious software flaws in open source and example applications."

Chris talks about cross-site scripting problems, issues with the superglobals, SQL injection problems, and even misplaced trust in the $_SERVER superglobal. Each of the items is linked to its search terms on Code Search to make it easy to locate.

tagged: vulnerabilities search google xss sqlinjection superglobal

ThinkPHP Blog:
Understanding successful tracing of security vulnerabilities
Sep 21, 2006 @ 07:34:33

In this new post on the ThinkPHP blog, there's more talk about their Chorizo! security scanner and how, with a little help from their Morcilla product, you can find problems easily. Now, interpreting them is another matter, so they show you a simple way to determine just what went wrong.

Sometimes it's not very easy to check if a vulnerability occurred where Morcilla told you it occurred. In order to pinpoint this issue, it is necessary that you get a deeper look to the callstack of all the functions that were involved calling the SQL abstraction layer.

They include a screenshot of how the functionality will (in the upcoming version) work in the case of a MySQL SQL injection problem.

tagged: vulnerabilities security chorizo morcilla trace screenshot sql injection