Professional PHP » php-security

Improving Web Application Installation as a Security Imperative

Jeff — Thu, 08 Dec 2005 05:18:13 +0000

It looks there is a Mambo worm out now. I read Hackers Hitting Popular Apps a couple of weeks ago and it mentioned that hackers are targeting PHP apps among other things. Dog bites man for some. More interesting was this quote:

“The bottom line is that security has been set back nearly six years in the past 18 months,” Alan Paller, director of research for the SANS Institute, wrote in an E-mail. “Six years ago, attackers targeted operating systems and the operating system vendors didn’t do automated patching. In the intervening years, automated patching protected everyone from government to grandma. Now the attackers are targeting popular applications, and the vendors of those applications do not do automated patching.”

I’ve advocated better web application installation for a while, but as a usability issue. Increasingly, it is also a security issue. Just another example of why I think the PEAR installer is important. (and why I hope Zend PHP Framework is released on a PEAR channel.)

PHP Application Security

Jeff — Sun, 20 Feb 2005 23:33:56 +0000

I went through today and reorganized the PHP Application Security pages on the WACT Wiki. This mini wiki within a wiki is one of the most popular pages there. While the page has been popular, it hasn’t attracted much contribution.

I broke the existing entries up into four main categories. There is alot of structure here and thin content. Hopefully this will form an attractive nuisance for a collaborative effort to fill in some of the entries.

A Catalog of Security Vulnerabilities – Bad Security Smells.
A Catalog of Security Attacks – Attacks against PHP Applications and how to foil them.
A Catalog of Security Sensitive Functions – A List of PHP functions and their security implications.
A Catalog of Secure Practices – Best practices for secure applications.

I’ll probably start filling in the information the next time I go out of town and have internet access. I find it soothing when I am away from my standard development environment to google for security articles and summarize the information on the wiki. Thats how these pages were born.

Yes, I’m a geek.

PHP Security Ramblings

Jeff — Mon, 17 May 2004 13:55:17 +0000

I really haven’t had much time to work on the WACT PHP Application Security wiki page. Here is a roundup of some of the PHP security articles that I have collected since the page went up.

The Google Hackers Guide (PDF) has a nice summary of the search features of google. It also has a information on how hackers might use these features to find vulnerabilities on your site.

I’ve always been a bit uncomfortable with putting “Powered By” links on pages. That said, there is one at the bottom of this page. If a security problem is discovered in Wordpress, google will happily provide a list of vulnerable sites. If I were a comment spammer, I know the phrase “Powered by Wordpress” would be my friend.

Slashdot had a link to Hardened PHP, a version php built with some extra security checks and logging. Slashdot also had a PHP Security Article a few weeks ago. I wasn’t impressed by the site they were linking to, but some of the comments aren’t bad. Here is another short PHP Security article.

The summary:
If it comes in, check it.
If it goes out, escape it.

A usability note:
Double buffer your input so that your security filters don’t change the user’s input on validation round trips and make sure that special characters like <> ” ‘ still work in places where they make sense. (Unlike sourceforge which cannot correctly display < or > in bug reports or feature requests.)