Php-security - php-security.net - Yet Another PHP Security Blog

Latest News:

Piwik sourcecode backdoored 28 Nov 2012 | 03:25 pm

It appears that between 15:43 UTC and 23:59 UTC on November 26th, the piwik.org web server was serving a backdoored version of the popular open-source web analytics tool. This version contained some PH...

About "calculation" CAPTCHAs 31 Oct 2012 | 01:42 pm

During one of my PHP security sessions, I was asked about “calculation captchas”. These look like this: and the Turing test (if you want to call it that) is solving the task in the picture. But wait,...

The current state of CSP implementations? 24 Oct 2012 | 06:22 pm

OK, so I was playing around with Content Security Policies for a bit. I hacked up a very, very basic example page (you can switch the CSP headers off by omitting the query string) that sets the follo...

PHP 5.4.3 and 5.3.13 released - security issues fixed 9 May 2012 | 07:44 am

Two versions of PHP were just released and fix different security issues. With that, I think the problems that caused a stir last week are now fixed. Read more here: PHP 5.4.3 and 5.3.13 fix several s...

Mitigation for CVE-2012-1823 / CVE-2012-2311? 4 May 2012 | 06:23 pm

So PHP 5.4.2 and 5.3.12 do not fix the security issue reported in CVE-2012-1823 and discussed here earlier. The original advisory has a number of mitigation opportunities and an additional patch, and ...

New PHP-CGI exploit: CVE-2012-1823, PoC exploit 3 May 2012 | 11:46 pm

This article contains various edits to account for recent developments. Stay tuned. Some folks found an interesting bug while playing CTF at Nullcon 2012. If you run PHP as a plain CGI or via mod_cgi...

Suhosin 0.9.34-dev installation howto 3 May 2012 | 07:44 pm

With the recently released PHP 5.4, the Suhosin patch and extension were removed from many Linux distribution packages (e.g., Debian et al.), and until three weeks ago there was no possibility to comp...

SSL CA Trust relationships and the future 12 Apr 2011 | 07:59 pm

There’s a very good writeup by fellow security analyst Moxie Marlinspike in the ThreatPost blog that details the current issues with SSL and trust roots - and although a little short on actual mitigat...

Month of PHP Security 28 Feb 2010 | 07:44 am

The folks at SektionEins security consulting are starting a new Month of PHP Security. They are currently collecting interesting entries via a public CfP on php-security.org and will publish the most ...

Geode, Loki and the implications 10 Oct 2008 | 02:24 am

(Preface: Most of the scenarios I am going to point out have actually been around for a long time, since the Loki toolbar has existed for a while now. However, I live under a stone and seem to learn things a ...
