Tuesday, December 6. 2005
Phpsecurity.org is launched
Saturday, December 3. 2005
Zen-Cart <= 1.2.6d Security Fix
Here is how to fix it:
Continue reading "Zen-Cart <= 1.2.6d Security Fix"
Sunday, October 23. 2005
Essential PHP Security A Must Read
Chris Shiflett’s latest book, Essential PHP Security, should be required reading for all PHP professionals. It is the necessary antidote to the common misperception that PHP applications fall short on security. With sparkling clarity, Chris demystifies dozens of attacks and provides both solid theoretical and practical bases for coding securely in PHP. Throughout his work as a PHP security consultant, and culminating in this book, Chris has defined the lexicon for web security — telling us precisely what it means to filter input, and precisely what it means to escape output — as well as when, how and why. This is nothing short of a seminal work on web application security as it applies specifically to PHP. I intend to make it required reading in my department, and recommend it highly to colleagues in other companies developing web applications in PHP.
Continue reading "Essential PHP Security A Must Read"
Sunday, September 25. 2005
High Security On Mac/Linux Using GPG and a ThumbDrive
- the encrypted file(s) - on your computer
- the private key needed to decrypt the files - on your thumbdrive
- the password required in combination with the private key to decrypt files - in your head
The process is simple and affords a great degree of security to your encrypted files, because all three components must be assembled to decrypt the data — a difficult task for a laptop thief or even a nosey coworker to accomplish, especially if you remove your thumb drive from your computer when you are not using it.
Continue reading "High Security On Mac/Linux Using GPG and a ThumbDrive"
Tuesday, September 13. 2005
Essential PHP Security Coming Soon
Sunday, July 17. 2005
Scamming Back
The BBC released an interesting article about a group called 419 Eater that is baiting and harassing perpetrators of 419 (aka “Nigerian Bank”) scams. From their code of ethics (which really is a FAQ), it seems the group aims to waste the time and resources of fraudsters while having fun stringing them along by their greed. This ostensibly is why the baiters do not consider the “sport” a waste of their own time, since they enjoy seeing how ludicrous a story the fraudsters will buy, and how demeaning a photo they can get the fraudsters to send in of themselves. While I can understand the frustration of anyone stung by an Internet scam (yes, I still capitalize that word — but that’s another post) I still feel that Internet vigilantism of any form often does more harm than good.
Continue reading "Scamming Back"
Sunday, April 24. 2005
Which Hat Are You Tipping?
“Whoever fights monsters should see to it that in the process he does not become a monster. And when you look long into an abyss, the abyss also looks into you.” - Friedrich Wilhelm Nietzsche
I was browsing through the Computer section of a major bookseller when I came across a book on hacking techniques endorsed by a computer science professor at Princeton, whose quote said, in effect, the only way to understand how to defend against hackers is to understand exactly how they hack.
Really?
Continue reading "Which Hat Are You Tipping?"
Tuesday, April 19. 2005
Understanding The Latest PHP Security Release
Since we are now starting to see news reports about the latest release of PHP, and since these reports seem to be spinning this release as a knock against PHP, I thought I’d offer some context. My understanding is that the biggest security problem this release fixes is an infinite loop/buffer overflow problem with getimagesize, wherein a specially crafted user-defined image passed to the getimagesize function could create a DoS or arbitrary code execution problem.
Continue reading "Understanding The Latest PHP Security Release"