About
-
Use information disclosure to gather PHP configuration statistics
von
in PHPDamien Seguy from nexen.net sent an e-mail with a notice about his newest statistics project: „PHP configuration statistics“. He gathered output of around 12,000 public available phpinfo() scripts. Some of the results of his investigations: Here are some funny and not so funny stats. PHP admins likes to compile PHP in Summer Register global is…
-
Chorizo available for French customers: win an iPod Nano!
Today, we’re announcing a reselling partnership between Mayflower GmbH and Waterproof S.A.R.L., makers of PHP IDE PHPEdit and a French based company. They’re reselling the Chorizo! software to their customers and in their local country France. You can view the product page on their website. If you happen to be on Forum PHP in Paris…
-
MySQL Webinar: LAMP – Security for the Web2.0
It has only been two years since Tim O’Reilly coined the phrase Web 2.0 and even shorter time since Jesse James Garret created the shortcut AJAX for the base technology of modern internet applications. In this period the nature of web applications underwent a major change in user experience and development methods. It is the…
-
Code Inclusions on a Silver Plate
von
in PHPLooking for code inclusions? The versatile google cluster has a solution for this, like for many other tasks. This search lang:php \secho\([^)]*_REQUEST[^)]*\); lets You find various places where some variable from the superglobal $_REQUEST is printed with echo. By the same means, you can easily find places where such a variable is directly included in…
-
Buy one XSS, get a CSRF for free
Cross Site Request Forging (see http://en.wikipedia.org/wiki/Cross-site_request_forgery for more information) has been around for a while now. It misuses the trust of a web application that every request sent by the browser is wanted by its user.For example, if you know that i am logged in to our blog admin backend most of the time, and…
-
Web2.0 Security: Warum im Web2.0 Gefahren lauern
Aus dem Symantec Internet Security Threat Report: 69% aller Vulnerabilities passieren in Webapplikationen. Die Mitre Corporation CVE Datenbank bestätigt: 21,5% aller Lücken sind XSS Lücken. Johann-Peter Hartmann, CTO Mayflower GmbH, zeigte auf der AJAX in Action in Frankfurt dieser Woche, warum insbesondere Web2.0 und XSS besonders weh tun: bis zu 100% der üblichen MVC (Model,…
-
Understanding successful tracing of security vulnerabilities
Web applications can easily become very complex. Several hundreds of thousands of lines of code (no HTML templates!) is usual at larger corporate solutions. This also means that your PHP applications follows the standards like object oriented programming, nested classes etc. When it comes down to detect security vulnerabilities, a lot of tools are available.…
-
SQL injections for dummies – and how to fix them (Update)
Well, database operations are bread-and-butter work for most PHP applications. PHP and MySQL, for example, have been like brother and sister for many years. You may have heard about „SQL injections“, a bad taste from the outside world of $_GET, $_POST, $_COOKIE and the like. Everybody should know that you shouldn’t pass variables from outside…