the Month of PHP Security » News
http://php-security.org
"improving the security of the PHP ecosystem"

Winners of the Month of PHP Security
http://php-security.org/2010/06/10/winners-of-the-month-of-php-security/
Thu, 10 Jun 2010 20:13:34 +0000, posted by admin

The Month of PHP Security is over and the MOPS CFP Committee has made a final decision about the ranking of the articles and tools submitted to us. And the winners are…

  1. 1000 EUR + SyScan VIP Ticket + CodeScan PHP go to Solar Designer for “How to manage a PHP application’s users and passwords”.
  2. 750 EUR + SyScan VIP Ticket go to Johannes Dahse for “RIPS – A static source code analyser for vulnerabilities in PHP scripts”.
  3. 500 EUR + SyScan VIP Ticket go to Mateusz Kocielski for “The Minerva PHP Fuzzer”.
  4. 250 EUR + SyScan VIP Ticket go to Arthur Gerkis for “Our Dynamic PHP – Obvious and not so obvious PHP code injection and evaluation”.
  5. CodeScan PHP goes to Mateusz Kocielski for “sqlite_single_query(), sqlite_array_query() Uninitialized Memory Usage”.
  6. CodeScan PHP goes to Jakub Vrana for “Context Aware HTML Escaping”.
  7. An Amazon coupon goes to Jordi Boggiano for “Generating Unpredictable Session IDs and Hashes”.
  8. An Amazon coupon goes to Jürgen Pabel for “Configuration Encryption Patch for Suhosin”.
  9. An Amazon coupon goes to Jakub Vrana for “Variable Initialization in PHP”.
  10. An Amazon coupon goes to Mike Boberski for “A New Open Source Tool: OWASP ESAPI for PHP”.

The winners will be notified by email during the next days.

Related Event: Returning into the PHP Interpreter – Remote Exploitation of Memory Corruptions in PHP is not over, yet.
http://php-security.org/2010/05/21/related-event-returning-into-the-php-interpreter-remote-exploitation-of-memory-corruptions-in-php-is-not-over-yet/
Fri, 21 May 2010 09:16:10 +0000, posted by admin

On 18 June 2010 Stefan Esser will present his PHP memory corruption exploitation talk at SyScan Singapore ‘10. The talk is about returning into the PHP interpreter from a remotely triggered memory corruption vulnerability in PHP. The vulnerability discussed will not be disclosed to the public during the Month of PHP Security.

SyScan Singapore 2010

Returning into the PHP Interpreter

Remote Exploitation of Memory Corruptions in PHP is not over, yet.

Among web application security experts there is the popular belief that low level vulnerabilities like buffer overflows and other kinds of memory corruption vulnerabilities do not matter for web application security. In addition, the increasing use of exploit mitigation techniques on modern web servers makes many believe that exploiting remote memory corruptions in web server software is over. But is it really?

This talk will introduce the idea of returning into the PHP interpreter from memory corruption vulnerabilities and discuss the requirements and feasibility of different ways to do that. This idea will then be applied to a yet undisclosed PHP vulnerability, which is exposed to remote attackers in several widespread PHP applications. Different aspects of this vulnerability will be analyzed and it will be explained how they can be abused in remote information leak and memory corruption exploits. The creation of such a remote code execution exploit will then be detailed step by step.

Related Event: PHP Security Course – Advanced PHP Auditing at Source and Bytecode level
http://php-security.org/2010/05/19/related-event-php-security-course-advanced-php-auditing-at-source-and-bytecode-level/
Wed, 19 May 2010 11:40:34 +0000, posted by admin

Two weeks after the Month of PHP Security closes, Stefan Esser will teach an advanced PHP security course at the SyScan Singapore security conference. The course covers advanced techniques for auditing PHP applications for security problems at source code and bytecode level. Don’t miss your chance to learn how to find PHP application security vulnerabilities from our PHP security expert himself.

SyScan Singapore 2010

Advanced PHP Auditing at Source and Bytecode level

This course will teach students advanced methods and techniques for auditing PHP applications at source code and at bytecode level. Students will get to know the most common PHP security problems and how to find them at both levels. Throughout the course several free and open source tools will be introduced and used to visualize application structure, to find security problems with static and dynamic analysis at source code and bytecode level, and to break PHP bytecode encryption.

Student Pre-requisite:

Ability to read, understand and develop PHP code.

Software Requirement:

Required software will be delivered in the form of a VMware Ubuntu Linux installation.

Hardware Requirement:

Laptop Computer

Course Outline:

Source Code Auditing
——————–
Introduction to PHP Source Code Audits

  • What to look for
  • How to look for it

Common and lesser known Vulnerabilities

  • What they look like
  • How to find them

Visualization Techniques

  • Code Coverage
  • Callgraphs
  • Classgraphs
  • Function Traces

Static vs. Dynamic Analysis

Tools

  • Grep + regular expressions
  • Xdebug
  • Bytesuite
  • Dot / yEd

Bytecode Level Auditing
———————–
Introduction to the Zend Engine

Instruction Set of the Zend Engine/PHP Bytecode

  • Important PHP Bytecode instructions
  • How PHP Vulnerabilities look at Bytecode Level

PHP Bytecode Visualization

  • Code Coverage at Bytecode level
  • Callgraphs
  • Code Flow Graphs
  • Classgraphs

PHP Bytecode Encryptors

  • How they work
  • Weaknesses
  • Decryption

PHP Bytecode Decompilation

Static and Dynamic Analysis

  • Collecting variable types
  • PHP Tainted Mode
  • Data flow analysis

Tools

  • Dot / yEd
  • Xdebug
  • Vld
  • Bytekit
  • Bytesuite
  • PHPDecompiler
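
The course outline lists grep with regular expressions as the first source code auditing tool. As an added illustration that is not part of the course material or of php-security.org, the POSIX shell script below runs such a sweep over a small PHP file constructed for this example: one pass lists every call to a sink (code or command execution, file inclusion, unserialize, preg_replace with the /e modifier), a second keeps only sink lines that also read a request superglobal. The sink list, the regexes and the sample file are this example's own choices, not the course's.

```shell
#!/bin/sh
# Added example, not part of the course or of php-security.org: a
# "grep + regular expressions" first pass over PHP source, looking for the
# sinks an auditor wants to see first.  The sample application is constructed
# for this example.

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/index.php" <<'EOF'
<?php
$page = $_GET['page'];
include($page . '.php');                        // inclusion via an intermediate variable
$out = shell_exec('ls ' . $_REQUEST['dir']);     // command execution sink
echo preg_replace('/x/e', $_POST['code'], 'x');  // /e evaluates the replacement as PHP
$obj = unserialize($_COOKIE['state']);           // object injection sink
$safe = htmlspecialchars($_GET['q']);            // encoder, not a sink
echo "static text";
EOF

# Sink patterns, written as POSIX ERE so they work with GNU and BSD grep.
# SINK_CALLS: functions and constructs that execute code, run commands, load
#             files or instantiate objects from attacker data.
# PREG_EVAL:  preg_replace() whose pattern literal carries the /e modifier.
# TAINT:      the superglobals an attacker controls directly.
SINK_CALLS='(^|[^A-Za-z0-9_])(eval|assert|system|exec|passthru|shell_exec|popen|proc_open|include|include_once|require|require_once|unserialize|create_function)[[:space:]]*\('
PREG_EVAL="preg_replace[[:space:]]*\\([[:space:]]*['\"][^'\"]*/[A-Za-z]*e[A-Za-z]*['\"]"
TAINT='\$_(GET|POST|REQUEST|COOKIE|SERVER|FILES)'

# grep_sinks DIR: print FILE:LINE:TEXT for every sink call in DIR's .php files.
grep_sinks() {
    find "$1" -name '*.php' -exec grep -HnE -e "$SINK_CALLS" -e "$PREG_EVAL" {} +
}

# grep_tainted_sinks DIR: sink lines that also read a request superglobal on
# the same line.  Cheaper to review, but it misses flows through intermediate
# variables (the include() of $page above), which is the gap that data flow
# analysis closes.
grep_tainted_sinks() {
    grep_sinks "$1" | grep -E "$TAINT"
}

echo "== all sink calls =="
grep_sinks "$SAMPLE_DIR"
echo "== sink calls with a superglobal on the same line =="
grep_tainted_sinks "$SAMPLE_DIR"
```

On the constructed file the first pass reports four lines (the include, shell_exec, preg_replace and unserialize calls) and the second pass three, because the include() reads $page rather than $_GET directly. That false negative is the usual reason a grep sweep is only the starting point of an audit.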

Winners of the “CFP Spread the Word” Drawing
http://php-security.org/2010/05/04/winners-of-the-cfp-spread-the-word-drawing/
Tue, 04 May 2010 16:05:33 +0000, posted by admin

Within our Call For Papers for the Month of PHP Security we asked the general public to help us spread the word by blogging about the Month of PHP Security Call For Papers, in order to make it more popular and increase the chance of getting good submissions. As a thank you we promised to draw ten names from the list of people who blogged about our call for papers and notified us about it, and to give each of them a 25 EUR / 33 USD Amazon coupon.

Today was the lucky day and we have selected the ten coupon winners. The winners are:

  • Chris Cornutt
  • Fred of Thinkingsecure
  • Christopher Kunz
  • Ooti of PHP Korea
  • Jakub Vrana
  • Andrew Waite
  • Jason Farina
  • David Rook
  • Michael Kliewe
  • Thijs Lensselink

The winners will be notified by email during the next days and we will ensure that they get the coupon.

Welcome to the Month of PHP Security
http://php-security.org/2010/05/01/welcome-to-the-month-of-php-security/
Sat, 01 May 2010 10:08:03 +0000, posted by admin

We welcome you to the Month of PHP Security 2010. This initiative continues the effort of Hardened-PHP’s Month of PHP Bugs from 2007 to improve the security of PHP and the PHP ecosystem. During the month of May 2010 we will post every day at least one new vulnerability in PHP and one new vulnerability in a PHP application. In addition, every other day we will post an article about a PHP security topic or a new PHP security tool. Among these articles and tools are those that were submitted to us during the Month of PHP Security CFP.

We also want to use this initial announcement to thank again the sponsors that made this event possible. Thank you SyScan 2010, thank you SektionEins GmbH and thank you Codescan Ltd.

We hope you will enjoy the Month of PHP Security and maybe even learn a few new things from the posted content.
