Archive for the ‘PHP’ Category
Tuesday, April 28th, 2009
I will present a session and a workshop at this year's Dutch PHP Conference 2009 in Amsterdam. The session is about writing secure PHP applications with the Zend Framework and the workshop is a PHP security crash course for beginners. Don't expect any magic. If you want to see PHP ...
Posted in PHP, Security | No Comments »
Tuesday, April 28th, 2009
I will present two sessions at this year's International PHP Conference 2009 - Spring Edition in Berlin about Bytekit and writing secure PHP applications with the Zend Framework.
Session: Bytekit - An open source toolset to work with PHP bytecode
Bytekit is a PHP extension that allows PHP applications to directly read ...
Posted in PHP, Security | No Comments »
Friday, February 6th, 2009
A few days ago phpbb.com was hacked through a super-globals-overwrite vulnerability in PHPList that was used by an attacker for a local file inclusion exploit. Details about the whole attack, written down by someone who claims to be the attacker, can be read here. From the explanation it seems that ...
Posted in PHP, Security | 13 Comments »
Tuesday, December 30th, 2008
Two days ago I presented my session about bytecode encrypted PHP applications and how to find vulnerabilities in them at 25C3. I didn't upload the slides until now, because I got ill during the night after my talk and therefore spent most of yesterday in my hotelroom. But here are ...
Posted in PHP, Security | 3 Comments »
Tuesday, December 9th, 2008
For half a year now I was working on a secret project called "PHP Upgrade Simulator" or short ext/usim which is a PHP extension that allows people to evaluate how robust their PHP code base is when it comes to upgrading to future PHP versions. I am happy to announce ...
Posted in PHP, Projects | 24 Comments »
Sunday, December 7th, 2008
Two days ago I blogged about the release of PHP 5.2.7 and how it fixes several security bugs. Because some are mentioned and some are not mentioned in the Changelog, it is usally advised to upgrade to new PHP versions instead of using distribution packages with security backports. The problem ...
Posted in PHP, Security | 9 Comments »
Saturday, December 6th, 2008
SektionEins is an emerging IT security company with a clear focus on web application security. We're constantly looking to hire new and talented people for our team.
Required qualifications:
well-founded understanding of HTTP
good knowledge of state of the art web technology
experience with web application security audits
knowledge of PHP
experience with Ruby, Python, Perl, ...
Posted in PHP, Security | No Comments »
Friday, December 5th, 2008
165 days ago I was sitting at a customer's place and were auditing a large scale web application. The audit was mainly a blackbox penetration test to check if an attacker could attack the application with zero knowledge. However when we found something interesting we were also able to look ...
Posted in PHP, Security | 12 Comments »
Wednesday, November 5th, 2008
I just finished porting php2sql 0.1 to the new Binnavi 2.0 database format. php2sql is my still private way to import PHP bytecode into Binnavi for manual analysation and navigation.
Here are some screenshots how the PHP bytecode of FluxBB 1.2.20 looks like in Binnavi.
First screen shows the project overview window. ...
Posted in PHP, Security | 5 Comments »
Monday, November 3rd, 2008
Now that the PHP namespace seperator is fixed as backslash developers around the world face two problems. On the one hand their source code will end up looking more ugly than .NET source code and on the other hand most non-american keyboards, especially those attached to apple computers will require ...
Posted in PHP | 26 Comments »