Archive for the ‘PHP’ Category
Friday, August 15th, 2008
I previously reported about my joy with MySQL-Proxy and a simple SQL-Injection detection based on a simple heuristic.
Today I present the more interesting approach that I promised to publish after my webinar yesterday. This approach is based on the idea that SQL queries issued by an application always have a ...
Posted in MySQL, PHP, Projects, Security | 16 Comments »
Friday, August 8th, 2008
Since last night PHP 4 is finally dead...
Is it?
Well not really, because there are still millions of servers running PHP 4 that haven't upgraded to the faster, more stable and more secure PHP 5 and most of them will continue to use it. So PHP 4 will still be around ...
Posted in PHP, Projects, Security | 8 Comments »
Wednesday, August 6th, 2008
I just released a long-overdue update to the Suhosin extension. There are only a few changes in it. The full changelog is:
Fixed PHP 4 compilation problem introduced in 0.9.24
Fixed PHP 5.3 compilation problem
Changed PHP default POST handler to PHP's current handler
As usual you can grab your copy at
http://www.suhosin.org/
Posted in PHP, Projects, Security | No Comments »
Tuesday, August 5th, 2008
“MySQL Proxy is a simple program that sits between your client and MySQL server(s) that can monitor, analyze or transform their communication. Its flexibility allows for unlimited uses; common ones include: load balancing; failover; query analysis; query filtering and modification; and many more.”
The flexibility of MySQL Proxy is based on ...
Posted in MySQL, PHP, Projects, Security | 8 Comments »
Monday, August 4th, 2008
At PHP conferences or user group meetings one question that pops up again and again is why Xdebug and some other commercial PHP extensions, e.g. the Zend Debugger, cannot be loaded at the same time. Those asking can usually understand why running two debuggers at the same time will lead to ...
Posted in PHP | 8 Comments »
Sunday, August 3rd, 2008
I will present a session at this year's Power of Community hacking conference in Seoul about vulnerabilities in closed source PHP applications.
Session: Vulnerability Discovery in Closed Source/Encrypted PHP Applications
Security audits of PHP applications are usually performed on a source code basis. However sometimes vendors protect their source code by encrypting ...
Posted in PHP, Security | 1 Comment »
Sunday, August 3rd, 2008
I will present two sessions at this year's International PHP Conference, which has now moved from Frankfurt to Mainz.
Session: Suhosin catching vulnerabilities before they hit you
During the last two years the Suhosin PHP protection system has become a standard component of many PHP installations on various Linux and BSD distributions.
This ...
Posted in PHP, Security | 1 Comment »
Sunday, August 3rd, 2008
I will speak at this year's Zend PHP Conference and Expo about security problems usually missing in talks about PHP security.
Session: Lesser Known Security Problems in PHP Applications
When the security of PHP applications is in focus usually standard XSS vulnerabilities, SQL Injections, Remote File Inclusions, Header Injections and CSRF are ...
Posted in PHP, Security | 1 Comment »
Friday, August 1st, 2008
When I received the following mail today I was very amused, because the TikiWiki developers seem to have a very obscure idea of how to enhance the security of their product.
In the past you have found some vulnerabilities in Tikiwiki that we
have fixed based on your advice. The Tikiwiki community is ...
Posted in PHP, Security | 14 Comments »
Thursday, July 31st, 2008
Quite a long time ago I stopped blogging in my previous blog at php-security.org because I wanted to move to a new domain to be able to finally blog about things other than PHP (or web application) security. Now, after months of silence, I am starting a new blog over here ...
Posted in PHP, Projects | 6 Comments »