Archive for the ‘Security’ Category

Suhosin-Patch 0.9.9.1

Friday, March 5th, 2010

Together with the release of PHP 5.3.2 by the PHP team I have released Suhosin-Patch 0.9.9.1, which comes with bugfixes and new features. The changes are:
- fixed some crash bugs for the IA64 architecture
- check the return value of mprotect() to ensure that memory is read-only - credits: PaX Team
- fixed mprotect() call
- encrypted ...

Month of PHP Security - Blog Post Drawing

Friday, March 5th, 2010

While going through the HTTP_REFERER log of the Month of PHP Security website I realised that there are more incoming referrers from various blog posts about it than there are submissions to drawing@php-security.org. As I previously announced, we will honor 10 blog postings with 25 EUR Amazon coupons. The winners ...

Patch breaks Suhosin Security Feature in Debian Unstable/Testing

Saturday, February 27th, 2010

Two days ago I installed a mail client on my reinstalled desktop system, which had not been doing anything for 2 months, and checked the mails of the hardened-php account that had not been checked for 2 months. Usually no one uses this email account to contact me, but the Suhosin bug reports sometimes ...

Month of PHP Security 2010 - CALL FOR PAPERS

Saturday, February 27th, 2010

I previously blogged a sneak preview of the Month of PHP Security, which is a new initiative to improve security in the PHP ecosystem. Today the call for papers was released. Everyone from the PHP and security community is invited to produce quality articles/advisories about PHP security topics/bugs and submit ...

Sneak Preview: Month of PHP Security 2010

Friday, February 19th, 2010

Three years ago the Hardened-PHP project organized the Month of PHP Bugs. During one month I disclosed more than 40 vulnerabilities in the PHP interpreter in order to improve the overall security of PHP. In the history of PHP this event has been one of a kind. But now, three ...

Advisory 03/2009: Piwik Cookie unserialize() Vulnerability

Wednesday, December 9th, 2009

I released an important advisory about a remotely exploitable unserialize() vulnerability in Piwik today. SektionEins GmbH ...

SektionEins PHP Security Poster

Saturday, November 28th, 2009

My company SektionEins, which is specialised in web application security audits, consulting and trainings, has finished the English translation of the PHP Security Poster. This poster is sent out for free to interested PHP programmers (while stocks last). The poster is of DIN A0 size and details the most ...

RSS09: Web Application Firewall Bypasses and PHP Exploits

Saturday, November 28th, 2009

At yesterday's RSS09 conference I gave a slightly different version of my "Shocking News in PHP Exploitation" talk. This time I disclosed for the first time how unserializing user input in Zend Framework-based applications can result in direct remote PHP code execution. The topics of my talk were easy ways to ...

Shocking News in PHP Exploitation

Saturday, November 28th, 2009

On the 5th of November I gave a talk titled "Shocking News in PHP Exploitation" at the Power of Community hacking/security conference in Seoul, South Korea. Afterwards I uploaded my slides to this server but only distributed the link through Twitter. I totally forgot about announcing the slides in my blog. The topics of ...

CGNSec October 2009

Wednesday, October 7th, 2009

I am pleased to announce that on Thursday, 22nd of October 2009 at 19:30 there will be the 10th CGNSec meetup in Cologne/Germany. The meeting takes place at Hallmackenreuther, Brüsseler Platz 9, 50674 Köln (Google Maps). Everyone working in the field of information security is invited to attend. If you are attending ...