April 19, 2008

Last month we started hearing reports about an iframe injection that has infected thousands of websites and servers. The malware in question is a variant of Zlob and attempts to install itself on the client side through an ActiveX control, posing as an unsigned RealPlayer control, as reported by McAfee Avert Labs.

There are details on how the malware tries to infect clients, but not much information on how the servers themselves were compromised. In March 2008, McAfee estimated that nearly 200,000 web pages had been found infected, most of them running phpBB.

Today Hostdepot sent a newsletter alerting customers that their servers are victims of the "iframe" attack and that they are working to resolve it. Many servers worldwide are still infected with this malware. phpBB was the vector of the Perl/Santy.worm attack back in 2004, but the server-side entry point of the malware this time is still unknown.

August 13, 2007

When a server is not well configured and the system administrator didn't do his job properly, there is no reason to blame PHP. This is not a defense of the PHP scripting language, just an attempt to be realistic and to give Caesar what belongs to Caesar!

The mod_php problem (PHP source being sent to the browser as plain text instead of being executed) is well known to system admins, and if you deal with high-traffic websites it's something very common to face and to resolve. Personally, during my 7-8 years of experience with PHP, I never faced such problems, even with very high traffic of one million unique visitors a day and more!

Nik Cubrilovic, who posted the news on TechCrunch, also posted on his blog some tips to prevent "PHP leakage". The easiest way is to use mod_security to filter the output and block any leak, which I find the most efficient approach. Whether the code lives outside or inside the webroot doesn't matter much. I would rather recommend using PEAR if you want your scripts, or at least your classes, to stay outside the webroot. I'm curious to hear other experts' opinions on the subject, especially since this is the case of a very popular website such as Facebook.
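An added configuration example, not taken from the original post or from Nik Cubrilovic's tips, showing the two layers a practitioner would want: make Apache execute every PHP file it might serve, and let ModSecurity refuse any response that still carries PHP source. The Apache directives assume a stock mod_php 5 setup on Apache 2.2; the ModSecurity directives are the 2.x ones as I know them, and the rule id, status code and message are my own choices.

```apache
# Leaky variant: a handler that covers only .php leaves .inc and .phtml files
# to be served as plain text (commented out on purpose).
# AddHandler php5-script .php

# 1. Every file that may contain PHP is executed, never served as text.
<FilesMatch "\.(php|phtml)$">
    SetHandler application/x-httpd-php
</FilesMatch>

# 2. Include files are never served directly, whatever handler is in place.
<FilesMatch "\.inc$">
    Order allow,deny
    Deny from all
</FilesMatch>

# 3. Last line of defence: inspect what actually leaves the server.
SecRuleEngine On
SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html text/xml
SecResponseBodyLimit 524288

# A PHP open tag in a response body means the interpreter did not run on it.
# Block and log instead of handing the source code to the client.
SecRule RESPONSE_BODY "<\?php" \
    "phase:4,id:900001,t:none,deny,status:500,log,msg:'PHP source code leakage'"
```

Step 3 costs CPU on every text response, so keep SecResponseBodyLimit modest and restrict SecResponseBodyMimeType to the types PHP actually produces; the rule is a safety net for the day the handler mapping breaks, not a replacement for steps 1 and 2.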

June 20, 2007

PHPIDS is a PHP security project which aims to provide a security application layer to protect any PHP web application. Using PHPIDS you will be able to see who is attacking your site and how, while keeping your project safe. The application is simple, fast and easy to use, and is released as open source under the LGPL.
The IDS neither strips, sanitizes nor filters any malicious input; it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to. Based on a set of approved and heavily tested filter rules, any attack is given a numerical impact rating, which makes it easy to decide what kind of action should follow the hacking attempt. This could range from simple logging to sending out an emergency mail to the development team, displaying a warning message to the attacker or even ending the user's session.
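An added example, not from the PHPIDS project's own documentation, of what the "react the way you want" part looks like in practice: feed the request to the monitor, read the summed impact rating, and pick the reaction by threshold. The class and method names (IDS_Init, IDS_Monitor, the report's isEmpty() and getImpact()) follow the PHPIDS 0.x examples as I recall them and should be checked against the docs shipped with the release you use; the thresholds, log format and alert address are my own assumptions.

```php
<?php
// Added example of wiring PHPIDS into a page; class/method names follow the
// PHPIDS 0.x examples as I remember them, thresholds and addresses are mine.
require_once 'IDS/Init.php';

session_start();

// Everything the attacker controls goes in. PHPIDS only inspects these
// arrays and never modifies them, so input validation stays the app's job.
$request = array(
    'REQUEST' => $_REQUEST,
    'GET'     => $_GET,
    'POST'    => $_POST,
    'COOKIE'  => $_COOKIE,
);

$init   = IDS_Init::init(dirname(__FILE__) . '/IDS/Config/Config.ini');
$ids    = new IDS_Monitor($request, $init);
$result = $ids->run();            // one report entry per matched filter rule

if (!$result->isEmpty()) {
    $impact = $result->getImpact();   // sum of the matched rules' impact values
    $report = str_replace("\n", ' ', (string) $result);

    // Keep a record of every hit, whatever the score.
    error_log(sprintf('[PHPIDS] impact=%d ip=%s %s',
        $impact, $_SERVER['REMOTE_ADDR'], $report));

    if ($impact >= 50) {
        // Clearly hostile: alert the team, drop the session, stop serving.
        mail('security@example.com', 'PHPIDS alert (impact ' . $impact . ')', $report);
        $_SESSION = array();
        session_destroy();
        header('HTTP/1.1 403 Forbidden');
        exit('Request blocked.');
    } elseif ($impact >= 15) {
        // Suspicious: let the request through but count strikes per session,
        // so a slow probe that never crosses 50 still gets noticed.
        $_SESSION['ids_warnings'] = isset($_SESSION['ids_warnings'])
            ? $_SESSION['ids_warnings'] + 1 : 1;
        if ($_SESSION['ids_warnings'] >= 3) {
            mail('security@example.com', 'PHPIDS: repeated probes', $report);
        }
    }
    // Below 15: the log line is enough; the page renders normally.
}
```

The thresholds are the part you tune per site: run PHPIDS in log-only mode for a while, look at the impact distribution of real traffic, and only then put the block action above the noise floor, otherwise legitimate users pasting HTML into a form will be the first ones locked out.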

May 16, 2007

Ilia Alshanetsky posted his talks from php|tek 2007. The two tutorials took six hours of talking, wow! And they are quite interesting. One of the tutorials is about Securing PHP Applications (PDF) and includes a security roundup for PHP application development. "Security is a road, not a destination!" is self-explanatory.

There are some recommendations I find very useful, for example about reducing the number of PHP extensions currently installed, securing sessions and files, and protecting your scripts from injections, XSS and other kinds of exploits. Ilia is the author of php|architect's Guide to PHP Security, an excellent security reference for PHP developers; check it out if you are looking for a more detailed PHP security analysis.

April 8, 2007

The PHP Security Consortium released PhpSecInfo 0.2.1, an equivalent of the phpinfo() function that reports security information about the PHP environment and offers suggestions for improvement. The new release fixed some significant bugs; from the changelog:

  • uid and gid tests now correctly test the user and group that PHP is executing as (requires that exec() or the posix functions are enabled)
  • upload_max_filesize and post_max_size now return "OK" if the current value is equal to the recommended value
  • fixed nonstandard naming of a couple of locally used constants
  • fixed an XHTML validity problem in the case of tests that did not run

April 3, 2007

Armorize Technologies has an interesting on-demand PHP source code analysis service, CodeSecure. The product, developed specifically for PHP, is a tool for identifying and fixing vulnerabilities in custom-developed PHP applications.


According to Armorize, CodeSecure uses verification technology to analyze source code: the analysis forms an overall picture of the code, describes the functions and systematically checks for vulnerabilities, which are then traced and rated for severity, depth and scope. Armorize describes it as the most advanced, effective and comprehensive solution available to date. For more information see Security As A Service; you may also check Armorize's vulnerability database, which has a very nice graph illustrating the number of vulnerabilities in different categories since 1999.
