http://security.phpmagazine.net/ http://security.phpmagazine.net/images/logo.png http://security.phpmagazine.net/ en Copyright 2008 Fri, 20 Jun 2008 21:48:18 +0000 http://blogs.law.harvard.edu/tech/rss HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also make sure your documents are... http://security.phpmagazine.net/2008/06/html_purifier_standardscomplia.html http://security.phpmagazine.net/2008/06/html_purifier_standardscomplia.html Tools Fri, 20 Jun 2008 21:48:18 +0000 To keep your database safe from SQL injection attacks, GreenSQL is a new Open Source database firewall that you might give a try. GreenSQL works as a reverse proxy and has built in support for MySQL. The logic is based... http://security.phpmagazine.net/2008/05/greensql_open_source_database.html http://security.phpmagazine.net/2008/05/greensql_open_source_database.html Tools Sat, 31 May 2008 06:31:39 +0000 Last month we started hearing reports about an Iframe injection that infected thousands of websites and servers. The malware in question is a variant of Zlob and attempt to install itself in the client-side throught an ActiveX, as an unsigned... http://security.phpmagazine.net/2008/04/mass_iframe_attack_continue_in.html http://security.phpmagazine.net/2008/04/mass_iframe_attack_continue_in.html Alert Sat, 19 Apr 2008 07:19:36 +0000 When a server is not well configured and the system administrator didn't make his job correctly, there is no reason to blame PHP. It's not in defense of the PHP scripting language, but to be realistic and to give to... http://security.phpmagazine.net/2007/08/facebook_code_revealed_mod_php.html http://security.phpmagazine.net/2007/08/facebook_code_revealed_mod_php.html Experience Mon, 13 Aug 2007 18:29:04 +0000 PHPIDS is a security PHP project which aims to provide a security application layer to protect any PHP web application. Using PHPIDS you will be able to see who is attacking your site and how, while keeping your project safe.... http://security.phpmagazine.net/2007/06/phpids_phpintrusion_detection.html http://security.phpmagazine.net/2007/06/phpids_phpintrusion_detection.html Tools Wed, 20 Jun 2007 09:15:18 +0000 Ilia Alshanetsky posted his talks over the PHP|Tek 2007. The two tutorials took 6 hours of talking, waw ! And it's quite interesting. One of the tutorials is about Securing PHP Applications (PDF) and include a security roundup for PHP... http://security.phpmagazine.net/2007/05/securing_php_applications.html http://security.phpmagazine.net/2007/05/securing_php_applications.html General Wed, 16 May 2007 14:57:00 +0000 PHP Security Consortium released PhpSecInfo 0.2.1 an equivalent to the phpinfo() function that reports security information about the PHP environment, and offers suggestions for improvement. The new release fixed some significant bugs, from the changelog : uid and gid tests... http://security.phpmagazine.net/2007/04/phpsecinfo_021_released.html http://security.phpmagazine.net/2007/04/phpsecinfo_021_released.html Tools Sun, 08 Apr 2007 19:49:10 +0000 Armorize Technologies have an interesting on-demand PHP source code analysis service CodeSecure. The product developed specifically for PHP, represents a powerful tool for identifying and fixing vulnerabilities in custom developed PHP applications. CodeSecure utilizes the latest verification technology to analyze... http://security.phpmagazine.net/2007/04/armorize_codesecure_ondemand_p.html http://security.phpmagazine.net/2007/04/armorize_codesecure_ondemand_p.html Tools Tue, 03 Apr 2007 10:39:51 +0000 Month of PHP Bugs already started, and there is until today 11 Bugs posted. The goal is to make PHP more secure and make people and developers aware of insecurities in the language. Day by day vulnerabilities vulnerabilities in the... http://security.phpmagazine.net/2007/03/will_php_be_more_secure_on_mar.html http://security.phpmagazine.net/2007/03/will_php_be_more_secure_on_mar.html Alert Mon, 05 Mar 2007 15:10:00 +0000 Slashdotted, As previously announced in an interview with Stefan Esser, March 2007 will be the month of PHP Bugs. A new initiative which goal is to make PHP more secure and discuss with more transparency the security issues related to... http://security.phpmagazine.net/2007/02/march_2007_the_month_of_php_bu.html http://security.phpmagazine.net/2007/02/march_2007_the_month_of_php_bu.html Experience Thu, 22 Feb 2007 16:00:24 +0000 Apocalypse Now Just because you think your data is safe does not mean your database of sensitive organization information has not already been cloned and is resident elsewhere ready to be sold to the highest bidder. To make matters worse,... http://security.phpmagazine.net/2007/02/is_your_website_hackable_why_y.html http://security.phpmagazine.net/2007/02/is_your_website_hackable_why_y.html Experience Sat, 10 Feb 2007 06:31:39 +0000 SecurityFocus posted an interview with Stefan Esser, the founder of both the Hardened-PHP Project and the PHP Security Response Team (which he recently left). In the interview Federico Biancuzzi discussed with him how the PHP Security Response Team works, why... http://security.phpmagazine.net/2007/02/securityfocus_interview_php_se.html http://security.phpmagazine.net/2007/02/securityfocus_interview_php_se.html Interview Thu, 08 Feb 2007 14:35:45 +0000 A serious Gmail security bug have been reported where anyone can access your contact list just visiting a malicious page. The Javascript have been made public probably for usage with Google Docs since the url is linked from there, but... http://security.phpmagazine.net/2007/01/serious_gmail_vulnerability_di.html http://security.phpmagazine.net/2007/01/serious_gmail_vulnerability_di.html Alert Mon, 01 Jan 2007 14:17:30 +0000 Stefan have announced officially on his blog that he's finally retired from the PHP Security Response Team. The reasons are many, but according to Stefan the most important reason was that he realised that any attempt to improve the security... http://security.phpmagazine.net/2006/12/stefan_esser_retired_from_php.html http://security.phpmagazine.net/2006/12/stefan_esser_retired_from_php.html General Thu, 14 Dec 2006 12:17:49 +0000 Slashdotted today an experience to anonymizing RFI Attacks Through Google. An interesting approach that search engines should be aware, and if it could be done using Google crawler, it could be done also using any other spider : Noam Rathaus... http://security.phpmagazine.net/2006/11/anonymizing_rfi_attacks_throug.html http://security.phpmagazine.net/2006/11/anonymizing_rfi_attacks_throug.html Experience Thu, 23 Nov 2006 20:30:00 +0000