Guyub – Konsultan F/OSS

Core Security Technologies today announced the release of CORE GRASP, which is a patch against the PHP 5.2.3 code tree that adds a tainted mode to PHP to protect the mysql_query() function. Their implementation adds a tainted or not flag for every byte so that it is possible on invocation of mysql_query() to determine any kind of injection.

To add such a tainted mode to PHP has been discussed several times in the past. It was rejected for several reasons like the obvious huge speed impact and the danger of false positives and a false sense of security. And indeed the way CORE GRASP is implemented it looks like a huge memory and speed overhead that should be tested. In addition to that their query parser will for example wrongly detect quotes escaped by doubling as injection attack.

Aside from this there are several other possible problems in the code like a remote one byte stack overflow (that seems harmless due to memory alignment), wrong handling of the _SERVER superglobal in case of JIT and it also seems that control characters like linebreaks can be injected into the logfiles. Further analysis and a deeper look into the code is needed.

However it has to be taken into account that this is the very first public version of CORE GRASP, so maybe all these problems are gone soon and support for further database engines is added.

You might have seen this post in Chris blog about a CSRF redirector he did. This is basically nothing more than a little script that turns a GET request into a hidden formular that is then posted via JavaScript. There have always been security issues with redirector scripts, and if you provide one open to anyone, you should care about what kind of redirects you actually allow.

Two major risks happen to exists with chris example:

1. Malicious people could misuse them as bouncers to attack other sites
2. Not every URL is a web page. Some can load plugins, display information and
   some can execute JavaScript.

Here is an example URL:

http://shiflett.org/csrf.php?csrf=javascript:alert(/I_AM_A_SECURITY_EXPERT/)

In Internet Explorer (and Safari) this will give you access to the domain (cookies, etc…). In Firefox you can still do other funny things.

So if you implement (javascript) redirector scripts, make sure you do a proper
whitelisting of the user delivered urls.

UPDATE: The above example for a simple XSS does no longer work. However there are still other XSS vulnerabilities like variable-width problems in the CSRF redirector and it is still an open bouncer for malicious persons.

EllisLab is pleased to release CodeIgniter version 1.7.2 for ready download.  What’s new?  Among other changes:

• Compatible with PHP 5.3.0
• Added a new Cart Class.
• Improvements to the Form helper
• Added is_php() to Common functions to facilitate PHP version comparisons
• Modified show_error() to allow sending of HTTP server response codes, and all internal uses now send proper status codes.
• Numerous bug fixes

Version 1.7.2 has been baking in the subversion for quite some time, and has been compatible with PHP 5.3.0 since late July, but many users understandably haven’t been running from the in-development version.  While I’d have liked to have had time to add a few more “big ticket” items to this release, making it 1.8, time is a cruel mistress.  Many of our users develop on Macs, and OS X Snow Leopard ships with PHP 5.3.0, so we felt is was more important to push out this stable maintenance release instead of waiting for an even later date – it’s been almost seven months since a refresh, afterall.  But there are still a few good surprises, and welcome changes.  Enjoy!

My old post on
compiling PHP for Mac OS 10.5 (Leopard) continues to top my most-viewed page
statistics. Sadly, that article is old and doesn’t apply very well to Snow
Leopard (10.6).

I’ve been meaning to post instructions on how to compile PHP for Snow
Leopard since last summer when I picked up the DVD, but hadn’t found the
time or opportunity to build PHP from a completely fresh start, until a few
weeks ago.

This time, I took notes on how to reliably compile PHP and Apache from
scratch on this system.

1. Download and install href="http://developer.apple.com/technologies/xcode.html">Xcode.
   You’re on your own for the details of this one, but frankly, if you can’t
   figure it out, you’ll find the next steps too difficult. Think of it as
   a prerequisite.

2. Create a working directory. I use ~/src,
   but you can use whatever you like.

   
   $ mkdir ~/src
   $ cd ~/src
     

3. Install href="http://github.com/mxcl/homebrew">Homebrew. Homebrew is
   a truly great software packager for OS X. Think Macports, but not as ugly;
   Fink, but not as broken (and not as binary). Designed for Mac. It’s Ruby,
   but we don’t have to hold that against them. (-:

   
   $ curl http://gist.github.com/raw/323731/572b315c4f7ee78244de70e7ad703c8ae324da7a/install_homebrew.rb > install_homebrew.rb
   $ ruby install_homebrew.rb
      

4. Install your own iconv. I don’t know what Apple did to
   theirs, but it’s a huge headache. You’re best installing your own, in my
   experience.

   
   $ curl http://ftp.gnu.org/pub/gnu/libiconv/libiconv-1.13.1.tar.gz | tar -zx -
   $ cd libiconv-1.13.1
   $ ./configure --prefix=/opt && make && make install
   $ cd ..
     

5. Install Apache-HTTPD from source. This isn’t
   absolutely necessary, but Apple seems to have done some weird stuff with
   their Apache, and in my experience, it’s best to build your own. If you
   skip over this step, you’ll need to change the apxs in the
   PHP configure command, below.

   First, find your
   closest mirror.

   
   $ curl http://apache.mirror.iweb.ca/httpd/httpd-2.2.15.tar.bz2 | tar -jxf -
   $ cd httpd-2.2.15/
   $ ./configure --enable-rewrite --enable-ssl && make && make install
   $ cd ..
      

6. Install PHP dependencies using Homebrew. Easy, huh?

   
   $ echo "gd jpeg libpng libxml2 libzzip mcrypt mysql" | xargs brew install
   $ echo "libpng libxml2 readline" | xargs brew link
     

7. Install PHP from source by first selecting a href="http://php.net/get/php-5.3.2.tar.bz2/from/a/mirror">mirror.

   Note: you will need to use a really nasty patch to get this to
   build properly. See the note on iconv above. Even Apple’s own href="http://opensource.apple.com/source/apache_mod_php/apache_mod_php-53/patches/iconv.patch">iconv patch for PHP
   doesn’t work (at least not for me).

   
   $ curl -L http://ca2.php.net/get/php-5.3.2.tar.bz2/from/this/mirror | tar -jxf -
   $ cd php-5.3.2
   $ curl http://www.php.net/~scoates/patches/php-5.3.1-Makefile.global-iconv.patch | patch -p0
   $ ./configure --prefix=/usr/local --with-xsl --with-gd --with-zlib-dir \
     --enable-sockets --enable-exif --with-mcrypt --enable-soap \
     --enable-embedded-mysqli --with-mysql --with-pdo-mysql --with-curl \
     --with-libedit --with-apxs2=/usr/local/apache2/bin/apxs --enable-mbstring \
     --with-openssl --with-iconv=/opt && make && make install
   $ cd ..
     

8. Configure Apache. If you’ve done this on other
   platforms, this step should look familiar.

   1. In /usr/local/apache2/conf/httpd.conf, in the
      <IfModule mime_module> block, add the following:

      
      AddType application/x-httpd-php .php
      AddType application/x-httpd-php-source .phps
          

   2. Optionally, add PHP to DirectoryIndex by changing

      
      DirectoryIndex index.html
          

      to

      
      DirectoryIndex index.php index.html
          

   You can now test Apache + PHP by creating a phpinfo() page,
   and restarting Apache:

   
   $ echo "<?php phpinfo(); ?>" > /usr/local/apache/htdocs/info.php
   $ ln -s /usr/local/apache2/bin/apachectl /usr/local/bin/apachectl
   $ sudo /usr/local/bin/apachectl restart
     

   Now, visit localhost/info.php,
   and you should have an independent, custom-compiled Apache-PHP
   stack.

I hope this has been helpful. If I’ve given bad instructions, or if
something doesn’t work for some reason, please let me know in the
comments.

Dengan mengucap Bismillahirrahmanirrahim
Hari ini 12 Mei 2010, kami merilis versi perdana dari Keuangan Guyub – Aplikasi Keuangan Open Source untuk UKM Jasa.
Bagi teman-teman yang tertarik mencoba bisa download langsung versi perdana di http://keuangan-guyub.googlecode.com/files/KG-20100512-1.zip.
Untuk cara instalasi oleh bisa dilihat di http://code.google.com/p/keuangan-guyub/wiki/PanduanSingkatInstalasi.
Petunjuk penggunaan bisa di download di http://keuangan-guyub.googlecode.com/files/DokumentasiPengguna-KG-20100512-1.pdf.
Dan kami juga sangat mengharapkan saran, masukan, kritikan dan kontribusi [...]

As announced earlier in this blog, Manuel, Kore and me are in the process of founding our own company. Now it’s time to present the name we have thought out for this operation. We are Qafoo - The PHP quality
ninjas. Isn’t that cool? So, let me try to explain the origin of this name here. Feel invited to comment on our idea and to give us some inspiration.

May 10 ? 14 2010. Free, online sessions for PHP developers interested in learning about the Adobe Flash Platform, including: What?s New in Flash Builder 4 for PHP Developers; Using Advanced Features with Flex & PHP ; and A Basic CRUD Application with Zend_AMF and Flex 4

Stefan Esser has launched another Month of PHP security. It includes popular applications which use PHP as well as general bugs. He also includes a general PHP security article that you really should read to help secure your code. I?d also keep an eye out for the hardening of PHP configuration which will be released shortly.