The Apache/PHP/MySQL stack is immensely popular for web application development. Its components are powerful, versatile and Free. Unfortunately, however, PHP ships with a default configuration that is not suitable for production use, and it may lead developers to adopt insecure techniques during the development phase. Inside is a checklist of settings intended to harden the default PHP installation.
Submitted by Ayman on Thu, 2006/10/05 - 11:18pm.
This isn't actually news, but I'm adding it for reference. In the last few months, during my work on Drupal (as part of my job or as contributions to Drupal), I discovered two security vulnerabilities in Drupal core. The first one is an SQL injection vulnerability that I spotted while reviewing access logs for a website I maintain. Some bot was trying to request malicious URLs, and one of them triggered an error message in the logs. I investigated, and it turned out that it was possible to pass input into queries without sanitization in certain cases.
The other one is a cross-site scripting vulnerability. I was analyzing user.module to understand how certain parts worked when I noticed that a variable was printed to page output without passing through filters first.
Both were reported and discussed on the security mailing list, and new versions were released later.
While I am at it, here are a couple of tips:
- Monitor your website access and error logs regularly. This way, you are more likely to notice and stop malicious activities. Linux text processing commands can greatly help in analyzing large log files.
- Keep your web applications up to date, and subscribe to the application's security announcement list (if any). Here's Drupal's security announcements list.
Submitted by Ayman on Tue, 2006/08/15 - 12:11am.
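As an added example of the log-review tip above (this is not code from the original post), here are POSIX shell functions that summarize an Apache combined-format access log by status code and surface the clients and requests that produced server errors, which is exactly the kind of signal that led to the finding described above. The log lines are constructed for illustration; the functions assume the standard combined format, where field 1 is the client address, field 7 the requested path and field 9 the HTTP status.

```shell
#!/bin/sh
# Added example: review an Apache combined-format access log for the signal
# described above (a client whose requests keep triggering server errors).
# SAMPLE_LOG is constructed for illustration; in the combined format
# awk field $1 is the client address, $7 the path and $9 the HTTP status.

SAMPLE_LOG='203.0.113.5 - - [05/Oct/2006:23:10:01 +0000] "GET /node/1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Oct/2006:23:10:02 +0000] "GET /user/2 HTTP/1.1" 200 3011 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Oct/2006:23:11:40 +0000] "GET /node/1%27 HTTP/1.1" 500 612 "-" "scanner/1.0"
198.51.100.9 - - [05/Oct/2006:23:11:41 +0000] "GET /user/1%27 HTTP/1.1" 500 612 "-" "scanner/1.0"
198.51.100.9 - - [05/Oct/2006:23:11:42 +0000] "GET /node/2 HTTP/1.1" 200 4100 "-" "scanner/1.0"
192.0.2.44 - - [05/Oct/2006:23:12:00 +0000] "GET /missing HTTP/1.1" 404 210 "-" "Mozilla/5.0"'

# Write the constructed sample to a file so the functions can be tried offline.
write_sample_log() {
    printf '%s\n' "$SAMPLE_LOG" > "$1"
}

# Requests per HTTP status code, most frequent first. A sudden rise in 5xx
# responses is the cheapest early warning that something is probing error paths.
status_summary() {
    awk '{ n[$9]++ } END { for (s in n) print n[s], s }' "$1" | sort -rn
}

# Number of server-error (5xx) responses per client address, worst first.
server_errors_by_client() {
    awk '$9 ~ /^5[0-9][0-9]$/ { n[$1]++ } END { for (c in n) print n[c], c }' "$1" | sort -rn
}

# Client, status and path of every server-error hit, for manual review
# against the application's error log from the same minute.
server_error_requests() {
    awk '$9 ~ /^5[0-9][0-9]$/ { print $1, $9, $7 }' "$1"
}

# Usage against a real log, e.g.: status_summary /var/log/apache2/access.log
```

Run the three functions against the same file in turn: the status summary tells you whether there is anything to look at, the per-client count tells you who caused it, and the request list tells you which URLs to reproduce on a test copy of the site.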

I've just finished reading through "Essential PHP Security", a book that deals with security issues related to developing PHP applications, and I have to say, this book is a must for every PHP developer. It covers almost every aspect of web security from a PHP developer's point of view, including SQL injection, cross-site scripting, session/cookie/authentication management, file uploads, file inclusion, and many other topics. It includes a rundown of possible vulnerabilities in a given topic, and how to deal with them in a secure fashion.
Even if you are an experienced PHP developer, this book has a lot to offer. While I don't claim to be one, the book served as a reminder of security pitfalls and techniques, and I managed to learn several new things from it.
Interestingly, many concepts introduced in the book are already implemented in Drupal, like the authentication and session systems and session fixation prevention techniques.
Bottom line, if you are remotely interested in PHP, this book is a must, period. Anyone who wants to touch PHP has to read this book first!
Submitted by Ayman on Thu, 2006/07/06 - 1:33pm.
While waiting for ADSL to be enabled in my area, which (I've been told) will happen soon, I did some tinkering with my Gentoo Linux workstation to make it more protected against remote attacks, and I thought of compiling a list of security measures against the dangers of a full-time Internet connection. Obviously the list is not complete, but it has tips that can surely help.
Submitted by Ayman on Sun, 2006/03/05 - 4:44pm.