Yet Another PHP Security Blog

Month of PHP Security

nospam@example.com (Christopher Kunz) — Sat, 27 Feb 2010 19:44:35 +0100

The folks at SektionEins security consulting are starting a new Month of PHP Security. They are currently collecting interesting entries via a public CfP on php-security.org and will publish the most interesting stuff duringMay 2010 - one item per day.

Papers, Exploits and other stuff related to the following topics can be submitted:

New vulnerability in PHP itself
New vulnerability in PHP extensions/patches (such as eAccelerator or Suhosin )
Explain a single topic of PHP application security in a detailed paper
Explain a complex vulnerability in/attack against an “interesting” PHP application
Explain a complex attack method (in a theoretical article) against PHP itself
Explain how to attack encrypted PHP applications
Release of a new open source PHP security tool
Other stuff related to PHP security

There’s a bunch of prices, including security conference tickets and Amazon vouchers. You should check it out!

More info: http://www.php-security.org/

Geode, Loki and the implications

nospam@example.com (Christopher Kunz) — Thu, 09 Oct 2008 16:24:44 +0200

(Preface: Most of the scenarios I am going to point out have actually been around for a long time, since Loki toolbar existed for a while now. However, I live under a stone and seem to learn things a million years after the “in crowd”. So, no flaming pls.)

So, the Mozilla Labs have released an experimental Geode plugin that is a preview for possible future native features in the Firefox mainline (and derived) browsers. The plugin basically provides a possibility for web sites to receive the user’s current physical location on a fairly precise scale.

I have played with the plug-in a little and found that it is between 10 and 50 meters off in an urban, although not very densely populated area of Hannover, Germany. This is surely not GPS-quality positioning, but it works indoors and gives a detailed enough ballpark figure to enable most “where’s the next café”-like business models.

The whole endeavor is part of an upcoming W3C spec for geolocation and thus somewhat high-profile and “official”. This is no longer a niche project, or at least aims not to be. Sure enough, my interest was sparked and I dug a little deeper.

Continue reading "Geode, Loki and the implications"

Upcoming article series regarding security - some thoughts

nospam@example.com (Christopher Kunz) — Tue, 03 Jun 2008 17:11:03 +0200

After throwing the first article about PKI and PHP at you with relatively few explanation about why I am doing this, I thought I’d post something that explains a bit more in detail.

Continue reading "Upcoming article series regarding security - some thoughts"

X.509 PKI login with PHP and Apache

nospam@example.com (Christopher Kunz) — Fri, 30 May 2008 12:22:28 +0200

Preface

As some of you know, I’m currently working in an environment that is very much about security in terms of “how do I determine for sure who is accessing my service while having all access encrypted”. Since grid computing (that’s what I’m currently doing) also is very much about Single-sign on and delegation of rights, username/password authentication schemes don’t quite do it for us. Thus, a PKI (public key infrastructure) based on X.509 is employed.

Huh?

Acronyms-a-plenty, you think. Well, it’s not so bad at all. What we call X.509 certificates is what you would call “SSL Certificates”. The correct name for those certificates is “X.509 certificate” and that’s what I’m going to refer to. Whatever name you call the child, it is what you already know and probably use - the certificates that make you able to verify you’re actually buying at amazon.com. More generally speaking, X.509 certificates can be mutually used by servers and clients alike to authenticate themselves to the other party. We can exploit this feature to get away from traditional knowledge-based credentials towards possession-based credentials.
Continue reading "X.509 PKI login with PHP and Apache"

This is what this blog is about

nospam@example.com (Christopher Kunz) — Fri, 30 May 2008 12:17:02 +0200

Yay, first post!

nospam@example.com (Christopher Kunz) — Fri, 30 May 2008 08:35:14 +0200

I had the domain “php-security.net” since we first started writing the german PHP security book and up to now, I didn’t have anything I could do with it, so it went to rot on Sedo. However, I found a nice topic for blogging under the shower this morning and so I set up a new S9Y instance. Hope you enjoy it. Don’t expect this to be very full though, I am only going to post stuff that is not appropriate content for php-sicherheit.de or my personal blog.

So mainly, there will be some english PHP security articles here. Enjoy.