wiki:Notes/PHP

To PHP Or Not To PHP ?

... that is the question ...

PHP is the most hacked/hackable language on earth and consequently produces the most hacked/hackable web sites on earth. A fact beyond dispute.

Also beyond dispute is that it is useful. But how to secure a fundamentally insecure language ?

Is the problem PHP or Hostmonster.com ? Both ?

Basic Security Questions

Fix it or forget it.

  1. How to secure PmWiki ? Answer: site lockdown, that is read-only permissions on the wiki.d directory.
  2. How to secure phpmyadmin ?
    1. Is MySQL so tied to PHP as to be unusable without it ?
  3. How to secure Mediawiki ?

Real Security Enhancements ( Versus Happy Facing It )

PHP 'security enhancements' are happening all the time and none of them seem to make sites more secure.

After stripping away the happy face rhetoric from the PHP community about enhanced security, what actually works or stands a chance of fundamentally changing a bad situation ?

Resources

http://php.net/manual/en/security.php

http://phpsecurity.readthedocs.org/en/latest/index.html

http://www.suhosin.org/stories/index.html - patch to disable eval

https://www.owasp.org/index.php/Main_Page

Open Web Application Security Project ( OWASP ) is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security. We advocate approaching application security as a people, process, and technology problem because the most effective approaches to application security include improvements in all of these areas.

https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet

https://www.owasp.org/index.php/Category:OWASP_PHP_Project

https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

The Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

https://phpbestpractices.org/

http://blog.templatemonster.com/2014/05/08/php-security-issues/

PHP has developed into the most popular programming language and is widely used for rapid development of dynamic websites. Since web servers are publicly accessible, they present significant security vulnerabilities ...

SQL Injection ... Remote File Inclusion and Remote Code Execution ... Cross Site Scripting (XSS) ... Session and Cookie Hacking ... Directory Traversal (aka path traversal) ...
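Added example, not from the linked article or from any project on this page: one defensive pattern for each vulnerability class in the list above, written as plain PHP with a small self-check at the bottom. The users table, the page allowlist, the base directory and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example (not from the linked article): one hardened handler per
// vulnerability class named above. Table/column names, the allowed page
// list and the base directory are assumptions for illustration.

declare(strict_types=1);

// SQL injection: bind user input as a parameter instead of concatenating it.
function findUserByName(PDO $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Remote file inclusion / remote code execution: never pass user input to
// include(); map a short key to a fixed file through an allowlist.
function resolvePage(string $requested): ?string
{
    $allowed = ['home' => 'pages/home.php', 'about' => 'pages/about.php'];
    return $allowed[$requested] ?? null;
}

// Cross-site scripting: encode on output, with the charset stated explicitly.
function escapeHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Directory traversal: canonicalise and confirm the result is still inside
// the base directory before reading anything.
function safeReadFile(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $userPath);
    if ($base === false || $full === false) {
        return null;               // base missing or file does not exist
    }
    if (strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;               // resolved outside the base directory
    }
    return file_get_contents($full);
}

// Session and cookie hacking: send the session cookie with Secure, HttpOnly
// and SameSite, and regenerate the id after login (session fixation).
function startHardenedSession(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();
}

function onSuccessfulLogin(int $userId): void
{
    session_regenerate_id(true);   // discard the pre-login session id
    $_SESSION['user_id'] = $userId;
}

// Self-check against an in-memory SQLite database (constructed sample data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice')");

assert(findUserByName($db, 'alice')['name'] === 'alice');
assert(findUserByName($db, "' OR 1=1 --") === null);   // stays a literal string
assert(resolvePage('about') === 'pages/about.php');
assert(resolvePage('http://attacker.invalid/x.txt') === null); // constructed input
assert(escapeHtml('<script>') === '&lt;script&gt;');
assert(safeReadFile(sys_get_temp_dir(), '../../etc/passwd') === null);
echo "checks passed\n";
```

Run it from the command line with the PDO SQLite driver loaded (the same requirement the SQLite Integration plugin below states); with zend.assertions=1 a failed check stops the script. The point of each function is the same: user input is treated as data (a bound parameter, an allowlist key, encoded text, a path checked after canonicalisation), never as code or as a file name to trust.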

http://www.sitepoint.com/top-10-php-security-vulnerabilities/

http://radar.oreilly.com/2013/12/preventing-problems-in-php-security.html

http://docforge.com/wiki/Web_application/Security

http://www.net-security.org/secworld.php?id=15535 - Exploring attacks against PHP applications

http://phpsec.org/ - PHP Security Consortium

Apparently, the last posting was in 2006, which shows the magnitude of the problem ...

http://www.php-security.org/ - the other PHP Security Consortium

Last posting in 2010.

http://news.dice.com/2012/08/30/php-security-flaws/ - one of the more recent ...

http://www.acunetix.com/vulnerability-scanner/

As many as 70% of websites have vulnerabilities that could lead to the theft of sensitive corporate data such as credit card information and customer lists. Hackers concentrate their efforts on web-based applications – shopping carts, forms, login pages, dynamic content, etc.

http://www.acunetix.com/websitesecurity/web-site-security/

http://www.cvedetails.com/vulnerability-list/vendor_id-74/product_id-128/PHP-PHP.html

PHP : Security Vulnerabilities ...

http://www.smashingmagazine.com/2012/10/09/four-malware-infections-wordpress/

Common WordPress Malware Infections ...

http://www.phptherightway.com/

There’s a lot of outdated information on the Web that leads new PHP users astray, propagating bad practices and insecure code ...

Essential Applications

Semantic Mediawiki

See SemanticMediawiki

PMWiki

The inimitable ... even does the lock down trick ... Good Dog !!!

http://www.pmwiki.org/

PmWiki is a wiki-based system for collaborative creation and maintenance of websites.

It would be nice if it did Moin/Trac wiki syntax ... fairly close though ...

Works the other way ( PMWiki -> Moin ) - https://moinmo.in/PmWikiMoinMoinConverter

Sphider Plus

Still haven't found anything that does the same with less sweat and effort.

http://www.sphider.eu/

Sphider 1.3.6, release date 04-06-2013

http://www.sphider-plus.eu/

Sphider-plus version 3.2015b - The PHP Search Engine

Before downloading Sphider-plus, you are kindly requested to promote further development with your 25,-- Euro payment for the benefit of the Sphider-plus PayPal account.

Good time to download ... version 1.6.

phpMyAdmin

One of the more attacked PHP packages ... on my site at least 20-30 per day, with peaks of several hundred per day.

If using MySQL ... which I'm not, at the moment ...

http://www.phpmyadmin.net/home_page/security/

Word Press

I seem to develop a weird attitude toward some things sometimes. I grossly, consistently and almost consciously underrate certain software, particularly PHP software. I don't know why I do it, but I have to stop doing it so often.

Case in point is WordPress, which is really excellent and may be the answer to all my prayers CMS-wise, at least in the short term.

https://wordpress.org/download/

https://wordpress.org/plugins/sqlite-integration/

This plugin enables you to create WordPress based web sites without MySQL database server. All you've got to prepare is the Apache web server or the like and PHP with PDO extension. WordPress archive and this plugin in hand, you can build a WordPress web site out of the box.

http://dogwood.skr.jp/wordpress/sqlite-integration/

System Requirements

PHP 5.2 or newer with PDO extension (PHP 5.3 or newer is better).

PDO SQLite driver must be loaded.

http://billbreitmayer.com/under_the_hood/

Incredibly, my old WordPress site from the years of yore still survives, after several hundred thousand hacker attacks. I turned off a bunch of insecure features, which probably helped. Along with #PMWiki, it has withstood the test of time.

Last modified on 02/03/2017 12:16:58 PM