wiki:Notes/PHP

To PHP Or Not To PHP ?

... that is the question ...

PHP is the most hacked/hackable language on earth and consequently produces the most hacked/hackable web sites on earth. A fact beyond dispute.

Also beyond dispute is that it is useful. But how to secure a fundamentally insecure language ?

Is the problem PHP or Hostmonster.com ? Both ?

Basic Security Questions

Fix it or forget it.

  1. How to secure PmWiki ? Answer: site lockdown, that is, read-only permissions on the wiki.d directory.
  2. How to secure phpmyadmin ?
    1. Is MySQL so tied to PHP as to be unusable without it ?
  3. How to secure Mediawiki ?

Real Security Enhancements ( Versus Happy Facing It )

PHP 'security enhancements' are happening all the time and none of them seem to make sites more secure.

After stripping away the happy face rhetoric from the PHP community about enhanced security, what actually works or stands a chance of fundamentally changing a bad situation ?

Update Nov 2017

On the other hand, PHP 7 does seem to be more serious about security. Looking into it ...

https://belitsoft.com/php-development-services/php7-upgrading-from-php5-perfomance-security-reasons-and-case-studies

... PHP 7 offers better security improvements compared to PHP 5, including a filtered unserialize function and a set of functions to easily get cryptographically secure random numbers. We should keep in mind that we have to advise our clients to upgrade the PHP distribution on an operational server. And, of course, new PHP-based web applications should be developed with the newest versions of PHP.
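An added example, not from this page or from the article quoted above, showing the two PHP 7 features the excerpt names: the `allowed_classes` option of `unserialize()`, which keeps attacker-controlled serialized data from instantiating arbitrary classes, and `random_bytes()`/`random_int()` for tokens. The `AuditEntry` class, the sample payloads and the `decode_session_blob()` helper are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed class: any object with a magic method (__wakeup, __destruct)
// becomes a gadget when untrusted data reaches a plain unserialize().
final class AuditEntry
{
    public $note = '';

    public function __wakeup()
    {
        // Side effect fires the moment unserialize() rebuilds this object.
        echo "AuditEntry::__wakeup ran for note: {$this->note}\n";
    }
}

// Constructed input: what a client could send in a cookie or POST field.
$untrusted = 'O:10:"AuditEntry":1:{s:4:"note";s:5:"hello";}';

// PHP 5 behaviour (still the default in PHP 7): the class named in the
// payload is instantiated and its __wakeup() runs.
$unsafe = unserialize($untrusted);
var_dump($unsafe instanceof AuditEntry);                 // bool(true)

// PHP 7+: allowed_classes => false rebuilds the object as
// __PHP_Incomplete_Class, so no method of AuditEntry ever executes.
$filtered = unserialize($untrusted, ['allowed_classes' => false]);
var_dump($filtered instanceof __PHP_Incomplete_Class);   // bool(true)

// When objects are never expected, filter them out and reject anything
// that is not the array you asked for.
function decode_session_blob(string $blob): array
{
    $value = unserialize($blob, ['allowed_classes' => false]);
    if (!is_array($value)) {
        throw new UnexpectedValueException('expected a serialized array');
    }
    return $value;
}
var_dump(decode_session_blob('a:1:{s:4:"user";s:5:"alice";}'));

// CSPRNG replacements for rand()/mt_rand() in tokens and one-time codes.
$csrfToken = bin2hex(random_bytes(32)); // 64 hex chars from the OS CSPRNG
$otp = random_int(100000, 999999);      // uniform; rand() % n is biased
```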

https://thenewstack.io/php-7-boasts-doubled-performance-though-security-concerns-linger/

... Using cloud-based scans and code analysis of more than 50,000 applications in the past 18 months, it found that 86 percent of applications written in PHP contained at least one cross-site scripting (XSS) vulnerability and 56 percent came with at least one SQL injection bug ...

... However, a major PHP user, the popular blogging site WordPress.com, recently unveiled a new interface, a project code-named Calypso, that replaces PHP with JavaScript, with Node.js as the code for the back end ...

Resources

http://php.net/manual/en/security.php

http://phpsecurity.readthedocs.org/en/latest/index.html

http://www.suhosin.org/stories/index.html - patch to disable eval

https://www.owasp.org/index.php/Main_Page

Open Web Application Security Project ( OWASP ) is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security. We advocate approaching application security as a people, process, and technology problem because the most effective approaches to application security include improvements in all of these areas.

https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet

https://www.owasp.org/index.php/Category:OWASP_PHP_Project

https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

https://phpbestpractices.org/

http://blog.templatemonster.com/2014/05/08/php-security-issues/

PHP has developed into the most popular programming language and is widely used for rapid development of dynamic websites. Since web servers are publicly accessible, they present significant security vulnerabilities ...

SQL Injection ... Remote File Inclusion and Remote Code Execution ... Cross Site Scripting (XSS) ... Session and Cookie Hacking ... Directory Traversal (aka path traversal) ...

http://www.sitepoint.com/top-10-php-security-vulnerabilities/

http://radar.oreilly.com/2013/12/preventing-problems-in-php-security.html

http://docforge.com/wiki/Web_application/Security

http://www.net-security.org/secworld.php?id=15535 - Exploring attacks against PHP applications

http://phpsec.org/ - PHP Security Consortium

Apparently, the last posting was in 2006, which shows the magnitude of the problem ...

http://www.php-security.org/ - the other PHP Security Consortium

Last posting in 2010.

http://news.dice.com/2012/08/30/php-security-flaws/ - one of the more recent ...

http://www.acunetix.com/vulnerability-scanner/

As many as 70% of websites have vulnerabilities that could lead to the theft of sensitive corporate data such as credit card information and customer lists. Hackers concentrate their efforts on web-based applications – shopping carts, forms, login pages, dynamic content, etc.

http://www.acunetix.com/websitesecurity/web-site-security/

http://www.cvedetails.com/vulnerability-list/vendor_id-74/product_id-128/PHP-PHP.html

PHP : Security Vulnerabilities ...

http://www.smashingmagazine.com/2012/10/09/four-malware-infections-wordpress/

Common WordPress Malware Infections ...

http://www.phptherightway.com/

There’s a lot of outdated information on the Web that leads new PHP users astray, propagating bad practices and insecure code ...

Essential Applications

Semantic Mediawiki

See SemanticMediawiki

PMWiki

The inimitable ... even does the read-only file permission 'lock down trick' ... Good Dog !!!

http://www.pmwiki.org/

PmWiki is a wiki-based system for collaborative creation and maintenance of websites.

Be nice if it did Moin/Trac wiki syntax ... fairly close though ...

Works the other way ( PMWiki -> Moin ) - https://moinmo.in/PmWikiMoinMoinConverter

Update Nov 2017: A New Leaf ?

http://www.pmwiki.org/wiki/PmWiki/BlockMarkup

HTML5 support ! I know I've ranted and raved about the deficiencies of PHP, but maybe it's time to reconsider.

Semantic HTML5 elements

Since version 2.2.75, PmWiki allows the inclusion of a few semantic HTML5 elements. 

Note that an opening semantic markup automatically closes any previously opened tag of the same type,
but does not verify or tidy the structure for you, so make sure you use closing tags when needed.

(:article:)...(:articleend:)

Inserts an <article> tag. You can have the HTML id= and class= attributes like (:article id=id1 class="class1 class2":).
An (:article:) markup automatically closes a previously open such tag. To have nested tags, you need to number the tag, and the matching tag end:

    (:article:)
    Outer article
    (:article2:)
    Inner article
    (:article2end:)
    (:articleend:)

(:section:)...(:sectionend:)

Inserts a <section> tag. You can have the HTML id= and class= attributes like (:section id=id1 class="class1 class2":).
A (:section:) markup automatically closes a previously open such tag. To have nested tags, you need to number the tag, and the matching tag end, like the (:article:) markup.

(:header:)...(:headerend:)

Inserts a <header> tag. You can have the HTML id= and class= attributes like (:header id=id1 class="class1 class2":).
A (:header:) markup automatically closes a previously open such tag, and it is not possible to nest such tags.

(:footer:)...(:footerend:)

Inserts a <footer> tag. You can have the HTML id= and class= attributes like (:footer id=id1 class="class1 class2":).
A (:footer:) markup automatically closes a previously open such tag, and it is not possible to nest such tags.

(:aside:)...(:asideend:)

Inserts an <aside> tag. You can have the HTML id= and class= attributes like (:aside id=id1 class="class1 class2":).
An (:aside:) markup automatically closes a previously open such tag, and it is not possible to nest such tags.

(:address:)...(:addressend:)

Inserts an <address> tag. You can have the HTML id= and class= attributes like (:address id=id1 class="class1 class2":).
An (:address:) markup automatically closes a previously open such tag, and it is not possible to nest such tags.

(:nav:)...(:navend:)

Inserts a <nav> tag. You can have the HTML id= and class= attributes like (:nav id=id1 class="class1 class2":).
A (:nav:) markup automatically closes a previously open such tag, and it is not possible to nest such tags.

PMWiki was always easy to work with, very hackable. That and the 'lock down trick' make it very attractive for a small project ( even if it's in PHP ;-) ).

Maybe add 'five-way' semantic structures via edit time ( versus render time ) macros ? Clearly, the application understands 'edit time'.

http://www.pmwiki.org/wiki/PmWiki/Forms

(:input form "http://www.example.com":)
(:input hidden action login:)
||     Name:||(:input text username:)         ||
|| Password:||(:input password password:)     ||
||          ||(:input checkbox terms yes "Accept Terms":) ||
||          ||(:input submit value="Log In":) ||
(:input end:)

As if that weren't enough ... http://www.pmwiki.org/wiki/Cookbook/Pmwikilib

A simple but powerful python API to pmwiki

Pmwikilib is a python module that allows you to manipulate pmwiki's pages easily:

  read, write and protect pages
  edit public or protected pages (of course you need the information that allows you to do it)
  access pages on the local file system or via the http protocol on a web site
  generate page history the same as pmwiki does when writing, even with local file editing
  can log errors for debugging purposes

Hmm ... Is PHP in my future ?

Sphider Plus

Still haven't found anything that does the same with less sweat and effort.

http://www.sphider.eu/

Sphider 1.3.6, release date 04-06-2013

http://www.sphider-plus.eu/

Sphider-plus version 3.2015b - The PHP Search Engine

Before downloading Sphider-plus, you are kindly requested to promote further development with your 25,-- Euro payment for the benefit of the Sphider-plus PayPal account.

Good time to download ... version 1.6.

phpMyAdmin

One of the more attacked PHP packages ... on my site at least 20-30 per day, with peaks of several hundred per day.

If using MySQL ... which I'm not, at the moment ...

http://www.phpmyadmin.net/home_page/security/

Word Press

I seem to develop a weird attitude toward some things sometimes. I grossly, consistently and almost consciously underrate certain software, particularly PHP software. I don't know why I do it, but I have to stop doing it so often.

Case in point is WordPress, which is really excellent and may be the answer to all my prayers CMS-wise, at least in the short term.

https://wordpress.org/download/

https://wordpress.org/plugins/sqlite-integration/

This plugin enables you to create WordPress based web sites without MySQL database server. All you've got to prepare is the Apache web server or the like and PHP with PDO extension. WordPress archive and this plugin in hand, you can build a WordPress web site out of the box.

http://dogwood.skr.jp/wordpress/sqlite-integration/

System Requirements

PHP 5.2 or newer with PDO extension (PHP 5.3 or newer is better).

PDO SQLite driver must be loaded.

For several years, WordPress has been moving from PHP toward NodeJS. The details are still vague ...

https://developer.wordpress.com/2015/11/23/the-story-behind-the-new-wordpress-com/

The new WordPress.com interface is built from the ground up as a single JavaScript application that relies on the WordPress.com REST API to communicate to the WordPress core.

The client.

https://github.com/Automattic/wp-calypso/tree/master/server

The server ?

A pure NodeJS alternative -> NodeJS#KeystoneJS

http://billbreitmayer.com/under_the_hood/

Incredibly, my old WordPress site from the years of yore still survives, after several hundred thousand hacker attacks. I turned off a bunch of insecure features, which probably helped. Along with #PMWiki, it has withstood the test of time.

Last modified on 11/17/2017 06:33:50 PM