Two days ago I was interviewed by the people of BlogSecurity about my thoughts on WordPress, its vulnerabilities and how they are dealt with. The interview is now online.
The amusing thing this time is that the PHP developers' new fix, which consists of blacklisting a bunch of legal characters from the session id, will most probably result in hundreds or thousands of broken sites. What is even funnier is that the commit comes from a Zend employee who blacklists the ':' character from being used in the session id. The last time I audited the Zend Platform session clustering module it used exactly this character within session ids. This basically means that the session clustering of the Zend Platform will no longer work with the next PHP versions.
And as a final comment to the committer: you are blacklisting a bunch of legal characters. Whatever RFC you used for choosing the characters for your blacklist was the wrong one. PHP implements the Netscape Cookie specification that is defined here. That document describes very clearly that all characters are allowed in a cookie value except whitespace, semicolon and comma. So nearly all the characters in your list are legal. Thank you for breaking lots of sites.
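To make the difference between the two approaches concrete, here is an added example (written for this page, not code from PHP or from the commit discussed above). It contrasts the cookie-value rule from the Netscape specification with an allowlist validator for session ids and with a blacklist check. The session id alphabet ([0-9a-zA-Z-]), the length bound SID_MAX_LEN and the blacklist string are assumptions for illustration; a real validator must use exactly the alphabet its own session id generator emits.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed upper bound for a session id; not taken from PHP. */
#define SID_MAX_LEN 128

/* Netscape cookie specification: a cookie value is any sequence of
 * characters except whitespace, ';' and ','. Returns 1 if legal. */
int cookie_value_ok(const char *v)
{
    for (; *v; v++) {
        unsigned char c = (unsigned char)*v;
        if (c == ';' || c == ',' || isspace(c))
            return 0;
    }
    return 1;
}

/* Allowlist validation: accept only what our (assumed) generator can
 * emit, [0-9a-zA-Z-], with a sane length bound. Anything else, including
 * '.', '/' or '\\' that could matter for file-backed session storage,
 * is rejected without having to enumerate it. */
int sid_is_valid(const char *sid)
{
    size_t n = strlen(sid);
    if (n == 0 || n > SID_MAX_LEN)
        return 0;
    for (size_t i = 0; i < n; i++) {
        char c = sid[i];
        int ok = (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') ||
                 (c >= 'A' && c <= 'Z') || c == '-';
        if (!ok)
            return 0;
    }
    return 1;
}

/* Blacklist validation in the style criticised above: reject a fixed set
 * of characters and accept everything else. The set is hypothetical. */
int sid_passes_blacklist(const char *sid)
{
    static const char blacklist[] = ":\\/";
    return sid[strcspn(sid, blacklist)] == '\0';
}

int main(void)
{
    /* Constructed sample ids. */
    const char *ids[] = { "deadbeef-0123", "abc:def", "abc.def", "x;Path=/" };
    for (size_t i = 0; i < sizeof ids / sizeof ids[0]; i++)
        printf("%-16s cookie-legal=%d allowlist=%d blacklist=%d\n", ids[i],
               cookie_value_ok(ids[i]), sid_is_valid(ids[i]),
               sid_passes_blacklist(ids[i]));
    return 0;
}
```

"abc:def" is a perfectly legal cookie value that the blacklist rejects, while "abc.def" is accepted by the blacklist although no generator with the assumed alphabet would ever produce it; the allowlist gets both cases right without consulting any RFC.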
If you are one of the people who read the PHP CVS commits, you usually know about security bugs months before the rest of the community, and this is no news to you. During the last 24 hours the following fix was merged into the PHP CVS.
Corrected fix for CVE-2007-2872
This fixes the chunk_split() overflow (found by SEC-CONSULT) that, according to the PHP 5.2.3 release notes, was already fixed. The original fix was however not only broken but complete nonsense. If you can read C you will see that the integer overflow was not fixed in PHP 5.2.3 but simply moved into a separate line, and an additional bogus if clause was added.
You can test this yourself with the following code:
<?php
// A 64 KiB body split into 1-byte chunks, each followed by a 64 KiB
// ending string: the size of the result (about 4 GiB) does not fit a
// 32-bit int, so the allocation size wraps around.
$a = str_repeat("A", 65537);
$b = 1;
$c = str_repeat("A", 65537);
chunk_split($a, $b, $c);
?>
So my recent posting, which was called marketing FUD, is even more accurate now.
PS: I wonder whether SEC-CONSULT was the one who reported that the fix is no fix at all, or whether it was one of the Linux distributors. The Linux distributors and their regression tests are always a good way to check whether bugs are fixed correctly.
PS2: What I failed to mention in the original blog entry is that the fix of the fix is still vulnerable to an overflow, because a floating-point number is cast to an int for the allocation. For large values this results in not enough memory being allocated.
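The following added example (written for this page; it is not PHP's chunk_split() source nor any of the fixes discussed above) reproduces the arithmetic behind both the test case and the PS2 remark. The output of chunk_split() is the input plus one copy of the ending string per chunk, so its length is srclen + ceil(srclen / chunklen) * endlen. Computing that in 32-bit arithmetic wraps for the values from the test script, computing it as a double and casting to int is no better without a range check, and the checked version widens to 64 bits and refuses anything that does not fit an int. The function names and the INT_MAX bound are choices made for this illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Number of chunks chunk_split() emits: ceil(srclen / chunklen). */
static uint64_t chunk_count(uint64_t srclen, uint64_t chunklen)
{
    return srclen / chunklen + (srclen % chunklen ? 1 : 0);
}

/* Allocation size computed in 32-bit arithmetic, the way an unchecked
 * 32-bit build would: the multiplication and addition wrap modulo 2^32,
 * so a ~4 GiB result claims to need only a few hundred KiB. */
uint32_t alloc_len_wrapping(uint32_t srclen, uint32_t chunklen, uint32_t endlen)
{
    uint32_t chunks = (uint32_t)chunk_count(srclen, chunklen);
    return srclen + chunks * endlen;
}

/* The "compute as double, cast to int" variant. Without the range
 * check the cast is undefined for values above INT_MAX; with the check
 * it is only acceptable because the caller sees -1 on overflow. */
int64_t alloc_len_double_checked(uint32_t srclen, uint32_t chunklen, uint32_t endlen)
{
    double total = (double)srclen + (double)chunk_count(srclen, chunklen) * (double)endlen;
    if (total > (double)INT_MAX)
        return -1;
    return (int64_t)total;
}

/* Hardened version: exact 64-bit arithmetic (the product of two 32-bit
 * values plus a 32-bit value cannot overflow 64 bits) and an explicit
 * upper bound before any allocation. Returns -1 if the result does not
 * fit, or if chunklen is zero. */
int64_t alloc_len_checked(uint32_t srclen, uint32_t chunklen, uint32_t endlen)
{
    if (chunklen == 0)
        return -1;
    uint64_t total = (uint64_t)srclen + chunk_count(srclen, chunklen) * (uint64_t)endlen;
    if (total > (uint64_t)INT_MAX)
        return -1;
    return (int64_t)total;
}

int main(void)
{
    /* Values from the PHP test script above: body 65537, chunk 1, ending 65537. */
    printf("wrapping : %u bytes\n", alloc_len_wrapping(65537, 1, 65537));
    printf("double   : %lld\n", (long long)alloc_len_double_checked(65537, 1, 65537));
    printf("checked  : %lld\n", (long long)alloc_len_checked(65537, 1, 65537));
    /* A benign call: "abcdefghij" in chunks of 3 with "\r\n" gives 18 bytes. */
    printf("benign   : %lld\n", (long long)alloc_len_checked(10, 3, 2));
    return 0;
}
```

For the test script's parameters the true size is 4,295,163,906 bytes, but the wrapping computation yields 196,610, which is what a heap allocator would be asked for before roughly 4 GiB of data is copied into it.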
Brought to you by one of the comments on my blog.

Google for "Stefan Esser" and get a sponsored link for Zend.
http://www.google.com/search?q=%22Stefan+Esser%22
Update: It seems for now their budget is gone. My name is free again.
PHP 5.2.3 was released with several security fixes.
Again not all security fixes are mentioned in the release announcement.
Again security bugs known to the developers were not correctly fixed.
More info here.
PS: Why does PHP.net always release security fixes just before the weekend?
UPDATE: Antony Dovgal from Zend has meanwhile written a blog entry in which he comments on this blog entry. He claims that I did not tell the PHP developers how to fix the issue. I love it how members of the PHP development team who do not receive the mails to security@php.net try to convince the world that I never sent those mails. I wrote at least twice in the conversation about the described bug that the problem is that the session id is not encoded. I am not the php.net babysitter. I repeated myself and got ignored; I am not begging PHP.net to listen to reason.