How security flaws in PHP's core can affect your application

20 Jul 2017 by Dr. Johannes Dahse
PHP Core Security

Popular security vulnerabilities occur due to bad coding practices or coding mistakes. Often a single missing character or incautiously used language feature opens the gates for an external attacker. But even when all best practices for secure programming are carefully adhered to, a PHP application’s source code is only as secure as the PHP interpreter it runs on. In this post, we will see how memory corruption bugs in the PHP core itself can affect an application’s security.

Read More ...

Why mail() is dangerous in PHP

3 May 2017 by Robin Peraglie
Email Security in PHP

During our advent of PHP application vulnerabilities, we reported a remote command execution vulnerability in the popular webmailer Roundcube (CVE-2016-9920). This vulnerability allowed a malicious user to execute arbitrary system commands on the targeted server by simply writing an email via the Roundcube interface. After we reported the vulnerability to the vendor and released our blog post, similar security vulnerabilities that base on PHP’s built-in mail() function popped up in other PHP applications 1 2 3 4. In this post, we have a look at the common ground of these vulnerabilities, which security patches are faulty, and how to use mail() securely.

Read More ...