PHP Security Consortium Launched

← Back to Stories (view on slashdot.org)

PHP Security Consortium Launched

Posted by timothy on Monday January 31, 2005 @02:57PM from the floodgates dept.

Chris Shiflett writes "We're happy to announce the official launch of the PHP Security Consortium (PHPSC). Our mission is 'to promote secure programming practices within the PHP community through education and exposition while maintaining high ethical standards.' You can read the official press release or visit us at phpsec.org."

4 of 64 comments (clear)

Min score:

Reason:

Sort:

Re:Good by blankslate · 2005-01-31 15:30 · Score: 2, Interesting

Nice. It'd be good to see an audited set of widgets made available for say, secure database logins and file dissemination which we know to be approved by expert eyes.

--
---- death to all fanatics
Too bad the only article contains a race condition by Wizard+of+OS · 2005-02-01 00:51 · Score: 2, Interesting

(I also posted this on the CAPATCHA topic, but I think it's relevant here too).

Too bad that that example on that site of 'an international group of PHP experts dedicated to promoting secure programming practices within the PHP community.' is flawed.

It always writes to the same .jpg file, so two people requesting the page at the same time will see the same image (the last generated one).

If these are the PHP experts on secure programming, I am now really worried.

--

--
If code was hard to write, it should be hard to read
Re:Too bad the only article contains a race condit by Wizard+of+OS · 2005-02-01 01:17 · Score: 2, Interesting

The code says:

and:

$image = $captcha->getCAPTCHAAsJPEG();
$handle = fopen('captcha.jpg', 'w');
fwrite($handle, $image);
fclose($handle);

So, assume this happens:
- Client A requests the site
- Client B requests the site
- PHP engine process request for A: generates a random string 'abcde' and creates the captcha.jpg for this 'abcde'
- PHP engine process request for B: generates a random string 'fghij' and creates the captcha.jpg for this 'fghij'
- Due to some network lag (200ms), A will now request 'captcha.jpg'

A will see 'fghij', but the session for A will have 'abcde' set. This means that A cannot validate himself.

The problem here is ofcourse that the file is always the same: if you would use a PHP file that generates the images for a request (based on the sessionid from a cookie), you would be safe.

--

--
If code was hard to write, it should be hard to read
Re:Good by arkanes · 2005-02-01 10:55 · Score: 4, Interesting

This attitude is in no small part responsible for the generally terrible security of web-based applications. Security is *not* a set of "audited widgets". You have to know what to do and what not to do - there's no magic widget that is going to secure your application. You *can't* write a general purpose, secure widget for exposing files over the internet without the end developer knowing what they're doing.