December 2007
Suhosin 0.9.21 - XSS Protection - PHP Security Blog
by mbertier
It has been a very long time since the last Suhosin extension release, but that changed today with the release of Suhosin 0.9.21. Among the changes are two new features that protect applications that put too much trust in the SERVER variables from several XSS (and SQL injection) attacks. These features are suhosin.server.strip and suhosin.server.encode.
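The class of bug those two directives are aimed at is an application that echoes path-derived $_SERVER values such as PHP_SELF into HTML without escaping. The following is an added example, not code from the Suhosin post: the sample request path is constructed for illustration, and the hardened version escapes on output, which is still required even with Suhosin acting as a safety net.

```php
<?php
// Added example (not from the Suhosin post). A form that writes $_SERVER['PHP_SELF']
// unescaped into an attribute. For a request to  /form.php/"><script>alert(1)</script>
// the path-info part is appended to PHP_SELF and lands in the page as-is.
// The value below is constructed for the example; no real request is involved.
$phpSelf = '/form.php/"><script>alert(1)</script>';

// Vulnerable: attacker-controlled path reaches the HTML attribute unescaped.
function vulnerableFormTag(string $phpSelf): string
{
    return '<form action="' . $phpSelf . '" method="post">';
}

// Hardened: escape on output. In real code prefer $_SERVER['SCRIPT_NAME'], which
// carries no path-info part, but escape it anyway; suhosin.server.strip/encode
// then only matter for code paths that forgot to.
function hardenedFormTag(string $path): string
{
    return '<form action="' . htmlspecialchars($path, ENT_QUOTES, 'UTF-8') . '" method="post">';
}

echo vulnerableFormTag($phpSelf), "\n";
echo hardenedFormTag($phpSelf), "\n";
```

Run from the command line to compare the two tags: the first contains a closed attribute followed by a live script element, the second a single quoted attribute with the markup entity-encoded.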
October 2007
September 2007
PHPIDS » Web Application Security 2.0 » Index
by mbertier & 1 other (via)
PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application. The IDS neither strips, sanitizes nor filters any malicious input; it simply recognizes when an attacker tries to break your site and reacts exactly as you configure it to. Based on a set of approved and heavily tested filter rules, any attack is given a numerical impact rating, which makes it easy to decide what action should follow the attempt. This could range from simple logging to sending an emergency mail to the development team, displaying a warning message to the attacker, or even ending the user's session.
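A graded response keyed on that impact rating looks like the following. This is an added example, not code from the PHPIDS project: the class names follow the original IDS_* API as it was documented at the time (IDS_Init::init, IDS_Monitor, IDS_Report) and should be checked against the installed version, and the install path, thresholds and alert address are assumptions.

```php
<?php
// Added example (not from the PHPIDS site). Runs PHPIDS over the current request and
// maps the impact rating to log / alert / block. Install path, thresholds and the
// alert address are assumptions for the example.
set_include_path(get_include_path() . PATH_SEPARATOR . '/path/to/phpids/lib'); // assumed
require_once 'IDS/Init.php';

session_start();

// Policy: which action a given impact value triggers. Thresholds are assumed,
// not PHPIDS defaults; tune them against your own traffic before blocking.
function respondToImpact(int $impact): string
{
    if ($impact < 10) {
        return 'log';
    }
    if ($impact < 30) {
        return 'alert';
    }
    return 'block';
}

// PHPIDS inspects the arrays you hand it; include cookies, not only GET/POST.
$request = [
    'REQUEST' => $_REQUEST,
    'GET'     => $_GET,
    'POST'    => $_POST,
    'COOKIE'  => $_COOKIE,
];

$init   = IDS_Init::init('/path/to/phpids/lib/IDS/Config/Config.ini'); // assumed path
$ids    = new IDS_Monitor($request, $init);
$result = $ids->run(); // IDS_Report: empty when no filter matched

if (!$result->isEmpty()) {
    $impact = $result->getImpact();
    // Always log; the report's string form lists the matched filters and fields.
    error_log('PHPIDS impact ' . $impact . ' from ' . $_SERVER['REMOTE_ADDR'] . ': ' . $result);

    switch (respondToImpact($impact)) {
        case 'alert':
            mail('security@example.com', 'PHPIDS alert (impact ' . $impact . ')', (string) $result); // assumed address
            break;
        case 'block':
            // End the session and stop processing the request.
            session_destroy();
            header('HTTP/1.1 403 Forbidden');
            exit;
    }
}
```

Include this before any request data is used; because PHPIDS only reports, the application itself must decide whether a high score stops the request, as the block branch does here.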
August 2007
May 2007
PHP Security Consortium: PHPSecInfo
by kasi77 (via)
PhpSecInfo provides an equivalent to the phpinfo() function that reports security information about the PHP environment, and offers suggestions for improvement. It is not a replacement for secure development techniques, and does not do any kind of code or app auditing, but can be a useful tool in a multilayered security approach.
April 2007
March 2007
February 2007
NeedSecure - Improve your site security
by kirillo
NeedSecure Pro is a first class tool enabling you to easily password protect any directory on your website with .htaccess and .htpasswd files. It has useful member management features. The script is the ultimate protection solution for your website at a reasonable price. With NeedSecure Pro you can allow / deny access to any protected directory on your web site, change directory names to virtual names, manage the protected directories in the way you like, add new users to protected directories automatically, send a mass newsletter to all registered users, edit language files and e-mail templates, edit / remove / suspend member accounts, temporarily disable new registrations, search member accounts by username, real name or email, and much more. The script has a user-friendly installation which requires no additional programming or configuration. FREE installation and FREE support included.
Changing Linux System Passwords from PHP - Real-Blog
by realmip
Earlier posts covered running root commands from PHP through sudo. That works for single commands, but not for running passwd to change a system password.
One solution is to install super or expect; another is to change the password non-interactively, though this is not recommended if other users on the host can place their own web pages there. The concrete steps are:
1. As root, run visudo and add the following line:
apache ALL=NOPASSWD:/usr/bin/passwd [A-z]*, !/usr/bin/passwd root
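The rule above depends on a sudoers argument wildcard (`[A-z]*`) and a `!` exclusion; sudoers(5) warns that wildcards in command arguments match across word boundaries and that `!` exclusions are not a reliable way to deny a command. The following is an added example, not Real-Blog's code: it moves every check into PHP and assumes a hypothetical sudoers line granting one fixed command with no arguments, `/usr/sbin/chpasswd` (which reads `user:password` from stdin), instead of the page's passwd rule.

```php
<?php
// Added example (not from Real-Blog). Changes a non-privileged Linux account's
// password from the web server process without a terminal by piping a
// "user:password" line into chpasswd(8) through sudo. Assumed sudoers line
// (hypothetical, replaces the page's wildcard rule):
//     apache ALL=NOPASSWD:/usr/sbin/chpasswd
// sudo grants a single fixed command; nothing relies on wildcards or '!' rules.

function changeSystemPassword(string $user, string $newPassword): void
{
    // Strict allowlist for account names; anything else is rejected before sudo runs.
    if (!preg_match('/^[a-z_][a-z0-9_-]{0,31}$/', $user)) {
        throw new InvalidArgumentException('invalid account name');
    }
    // Refuse root and system accounts in code rather than via a sudoers '!' rule.
    if ($user === 'root') {
        throw new InvalidArgumentException('refusing to change the root password');
    }
    if (function_exists('posix_getpwnam')) {
        $pw = posix_getpwnam($user);
        if ($pw === false || (int) $pw['uid'] < 1000) { // 1000: assumed first regular uid
            throw new InvalidArgumentException('account does not exist or is a system account');
        }
    }
    // chpasswd parses one "name:password" line per account, so a colon or a
    // newline inside the password would change the meaning of the line.
    if (strlen($newPassword) < 12 || strpbrk($newPassword, ":\r\n") !== false) {
        throw new InvalidArgumentException('password too short or contains ":" or a newline');
    }

    $descriptors = [
        0 => ['pipe', 'r'], // stdin: the credential goes here, never on the command line
        1 => ['pipe', 'w'],
        2 => ['pipe', 'w'],
    ];
    // Array form (PHP 7.4+) starts the process without a shell, so no quoting issues.
    $proc = proc_open(['sudo', '-n', '/usr/sbin/chpasswd'], $descriptors, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start chpasswd');
    }
    fwrite($pipes[0], $user . ':' . $newPassword . "\n");
    fclose($pipes[0]);
    fclose($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[2]);
    $status = proc_close($proc);

    if ($status !== 0) {
        // Keep stderr out of the HTTP response; it can reveal account details.
        error_log("chpasswd failed for $user (exit $status): " . trim($stderr));
        throw new RuntimeException('password change failed');
    }
}

// Usage from an authenticated self-service page (session handling assumed):
// changeSystemPassword($_SESSION['username'], $_POST['new_password']);
```

Because the account name is validated and the password travels over stdin, the web server gets exactly one privileged capability, and the original post's concern about other users placing pages on the same host is reduced to: anyone who can run PHP as the apache user can change passwords of regular accounts, which is why the function takes the user name from the session rather than from the request.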
January 2007
onPHP5.com - Clickable, Obfuscated Email Addresses
by camel & 3 others
PHP Security Scanner project official website
by clochix & 1 other
PHP Security Scanner is a tool written in PHP intended to search PHP code for vulnerabilities. A MySQL database stores the patterns to search for as well as the results of the search. The tool can scan any directory on the file system.
Basic PHP Script Security
by clochix & 3 others
Basic PHP script security covers issues like prevention of SQL injection, XSS and CSRF attacks, variable tampering, etc.