public marks

PUBLIC MARKS with tags security & php

December 2007

Suhosin 0.9.21 - XSS Protection - PHP Security Blog

by mbertier
It has been a very long time since the last Suhosin extension was released, but today this has changed with the release of Suhosin 0.9.21. Among the changes are two new features that will protect applications that put too much trust in the SERVER variables from several XSS (and SQL injection) attacks. These features are suhosin.server.strip and suhosin.server.encode.

October 2007

September 2007

PHPIDS » Web Application Security 2.0 » Index

by mbertier & 1 other (via)
PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application. The IDS neither strips, sanitizes nor filters any malicious input, it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to. Based on a set of approved and heavily tested filter rules any attack is given a numerical impact rating which makes it easy to decide what kind of action should follow the hacking attempt. This could range from simple logging to sending out an emergency mail to the development team, displaying a warning message for the attacker or even ending the user’s session.

August 2007

May 2007

PHP Security Consortium: PHPSecInfo

by kasi77 (via)
PhpSecInfo provides an equivalent to the phpinfo() function that reports security information about the PHP environment, and offers suggestions for improvement. It is not a replacement for secure development techniques, and does not do any kind of code or app auditing, but can be a useful tool in a multilayered security approach.

April 2007

March 2007

February 2007

NeedSecure - Improve your site security

by kirillo
NeedSecure Pro is a first class tool enabling you to easily password protect any directory on your website with .htaccess and .htpasswd files. It has useful member management opportunities. The script is the ultimate protection solution for your website at a reasonable price. With NeedSecure Pro you can allow / deny access to any protected directory on your web site, change directory names to virtual names, manage the protected directories in the way you like, add new users to protected directories automatically, send mass newsletter to all registered users, edit language files and e-mail templates, edit / remove / suspend member accounts, temporarily disable new registrations, search member account by username, real name or email and much more. The script has a user-friendly installation, which requires no additional programming or configuration. FREE installation and FREE support included.

Changing Linux System Passwords with PHP - Real-Blog

by realmip
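Earlier articles covered running root commands from PHP through Sudo. That works for single-line commands, but not for running passwd to change a system password. One solution is to install super or expert; another is to change the password non-interactively, though this is not recommended if other users on the host can place their own web pages there. The specific steps are: 1. Run visudo as root and add the following line: apache ALL=NOPASSWD:/usr/bin/passwd [A-z]*, !/usr/bin/passwd root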

January 2007

PHP Obfuscator

by camel & 1 other
Called POBS, it lets you do anything at all with your code

PHP Security Scanner project official website

by clochix & 1 other
PHP Security Scanner is a tool written in PHP intended to search PHP code for vulnerabilities. MySQL DB stores patterns to search for as well as the results from the search. The tool can scan any directory on the file system.

PHP Obfuscator

by lecyborg & 1 other
Called POBS, it lets you do anything at all with your code

Password Hashing

by lecyborg & 3 others, 5 comments
Or how to properly secure passwords

Basic PHP Script Security

by clochix & 3 others
Basic PHP script security covers issues like prevention of SQL injections, XSS and CSRF attacks, variable tampering, etc.

December 2006
