Comments on: PHPIDS 0.5 has landed http://php-ids.org/2008/06/07/phpids-05-has-landed/ Fri, 18 Jun 2010 11:58:23 +0000 hourly 1 http://wordpress.org/?v=3.0 By: PHPIDS » Web Application Security 2.0 » Blog Archive » PHPIDS showing up in PHPMagazin http://php-ids.org/2008/06/07/phpids-05-has-landed/comment-page-1/#comment-268 PHPIDS » Web Application Security 2.0 » Blog Archive » PHPIDS showing up in PHPMagazin Wed, 09 Jul 2008 22:50:10 +0000 http://php-ids.org/?p=64#comment-268 [...] it was written quite some time ago and published just now, so it doesn’t cover all the cool new features that are available since PHPIDS version >= 0.5. That means, you won’t find anything on allowed HTML code in user input, which PHPIDS is [...] [...] it was written quite some time ago and published just now, so it doesn’t cover all the cool new features that are available since PHPIDS version >= 0.5. That means, you won’t find anything on allowed HTML code in user input, which PHPIDS is [...]

]]> By: .mario http://php-ids.org/2008/06/07/phpids-05-has-landed/comment-page-1/#comment-261 .mario Wed, 02 Jul 2008 12:24:02 +0000 http://php-ids.org/?p=64#comment-261 Hey mrhassell, Thanks for your comment. I agree with you in most points - yes PHP is shipped with settings that make any security affine developer or consultant just shiver. But - what I don't get yet is what you would suggest to be an approach for solving the 'knowledge and understanding' problem. I've been doing quite a lot of talks and presentation around PHP security and most times the auditorium was interested but uniformed - even about the most easy to get issues. I think that is because of the misconception that IT security is some kind of witchery which takes developers who know their markup and codes years to learn or even basically understand. The bridge between creating and exploiting seems more narrow for most devs - or not even existing - than you would normally expect. So - all hope seems gone for developers who don't want to risk a peek outside the box? How could one reach people who are not interested but should be? How to make the whole thing sexy? Greetings, .mario Hey mrhassell,

Thanks for your comment. I agree with you in most points – yes PHP is shipped with settings that make any security affine developer or consultant just shiver. But – what I don’t get yet is what you would suggest to be an approach for solving the ‘knowledge and understanding’ problem. I’ve been doing quite a lot of talks and presentation around PHP security and most times the auditorium was interested but uniformed – even about the most easy to get issues.

I think that is because of the misconception that IT security is some kind of witchery which takes developers who know their markup and codes years to learn or even basically understand. The bridge between creating and exploiting seems more narrow for most devs – or not even existing – than you would normally expect.

So – all hope seems gone for developers who don’t want to risk a peek outside the box? How could one reach people who are not interested but should be? How to make the whole thing sexy?

Greetings,
.mario

]]> By: mrhassell http://php-ids.org/2008/06/07/phpids-05-has-landed/comment-page-1/#comment-254 mrhassell Sun, 29 Jun 2008 07:07:11 +0000 http://php-ids.org/?p=64#comment-254 Personal home pages = PHP. The original CGI by Rasmus Lerdorf, was originally PERL based. Andi Gutmans and Zeev Suraski rewrote the parser to make PHP 3 and the vulerabilies that exist in ANY version of PHP prior to V5.2.6 - require intense scrutiny and establishment of strict policy's "prior" to any form of web server installation. http://www.sans.org/top20/#s1 - please take a look at what these web application security defects actually are - you will find that PHP hold's the crown for being the most insecure web application framework. "By default, PHP allows file functions to access resources on the Internet using a feature called "allow_url_fopen".... ever heard of - Remote code execution - Remote root kit installation and are you aware that on Windows, complete system compromise may be possible through the use of PHP’s SMB file wrappers? It's quite an admirable job that you are doing at php-ids.org and I commend you on your valiant efforts. The problem is greater than the single module which you are providing however and I feel that you have a responsibility to inform users of PHP as to what, where and why these vulerabilies exist and how to "work around" them to secure their web application servers. I'm quite surprised to see that so few comments have been made in relation to the PHPIDS 0.5 milstone and it frustrates and annoys me that having been fortunate enough to watch the evolution of OO programming and framework's since age 11 (I'm now 35) that the 'real' meaning behind all good intentions is discarded or arrogantly overlooked, by over confident people who simply fail to do their homework and understand the background or basis of what they are talking about. Knowledge if said to be power, requires understanding and hence a decent explanation should be required. Stating the obvious only complicates the matter and fail's to enlighten any student. Personal home pages = PHP. The original CGI by Rasmus Lerdorf, was originally PERL based. Andi Gutmans and Zeev Suraski rewrote the parser to make PHP 3 and the vulerabilies that exist in ANY version of PHP prior to V5.2.6 – require intense scrutiny and establishment of strict policy’s “prior” to any form of web server installation.

http://www.sans.org/top20/#s1 – please take a look at what these web application security defects actually are – you will find that PHP hold’s the crown for being the most insecure web application framework.

“By default, PHP allows file functions to access resources on the Internet using a feature called “allow_url_fopen”…. ever heard of – Remote code execution – Remote root kit installation and are you aware that on Windows, complete system compromise may be possible through the use of PHP’s SMB file wrappers?

It’s quite an admirable job that you are doing at php-ids.org and I commend you on your valiant efforts. The problem is greater than the single module which you are providing however and I feel that you have a responsibility to inform users of PHP as to what, where and why these vulerabilies exist and how to “work around” them to secure their web application servers.

I’m quite surprised to see that so few comments have been made in relation to the PHPIDS 0.5 milstone and it frustrates and annoys me that having been fortunate enough to watch the evolution of OO programming and framework’s since age 11 (I’m now 35) that the ‘real’ meaning behind all good intentions is discarded or arrogantly overlooked, by over confident people who simply fail to do their homework and understand the background or basis of what they are talking about.

Knowledge if said to be power, requires understanding and hence a decent explanation should be required. Stating the obvious only complicates the matter and fail’s to enlighten any student.

]]> By: .mario http://php-ids.org/2008/06/07/phpids-05-has-landed/comment-page-1/#comment-232 .mario Sun, 08 Jun 2008 09:13:36 +0000 http://php-ids.org/?p=64#comment-232 I'd love to see that the WPIDS receives an update. But on the other hand it's not so hard to use the real PHPIDS in combination with WP - if you have trouble achieving that feel free to contact us in the forum. What I know is that the Typo3 plugin/extension will be updated soon - and then of course find its way back into our download section. Greet8ings, .mario I’d love to see that the WPIDS receives an update. But on the other hand it’s not so hard to use the real PHPIDS in combination with WP – if you have trouble achieving that feel free to contact us in the forum.

What I know is that the Typo3 plugin/extension will be updated soon – and then of course find its way back into our download section.

Greet8ings,
.mario

]]> By: joe cool http://php-ids.org/2008/06/07/phpids-05-has-landed/comment-page-1/#comment-231 joe cool Sun, 08 Jun 2008 04:17:55 +0000 http://php-ids.org/?p=64#comment-231 "All other download links to unofficial extensions have been removed due to lack of maintenance by the authors and severe bugs / bad programming. Sorry guys." Nooooooooooooooo!!!... :'(((( Will Wordpress plugin be updated? Thank you PHPIDS team! “All other download links to unofficial extensions have been removed due to lack of maintenance by the authors and severe bugs / bad programming. Sorry guys.”

Nooooooooooooooo!!!… :’((((

Will WordPress plugin be updated?

Thank you PHPIDS team!

]]>