天天看点
返回

Month of PHP Security - Summary

it is 21th of May. The Month of PHP Security

vulnerability count of 40 vulnerabilities, which is nearly as much as we

disclosed during the whole Month of PHP Bugs in 2007. However there are

11 more days until the end of May and therefore there are still plenty

of more vulnerabilities to come. Escpecially the amount of SQL injection

vulnerabilites in PHP applications will increase, because it is called

SQL injection marathon for a reason. And we also have several articles

and submissions left.

There have been some changes to the website that should make it easier

to read and we also added the possiblity to comment on bugs/entries/news

and articles.

For those that don't already know you can follow the Month of PHP

Security on Twitter, too. Just follow @mops_2010

Here is the summary of what happened during the last 10 days.

Related Events

--------------

Returning into the PHP Interpreter – Remote Exploitation of Memory

Corruptions in PHP is not over, yet.

<a href="http://php-security.org/2010/05/21/related-event-returning-into-the-php-interpreter-remote-exploitation-of-memory-corruptions-in-php-is-not-over-yet/">http://php-security.org/2010/05/21/related-event-returning-into-the-php-interpreter-remote-exploitation-of-memory-corruptions-in-php-is-not-over-yet/</a>

PHP Security Course – Advanced PHP Auditing at Source and Bytecode level

<a href="http://php-security.org/2010/05/19/related-event-php-security-course-advanced-php-auditing-at-source-and-bytecode-level/">http://php-security.org/2010/05/19/related-event-php-security-course-advanced-php-auditing-at-source-and-bytecode-level/</a>

Articles

--------

MOPS Submission 07: Our Dynamic PHP – Obvious and not so obvious PHP

code injection and evaluation

<a href="http://php-security.org/2010/05/20/mops-submission-07-our-dynamic-php/">http://php-security.org/2010/05/20/mops-submission-07-our-dynamic-php/</a>

MOPS Submission 06: Variable Initialization in PHP

<a href="http://php-security.org/2010/05/17/mops-submission-06-variable-initialization-in-php/">http://php-security.org/2010/05/17/mops-submission-06-variable-initialization-in-php/</a>

Article: Decoding a User Space Encoded PHP Script

<a href="http://php-security.org/2010/05/13/article-decoding-a-user-space-encoded-php-script/">http://php-security.org/2010/05/13/article-decoding-a-user-space-encoded-php-script/</a>

MOPS Submission 05 – The Minerva PHP Fuzzer

<a href="http://php-security.org/2010/05/11/mops-submission-05-the-minerva-php-fuzzer/">http://php-security.org/2010/05/11/mops-submission-05-the-minerva-php-fuzzer/</a>

PHP Vulnerabilities

-------------------

MOPS-2010-040: PHP strtr() Interruption Information Leak Vulnerability

<a href="http://php-security.org/2010/05/21/mops-2010-040-php-strtr-interruption-information-leak-vulnerability/">http://php-security.org/2010/05/21/mops-2010-040-php-strtr-interruption-information-leak-vulnerability/</a>

MOPS-2010-039: PHP strpbrk() Interruption Information Leak Vulnerability

<a href="http://php-security.org/2010/05/21/mops-2010-039-php-strpbrk-interruption-information-leak-vulnerability/">http://php-security.org/2010/05/21/mops-2010-039-php-strpbrk-interruption-information-leak-vulnerability/</a>

MOPS-2010-038: PHP http_build_query() Interruption Information Leak

Vulnerability

<a href="http://php-security.org/2010/05/21/mops-2010-038-php-http_build_query-interruption-information-leak-vulnerability/">http://php-security.org/2010/05/21/mops-2010-038-php-http_build_query-interruption-information-leak-vulnerability/</a>

MOPS-2010-037: PHP str_getcsv() Interruption Information Leak Vulnerability

<a href="http://php-security.org/2010/05/21/mops-2010-037-php-str_getcsv-interruption-information-leak-vulnerability/">http://php-security.org/2010/05/21/mops-2010-037-php-str_getcsv-interruption-information-leak-vulnerability/</a>

MOPS-2010-036: PHP htmlentities() and htmlspecialchars() Interruption

Information Leak Vulnerability

<a href="http://php-security.org/2010/05/21/mops-2010-036-php-htmlentities-and-htmlspecialchars-interruption-information-leak-vulnerability/">http://php-security.org/2010/05/21/mops-2010-036-php-htmlentities-and-htmlspecialchars-interruption-information-leak-vulnerability/</a>

MOPS-2010-034: PHP iconv_mime_encode() Interruption Information Leak

<a href="http://php-security.org/2010/05/18/mops-2010-034-php-iconv_mime_encode-interruption-information-leak-vulnerability/">http://php-security.org/2010/05/18/mops-2010-034-php-iconv_mime_encode-interruption-information-leak-vulnerability/</a>

MOPS-2010-033: PHP iconv_substr() Interruption Information Leak

<a href="http://php-security.org/2010/05/18/mops-2010-033-php-iconv_substr-interruption-information-leak-vulnerability/">http://php-security.org/2010/05/18/mops-2010-033-php-iconv_substr-interruption-information-leak-vulnerability/</a>

MOPS-2010-032: PHP iconv_mime_decode() Interruption Information Leak

<a href="http://php-security.org/2010/05/18/mops-2010-032-php-iconv_mime_decode-interruption-information-leak-vulnerability/">http://php-security.org/2010/05/18/mops-2010-032-php-iconv_mime_decode-interruption-information-leak-vulnerability/</a>

MOPS-2010-028: PHP phar_wrapper_open_url Format String Vulnerabilities

<a href="http://php-security.org/2010/05/14/mops-2010-028-php-phar_wrapper_open_url-format-string-vulnerabilities/">http://php-security.org/2010/05/14/mops-2010-028-php-phar_wrapper_open_url-format-string-vulnerabilities/</a>

MOPS-2010-027: PHP phar_parse_url Format String Vulnerabilities

<a href="http://php-security.org/2010/05/14/mops-2010-027-php-phar_parse_url-format-string-vulnerabilities/">http://php-security.org/2010/05/14/mops-2010-027-php-phar_parse_url-format-string-vulnerabilities/</a>

MOPS-2010-026: PHP phar_wrapper_unlink Format String Vulnerability

<a href="http://php-security.org/2010/05/14/mops-2010-026-php-phar_wrapper_unlink-format-string-vulnerability/">http://php-security.org/2010/05/14/mops-2010-026-php-phar_wrapper_unlink-format-string-vulnerability/</a>

MOPS-2010-025: PHP phar_wrapper_open_dir Format String Vulnerability

<a href="http://php-security.org/2010/05/14/mops-2010-025-php-phar_wrapper_open_dir-format-string-vulnerability/">http://php-security.org/2010/05/14/mops-2010-025-php-phar_wrapper_open_dir-format-string-vulnerability/</a>

MOPS-2010-024: PHP phar_stream_flush Format String Vulnerability

<a href="http://php-security.org/2010/05/14/mops-2010-024-php-phar_stream_flush-format-string-vulnerability/">http://php-security.org/2010/05/14/mops-2010-024-php-phar_stream_flush-format-string-vulnerability/</a>

MOPS-2010-022: PHP Stream Context Use After Free on Request Shutdown

<a href="http://php-security.org/2010/05/12/mops-2010-022-php-stream-context-use-after-free-on-request-shutdown-vulnerability/">http://php-security.org/2010/05/12/mops-2010-022-php-stream-context-use-after-free-on-request-shutdown-vulnerability/</a>

MOPS-2010-021: PHP fnmatch() Stack Exhaustion Vulnerability

<a href="http://php-security.org/2010/05/11/mops-2010-021-php-fnmatch-stack-exhaustion-vulnerability/">http://php-security.org/2010/05/11/mops-2010-021-php-fnmatch-stack-exhaustion-vulnerability/</a>

PHP Application Vulnerabilities

-------------------------------

MOPS-2010-035: e107 BBCode Remote PHP Code Execution Vulnerability

<a href="http://php-security.org/2010/05/19/mops-2010-035-e107-bbcode-remote-php-code-execution-vulnerability/">http://php-security.org/2010/05/19/mops-2010-035-e107-bbcode-remote-php-code-execution-vulnerability/</a>

MOPS-2010-031: e107 Usersettings loginname SQL Injection Vulnerability

(UPDATED)

<a href="http://php-security.org/2010/05/16/mops-2010-031-e107-usersettings-loginname-sql-injection-vulnerability/">http://php-security.org/2010/05/16/mops-2010-031-e107-usersettings-loginname-sql-injection-vulnerability/</a>

MOPS-2010-030: CMSQlite mod Parameter Local File Inclusion Vulnerability

<a href="http://php-security.org/2010/05/15/mops-2010-030-cmsqlite-mod-parameter-local-file-inclusion-vulnerability/">http://php-security.org/2010/05/15/mops-2010-030-cmsqlite-mod-parameter-local-file-inclusion-vulnerability/</a>

MOPS-2010-029: CMSQlite c Parameter SQL Injection Vulnerability

<a href="http://php-security.org/2010/05/15/mops-2010-029-cmsqlite-c-parameter-sql-injection-vulnerability/">http://php-security.org/2010/05/15/mops-2010-029-cmsqlite-c-parameter-sql-injection-vulnerability/</a>

MOPS-2010-023: Cacti Graph Viewer SQL Injection Vulnerability

<a href="http://php-security.org/2010/05/13/mops-2010-023-cacti-graph-viewer-sql-injection-vulnerability/">http://php-security.org/2010/05/13/mops-2010-023-cacti-graph-viewer-sql-injection-vulnerability/</a>

Thank you

Stefan Esser

Month of PHP Security / php-security.org

sql 安全 php contract支持 ubuntu云计算配置 php对象content ubuntu安装mongo Security框架
上一篇: STP mitm attack idea
下一篇: dnscat

继续阅读