Stealing session ids from phpinfo()
output has been a known technique for some time, and is used to bypass the HttpOnly
attribute, which prohibits JavaScript from accessing a cookie marked as such (e.g. PHPSESSID
). I just now thought of a solution that allows you to keep your phpinfo()
: we'll simply censor the sensitive data, making phpinfo()
lose some of its value to the attacker.
composer audit
When a security vulnerability is discovered in one of the PHP libraries you use, there are several options how you can learn about the bug before it's too late. I've written about PHP Security Advisories Database in one of my previous posts and how you can use it with Roave Security Advisories and a few other ways. However all of them require an extra package or a tool.
At the end of August, a critical security bug was discovered and immediately fixed in one of the popular PHP frameworks, Nette. Although the author of the framework, David Grudl, did everything possible, some did not learn about the bug in time and did not update their sites and web apps. Let me tell you a few tips not only for PHP, that will help you to know about similar problems as soon as possible.
I'm organizing another round of my training, this time remotely. Afternoons, for half of the regular price.
The time has come and after 6 years I'm closing my public training Introduction to PHP and Classes and objects in PHP, the last round this December. I'm also writing some new courses.
FPD is one of approximately 17576 three-letter abbreviations used on the Internet, and one of the few where the letter F doesn't stand for, um, let's say friend. The meaning of the acronym that I'd like to talk about is important for web application security: FPD means Full Path Disclosure.