[PHP] PHP Security!!! www.armorize.com
Hi,

I would like to introduce a new tool for verifying your PHP application's security. Our product uses the most advanced static source code analysis for identifying vulnerabilities in PHP code. Right now we are working with our version 1.17, which has improved functionality, speed and coverage. We have an under 5% false positive rate, which drops to under 1% with a little configuration. Our false negatives are negligible!

Our language parser and transformer creates an abstract model of the code, through which it runs a series of program path, inter-procedural and data flow analyses, after which it can tell you not only what line of code the vulnerability lies on, but also highlights the tainted variable that introduced the bug and how it propagates through the code to become a vulnerability. This provides an end-to-end illustration of the vulnerability, educates you regarding the dynamics of security problems in PHP and actually provides suggestions of how you should go about fixing the code. The best part is that because it is static analysis, the application does not need to be up and running, so you can run the scans during development.

We are launching our Security-as-a-Service model, which represents the hosting of our core technology at our R&D center; all you need to do is log on via your Web browser and you can verify your application's security. Today we are introducing the SaaS model and are providing it on a monthly subscription basis. Purchase for one month and fix your entire code base; when you need to modify your application again, it will only cost you that month's subscription. Our introductory price is very low for this kind of tool, because there is no tool as advanced as this. But you need not take my word for it: write to [EMAIL PROTECTED] to apply for a free 2-day trial account. Please include a valid business e-mail, your name, and phone number (optional). The first 50 subscribers will receive a full month's subscription at 50% discount. The first 25 will receive 2 months at 50% discount.

Check out our website at www.armorize.com

Jordan

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] advice on sql injection/XSS prevention
Actually there is a tool available for automated validation of PHP code. It's called static source code analysis, which, very simply stated, acts like a spell checker for custom developed code. This tool is very accurate at finding, especially, SQL injection and XSS, and can be run directly against the source code, so it doesn't need the application to be up and running. This company http://www.armorize.com/services/securityasaservice?utm_source=jordan&utm_medium=post is offering this kind of tool delivered as a service directly over the Web, which means you can either request that those authorized people verify their code security before posting, or you can do it after they have posted. The tool shows the vulnerability as well as the tainted origin that introduces it and provides fix suggestions, etc., so everything can be fixed in a very short time with very little effort -- no installation required.

From: Zoltán Németh <[EMAIL PROTECTED]>
To: Bing Du <[EMAIL PROTECTED]>
CC: php-general@lists.php.net
Subject: Re: [PHP] advice on sql injection/XSS prevention
Date: Thu, 05 Apr 2007 16:23:23 +0200

I think it is generally a Bad Idea to allow users to submit code into your system... You would be better off if you provided some pseudo-coding possibilities which would allow them to insert certain functionalities into their content, with you providing the real code running behind and replacing the pseudo-codes with the process results.

greets
Zoltán Németh

On Thursday, 5 April 2007 at 09:17, Bing Du wrote:
> Hi,
>
> I'm not an experienced PHP developer. We're hosting a content management
> system that allows authorized people to add PHP contents. Their PHP coding
> levels vary. Some are very security sensitive, but some are not. I
> want to know if PHP has any ready-to-use function to validate form input to
> help prevent SQL injection/XSS, so each programmer doesn't have to write
> their own form validation code. I'd appreciate any advice or pointers.
>
> Thanks in advance,
>
> Bing
FW: [PHP] Re: Please hack my app
Hi,

My name is Jordan Forssman, I am representing a company called Armorize Technologies. We have developed a source code analysis platform for PHP, called CodeSecure, which scans source code for SQL injection, cross-site scripting, command injection, etc. vulnerabilities. The tool will tell you exactly which line the vulnerability is on, explain the propagation of the tainted variables, and assist you in fixing the bug. I believe this tool will help you verify the security of your application and will be able to do so very quickly. At the moment we are scanning around 20 000 lines in under 5 minutes, or 1M in about 2 minutes, depending on the application.

Currently we are accepting applications for trial accounts; if you would like to use our tool to scan your code please log on to http://www.armorize.com/events/trialapplication and submit the form. We are just starting our sales and marketing effort so I hope you can use our product and give us some feedback.

If you want to know more about our company and product you can find us at: www.armorize.com , download our datasheets and whitepapers at www.armorize.com/resources/download .

The trial is free and can be accessed over the Web; we are using the trials as a test case for offering the product as a service and also to promote the product. Once I receive your application I will send you an e-mail with a quickstart guide and login details.

If you have any questions, please feel free to contact me anytime.

Best Regards,

Jordan Forssman
Sales Manager
Armorize Technologies
Tel. +886-2-6616-0100 ext. 201
Cell. +886-938-100-214
Fax. +886-2-6616-1100
Skype: jordan4z
[EMAIL PROTECTED]
[EMAIL PROTECTED]

-----Original Message-----
From: Ivo F.A.C. Fokkema [mailto:I.F.A.C. [EMAIL PROTECTED]
Sent: Monday, November 27, 2006 6:01 PM
To: php-general@lists.php.net
Subject: [PHP] Re: Please hack my app

On Wed, 22 Nov 2006 09:57:50 +0100, Ivo F.A.C. Fokkema wrote:

> Hi List,
>
> As this subject may start you wondering what the hell I'm thinking, let me
> clarify:
>
> I've been rewriting a GPL'ed PHP/MySQL app from scratch for the last 12
> months or so. It facilitates storage of DNA mutations and the
> corresponding patient data. Because patient data is involved, privacy is
> very important.
> Now of course I read lots of pages on SQL injection and whatnot, and I
> strongly believe my application is protected from this kind of abuse.
> However, believing is not enough. I've had some comments in the past about
> security (previous version of the software) and although I didn't agree with
> the criticism, I want to be able to say the new app went through various forms
> of attacks. This month, I want to release 2.0-alpha-01...
>
> *** THIS IS NOT ABOUT HACKING THE SERVER ***
> But about getting in the application when you're not allowed to!
>
> If you feel like helping me out, it's located at
> http://chromium.liacs.nl/LOVDv.2.0-dev/
>
> 1) Please try to get in. There's one account in the system, a database
> administrator, capable of doing anything. If you get in, you can easily
> create a new user using the setup tab. This will be the proof of you
> breaking my security rules.
>
> 2) Can you manage to view non-public data? Using the Variants tab, you
> can see there is currently one entry in the database (with two mutations).
> This entry has a hidden column, called 'Patient ID'. There is a
> text-string in that column. If you can tell me what that string is, you
> win :)
>
> 3) Feel free to register as a submitter to see if that gives you any
> rights that you shouldn't have. A submitter is only capable of adding new
> data to the database (Submit tab), but that data will not be published
> immediately.
>
> 4) After a while, I will release login details of a curator account. This
> user is allowed to see non-public data and handle the specific gene, but
> NOT create new users or the like.
>
> If you have any questions, please ask. Thank you in advance for using your
> expertise for the good cause :)

In case anyone is interested; I've created a low-level user ('untrusted') in the system. Password is equal to username. Feel free to try and do stuff you're not supposed to, like creating a new user or creating a gene.

Ivo
RE: FW: [PHP] Re: Please hack my app
Hi Ivo,

Sorry for the late reply, I have been traveling. I am assigning someone to your case who will assist you in understanding the cause of the inclusion of the vulnerability in your own functions. To my understanding it is that it could be the result of a repetition of an instance discovered in your function. If you then include the function a number of times, the vulnerability will be identified in all those instances. However, I am assigning someone to this question who will give you a better answer; his name is Chris.

As to your comments, I would greatly appreciate them.

Thanks and all the best,

Jordan Forssman
Sales Manager
Armorize Technologies
US: Tel: +1-408-512-4052 ext. 201 Fax: +1-408-247-1570
TW: Tel. +886-2-6616-0100 ext. 201 Cell. +886-938-100-214 Fax. +886-2-6616-1100
Skype: jordan4z
[EMAIL PROTECTED]

-----Original Message-----
From: Ivo F.A.C. Fokkema [mailto:I.F.A.C. [EMAIL PROTECTED]
Sent: Saturday, December 02, 2006 12:26 AM
To: php-general@lists.php.net
Subject: Re: FW: [PHP] Re: Please hack my app

Hi Jordan,

Thank you for your offer. As you know, I signed up a couple of days ago. I ran a scan yesterday and have gotten a big PDF file out of it. I've quickly scanned through the results and it appears that a lot of times when I use one of my own functions (sometimes even without an argument) it finds a vulnerability. I will analyze the results in more detail later on.

Would you appreciate comments on the service?

Thanks again,
Ivo

On Tue, 28 Nov 2006 14:19:30 +0800, Jordan Forssman wrote:
> Hi,
>
> My name is Jordan Forssman, I am representing a company called Armorize
> Technologies. We have developed a source code analysis platform for PHP,
> called CodeSecure, which scans source code for SQL injection, cross site
> scripting, command injection, etc, vulnerability. The tool will tell you
> exactly which line the vulnerability is on, explain the propagation of
> the tainted variables, and assist you in fixing the bug.
FW: FW: [PHP] Re: Please hack my app
Hi Ivo,

Jordan forwarded me your mail to provide some technical explanation. First of all, sorry for the delay; due to recent business travels and out-of-office events, I haven't had a lot of time to go through my mailbox.

The product version that you were using is a trial version, which does not support all of the most recent improvements we've added (version 1.2 will be released in January). You encountered one of the limitations when you noticed that calling your own functions caused a vulnerability. Due to the way our algorithm analyzes and processes information flow through function calls, we can sometimes determine a user-defined function to be vulnerable, regardless of the parameters passed to it. One simple (artificial) example would be the following situation:

    function update_last_login($user_id) {
        mysql_query('insert into users (id, login_date) values (' . $user_id . ',' . $_GET['date'] . ')');
    }

No matter if you sanitize $user_id or not, the function will always pass an unsanitized user parameter into an SQL query, so the function call will always lead to a vulnerability - this would even happen if there were no function parameters. In that situation, the current trial version will report those calls to your user-defined function as vulnerable, possibly without finishing the tainted information flow trace to the actual sensitive method (the mysql_query in the case above). A complete traceback with a more fine-grained reporting level has already been implemented but not yet deployed to the trial servers.

By the way, we would greatly appreciate any feedback that you could give us concerning usability and performance of the trial account. If you have any more technical questions, please don't hesitate to contact me.

Best regards,

Christian Hang
Chief Software Architect
Armorize Technologies, Inc.
email: [EMAIL PROTECTED]

-----Original Message-----
From: Ivo F.A.C. Fokkema [mailto:I.F.A.C. [EMAIL PROTECTED]
Sent: Saturday, December 02, 2006 12:28 AM
To: php-general@lists.php.net
Subject: Re: FW: [PHP] Re: Please hack my app

Hi Jordan,

Thank you for your offer. As you know, I signed up a couple of days ago. I ran a scan yesterday and have gotten a big PDF file out of it. I've quickly scanned through the results and it appears that a lot of times when I use one of my own functions (sometimes even without an argument) it finds a vulnerability. I will analyze the results in more detail later on.

Would you appreciate comments on the service?

Thanks again,
Ivo
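As an added illustration of Christian's point (example code written for this page, not code from the thread or from the CodeSecure product): the artificial function is vulnerable no matter what the caller passes as $user_id, because the taint enters from $_GET inside the function body, so a per-function summary is correct to flag every call site. The hardened form beside it validates the request value and binds both values through a prepared statement; the connection is a constructed in-memory SQLite database so the script runs offline, and the function and variable names are assumptions.

```php
<?php
// Christian's artificial example, reproduced as-is. $_GET['date'] flows
// straight into the query text, so every call site is reported vulnerable
// regardless of how the caller sanitized $user_id. (Not called below:
// mysql_query is gone since PHP 7 and the string is unsafe by design.)
function update_last_login_vulnerable($user_id) {
    mysql_query('insert into users (id, login_date) values ('
        . $user_id . ',' . $_GET['date'] . ')');
}

// Hardened form (added here, hypothetical names). The request array is
// passed in explicitly, the date is validated inside the function, and
// both values are bound as parameters, so no tainted string ever becomes
// part of the SQL text. Returns false on rejected input.
function update_last_login(PDO $pdo, int $user_id, array $request): bool {
    $raw = $request['date'] ?? null;
    // Shape check: ISO-8601 calendar date only.
    if (!is_string($raw) || !preg_match('/^\d{4}-\d{2}-\d{2}$/', $raw)) {
        return false;
    }
    // Semantic check: reject values like 2006-02-30 that match the pattern
    // but are not real dates (createFromFormat would silently roll over).
    $dt = DateTime::createFromFormat('!Y-m-d', $raw);
    if ($dt === false || $dt->format('Y-m-d') !== $raw) {
        return false;
    }
    $stmt = $pdo->prepare(
        'INSERT INTO users (id, login_date) VALUES (:id, :login_date)'
    );
    $stmt->bindValue(':id', $user_id, PDO::PARAM_INT);
    $stmt->bindValue(':login_date', $dt->format('Y-m-d'), PDO::PARAM_STR);
    return $stmt->execute();
}

// Constructed sample: in-memory SQLite standing in for the MySQL table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER, login_date TEXT)');

var_dump(update_last_login($pdo, 42, ['date' => '2006-12-02']));
var_dump(update_last_login($pdo, 42, ['date' => '2006-02-30']));
var_dump(update_last_login($pdo, 42, ['date' => 'yesterday']));
var_dump(update_last_login($pdo, 42, []));
var_dump($pdo->query('SELECT COUNT(*) FROM users')->fetchColumn());
```

Only the first call inserts a row; the three rejected inputs never reach the driver, and even a well-formed date is sent as a bound parameter rather than as query text.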