php security books

This is a discussion on php security books within the PHP General forums, part of the PHP Programming Forums category.


#11  07-04-2007  tedd
Re: [PHP] php security books

At 11:22 AM +0100 7/4/07, Ross wrote:
>http://amazon.co.uk/s/ref=nb_ss_w_h_...0&Go.y=0&Go=Go
>
>
>looking at the top 3 on the list here, personally I quite like the O'Reilly
>books. Can someone recommend one of these or any other that will give me a
>good solid understanding of PHP security?
>
>
>Thanks,
>
>Ross


1. Essential PHP Security by Chris Shiflett

Excellent

tedd
--
-------
http://sperling.com http://ancientstones.com http://earthstones.com
#12  07-04-2007  Mark Kelly
Re: [PHP] Re: php security books

Hi.

On Wednesday 04 July 2007 13:01, Andrew Hutchings wrote:

> Avoid the O'Reilly one as it is flawed.


In what way?
#13  07-04-2007  Robert Cummings
Re: [PHP] Re: php security books

On Wed, 2007-07-04 at 11:23 -0400, Andrew Hutchings wrote:
> In article <200707041544.30740.php@wastedtimes.net>
> php@wastedtimes.net (Mark Kelly) wrote:
>
> > Hi.
> >
> > On Wednesday 04 July 2007 13:01, Andrew Hutchings wrote:
> >
> >> Avoid the O'Reilly one as it is flawed.
> >
> > In what way?
>
> It's written by Chris Shiflett, isn't that enough reason?


Ouch.

Cheers,
Rob.
--
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting |
| a powerful, scalable system for accessing system services |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for |
| creating re-usable components quickly and easily. |
`------------------------------------------------------------'
#14  07-04-2007  Stut
Re: [PHP] Re: php security books

Andrew Hutchings wrote:
> In article <200707041544.30740.php@wastedtimes.net>
> php@wastedtimes.net (Mark Kelly) wrote:
>
>> Hi.
>>
>> On Wednesday 04 July 2007 13:01, Andrew Hutchings wrote:
>>
>>> Avoid the O'Reilly one as it is flawed.
>>
>> In what way?
>
> It's written by Chris Shiflett, isn't that enough reason?


There's no need for that without justification. Please justify that comment.

-Stut

--
http://stut.net/
#15  07-04-2007  Nathan Nobbe
Re: [PHP] Re: php security books

this is getting good; i want to know why it's *flawed* now too.

no pressure :)

-nathan

On 7/4/07, Stut <stuttle@gmail.com> wrote:
>
> Andrew Hutchings wrote:
> > In article <200707041544.30740.php@wastedtimes.net>
> > php@wastedtimes.net (Mark Kelly) wrote:
> >
> >> Hi.
> >>
> >> On Wednesday 04 July 2007 13:01, Andrew Hutchings wrote:
> >>
> >>> Avoid the O'Reilly one as it is flawed.
> >>
> >> In what way?
> >
> > It's written by Chris Shiflett, isn't that enough reason?
>
> There's no need for that without justification. Please justify that
> comment.
>
> -Stut
>
> --
> http://stut.net/


#16  07-04-2007  Richard Davey
Re[2]: [PHP] Re: php security books

Hi Andrew,

Wednesday, July 4, 2007, 4:23:38 PM, you wrote:

>>> Avoid the O'Reilly one as it is flawed.

>> In what way?

> It's written by Chris Shiflett, isn't that enough reason?


No, not really. The errata are clearly published online, and while you
could argue that some of them shouldn't have existed in the text in
the first place, security is such a moveable feast that whatever is
written today will almost surely have changed within a very short period
of time, regardless of the author.

If just one person takes something useful away from his book, that
makes them think "damn yes, I DO allow that in my scripts!", then it
was a worthwhile purchase. He (along with a number of others) has
done a wonderful job of raising the PROFILE of security (or lack
thereof) in PHP applications and the PHP world in general. Before the
likes of him and Steffan started blogging and writing about all the
issues out there it was a piss-poorly covered area that most
developers (*especially* new ones) ignored or were not even aware of.

Even if some of the techniques in the book are now flawed, the profile
and awareness he has generated did nothing to harm the PHP community,
and does not warrant your shit slinging.

Cheers,

Rich
--
Zend Certified Engineer
http://www.corephp.co.uk

"Never trust a computer you can't throw out of a window"
#17  07-04-2007  Jochem Maas
Re: [PHP] Re: php security books

Andrew Hutchings wrote:
> In article
> <7dd2dc0b0707041022k29aec05bxee83073a8e0d09cb@mail.gmail.com>
> quickshiftin@gmail.com ("Nathan Nobbe") wrote:
>
>> this is getting good; i want to know why it's *flawed* now too.
>>
>> no pressure :)
>
> OK, well, for example page 3 of the book suggests making PHP output
> errors into Apache's error_log. To do this on Linux it means PHP
> would have to be run as root.


huh? funny thing is that on all the machines I work with Apache runs under
its own user (apart from at start up when it briefly runs as root before switching),
I run php as an Apache module (I'm assuming we're not talking about php cli given that
we're mentioning Apache), this means php is running in the context of the apache user
.... and btw is quite capable of logging to the Apache error_log

running php as a CGI probably means you can't have php (which is probably running in
the context of the site owners' user account) log to the general apache error_log but
in such cases I would assume that the server configuration included error and access logging
on a per (v)host basis.

seems like you're spreading FUD - I doubt Chris Shiflett is perfect and I'm sure he's
probably made a few security mistakes of his own but your current example is not one of them
AFAICT.
#18  07-04-2007  bruce
RE: [PHP] Re: php security books

andrew...

are you sure about this... i would have thought that if you have an apache
user 'apache' and allow php to be run as/by 'apache' then this would provide
complete access to anything php needs to do as 'apache'.

this should definitely work if you allow the 'group' for the apache err log
files to be accessed by this user...

so.. i ask again.. are you sure about this..



-----Original Message-----
From: Andrew Hutchings [mailto:andrew@linuxjedi.co.uk]
Sent: Wednesday, July 04, 2007 10:39 AM
To: php-general@lists.php.net
Subject: Re: [php] Re: php security books

In article
<7dd2dc0b0707041022k29aec05bxee83073a8e0d09cb@mail.gmail.com>
quickshiftin@gmail.com ("Nathan Nobbe") wrote:

> this is getting good; i want to know why it's *flawed* now too.
>
> no pressure :)

OK, well, for example page 3 of the book suggests making PHP output
errors into Apache's error_log. To do this on Linux it means PHP
would have to be run as root.

Andrew Hutchings - LinuxJedi - http://www.linuxjedi.co.uk/
Windows is the path to the darkside...Windows leads to Blue Screen. Blue
Screen leads to downtime. Downtime leads to suffering...I sense much Windows
in you...
#19  07-04-2007  Nathan Nobbe
Re: RE: [PHP] Re: php security books

the root user issue aside, i still dedicate a separate file in /var/log
for my php apps.

-nathan

On 7/4/07, Andrew Hutchings <andrew@linuxjedi.co.uk> wrote:
>
> In article
> <1f0401c7be6a$2ff95a30$0301a8c0@tmesa.com> bedouglas@earthlink.net
> ("bruce") wrote:
>
> > andrew...
> >
> > are you sure about this... i would have thought that if you have an
> > apache user 'apache' and allow php to be run as/by 'apache' then this
> > would provide complete access to anything php needs to do as 'apache'.
>
> Logging in apache is done (in standard configurations) by a process
> owned as root, and in most configurations the logs are owned as root
> and are not readable by any other user.
>
> > this should definitely work if you allow the 'group' for the apache
> > err log files be accessed by this user...
>
> If you do this then it is possible for an apache process using PHP to
> read the error logs and an abused script could show a potential hacker
> the layout to your site or other useful information.
>
> > so.. i ask again.. are you sure about this..
>
> Yep.
>
> Andrew Hutchings - LinuxJedi - http://www.linuxjedi.co.uk/
> Windows is the path to the darkside...Windows leads to Blue Screen. Blue
> Screen leads to downtime. Downtime leads to suffering...I sense much Windows
> in you...


#20  07-04-2007  Mario Guenterberg
Re: [PHP] Re: php security books

On Wed, Jul 04, 2007 at 11:36:06AM -0700, bruce wrote:
> andrew...
>
> are you sure about this... i would have thought that if you have an apache
> user 'apache' and allow php to be run as/by 'apache' then this would provide
> complete access to anything php needs to do as 'apache'.
>
> this should definitely work if you allow the 'group' for the apache err log
> files be accessed by this user...
>
> so.. i ask again.. are you sure about this..

Hi all...

the only owner with write permissions of the logs is root! I mean
the standard configuration for the apache webserver. Read
permissions for groups for the apache logs can be different per distribution.
You can configure your environment for the PHP processes to log in separate
files.
If you allow write access for the 'group' you open the door
wide for hackers.

greetings
Mario

--
-----------------------------------------------------
| havelsoft.com - Your Service Partner for Open Source |
| Tel: 033876-21 966 |
| Emergency: 0173-277 33 60 |
| http://www.havelsoft.com |
| |
| Owner: Mario Günterberg |
| Mützlitzer Strasse 19 |
| 14715 Märkisch Luch |
-----------------------------------------------------


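As an added example (not code from any poster in this thread), the dedicated PHP log file that Nathan and Mario describe, set up so the web-server user can append to it but cannot read it back, which removes the exposure Andrew raises about group-readable Apache logs. The directory /var/log/php, the group name www-data and GNU stat are assumptions; the php.ini directives are the standard log_errors, display_errors and error_log settings.

```shell
#!/bin/sh
# Added example, not from the thread. Creates a PHP error log owned by root
# that the web-server group may append to but not read, and prints the
# php.ini settings that route errors there instead of the shared Apache log.
# Assumptions: GNU stat, Debian-style group www-data, directory /var/log/php.
set -eu

LOG_DIR=${LOG_DIR:-/var/log/php}
LOG_FILE="$LOG_DIR/error.log"
WEB_GROUP=${WEB_GROUP:-www-data}

# Directory 0710: the web group can traverse it but not list it.
# File 0620: owner read/write, group write-only (append works, reading does
# not), others nothing. Needs root for chown; invoked only with --apply.
setup_php_log() {
    mkdir -p "$1"
    chown root:"$3" "$1"
    chmod 0710 "$1"
    : >> "$2"
    chown root:"$3" "$2"
    chmod 0620 "$2"
}

# Policy check on an existing log file: group must not have the read bit
# and others must have no bits at all. Returns 0 when the mode complies.
log_mode_ok() {
    mode=$(( 0$(stat -c '%a' "$1") ))   # octal string -> integer
    grp=$(( (mode >> 3) & 7 ))
    oth=$(( mode & 7 ))
    [ $(( grp & 4 )) -eq 0 ] && [ "$oth" -eq 0 ]
}

# php.ini directives: log to the dedicated file, never to the browser.
php_ini_snippet() {
    printf 'log_errors = On\ndisplay_errors = Off\nerror_log = %s\n' "$1"
}

if [ "${1:-}" = "--apply" ]; then
    setup_php_log "$LOG_DIR" "$LOG_FILE" "$WEB_GROUP"
    php_ini_snippet "$LOG_FILE"
    log_mode_ok "$LOG_FILE" && echo "ok: $LOG_FILE"
fi
```

With mod_php the Apache worker runs as the web group, so append succeeds while a script calling file_get_contents() on the log gets a permission error; with PHP as CGI under the site owner's account, put that account in the log group instead.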