Quick jump:  What's new

 
Go to:
 
Weblog: security   
in Dobrica Pavlinušić's random unstructured stuff
Disappointed in php -- again!

Taint checking? Just say no, according to php developers (I must admit, I stopped reading after first two replies).

Pixy tries to address that (in Java, sic!) and fails on my test code. Only hope left (as it seems) is generation of AST tree using phc or using Parse_Tree. Both look like a workable way to get AST tree, but I really wouldn't like to implement taint analysis for language which I don't particularly like.

Any suggestions from idle readers of my blog?

OOH, this day would be more-or-less complete waste if I didn't stumble upon hypertable which seem like nice implementation of bigtable in sane language (C/C++). Now if I could just find bunch of machines to run it on...

permalink
PHP Security

Oxymoron, right? Well for somebody who loves perl so much, it is. Anyway here it is...



One-liners

show phpinfo from shell

echo '<? phpinfo() ?>' | php5

Security scanning

Spike PHP Security Audit Tool

http://developer.spikesource.com/projects/phpsecaudit/

sudo apt-get install php5-xslt

Small list of checked expressions, quite difficult to browse.

Pixky

http://pixybox.seclab.tuwien.ac.at/pixy/

Enables taint analysis of code. Doesn't handle ISO-8859-2 chars well, and breaks with terrifing error, but it's a very promising tool (in Java, sigh)

phc

http://www.phpcompiler.org/

Great tool to get php's AST tree. Used by Plumhead

Links

fetchrss: http://del.icio.us/rss/dpavlin/php+security
  • There was an error: 500 Server closed connection without sending any data back

permalink
Weblog Navigation
Loading...
Weblog Archives
  • Loading...