Entries tagged as sicherheit
Tuesday, May 20. 2008
Just by accident (you should never browse your feed reader directly before going to bed), I stumbled upon an incredibly self-ironic posting in some dude’s blog. I have to ask myself: What are you guys taking? Are you seriously discussing any kind of name-dropping as an interview subject?
It’s not only irrelevant who created a programming language, it’s even a hindrance for interviewers since all that small-talk bullshit takes precious time off the actual knowledge assessment. And I’ll be damned before I let someone who happens to know how Rasmus’s mother’s cat’s brother was named get in the way of an actual developer who knows what they are doing. Then again, I’m in the lucky position not to be able (or have to, depending on your PoV) to hire “PHP developers”.
This whole discussion is just fat bullshit. What are you thinking? I couldn’t give a fat fuck about people who know names. I don’t give a shit if someone knows that a dude wrote an, erm... “magazine” about security at O’Reilly or if some dude named Lerdorf thought it’s a great idea to do some dynamic web stuff. I want to know if people know their trade.
Really. It’s unbelievably ridiculous. Get a hold of yourselves. Are you really thinking that knowing names is worth ANYTHING?
Monday, March 17. 2008
This landed in the mailbox webmaster ätt de-punkt.de this morning. We'll skip the usual boring header analysis; it comes from a botnet anyway (in this case from beautiful Argentina... hm, steak!). The only interesting part is the content:
To: <xxx@de-punkt.de>
Subject: Attention, please have your login data and password ready
Subject: ATTENTION, nasty VIRUS. Urgently include this file on your web server
===============================
Dear Sir or Madam, at the moment millions of web servers are being infected by viruses. For your protection, please be sure to include the attachment on your website in the following directory: www.de-punkt.de/robots.txt. Create the robots file with your editor:
__________________________________________
User-agent: *
Disallow: /
____________________________________________
Save this as robots.txt and include it in your root directory.
Only this way is it certain that no damage occurs, because you forbid the virus to visit your website. Please hurry, as a substantial attack is to be expected this weekend.
Any questions?
Internet-Security-Team Meisenweg 11
47441 Moers
0900-8XXXXX2
Apparently somebody wants de-punkt.de to give up its PR6 by having us simply deny all bots access to our website, because that is exactly what the "attached" robots.txt does. An interesting approach to social engineering; really only two questions remain: 1. Who falls for something like this? 2. Who else received this mail? On 2: apparently quite a few, there are already several blog and news entries if you google "Internet Security Team Moers", e.g. here, here and here.
Continue reading "Anti-SEO Spam"
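Before deploying any robots.txt somebody e-mails you, it is worth checking what the file actually tells crawlers. The following added example (not part of the original post) feeds the mailed file and a constructed, sane alternative through Python's standard-library robots.txt parser and asks, per crawler, which paths it may fetch. The crawler names, the sample paths and the sane alternative are assumptions made for the demonstration.

```python
from urllib.robotparser import RobotFileParser

# The robots.txt the spam mail asks webmasters to deploy (quoted above).
MAILED_ROBOTS_TXT = """\
User-agent: *
Disallow: /
"""

# A constructed alternative that keeps crawlers out of an admin area only.
SANE_ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/
"""

# Crawlers and paths used for the check; both lists are assumptions.
CRAWLERS = ("Googlebot", "msnbot", "Yahoo! Slurp")
PATHS = ("/", "/index.html", "/admin/", "/admin/login.php")


def parse_robots(text):
    """Parse robots.txt content directly, without fetching it from a server."""
    parser = RobotFileParser()
    parser.parse(text.splitlines())
    return parser


def crawl_access(robots_txt, crawlers=CRAWLERS, paths=PATHS):
    """Return {(crawler, path): may_fetch} for every combination."""
    parser = parse_robots(robots_txt)
    return {(ua, p): parser.can_fetch(ua, p) for ua in crawlers for p in paths}


def blocks_everything(robots_txt, crawlers=CRAWLERS):
    """True if no listed crawler may fetch the front page, i.e. the site
    drops out of every search index once the crawlers re-read the file."""
    parser = parse_robots(robots_txt)
    return not any(parser.can_fetch(ua, "/") for ua in crawlers)


if __name__ == "__main__":
    for label, text in (("mailed", MAILED_ROBOTS_TXT), ("sane", SANE_ROBOTS_TXT)):
        print(f"{label}: blocks everything = {blocks_everything(text)}")
        for (ua, p), ok in crawl_access(text).items():
            print(f"  {ua:13s} {p:18s} {'allowed' if ok else 'BLOCKED'}")
```

Running it shows the mailed file blocking every crawler from every path, which is the "damage" the mail claims to prevent, while the alternative only hides the admin area.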
Thursday, November 9. 2006
In the "information gathering" chapter of my book "PHP-Sicherheit" and in my presentations on the same topic, I usually talk about how incredibly weird stuff can end up in the source code of rather big web sites. While checking a number of sites for a specific vulnerability, I found the following. I modified it so there's no real information leakage and am currently trying to reach the respective vendors.
<!--
<table class="debug" width="100%"><tr><td>
<a target="_blank" href="/sys/admin/">- Zur Admin-Seite</a><br>
<a target="_blank" href="http://someothersite.de.de/gui/">- Styleguide</a><br>
<a target="_blank" href="/sys/info.php">- Phpinfo ()</a><br>
<br>
<a href="http://validator.w3.org/check/referer"><img border="0" src="http://www.w3.org/Icons/valid-html401" alt="Valid HTML 4.01!" title="Valid HTML 4.01!" height="31" width="88"></a>
</td></tr></table>
-->
Another nice one:
<!--DB-Error in Zeile 1712: DB Error: syntax error: / Layouttyp3: - / SELECT layouttyp.datei,layouttyp.name FROM layouttyp INNER JOIN teaserplatz ON teaserplatz.layouttyp_id=layouttyp.id INNER JOIN teasertyp ON easerplatz.teasertyp_id=teasertyp.id INNER JOIN dokument ON teaserplatz.dokument_id=dokument.id WHERE teaserplatz.pos=5,'erbt_layout' AND dokument.id=14528 AND teasertyp.name='sonder'-->
<!--Fehler: Datei /export/www/CONTENT/soim-80/docs/cms/teasermanager/teasersnippets/ nicht gefunden<br>-->
And finally:
WARNING in file e:\Daten\enid\host\htdocs\media\layout\141.php on line 227: mysql_num_rows(): supplied argument is not a valid MySQL result resource
Although it might seem obvious, I cannot stress it enough: remove debug code from your production sites, and make sure PHP errors are logged rather than displayed (display_errors = Off, log_errors = On)!
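As an added example (not code from the original post), here is the kind of check I would run against a production site's HTML before an attacker does: a small scanner that pulls out commented-out admin links, leaked SQL and database errors, absolute server paths and PHP's default "... in <file> on line <n>" error output. The patterns are deliberately crude, and the sample page is constructed for the demonstration, adapted from the snippets above with the site-specific parts shortened.

```python
import re

# Things that should never reach a production page. All patterns are
# heuristics for this example, not an exhaustive list.
HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.DOTALL)
# Links a developer would only leave in for their own convenience.
SUSPECT_LINK = re.compile(
    r"""href=["']([^"']*(?:admin|phpinfo|info\.php|debug)[^"']*)["']""",
    re.IGNORECASE,
)
DB_ERROR = re.compile(r"\bDB[ -]?Error\b[^\n]*", re.IGNORECASE)
SQL_STATEMENT = re.compile(r"\bSELECT\b.+?\bFROM\b\s+\S+", re.IGNORECASE | re.DOTALL)
# Absolute Unix paths with at least three components, or Windows drive paths.
SERVER_PATH = re.compile(r"(?:[A-Za-z]:\\[\w\\.-]+|(?:/[\w.-]+){3,})")
# PHP's default error output: "<level> ... in <file> on line <n>".
PHP_ERROR = re.compile(
    r"\b(?:Warning|Notice|Fatal error|Parse error|Deprecated)\b"
    r"[^\n<]*?\bin\b[^\n<]*?\bon line \d+",
    re.IGNORECASE,
)


def find_leaks(html):
    """Return a list of (kind, detail) findings for one page's source."""
    findings = []
    for comment in HTML_COMMENT.finditer(html):
        body = comment.group(1)
        for link in SUSPECT_LINK.findall(body):
            findings.append(("commented-out link", link))
        for m in DB_ERROR.finditer(body):
            findings.append(("database error", m.group(0).strip()))
        for m in SQL_STATEMENT.finditer(body):
            findings.append(("sql statement", m.group(0).strip()))
        for m in SERVER_PATH.finditer(body):
            findings.append(("server path", m.group(0)))
    # PHP errors are printed into the visible body, not into comments.
    for m in PHP_ERROR.finditer(html):
        findings.append(("php error", m.group(0).strip()))
        for p in SERVER_PATH.finditer(m.group(0)):
            findings.append(("server path", p.group(0)))
    return findings


# Constructed sample page, adapted from the leaks quoted in the post above.
SAMPLE_PAGE = r"""<html><body>
<!--
<table class="debug" width="100%"><tr><td>
<a target="_blank" href="/sys/admin/">- Zur Admin-Seite</a><br>
<a target="_blank" href="/sys/info.php">- Phpinfo ()</a><br>
</td></tr></table>
-->
<!--DB-Error in Zeile 1712: DB Error: syntax error: SELECT layouttyp.datei FROM layouttyp WHERE teaserplatz.pos=5,'erbt_layout'-->
<!--Fehler: Datei /export/www/CONTENT/docs/cms/teasersnippets/ nicht gefunden<br>-->
<p>Welcome!</p>
WARNING in file e:\Daten\host\htdocs\media\layout\141.php on line 227: mysql_num_rows(): supplied argument is not a valid MySQL result resource
</body></html>
"""

if __name__ == "__main__":
    for kind, detail in find_leaks(SAMPLE_PAGE):
        print(f"{kind:20s} {detail[:80]}")
```

Point it at the fetched HTML of every page of a site (for instance from a crawl) and treat each finding as a ticket: an admin URL or a phpinfo() page in a comment is reconnaissance handed to the attacker, and a leaked query tells them exactly how to phrase an injection.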
I already blogged this at our PHP Security Blog, but it is not (yet? hey Toby) aggregated on planet-php, so here goes again.
You can now download my session slides for the full-day workshop on PHP security - unfortunately for my international readers, they are in German. If that doesn't scare you (because you got taught lots of useful German phrases in the last days, right Caitlin?), you can get them here: PHP Sicherheit Workshop.
If you need a little explanation of the PHP Security Quiz by Mayflower, just read the extended entry.
Continue reading "PHP Conference 2006 - Session Slides and Quiz answers"
Tuesday, August 29. 2006
18:44:03 recorda why is my code shit?
18:44:08 @absynth because it's insecure
18:44:25 recorda it runs over https anyway
Update:
21:49:49 recorda absynth: security scripts are totally pointless anyway, if I make an .htaccess nobody can get into the script except the admin who uses the cms
(from #php.de)
Monday, July 3. 2006
That was a weird week. I think I rarely changed locations that often, and I kinda lost track of what time zone, currency and/or event I was currently at. However, it turned out to be a very rewarding week, too.
All in all, I travelled roughly 5600 km, which is probably quite a lot given that I otherwise rarely leave Hannover. I changed time zones twice, currencies four times (including transit airports), and spoke at two different (un-)conferences. There were nights in school gyms, Sofia park bars and hostel dorms, and for two nights (Tue->Wed->Thu) I even slept in my own home. My overall perception was that the security topic is still kinda "hot", and although most attendees (naturally, those at PHP Vikinger were more on top of things) seemed to have a firm grasp of what can go wrong with PHP applications, there is still a lack of trustworthy and well-designed solutions to the various security dilemmas. As Kris Köhntopp said at the PHP Vikinger, using stuff like mod_security, our Hardening Patch or other assorted security products is not a real solution, since there is no programmatic and well-formed approach behind them. Instead of having a defined and limited outer and inner area for applications (like an array of all possible URL entries to the application, as well as all possible output it generates), we are putting out fires as they emerge. Of course, we do that because we currently have no other way of keeping our boxes alive and the attackers out for as long as possible, but still, Kris has a point.
Continue reading "Conference Wrapup - busy weeks lie behind me"
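To make the "defined and limited outer area" idea concrete, here is an added example (not the author's or Kris's code): a closed map of every entry point a small, hypothetical application exposes, with every parameter each one accepts and the exact shape a value may have, plus a gate that admits a request only if it matches the map. Everything about the application (the paths, the parameters, the patterns) is an assumption for the demonstration; the output half of Kris's proposal is not modelled here.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# The complete list of entry points: (method, path) -> {param: regex}.
# Anything not described here is rejected before application code runs.
# Hypothetical application; paths, parameters and patterns are assumptions.
ENTRY_POINTS = {
    ("GET", "/"): {},
    ("GET", "/article"): {"id": r"[1-9][0-9]{0,8}"},
    ("GET", "/search"): {"q": r"[\w .-]{1,64}", "page": r"[1-9][0-9]{0,2}"},
    ("POST", "/login"): {"user": r"[a-z0-9_]{1,32}", "password": r".{1,128}"},
}
# Parameters that may be omitted; everything else in a spec is mandatory.
OPTIONAL = {("GET", "/search"): {"page"}}


def admit(method, url, form=None):
    """Gate one request against the map.

    Returns (True, clean_params) or (False, reason). No normalisation is
    attempted on purpose: "/article/../login" is simply not an entry point,
    so there is nothing for a traversal or encoding trick to get past.
    """
    parts = urlsplit(url)
    key = (method.upper(), parts.path)
    spec = ENTRY_POINTS.get(key)
    if spec is None:
        return False, f"unknown entry point {key[0]} {key[1]}"

    pairs = list(parse_qsl(parts.query, keep_blank_values=True))
    pairs += list((form or {}).items())
    names = [name for name, _ in pairs]
    if len(names) != len(set(names)):
        return False, "duplicate parameter"
    supplied = dict(pairs)

    unknown = set(supplied) - set(spec)
    if unknown:
        return False, f"unexpected parameter(s): {sorted(unknown)}"
    missing = set(spec) - set(supplied) - OPTIONAL.get(key, set())
    if missing:
        return False, f"missing parameter(s): {sorted(missing)}"

    clean = {}
    for name, pattern in spec.items():
        if name in supplied:
            if not re.fullmatch(pattern, supplied[name]):
                return False, f"parameter {name!r} has an unexpected shape"
            clean[name] = supplied[name]
    return True, clean


if __name__ == "__main__":
    for req in (("GET", "/article?id=14528"),
                ("GET", "/article?id=14528%27%20OR%201%3D1"),
                ("GET", "/article?id=5&debug=1"),
                ("GET", "/sys/info.php")):
        print(req, "->", admit(*req))
```

The difference to a mod_security rule set is that the map is positive and finite: a new parameter has to be declared before it works, so the application's attack surface is written down in one place instead of being whatever the scripts happen to read from $_GET.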
Saturday, June 24. 2006
For about four hours now, the PHP Vikinger has been in full swing. Everyone arrived between 10 and 11, and together we hacked up a makeshift agenda. Remember that this is an "unconference", so attendees are in full charge of the whole event. Our lead viking Zak, inspired by the mighty power of Thor himself, took it upon himself to moderate the scheduling and get everything started. Now everyone who wants to gets up and does a presentation, starts a discussion or - as Kris is currently doing - stimulates brainstorming with the attending core developers and other PHP nerds. The current discussion is even somewhat strategic, pointing out things that PHP still lacks, things that need to adapt to changes in our environment, and stuff that is really good in comparison to other languages. Kris is creating a list of everything that's thrown at him, and every item so far has been diligently discussed. After that, Ilia and I will do some security stuff, with him doing introductions and me likely focusing on the server side. My obsession with securing servers without touching apps is well-known, plus it's a good place to show off the Hardening patch.
Continue reading "First day of the PHP Vikinger"
Monday, February 6. 2006
For everyone who's been waiting for it: Peter's and my book, "PHP-Sicherheit" (in German only), is finally available. You can order the book, of which we are quite proud, via amazon.de or directly from the publisher. For the inevitable errata and updates there is a dedicated web site: PHP-Sicherheit.de.
Wednesday, November 30. 2005
We have been running mod_php on our customer hosting servers for several reasons, but I have never been truly satisfied with that situation. The security risks are the most obvious problem: Safe Mode is not a practicable solution, and open_basedir is not quite secure enough for mission-critical applications (with mod_php every virtual host runs under the same Apache user, so open_basedir is the only barrier between customers, and it is enforced inside PHP rather than by the operating system). Now I need to assess (err... not asses.) the breakage potential - I hope you can help me with that.
Continue reading "Migrating hosting servers from mod_php4 to PHP/FastCGI - a daunting task?"
Monday, November 28. 2005
I apologize to my English readers, this announcement is probably not that interesting for you. It's about a workshop I'm going to hold in Essen, Germany about my favorite topic: PHP security. For everyone interested in "PHP-Sicherheit", there will be an intensive seminar on PHP - Security in Web Applications from 23 to 27 January 2006 at the "Villa Vogelsang", also known as the "Linuxhotel". I will lead this seminar together with my colleague Peter Prochaska from the Hardened-PHP Project. More information in the extended entry.
Continue reading "Workshop Announcement: "Sicherheit in Webapplikationen""
Wednesday, November 9. 2005
That's it - I'm home again, after almost four extremely rewarding and interesting days at the International PHP Conference in Frankfurt. The conference offered a chance to get together with all the cool guys from the international community, mix and mingle, drink lots of beer (my bar invoice was around 80 bucks) and of course hack at PHP. Since we had our own booth for the Hardened-PHP Project, we had the opportunity to pitch our little thingy to a wider base of interested developers and administrators, and the discussions at the booth sparked some new ideas for the Hardening Patch. We were also able to show off two advance copies of my (and my coauthor Peter Prochaska's) first book, "PHP-Sicherheit". It is the first German book dedicated to the security of our favorite scripting language, and after having it under public scrutiny for three days, I'm now confident it's gonna be a success. Thanks to everyone for their feedback! For everyone who's been in one of my talks, thanks for your interest and see you at the next conference. I will upload the slides of both presentations to my web server and notify everyone with a separate posting.
Sunday, November 6. 2005

Yay!
Thursday, November 3. 2005
As usual, I will be attending the International PHP Conference in Frankfurt/Germany again, marking my 7th (or 8th, including the Amsterdam conferences) participation in this event. This year, however, promises to be a very special conference. Exciting things are going to happen - read more in the extended entry.
Continue reading "International PHP Conference 2005"
Sunday, July 10. 2005
Since the weekend, the new website of the Hardened-PHP Project, which I contribute to, has been online. In addition to the Hardening-Patch for PHP, meanwhile released in version 0.3.2, we will offer a collection of all advisories we have published as well as further PHP-security related content. And: you can hire us as bug hunters to examine your own PHP applications for security problems.