PHP security » Computer internet security  

‘PHP security’ News

Cross site scripting in php

Monday, December 24, 2007 6:32

The media has helped make cross-site scripting (XSS) a familiar term, and the attention is deserved. It is one of the most common security vulnerabilities in web applications, and many popular open source PHP applications suffer from constant XSS vulnerabilities. XSS attacks have the following characteristics: Exploit the trust a user has for a ...

This was posted under category: PHP security  |  Read Full Story  |  0 Comments

Cross site request forgeries in php

Monday, December 24, 2007 6:30

Despite the similarities in name, cross-site request forgeries (CSRF) are an almost opposite style of attack. Whereas XSS attacks exploit the trust a user has in a web site, CSRF attacks exploit the trust a web site has in a user. CSRF attacks are more dangerous, less popular (which means ...

This was posted under category: PHP security  |  Read Full Story  |  1 Comment

Chunk_split() Overflow not fixed at all…

Monday, June 4, 2007 15:07

If you are one of the guys that read the PHP CVS commits you usually know about the security bugs months before the rest of the community and this is no news for you. During the last 24h the following fix was merged into the PHP CVS. Corrected fix for CVE-2007-2872 This ...

This was posted under category: PHP security  |  Read Full Story  |  0 Comments

Google for me and get Zend

Friday, June 1, 2007 10:21

Brought to you from one of the comments in my blog. Google for "Stefan Esser" and get a sponsored link for Zend. http://www.google.com/search?q=%22Stefan+Esser%22 Read more at blog-admin@nopiracy.de (Stefan Esser)

This was posted under category: PHP security  |  Read Full Story  |  0 Comments

PHP 5.2.3 released…

Friday, June 1, 2007 2:27

PHP 5.2.3 was released with several security fixes. Again not all security fixes are mentioned in the release announcement. Again security bugs known to the developers were not correctly fixed. More info here. PS: Why does PHP.net always release security fixes just before the weekend? PHP Releases have historically been packaged and tagged on Wednesday, ...

This was posted under category: PHP security  |  Read Full Story  |  0 Comments

PHP 4 - Reference Counter Overflow Fix

Sunday, May 20, 2007 11:06

Because the PHP developers do not want to fix the PHP 4 Reference Counter Overflow Vulnerability that was disclosed during the Month of PHP Bugs the Hardened-PHP Project as usual had to step in to protect the users of PHP. I created a patch for the refcount overflow problem that took ...

This was posted under category: PHP security  |  Read Full Story  |  0 Comments

Suhosin 0.9.20 and crypt() Thread Safety Vulnerability

Saturday, May 19, 2007 16:35

I just released Suhosin 0.9.20 that adds a few new features and bugfixes. The most important addition is that a mutex is placed around the call to the system’s crypt() function to ensure thread safety. This mutex is necessary to close a bunch of possible attacks on the libc crypt() ...

This was posted under category: PHP security  |  Read Full Story  |  0 Comments

OWASP Risk Evaluation

Friday, May 11, 2007 10:00

When you read the OWASP risk evaluation standard carefully you might get as confused as I got. They estimate the risk by first estimating the likelihood and then estimating the technical and business impact. The estimation is done by assigning the numbers 0..9 to a number of factors. So far so ...

This was posted under category: PHP security  |  Read Full Story  |  0 Comments
