Devops for Growth
For Product Owners/Product Managers and Scrum Teams: Growth Hacking, Devops, Agile, Lean for IT, Lean Startup, customer centric, software quality...
Curated by Mickael Ruau
Current selected tag: 'PHP'.
Scooped by Mickael Ruau
October 26, 2013 5:47 AM

PHP.net compromised and used to attack visitors | PCWorld

Attackers injected malicious JavaScript code into the official website for the PHP programming language, redirecting some visitors' browsers to Flash exploits.
Mickael Ruau's insight:

Visitors to the official website for the PHP programming language over the past couple of days might have had their computers infected with malware.

Hackers managed to inject malicious JavaScript code into a file on the php.net site called userprefs.js. The code made requests to a third-party website that scanned visitors’ browsers for vulnerable plug-ins and executed exploits that, if successful, installed a piece of malware, said Daniel Peck, a research scientist at Barracuda Networks.

Scooped by Mickael Ruau
October 25, 2013 12:54 PM

Single Sign-On open-source avec CAS (Central Authentication Service)

The universality of the HTTP protocol has long appealed to developers; more and more applications are being ported to the web.

Setting up directories (LDAP, for example) has spared users' heads by requiring them to memorise only one password, but their fingers are still heavily solicited, because they must authenticate every time they access an application.

Several Single Sign-On (single, unified authentication) solutions are already commercially available. This article describes a free, simple, rich and secure solution: CAS (Central Authentication Service), developed by Yale University and adopted by the ESUP-Portail project.

Mickael Ruau's insight:

Developed by Yale University, CAS (Central Authentication Service [7]) implements an authentication server accessible over the web, made up of Java servlets, which runs on any servlet engine (Tomcat, for example), and whose strong points are listed below.

- Security is ensured by the following mechanisms:

  - The user's password travels only between the client browser and the authentication server, necessarily over an encrypted channel.

  - Subsequent re-authentications are transparent to the user, provided a private, protected cookie is accepted. Only the authentication server can read and write this cookie, which contains nothing but a session identifier.

  - The application receives from the authentication server an "opaque ticket" that carries no personal information. This ticket travels in the clear via the browser (as a CGI parameter); it cannot be replayed, has a short lifetime, and can only be used by the application that requested it. The application then contacts the CAS server directly (over HTTP) to have this ticket validated (and expired); the CAS server returns the validated identifier of the person to the application. The application thus never has access to the password (which, however, is how practically all SSO mechanisms classically work).

- Classic mechanisms require communication between the web browser and the application, which rules out n-tier configurations, where an application must directly query a service requiring authentication (as is the case, for example, for a portal accessing a web service). CAS, in version 2.0, solves this problem by offering a proxy mechanism. Dedicated tickets allow third-party applications that have no communication with the client browser to be assured of the user's authentication. This feature is undoubtedly the strong point of CAS.

- The package provided implements the entire SSO protocol, except for the local authentication module, which is the responsibility of the authentication server's administrator. This leaves the freedom to implement exactly the desired authentication (LDAP, Kerberos [8], X509 certificates, NIS, a mix, ...).

- Client libraries in Java, Perl, JSP, ASP, PL/SQL and PHP are supplied. This allows great flexibility on application servers. Integration into tools used in the university world has already been done, such as uPortal [9].

- The use of exclusively private cookies in CAS (tickets are passed between the authentication server and applications only as HTTP GET parameters) allows CAS to operate on servers located in different DNS domains.

- An Apache module (mod_cas) allows CAS to be used to protect access to static web documents, since the client libraries cannot be used in that case.

- A PAM [10] module (pam_cas) allows non-web services such as FTP, IMAP, ... to be "CAS-ified".

- Finally, CAS is in production in several American universities, with internal Kerberos or LDAP authentication, which gives confidence in its reliability [1].

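The ticket validation step described above (the application hands the opaque ticket back to the CAS server over HTTP and receives the validated user identifier), as an added example in PHP that is not part of the article or of CAS's own client libraries. The CAS 2.0 /serviceValidate endpoint and its XML response format are real; the server and service URLs are assumed values, and the sample responses are constructed.

```php
<?php
// Added example, not from the article or from the CAS client libraries.
// Validates a CAS 2.0 service ticket: the application receives the opaque
// ticket from the browser, presents it to the CAS server's /serviceValidate
// endpoint together with its own service URL, and gets back the validated
// user identifier. The application never handles the user's password.

/** Build the validation URL. $casBase and $serviceUrl are assumed values. */
function casValidateUrl(string $casBase, string $serviceUrl, string $ticket): string
{
    return rtrim($casBase, '/') . '/serviceValidate?'
        . http_build_query(['service' => $serviceUrl, 'ticket' => $ticket]);
}

/** Parse the /serviceValidate XML; returns the user id, or null on failure or malformed input. */
function casParseValidation(string $xml): ?string
{
    $prev = libxml_use_internal_errors(true);
    $doc  = simplexml_load_string($xml);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if ($doc === false) {
        return null;
    }
    $doc->registerXPathNamespace('cas', 'http://www.yale.edu/tp/cas');
    $user = $doc->xpath('/cas:serviceResponse/cas:authenticationSuccess/cas:user');
    if ($user === false || count($user) !== 1) {
        return null; // authenticationFailure, or no (or ambiguous) user element
    }
    $id = trim((string) $user[0]);
    return $id === '' ? null : $id;
}

/** Full round trip: refuse anything that does not look like a ticket, then ask the CAS server. */
function casValidateTicket(string $casBase, string $serviceUrl, string $ticket): ?string
{
    // Service tickets start with ST-, proxy tickets with PT-
    if (!preg_match('/^[SP]T-[A-Za-z0-9._-]{1,256}$/', $ticket)) {
        return null;
    }
    $ctx = stream_context_create(['http' => ['timeout' => 5]]);
    $xml = @file_get_contents(casValidateUrl($casBase, $serviceUrl, $ticket), false, $ctx);
    return $xml === false ? null : casParseValidation($xml);
}

// Constructed sample responses, so the parser can be exercised offline
$success = <<<'XML'
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>alice</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>
XML;
$failure = <<<'XML'
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>Ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>
XML;

var_dump(casParseValidation($success)); // validated user id from a success response
var_dump(casParseValidation($failure)); // a failure response yields no user id at all
var_dump(casValidateUrl('https://cas.example.edu/cas', 'https://app.example.edu/login', 'ST-1-abc'));
```

The application should log the user in only on a non-null result and only for the service URL it sent, so that a ticket issued for another application cannot be reused.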
Scooped by Mickael Ruau
October 18, 2013 7:32 PM

Element 34 - SaunterPHP


SaunterPHP is the PHP version of the Saunter test framework and is based on the PHPUnit runner.

Mickael Ruau's insight:

Sometimes the easiest way to figure something out is to look at working examples. While the examples are not included in the distribution, there are complete, working SaunterPHP projects online in github.

Scooped by Mickael Ruau
October 18, 2013 5:40 PM

PHP Analyzer

An analyzing tool for projects written in PHP. It analyzes a system, calculates various unit metrics, such as cyclomatic complexity and dependencies to other ...
Mickael Ruau's insight:
Features

- Static source code analysis for any PHP project
- Integrates with Xdebug to perform dynamic analysis
- Calculates various metrics for each unit, such as cyclomatic complexity and dependencies
- Multiple report options, such as XML, HTML and diagrams
- Possibility to merge multiple analyses into one
Scooped by Mickael Ruau
October 18, 2013 5:00 PM

RAV Antivirus Log Analysis Kit

Rav Antivirus Log Analysis Kit is a collection of scripts that parse the RAV logs and insert the data into a database. Also included is a php front-end that ...
Scooped by Mickael Ruau
October 18, 2013 4:57 PM

PHP Anti-Virus

GPL PHP AntiVirus for webmasters. Scans your web server's file system for dangerous and malicious code in public HTML, PHP, CGI and text files, usually caused by defacement or security holes in shared hosting accounts.

Mickael Ruau's insight:

The concept is interesting for servers on which it is not possible to install an anti-virus (shared hosting...).

Scooped by Mickael Ruau
October 18, 2013 4:49 PM

Yasca

Yasca is an open source program which looks for security vulnerabilities, code-quality, performance, and conformance to best practices in program source code, integrating with other open-source tools as needed.

Mickael Ruau's insight:

Yasca can be used with a wide range of languages.

Scooped by Mickael Ruau
October 18, 2013 4:33 PM

Template for Jenkins Jobs for PHP Projects

The goal of this project is to provide a standard template for Jenkins jobs for PHP projects.
Mickael Ruau's insight:

Most web applications are changed and adapted quite frequently and quickly. Their environment, for example the size and the behaviour of the user base, are constantly changing. What was sufficient yesterday can be insufficient today. Especially in a web environment it is important to monitor and continuously improve the internal quality not only when developing, but also when maintaining the software.

Jenkins is the leading open-source continuous integration server. Thanks to its thriving plugin ecosystem, it supports building and testing virtually any project.

The goal of this project is to provide a standard template for Jenkins jobs for PHP projects.

Scooped by Mickael Ruau
October 18, 2013 4:21 PM

PHP_Beautifier

This program reformats and beautifies PHP 4 and PHP 5 source code files automatically. The program is Open Source and distributed under the terms of the PHP Licence. It is written in PHP 5 and has a command line tool.

Scooped by Mickael Ruau
October 18, 2013 2:08 PM

Prise en main rapide de SimpleTest


This article assumes that you are familiar with the concept of unit testing and with web development in the PHP language. It is a guide for the new and impatient SimpleTest user. For more complete documentation, particularly if you are discovering unit testing, consult the current documentation, and for examples of test scenarios, consult the unit testing tutorial.

Mickael Ruau's insight:
<?php
require_once('simpletest/autorun.php');
require_once('../classes/log.php');

// Empty test case: autorun.php picks it up and runs it when the file is executed
class TestOfLogging extends UnitTestCase {
}
?>
Scooped by Mickael Ruau
October 18, 2013 2:37 AM

Block Tough Proxies | Perishable Press

If you want to block tough proxies like hidemyass.com, my previously posted .htaccess methods won't work. Those methods will block quite a bit of proxy vis
Mickael Ruau's insight:

To stop tough proxy visits from sites like hidemyass.com, add the following slice of finely crafted PHP to the top of your header.php file:

<?php
// fsockopen() takes ($hostname, $port, &$errno, &$errstr, $timeout): a visitor whose own
// address accepts a connection on port 80 within one second is treated as a proxy.
if (@fsockopen($_SERVER['REMOTE_ADDR'], 80, $errno, $errstr, 1)) die("Proxy access not allowed");
?>
Scooped by Mickael Ruau
October 14, 2013 9:21 AM

RegEx Helper: a notepad++ plugin

A Notepad++ plugin that allows users to develop regular expressions and test them against their open documents.
Scooped by Mickael Ruau
October 8, 2013 5:36 AM

Installer et utiliser Composer en PHP | Evoluation

Découvrez comment installer et utiliser Composer PHP pour inclure des bibliothèques PHP automatiquement.
Mickael Ruau's insight:

Just like NuGet for .NET, PHP has a few library installers that install your favourite libraries for you while managing their dependencies.

Scooped by Mickael Ruau
October 25, 2013 12:55 PM

Applications CASified with phpCAS - CAS Clients - Jasig Wiki


phpCAS is a single sign-on client written in PHP.

Mickael Ruau's insight:

There are lots of applications that were CASified thanks to phpCAS. Feel free to add yours!

- pNews is an NNTP reader written in PHP. It is CAS-compliant since v2.3.0 thanks to phpCAS (CAS-ified by Pascal Aubry, integrated by Shen Cheng-Da).

- Horde IMP, the famous PHP webmail, was CAS-ified by Julien Marchal. A paper presented at EUNIS2004 describes how it works with a Cyrus IMAP server; see also another paper in French. A CAS-compliant version of Horde IMP can be downloaded from the download area of the ESUP-Portail project. A more generic implementation based on UW-IMAP and imapproxy can be found at the Horde Wiki :: CASAuthHowTo.

- Tikiwiki, a PHP CMS, was CAS-ified by Terence Chiu using phpCAS 0.4.8.

- Mantis, a Bug Tracking System, was CASified by Robert Legros. For more information, please refer to http://bugs.mantisbt.org/bug_view_advanced_page.php?bug_id=0004234.

- SPIP, a multilingual Content Management System (CMS), was CASified by Fabrice Jammes. The SPIP plugin can be downloaded from the ESUP portal. More detail on the installation can be found at http://casldapauthspip.univ-paris1.fr/

- See https://picoforge.int-evry.fr/cgi-bin/twiki/view/Picoforge/Web/CASifyingPhpGroupware

- See http://www.egroupware.org/egroupware/index.php?menuaction=wiki.uiwiki.view

- See Ken Ellinwood's blog.

- Claroline: http://www.claroline.net/

- Drupal: http://drupal.org/project/cas

- E-learning and collaboration software with integrated CAS support (using attribute release via SAML) in version 2.x: http://www.chamilo.org

- Simply Voting is a secure online voting system. CAS is a standard remote authentication option.

Scooped by Mickael Ruau
October 24, 2013 3:15 AM

Behat: A PHP BDD framework - CodeVisually.com


Behat is a behavior-driven development (BDD) framework that lets you write human-readable story-driven code that describes how your application should function. It’s quick and easy to get started with, and easy to learn.

Mickael Ruau's insight:

Homepage: http://behat.org/
GitHub: https://github.com/Behat
Docs: http://docs.behat.org/

Scooped by Mickael Ruau
October 18, 2013 6:00 PM

BlueDuck AutoIt driver for Selenium


BlueDuck SDA combines automation for Win32 and Web in a single script: the perfect combination for developing automated cases, with AutoIt and Selenium together.

Mickael Ruau's insight:
Features

- Data provider: in BlueDuck SDA, a bridge between a test and a data source. A data provider is used to retrieve data from a data source (xls, ini, xml) and to reconcile changes to that data back to the data source.
- Object Repositories (Test Object Model): when you create a test, you need to set the resources that will be used by that test. Test objects are stored representations of the actual elements in your application.
- Data generator: an automatic data generator for testing. It helps testers to automatically generate test data in test scripts with logically correct and realistic test data.
- Page Object pattern: native support for the Page Object pattern.
- Record screen: native support for recording screen activity from the Windows desktop into standard AVI movie files.
- Handles popups: native support for handling popup dialogs like alert, confirm, login etc.
- Scripts can be compiled into standalone executables; the result is also very small, self-contained and will run on all versions of Windows out-of-the-box with no annoying "runtimes" required!
Scooped by Mickael Ruau
October 18, 2013 5:24 PM

Test Case Web

Test Case Web (TCW) is an online test case management (TCM) and test-tracking system built with PHP and a SQL backend.
Scooped by Mickael Ruau
October 18, 2013 4:58 PM

php-clamav

PHP ClamAV - ClamAV Interface for PHP5 Scripts PHP-ClamAV is a PHP5 extension that allows to incorporate virus scanning features on your PHP5 scripts. It uses ...
Mickael Ruau's insight:

An anti-virus to avoid spreading infections via the files uploaded to your site (shared hosting...).

Scooped by Mickael Ruau
October 18, 2013 4:54 PM

RIPS

RIPS is a static source code analyser for vulnerabilities in PHP web applications. It was released during the Month of PHP Security (www.php-security.org).
Mickael Ruau's insight:
Features

- detect XSS, SQLi, File disclosure, LFI/RFI, RCE vulnerabilities and more
- 5 verbosity levels for debugging your scan results
- mark vulnerable lines in source code viewer
- highlight variables in the code viewer
- user-defined function code by mouse-over on detected call
- active jumping between function declaration and calls
- list of all user-defined functions (defines and calls), program entry points (user input) and scanned files (with includes) connected to the source code viewer
- graph visualization for files and includes as well as functions and calls
- create CURL exploits for detected vulnerabilities with few clicks
- visualization, description, example, PoC, patch and securing function list for every vulnerability
- 7 different syntax highlighting colour schemata
- display scan result in form of a top-down flow or bottom-up trace
- only minimal requirement is a local webserver with PHP and a browser (tested with Firefox)
- regex search function
Scooped by Mickael Ruau
October 18, 2013 4:35 PM

Industrialiser vos projets PHP grâce à Ant, Jenkins, PhpUnit, Lint, Phpdox, PhpPmd, PhpUnit, Phpcs ...

Development: Do you want to take the industrialisation of your PHP projects to the next level?
Mickael Ruau's insight:

Use Jenkins and switch to Ant for task automation and for generating quality indicators for your PHP code.

Scooped by Mickael Ruau
October 18, 2013 4:29 PM

Intégration continue avec Jenkins : installation et configuration de base - Pascal MARTIN (n+1).zéro


Jenkins, previously known as Hudson [1], is an open-source Continuous Integration tool written in Java.

This article will show how to install a Continuous Integration server with Jenkins; it will be followed by a second article showing how to use this platform to integrate a PHP project.

Mickael Ruau's insight:

A great strength of Jenkins (which, out of the box, does not do very much, especially for PHP projects) is its plugin system and the large number of existing plugins.

To reach the plugin management screens: Manage Jenkins > Manage Plugins, which should take you to http://jenkins:8080/pluginManager/.

Scooped by Mickael Ruau
October 18, 2013 2:20 PM

phpDocumentor 2


phpDocumentor 2 is a tool with which it is possible to generate documentation from your PHP source code. With this documentation you can provide your consumers with more information regarding the functionality embedded within your source and not only what is usable to them from your user interface.

Documentation generated by phpDocumentor 2 does not aim to be a replacement for conventional documentation but is rather supplemental, or reference, documentation.

This documentation can prove to be very useful in the following example situations:

- Sets of libraries or applications providing an API, such as phpDocumentor 2 itself
- Frameworks, such as Zend Framework or Symfony
- Pluggable architectures, such as WordPress or PyroCMS

Mickael Ruau's insight:
Template System

phpDocumentor 2 contains an incredibly flexible template system which enables you to alter your output in any way imaginable. This can range from simply applying your own branding to the HTML output by merely altering a couple of CSS files, to determining which types of output are generated and where they are made available.

Reports & Charts

phpDocumentor 2 is capable of extracting interesting information and presenting it in the form of graphs and reports. The following are currently supported:

- An inheritance diagram showing all subclassing and implementing of interfaces
- Reporting errors in your source code's inline documentation
- Reporting which elements are marked as deprecated
- Reporting where TODOs are placed in your code and what is to be done

This list will only grow in the future to help you determine where to invest your resources in order to make your code more stable and maintainable.

Scooped by Mickael Ruau
October 18, 2013 10:51 AM

Include Unique Tokens in HTTP Requests

CSRF may be possible when an attacker can form a URL which performs an action on behalf of an authenticated user. Forming such URLs becomes much more difficult if unique tokens are included in HTTP requests. Including difficult-to-predict tokens in HTTP requests is an effective defense against CSRF attacks.

 

What to Do
Include unique tokens in HTTP requests when performing sensitive operations to prevent Cross-Site Request Forgery (CSRF).


Mickael Ruau's insight:

To include unique tokens in HTTP requests:

- Identify sensitive operations. Review application design and code to identify all operations that require authorization.
- Identify code that performs sensitive operations. Identify all pages that are involved in performing sensitive operations; this includes both the pages that link to sensitive operations and the code that actually carries out the sensitive operations.
- Choose a method for generating unique tokens. There are different ways to generate unique tokens. One approach is to use the uniqid function combined with a hash based on the current time. For example:

uniqid(md5(microtime()), true);
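An added example (not from the guide) of the three steps above in PHP: a per-session token, the hidden form field that carries it, and the check made before the sensitive operation runs. It draws the token from random_bytes() rather than uniqid()/microtime(), whose output is derived from the system clock, and compares it with hash_equals(); delete_account.php is an assumed page name.

```php
<?php
// Added example, not from the guide: per-session CSRF token for sensitive operations.
// Requires PHP 7+ for random_bytes().

const CSRF_KEY = 'csrf_token';

/** Return this session's token, minting a fresh one from the CSPRNG on first use. */
function csrfToken(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION[CSRF_KEY]) || !is_string($_SESSION[CSRF_KEY])) {
        $_SESSION[CSRF_KEY] = bin2hex(random_bytes(32)); // 256 random bits, unguessable
    }
    return $_SESSION[CSRF_KEY];
}

/** Hidden field to embed in every form that links to a sensitive operation. */
function csrfField(): string
{
    return '<input type="hidden" name="' . CSRF_KEY . '" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Verify the token submitted with a request against the session's token.
 * Pure function of its inputs, so it can be exercised without a session.
 */
function csrfCheck(array $post, string $expected): bool
{
    $sent = $post[CSRF_KEY] ?? '';
    // A missing token, or an array smuggled in as csrf_token[]=..., is a mismatch
    if (!is_string($sent) || $sent === '' || $expected === '') {
        return false;
    }
    // hash_equals() runs in constant time, so the comparison leaks no timing information
    return hash_equals($expected, $sent);
}

// Usage on the page that carries out the sensitive operation (assumed: delete_account.php)
if (PHP_SAPI !== 'cli' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfCheck($_POST, csrfToken())) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... perform the sensitive operation here ...
}

// Constructed sample inputs, so the check can be exercised offline
$expected = bin2hex(random_bytes(32));
var_dump(csrfCheck([CSRF_KEY => $expected], $expected));            // matching token
var_dump(csrfCheck([CSRF_KEY => strrev($expected)], $expected));    // wrong token
var_dump(csrfCheck([CSRF_KEY => [$expected]], $expected));          // array instead of string
var_dump(csrfCheck([], $expected));                                 // token missing
```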

Scooped by Mickael Ruau
October 18, 2013 2:19 AM

expose_php, Easter Eggs, and .htaccess | Perishable Press

A reader recently brought to my attention a reported vulnerability on servers running PHP. It's been known about for eons, but it's new to me and it involv
Mickael Ruau's insight:

PHP contains a flaw that may lead to unauthorized information disclosure. The issue is triggered when a remote attacker makes certain HTTP requests with crafted arguments, which disclose the PHP version and other sensitive information, resulting in a loss of confidentiality.


On servers running PHP, visit any page, remove the trailing slash, and append any of the following query-strings:

?=PHPE9568F36-D428-11d2-A769-00AA001ACF42
?=PHPE9568F35-D428-11d2-A769-00AA001ACF42
?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
?=PHPE9568F34-D428-11d2-A769-00AA001ACF42

If the vulnerability is present, requests made with these query-strings result in a variety of easter eggs and detailed PHP credits (see screenshots). When these easter eggs are visible, it means that expose_php is enabled on the server.

Scooped by Mickael Ruau
October 13, 2013 12:47 PM

phpspec: A toolset for test-first development

phpspec is a PHP development tool for test-first development, otherwise known as (spec) behavior driven development. You end up writing code in small iterative steps, guided by the emerging design.