[PHP] REMINDER: Month of PHP Security 2010 - CALL FOR PAPERS - Only 3 weeks left

2010-03-21 Thread Stefan Esser
Month of PHP Security 2010 - CALL FOR PAPERS


Three years ago, in March 2007, the Hardened-PHP project had organized
the Month of PHP Bugs. During one month more than 40 vulnerabilities in
the PHP interpreter were disclosed in order to improve the overall
security of PHP. Now, three years later, SektionEins GmbH will
continue in the same spirit and organize the Month of PHP Security.

The intention of the Month of PHP Security is to gather the best
research and articles about PHP security topics from the security
community and share them with the rest of the world. This time the goal
is not only to improve the security of PHP itself and applications
directly by fixing security bugs, but also to help PHP developers
around the world to write better and more secure PHP applications.

The Month of PHP Security will be held in May 2010 by SektionEins
GmbH. During the month of May all qualifying entries will be published
at http://php-security.org day by day.


CFP Committee
--
The CFP committee for the Month of PHP Security consists of

1) Johann-Peter Hartmann
2) Stefan Esser
3) Fukami
4) Ben Fuhrmannek

The CFP committee will review all submissions and select the list of
articles that will be published on http://php-security.org


Accepted Topics/Articles

* New vulnerability in PHP [1]
  (not simple safe_mode, open_basedir bypass vulnerabilities)
* New vulnerability in PHP related software [1]
  (popular 3rd party PHP extensions/patches)
* Explain a single topic of PHP application security in detail
  (such as guidelines on how to store passwords)
* Explain a complicated vulnerability in/attack against a PHP
  widespread application [1]
* Explain a complicated topic of attacking PHP (e.g. explain how to
  exploit heap overflows in PHP's heap implementation)
* Explain how to attack encrypted PHP applications
* Release of a new open source PHP security tool
* Other topics related to PHP or PHP application security

[1] Articles about new vulnerabilities should mention possible
fixes or mitigations.


Responsible Disclosure
--
In case of submitted vulnerabilities SektionEins GmbH will contact
the security team of the software vendor after the submission deadline
and share the vulnerability information with them. Along with the
vulnerability information SektionEins will provide the name of the
submitting party in order to give proper credits.


Prizes
--
At the end of May the CFP committee will review the published
material and determine the best entries. Selected winners will
get the following prizes.

   1.     1000 EUR + Syscan Ticket + CodeScan PHP License

   2.     750 EUR + Syscan Ticket

   3.     500 EUR + Syscan Ticket

   4.     250 EUR + Syscan Ticket

   5.-6.  CodeScan PHP License

   7.-16. Amazon Coupon of 65 USD/50 EUR

SektionEins reserves the right to disqualify any submitted entry.
While employees of SektionEins can and will submit entries for
the Month of PHP Security they are excluded from receiving prizes.

The 1000 EUR cash prize and the Syscan tickets were generously
sponsored by Syscan. CodeScan PHP Licenses were sponsored by
CodeScan Limited. All other cash and non-cash prizes are sponsored
by SektionEins.

The winners of the Syscan tickets can choose one of the four
Syscan 2010 conferences to go to. Syscan Tickets include free
admission to the conference, speaker's dinner and speaker party.
Hotel and travel costs are NOT included.

Please note that non-cash prizes cannot be changed into cash prizes.


Submission
--
Submissions should be sent to c...@php-security.org and consist of the
following information:

1) Name and contact information (e-mail, postal address)
2) Employer and/or affiliations
3) Article about one of the allowed topics (at least 1000 words)
4) Optionally additional material like slides, whitepaper in PDF format

All submissions must be in English. The preferred delivery format is
plain text or HTML, but PDF is also accepted. Please pack all the
required items (pictures, text, ...) in a ZIP archive and submit this
ZIP archive by email.

Deadline for submissions is April 11, 2010.


Additional Information
--
After submission SektionEins GmbH will acknowledge submissions with
a signed email. If you do not receive such an email within one week
after submission, then please contact us at c...@php-security.org
again.

By submitting your article you are granting SektionEins GmbH the rights
to reproduce, distribute, advertise and show your article including but
not limited to http://php-security.org, printed and/or electronic
advertisements, and all other media. However you are still allowed to
publish your own work in whatever way you want.


Thanks
--
We would like to thank Syscan and Coseinc for generously offering
1000 EUR cash prize and four tickets to Syscan. If you are interested
in the latest and greates

[PHP] Release Announcement: Hardened-PHP 0.1.1

2004-05-15 Thread Stefan Esser


The Hardened-PHP project team is pleased to announce the release of 
version 0.1.1 of our PHP security hardening patch. This new Hardened-PHP
release is the first one that is publicly announced and is considered
stable on at least Linux systems.

Hardened-PHP is a patch against the PHP codebase which adds security 
hardening features to it to protect servers on the one hand against a 
number of well known problems in hastily written PHP scripts and on 
the other hand against potential unknown vulnerabilities within the 
engine itself.

Hardened-PHP provides:

+ Protection of the Zend Memory Manager with canaries
+ Protection of Zend Linked Lists with canaries
+ Protection against internal format string exploits
+ Protection against arbitrary code inclusion
+ Syslog logging of attackers IP

We consider Hardened-PHP 0.1.1 to be the best version of Hardened-PHP
available and we strongly recommend that users of older versions upgrade
as soon as possible.

Hardened-PHP is available for download via HTTP from 

http://www.hardened-php.net/download.php

The distribution file name is:

hardened-php-4.3.6-0.1.1.patch.gz  
MD5 checksum: 62f7d49b89c93dace247c2bc189b7503

Yours,
The Hardened-PHP Project Team...
http://www.hardened-php.net

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] [ANNOUNCE] Suhosin 0.9.6 - Advanced PHP Protection System

2006-10-02 Thread Stefan Esser
  * Supports automatic banning of uploaded ELF executables
  * Supports automatic banning of uploaded binary files
  * Supports automatic stripping of binary content in uploaded files
  * Configurable action on violation
    - just block violating variables
    - send HTTP response code
    - redirect the browser
    - execute another PHP script
  
  Logging Features
  
  * Supports multiple log devices
    (syslog, SAPI module error log, external logging script)
  * Supports freely configurable syslog facility and priority
  * Supports log device separated selection of alert types to log
  * Alerts contain filename and linenumber that triggered it
  * Alerts contain the IP address of the user triggering it
  * The IP Address can also be extracted from X-Forwarded-For
    HTTP headers (f.e. for reverse proxy setups)


  Copyright
  =
  
  (C) Copyright 2006 Hardened-PHP Project
  
  
  Stefan Esser / 2006-10-02
