Month of PHP Security - Summary


It is the 21st of May. The Month of PHP Security
(http://www.php-security.org) is still running and we have reached a
vulnerability count of 40 vulnerabilities, which is nearly as much as we
disclosed during the whole Month of PHP Bugs in 2007. However, there are
11 more days until the end of May and therefore there are still plenty
more vulnerabilities to come. Especially the amount of SQL injection
vulnerabilities in PHP applications will increase, because it is called
SQL injection marathon for a reason. And we also have several articles
and submissions left.

There have been some changes to the website that should make it easier
to read, and we also added the possibility to comment on bugs/entries/news
and articles.

For those who don't already know, you can follow the Month of PHP
Security on Twitter, too. Just follow @mops_2010.

Here is the summary of what happened during the last 10 days.

Related Events
--------------

Returning into the PHP Interpreter – Remote Exploitation of Memory
Corruptions in PHP is not over, yet.
http://php-security.org/2010/05/21/related-event-returning-into-the-php-interpreter-remote-exploitation-of-memory-corruptions-in-php-is-not-over-yet/

PHP Security Course – Advanced PHP Auditing at Source and Bytecode level
http://php-security.org/2010/05/19/related-event-php-security-course-advanced-php-auditing-at-source-and-bytecode-level/


Articles
--------

MOPS Submission 07: Our Dynamic PHP – Obvious and not so obvious PHP
code injection and evaluation
http://php-security.org/2010/05/20/mops-submission-07-our-dynamic-php/

MOPS Submission 06: Variable Initialization in PHP
http://php-security.org/2010/05/17/mops-submission-06-variable-initialization-in-php/

Article: Decoding a User Space Encoded PHP Script
http://php-security.org/2010/05/13/article-decoding-a-user-space-encoded-php-script/

MOPS Submission 05 – The Minerva PHP Fuzzer
http://php-security.org/2010/05/11/mops-submission-05-the-minerva-php-fuzzer/


PHP Vulnerabilities
-------------------

MOPS-2010-040: PHP strtr() Interruption Information Leak Vulnerability
http://php-security.org/2010/05/21/mops-2010-040-php-strtr-interruption-information-leak-vulnerability/

MOPS-2010-039: PHP strpbrk() Interruption Information Leak Vulnerability
http://php-security.org/2010/05/21/mops-2010-039-php-strpbrk-interruption-information-leak-vulnerability/

MOPS-2010-038: PHP http_build_query() Interruption Information Leak
Vulnerability
http://php-security.org/2010/05/21/mops-2010-038-php-http_build_query-interruption-information-leak-vulnerability/

MOPS-2010-037: PHP str_getcsv() Interruption Information Leak Vulnerability
http://php-security.org/2010/05/21/mops-2010-037-php-str_getcsv-interruption-information-leak-vulnerability/

MOPS-2010-036: PHP htmlentities() and htmlspecialchars() Interruption
Information Leak Vulnerability
http://php-security.org/2010/05/21/mops-2010-036-php-htmlentities-and-htmlspecialchars-interruption-information-leak-vulnerability/

MOPS-2010-034: PHP iconv_mime_encode() Interruption Information Leak
Vulnerability
http://php-security.org/2010/05/18/mops-2010-034-php-iconv_mime_encode-interruption-information-leak-vulnerability/

MOPS-2010-033: PHP iconv_substr() Interruption Information Leak
Vulnerability
http://php-security.org/2010/05/18/mops-2010-033-php-iconv_substr-interruption-information-leak-vulnerability/

MOPS-2010-032: PHP iconv_mime_decode() Interruption Information Leak
Vulnerability
http://php-security.org/2010/05/18/mops-2010-032-php-iconv_mime_decode-interruption-information-leak-vulnerability/

MOPS-2010-028: PHP phar_wrapper_open_url Format String Vulnerabilities
http://php-security.org/2010/05/14/mops-2010-028-php-phar_wrapper_open_url-format-string-vulnerabilities/

MOPS-2010-027: PHP phar_parse_url Format String Vulnerabilities
http://php-security.org/2010/05/14/mops-2010-027-php-phar_parse_url-format-string-vulnerabilities/

MOPS-2010-026: PHP phar_wrapper_unlink Format String Vulnerability
http://php-security.org/2010/05/14/mops-2010-026-php-phar_wrapper_unlink-format-string-vulnerability/

MOPS-2010-025: PHP phar_wrapper_open_dir Format String Vulnerability
http://php-security.org/2010/05/14/mops-2010-025-php-phar_wrapper_open_dir-format-string-vulnerability/

MOPS-2010-024: PHP phar_stream_flush Format String Vulnerability
http://php-security.org/2010/05/14/mops-2010-024-php-phar_stream_flush-format-string-vulnerability/

MOPS-2010-022: PHP Stream Context Use After Free on Request Shutdown
Vulnerability
http://php-security.org/2010/05/12/mops-2010-022-php-stream-context-use-after-free-on-request-shutdown-vulnerability/

MOPS-2010-021: PHP fnmatch() Stack Exhaustion Vulnerability
http://php-security.org/2010/05/11/mops-2010-021-php-fnmatch-stack-exhaustion-vulnerability/


PHP Application Vulnerabilities
-------------------------------

MOPS-2010-035: e107 BBCode Remote PHP Code Execution Vulnerability
http://php-security.org/2010/05/19/mops-2010-035-e107-bbcode-remote-php-code-execution-vulnerability/

MOPS-2010-031: e107 Usersettings loginname SQL Injection Vulnerability
(UPDATED)
http://php-security.org/2010/05/16/mops-2010-031-e107-usersettings-loginname-sql-injection-vulnerability/

MOPS-2010-030: CMSQlite mod Parameter Local File Inclusion Vulnerability
http://php-security.org/2010/05/15/mops-2010-030-cmsqlite-mod-parameter-local-file-inclusion-vulnerability/

MOPS-2010-029: CMSQlite c Parameter SQL Injection Vulnerability
http://php-security.org/2010/05/15/mops-2010-029-cmsqlite-c-parameter-sql-injection-vulnerability/

MOPS-2010-023: Cacti Graph Viewer SQL Injection Vulnerability
http://php-security.org/2010/05/13/mops-2010-023-cacti-graph-viewer-sql-injection-vulnerability/


Thank you
Stefan Esser

Month of PHP Security / php-security.org
SektionEins GmbH / www.sektioneins.com
