PHP Security Consortium Launched
Chris Shiflett writes "We're happy to announce the official launch of the PHP Security Consortium (PHPSC). Our mission is 'to promote secure programming practices within the PHP community through education and exposition while maintaining high ethical standards.' You can read the official press release or visit us at phpsec.org."
Too bad the only article contains a race condition (Score:3, Interesting)
Too bad that the example on the site of 'an international group of PHP experts dedicated to promoting secure programming practices within the PHP community' is flawed.
It always writes to the same
If these are the PHP experts on secure programming, I am now really worried.
Re:Too bad the only article contains a race condit (Score:3, Interesting)
and:
$image = $captcha->getCAPTCHAAsJPEG();   // render the image for this request's random string
$handle = fopen('captcha.jpg', 'w');      // fixed filename: every request overwrites the same file
fwrite($handle, $image);
fclose($handle);
So, assume this happens:
- Client A requests the site
- Client B requests the site
- PHP engine processes the request for A: generates a random string 'abcde' and creates captcha.jpg for this 'abcde'
- PHP engine processes the request for B: generates a random string 'fghij' and creates captcha.jpg for this 'fghij'
- Due to some network lag (200ms), A will now request 'captcha.jpg'
A will see 'fghij', but the session for A will have 'abcde' set. This means that A cannot validate himself.
The problem here is of course that the file is always the same: if you would use a PHP file that generates the image for a request (based on the session ID from a cookie), you would be safe.
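The interleaving described in this comment, replayed as an added simulation (not code from the thread or from phpsec.org): a Python model of the shared captcha.jpg design beside the per-session fix, using constructed session IDs and the post's two example strings.

```python
class SharedFileCaptcha:
    """Design from the quoted snippet: every page request overwrites one captcha.jpg."""

    def __init__(self):
        self.sessions = {}   # session id -> code the server expects from that client
        self.files = {}      # simulated web root: path -> code rendered in the image

    def page_request(self, session_id, code):
        self.sessions[session_id] = code
        self.files["captcha.jpg"] = code      # shared path: the last writer wins

    def image_request(self, session_id):
        return self.files["captcha.jpg"]      # every client fetches the same file

    def validate(self, session_id, submitted):
        return self.sessions.get(session_id) == submitted


class PerSessionCaptcha(SharedFileCaptcha):
    """Fix suggested in the thread: a script renders the image from the requester's own session."""

    def page_request(self, session_id, code):
        self.sessions[session_id] = code      # nothing is written to a shared file

    def image_request(self, session_id):
        return self.sessions[session_id]      # image is keyed by the caller's session cookie


def run_interleaving(app):
    """Replay the order from the post: A and B load the page, then A fetches the image late."""
    app.page_request("sess-A", "abcde")        # request for A is processed first
    app.page_request("sess-B", "fghij")        # then the request for B
    shown_to_a = app.image_request("sess-A")   # A's image fetch arrives after B's write (lag)
    shown_to_b = app.image_request("sess-B")
    # Each client submits what it saw; only a code matching its own session validates.
    return {"A": app.validate("sess-A", shown_to_a),
            "B": app.validate("sess-B", shown_to_b)}


if __name__ == "__main__":
    print("shared file:", run_interleaving(SharedFileCaptcha()))   # A fails, B succeeds
    print("per session:", run_interleaving(PerSessionCaptcha()))   # both succeed
```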