Latest php news

This Metasploit module exploits an underflow vulnerability in PHP-FPM versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 of PHP-FPM on Nginx. Only servers with certain Nginx + PHP-FPM configurations are exploitable. This is a port of the original neex's exploit code (see refs). First, it detects the correct parameters (Query String Length and custom header length) needed to trigger code execution. This step determines if the target is actually vulnerable (Check method). Then, the exploit sets a series of PHP INI directives to create a file locally on the target, which enables code execution through a query string parameter. This is used to execute normal payload stagers. Finally, this module does some cleanup by killing local PHP-FPM workers (those are spawned automatically once killed) and removing the created local file.

Full Article

php

Horde Groupware Webmail Edition 5.2.22 PHP File Inclusion

By packetstormsecurity.com
Published On :: Thu, 12 Mar 2020 20:10:33 GMT

Horde Groupware Webmail Edition version 5.2.22 suffers from a PHP file inclusion vulnerability.

Full Article

php

PHPKB Multi-Language 9 image-upload.php Code Execution

By packetstormsecurity.com
Published On :: Mon, 16 Mar 2020 13:57:49 GMT

PHPKB Multi-Language 9 suffers from an image-upload.php remote authenticated code execution vulnerability.

Full Article

php

PlaySMS index.php Unauthenticated Template Injection Code Execution

By packetstormsecurity.com
Published On :: Mon, 06 Apr 2020 18:55:45 GMT

This Metasploit module exploits a preauth Server-Side Template Injection vulnerability that leads to remote code execution in PlaySMS before version 1.4.3. This issue is caused by double processing a server-side template with a custom PHP template system called TPL which is used in the PlaySMS template engine at src/Playsms/Tpl.php:_compile(). The vulnerability is triggered when an attacker supplied username with a malicious payload is submitted. This malicious payload is then stored in a TPL template which when rendered a second time, results in code execution.

Full Article

php

ThinkPHP 5.0.23 Remote Code Execution

By packetstormsecurity.com
Published On :: Tue, 14 Apr 2020 15:47:20 GMT

This Metasploit module exploits one of two PHP injection vulnerabilities in the ThinkPHP web framework to execute code as the web user. Versions up to and including 5.0.23 are exploitable, though 5.0.23 is vulnerable to a separate vulnerability. The module will automatically attempt to detect the version of the software. Tested against versions 5.0.20 and 5.0.23 as can be found on Vulhub.

Full Article

php

QRadar Community Edition 7.3.1.6 PHP Object Injection

By packetstormsecurity.com
Published On :: Tue, 21 Apr 2020 20:13:50 GMT

QRadar Community Edition version 7.3.1.6 suffers from a php object injection vulnerability.

Full Article

php

PHP-Fusion 9.03.50 Arbitrary File Upload

By packetstormsecurity.com
Published On :: Mon, 27 Apr 2020 14:39:52 GMT

PHP-Fusion version 9.03.50 suffers from an arbitrary file upload vulnerability.

Full Article

php

CentOS-WebPanel.com Control Web Panel (CWP) 0.9.8.851 phpMyAdmin Password Change

By packetstormsecurity.com
Published On :: Tue, 20 Aug 2019 22:06:49 GMT

CentOS-WebPanel.com Control Web Panel (CWP) version 0.9.8.851 allows an attacker to change arbitrary passwords.

Full Article

php

POS PHP 17.5 Cross Site Scripting

By packetstormsecurity.com
Published On :: Tue, 28 Apr 2020 14:50:09 GMT

POS PHP version 17.5 suffers from a persistent cross site scripting vulnerability.

Full Article

php

PHP-Fusion 9.03.50 Cross Site Scripting

By packetstormsecurity.com
Published On :: Thu, 30 Apr 2020 23:03:33 GMT

PHP-Fusion version 9.03.50 suffers from a persistent cross site scripting vulnerability.

Full Article

php

SimplePHPGal 0.7 Remote File Inclusion

By packetstormsecurity.com
Published On :: Tue, 05 May 2020 20:49:23 GMT

SimplePHPGal version 0.7 suffers from a remote file inclusion vulnerability.

Full Article

php

PHP 5.2.3 imap_open Bypass

By packetstormsecurity.com
Published On :: Thu, 15 Nov 2018 17:45:50 GMT

PHP version 5.2.3 (Debian) suffers from an imap imap_open disable functions bypass vulnerability.

Full Article

php

PHP imap_open Remote Code Execution

By packetstormsecurity.com
Published On :: Wed, 28 Nov 2018 01:52:56 GMT

The imap_open function within PHP, if called without the /norsh flag, will attempt to preauthenticate an IMAP session. On Debian based systems, including Ubuntu, rsh is mapped to the ssh binary. Ssh's ProxyCommand option can be passed from imap_open to execute arbitrary commands. While many custom applications may use imap_open, this exploit works against the following applications: e107 v2, prestashop, SuiteCRM, as well as Custom, which simply prints the exploit strings for use. Prestashop exploitation requires the admin URI, and administrator credentials. suiteCRM/e107/hostcms require administrator credentials.

Full Article

php

Google Cloud VM Instance Setup with Ubuntu and XAMPP PHP Server

By feedproxy.google.com
Published On :: Tue, 06 Aug 2019 20:10:50 PDT

Google cloud platform is a cloud computing service and a perfect alternate for Amazon Webservices. Nowadays most of the top companies are moving towards Google services for better results. Google cloud platform is offering a $300 free trial for one year. This post is about how to set up VM instances with firewall rules in addition to creating a XAMPP server with Ubuntu operation system. This is almost similar to my previous article about the Amazon EC2 setup. Try this and enrich your side projects.

Full Article

php

Microsoft Azure Virtual Machines Setup with Ubuntu and XAMPP PHP Server

By feedproxy.google.com
Published On :: Wed, 07 Aug 2019 07:39:04 PDT

Microsoft Azure is another great alternate cloud service and it is offering a one-year free trial with $200 credit. This post is almost similar to my previous Cloud service article. This will explain to you how to set up a virtual machine instance with secure firewall rules and setting up a XAMPP(PHP Maria DB Server) using the Ubuntu operating system. Microsoft Azure has lots of free project management services. This is very useful for your side projects.

Full Article

php

PHP grows up and Redis 6 is released

By weekly.statuscode.com
Published On :: Wed, 6 May 2020 00:00:00 +0000

#265 — May 6, 2020

Read on the Web

StatusCode Weekly

Covering the week's news in software development, ops, platforms, and tooling.

Caddy 2: The Go-Powered Web Server with Automatic, Default TLS — After over a year of redesign, Caddy 2 has a new architecture to v1. If you want a new HTTPS server that ‘just works’, Caddy is well worth a look IMO. Its lead creator, Matt Holt, answered lots of questions on this Hacker News thread about the release.

Caddy Web Server

Redis 6.0 Released — The next major release of the popular data structure server is here. Redis is at the heart of so many data systems nowadays that any major release is big news but 6.0 packs in a lot of new bits and pieces that make it more robust and capable of modern workloads, including:

Access Control Lists (ACL) for limiting what certain clients can do.
Diskless replication on replicas.
Threaded I/O (but Redis itself remains primarily single threaded).
SSL/TLS support.
A new client-server protocol, RESP3.

Salvatore Sanfilippo

Faster CI/CD for All Your Software Projects Using Buildkite — See how Shopify scaled from 300 to 1800 engineers while keeping their build times under 5 minutes.

Buildkite sponsor

An 'Extra Dumbed Down' Explanation of BGP — The BGP (Border Gateway Protocol) is a fundamental part of how the Internet works by defining and exchanging routing information between systems. This post explains what BGP is but, importantly, what its flaws are and how it needs to be made better.

RevK

How PHP is Beginning to Show Its Maturity — “If you still think PHP lacks an appropriate object model, you might be pleasantly surprised taking a look again.” Add proper FFI, dependency management, and security to the mix and PHP looks better than ever as of version 7.4.

John Coggeshall (LWN)

What Netlify’s Infrastructure Team Learned As It Increased Deploy Speed by Up to 2x — How the infrastructure team at Netlify took a 4 year old codebase, isolated an issue, tested a few different solutions, and eventually improved observability while rolling it out to production.

Epure, Neal and Drasner

Quick bytes:

Tim Bray, an esteemed engineer and co-author of the original XML specification, has quit Amazon over their recent whistleblower firings.
Allegedly servers managed with Salt are being targeted en-masse by hackers right now, including the popular Ghost blogging platform. More info here. And here's Salt's response.
Forget joining the lottery to attend Apple's WWDC developer conference this year.. it's going online for everyone to enjoy.
Want to code but short of project ideas? What To Code hopes to solve your coder's block.
Yes, yes, yes, the TIOBE Index's methodology has all sorts of problems, but C just jumped over Java to reach #1.
Maybe the news about the sale of the .ORG TLD will finally come to a close? ICANN's board has withheld consent for a change of control.

???? Jobs

DevOps Engineer at X-Team (Remote) — Join X-Team and work on projects for companies like Riot Games, FOX, Coinbase, and more. Work from anywhere.

X-Team

Find a Job Through Vettery — Vettery specializes in tech roles and is completely free for job seekers. Create a profile to get started.

Vettery

ℹ️ Interested in running a job listing in StatusCode Weekly? There's more info here.

???? Stories and Opinions

How a Few Lines of Code Broke Lots of JavaScript Packages — A week ago JavaScript developers were reporting breakage in numerous key packages. The culprit? A tiny change in a tiny dependency. A fix was quickly deployed and the creator of the affected project reflects on what happened here.

Forbes Lindesay

systemd, 10 Years Later: A Historical and Technical Retrospective

V.R.

Initial Impressions of WSL 2 — WSL (Windows Subsystem for Linux) is a compatibility layer for running Linux executables natively within Windows 10 and ”..it feels like a new era for web development on Windows.”

Dave Rupert

What Port Numbers Do Developers Use Locally? — A look at what port numbers developers are using locally in development.

Roland Crosby

▶ A Language Head to Head: Kotlin 4 vs. Scala 3

Garth Gilmour and Eamonn Boyle

▶ Does Agile Make Us Less Secure? — Weighing up the balance between older ways of making things ‘just so’ before deploying versus pushing to production numerous times a day.

Michael Brunton-Spall

How to Remain Agile with DynamoDB — Amazon DynamoDB delivers performance at scale but at a cost to flexibility. See how the costs can be mitigated to remain Agile.

Rob Cronin

???? Tutorials

Using AWS CodeBuild to Execute Administrative Tasks — A look at using AWS CodeBuild to run scheduled or adhoc jobs. It’s not the first tool most would jump to (as it’s marketed as a build service) but the flexibility provided is pretty neat and might help you package together code in a way that better suits your use case (it’s well suited for batch jobs that take a while to run, rather than 500ms functions, say!)

Gojko Adzic

Git Branch Naming Conventions — A primer on naming branches for modern git workflows to help organize your or your team’s work.

Sanket Saurav

Implementing Conway's Game of Life in 32 Bytes — Not exactly a tutorial but if you can read x86 you’ll learn something. Here’s a video of it in action.

SizeCoding

TLDR: Writing a Slack bot to Summarize Articles — Using state-of-the-art NLP to read more news, faster? I always find automated summaries to be kinda useless, but the way it’s put together is neat nonetheless.

Chris Ismael

OAuth 2.0 Security Best Current Practices

IETF

Using PostgreSQL for JSON Storage — With JSON and JSONB types and associated advanced ways to query such columns, using Postgres as a store for JSON data is pretty simple. This is the briefest of overviews but leads into an interactive online tutorial.

Steve Pousty

???? Code and Tools

Never IPv4: A Quick Way to Test Your IPv6 Support — If this site doesn't load for you, you're in the majority! It's a test site that only has AAAA records and so will only work on a fully working IPv6 stack. NeverIPv6.com provides the opposite.

As207960 Cyfyngedig

actions-cli: Monitor Your GitHub Actions in Real Time from the Command Line

Tommaso De Rossi

Pixie Is Alive. Monitor & Trace K8s Apps On-Prem Without Changing Code — At-scale streaming, gaming, e-comm & SaaS SRE teams run eBPF based edge monitoring Pixie scripts to debug in minutes.

Pixie sponsor

Backblaze B2 Cloud Storage Now Has S3 Compatible APIs — Backblaze B2 has been a compelling alternative to S3 for a while on price alone but now it shares an API too.

Gleb Budman

awesome-kubernetes: A Curated List for Awesome Kubernetes Sources — A lot of k8s resources here from installers and useful articles to platforms, projects, books, and Twitter accounts.

Ramit Surana

Rich: A Python Library for Rich Text and Beautiful Formatting in the Terminal — This does look really nice.

Will McGugan

Full Article

php

The Clash of the titans: Cake PHP Vs Zend Development

By feedproxy.google.com
Published On ::

Over the years, PHP development has turned out a lot of...

Full Article

php

Openings for AngularJS/NodeJS/Java/PHP Tech Lead/Core Dot Net for MNC Company- Andheri Seepz

By jobs.monsterindia.com
Published On :: 2020-05-09 11:22:25

Company: Confidential
Experience: 4 to 8
location: Mumbai, Mumbai City, Navi Mumbai, Thane
Ref: 24828121
Summary: Openings for AngularJS/NodeJS/Java/PHP Tech Lead/Core Dot Net for MNC Company- Andheri Seepz Experience: 1) Angular JS: 3 to 5 Years 2) Node JS: 3 to 5 Years 3) Java: 3 to 5 Years 4) PHP Tech....

Full Article

php

Building Scalable PHP Web Applications Using the Cloud : A Simple Guide to Programming and Administering Cloud-Based Applications [Electronic book] / Jonathan Bartlett.

By encore.st-andrews.ac.uk
Published On ::

[Berkeley, CA] : Apress L. P., [2019]

Full Article

php

How to Build a Dynamic Imgur Upload App Using jQuery & PHP

By designshack.net
Published On :: Thu, 29 Aug 2013 14:00:13 +0000

Many new online web services are providing backend APIs for developers. These allow anyone to connect into a web app and pull out specific information (or push or change bits of data). Today we’re specifically looking at the API for Imgur. In this tutorial I want to demonstrate how we can remotely mirror an image […]

Full Article

php

MongoDB and PHP / Steve Francia

By prospero.murdoch.edu.au
Published On ::

Francia, Steve

Full Article

php

PHP solutions : dynamic web design made easy / David Powers

By prospero.murdoch.edu.au
Published On ::

Powers, David, author

Full Article

Cayman Islands Dollar(KYD)/Philippine Peso(PHP)

Swiss Franc(CHF)/Philippine Peso(PHP)

CFA Franc BCEAO(XOF)/Philippine Peso(PHP)

Vietnamese Dong(VND)/Philippine Peso(PHP)

Macedonian Denar(MKD)/Philippine Peso(PHP)

Zambian Kwacha(ZMK)/Philippine Peso(PHP)

South Korean Won(KRW)/Philippine Peso(PHP)

Jordanian Dinar(JOD)/Philippine Peso(PHP)

Lebanese Pound(LBP)/Philippine Peso(PHP)

Bahraini Dinar(BHD)/Philippine Peso(PHP)

Chilean Peso(CLP)/Philippine Peso(PHP)

Maldivian Rufiyaa(MVR)/Philippine Peso(PHP)

Malaysian Ringgit(MYR)/Philippine Peso(PHP)

Nicaraguan Cordoba Oro(NIO)/Philippine Peso(PHP)

Netherlands Antillean Guilder(ANG)/Philippine Peso(PHP)

Estonian Kroon(EEK)/Philippine Peso(PHP)

Danish Krone(DKK)/Philippine Peso(PHP)

Fiji Dollar(FJD)/Philippine Peso(PHP)

New Zealand Dollar(NZD)/Philippine Peso(PHP)

Croatian Kuna(HRK)/Philippine Peso(PHP)

Peruvian Nuevo Sol(PEN)/Philippine Peso(PHP)

Dominican Peso(DOP)/Philippine Peso(PHP)

Papua New Guinean Kina(PGK)/Philippine Peso(PHP)

Brunei Dollar(BND)/Philippine Peso(PHP)

PHPKB Multi-Language 9 Authenticated Directory Traversal

PHP Hosting Directory 2.0 Insecure Cookie

PHPDirector 0.30 Insecure Cookie Handling

PHP-Fusion CMS 9.03 Cross Site Scripting

PHP-FPM 7.x Remote Code Execution

Horde Groupware Webmail Edition 5.2.22 PHP File Inclusion

PHPKB Multi-Language 9 image-upload.php Code Execution

PlaySMS index.php Unauthenticated Template Injection Code Execution

ThinkPHP 5.0.23 Remote Code Execution

QRadar Community Edition 7.3.1.6 PHP Object Injection

PHP-Fusion 9.03.50 Arbitrary File Upload

CentOS-WebPanel.com Control Web Panel (CWP) 0.9.8.851 phpMyAdmin Password Change

POS PHP 17.5 Cross Site Scripting

PHP-Fusion 9.03.50 Cross Site Scripting

SimplePHPGal 0.7 Remote File Inclusion

PHP 5.2.3 imap_open Bypass

PHP imap_open Remote Code Execution

Google Cloud VM Instance Setup with Ubuntu and XAMPP PHP Server

Microsoft Azure Virtual Machines Setup with Ubuntu and XAMPP PHP Server

PHP grows up and Redis 6 is released

The Clash of the titans: Cake PHP Vs Zend Development

Openings for AngularJS/NodeJS/Java/PHP Tech Lead/Core Dot Net for MNC Company- Andheri Seepz

Building Scalable PHP Web Applications Using the Cloud : A Simple Guide to Programming and Administering Cloud-Based Applications [Electronic book] / Jonathan Bartlett.

How to Build a Dynamic Imgur Upload App Using jQuery & PHP

MongoDB and PHP / Steve Francia

PHP solutions : dynamic web design made easy / David Powers

php-static-analysis/phpstan-extension: PHPStan extension to read static analysis attributes

Podatność w bibliotece class.upload.php

LXer: xmlrpc.php in WordPress: What is it, and should you disable it?

PHPfr is now open-source!

PHPfr mentioned on Engadget

PHPfr 1.0 fast approaching!

PHP Function Reference

PHP 5.3

http://www.madeforone.com/Articles/index.php/feed/

PHP 5.5.21 is released

PHP 5.6.5 is available

PHP 5.4.37 Released

PHP 5.4.38 Released

PHP 5.5.22 is available

PHP 5.6.6 is available

Subscribe To Our Newsletter