Top 20 PHP APP Vulnerabilities

Author
crnunez
Premium Member
2007/04/20 10:44:52 (permalink)

Hello,
Browsing the Internet, I found some interesting graphs from the National Vulnerability Database (http://nvd.nist.gov/) published by NVD.

Some other references: http://blog.funkatron.com/archives/general/the-php-app-insecurity-top-20/
http://www.cerias.purdue.edu/weblogs/category/secure-it-practices/
http://www.phpdeveloper.org/news/7652

phpBB, WordPress, etc.

It is very important to keep an eye on these apps. HC sells this pack of PHP apps for $$$... but these apps are very insecure.

Regards.

R.N.
#1


    Dhosting.co.uk
    Premium Member
    RE: Top 20 PHP APP Vulnerabilities 2007/04/20 11:05:51 (permalink)
    I pointed out why we and several other users wouldn't purchase the addon pack.

    Example:
    28th March 2007 - HC Build 8 ships with phpBB build 2.7.0.1
    30th March 2007 - phpBB finds a security bug
    1st April 2007 - phpBB fixes the bug and releases an update
    20th May 2007 - HC Build 9 ships with the latest update

    Now, the above is theory; the build numbers aren't correct. Again, it's a theory of what happens.

    The time between phpBB publishing an update and HC adding it into their software is long.

    Second problem: we have no idea which versions of phpBB websites are running. All new sites will get the phpBB update, but current sites wouldn't.

    Again that sort of setup is a security risk.

    For us to buy it, HC would have to constantly monitor app bug databases (usually you can subscribe to a mailing list). Then, as soon as an update was released, update the files on the HC master server and make all HC servers check every 24 hrs for application updates. This doesn't mean core HC updates, just applications, e.g. phpBB, WordPress.

    That covers the response time between update issues and HC publishing them, but the next issue is what versions of each app the sites are running. My suggestion: HC puts a build number marker in a file within each app. Most apps have one, but when you update it isn't always updated. So then HC, after downloading updated packages, runs through all sites which are running phpBB and applies the update files, usually MySQL scripts and replacing some files. The only issue with this is when a user has modified a template for phpBB or added a custom skin or something; they may lose it. But the idea is better than nothing.

    You guys might disagree with me on both points, but with the current setup I will not purchase the addon pack!

    But in the case of the first suggestion it will mean more work for HC, i.e. checking on current updates, but if they build a system to read the update feeds which most open source apps provide, it shouldn't be a problem.

    Again, auto update for apps only. I wouldn't want HC downloading any core updates, i.e. hotfixes, without me knowing about it and doing it manually, simply due to the issues which can crop up. 10 mins to install an update once or twice a month doesn't bother most admins!


    __________________
    Chris Daley
    Dwebs Ltd Director :: Company No. 05603664 :: Phone No. (UK) 0870 803 4423
    www.Dhosting.co.uk - Web Hosting, Domain Registration
    www.Dwebs.ltd.uk - Web Design & Other Services
    My views are my own and not those of my company.
    #2
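The post above proposes two defensive controls: a per-app build-number marker file so the panel knows which version each site runs, and a periodic sweep that compares installed versions against the latest release and flags sites that need the update. The following is an added example of such an audit sweep; it is not code from the thread or from Hosting Controller. It assumes a hypothetical `VERSION` marker file at each app's root (the marker the post asks for), and the "latest" version numbers it uses are constructed placeholders, not real release numbers. It also handles the second problem the post raises: a site whose marker is missing is reported as "unknown" rather than silently treated as current.

```python
"""Inventory check for bundled PHP apps across hosted sites.

Added example, not from the forum thread or Hosting Controller. Assumes a
hypothetical 'VERSION' marker file at each app's root, as the post proposes.
"""
import re
import tempfile
from pathlib import Path

# Known-latest versions the operator maintains from each project's release
# feed or mailing list. Constructed placeholder values, not real releases.
LATEST = {"phpbb": "2.0.23", "wordpress": "2.1.3"}

VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*$")


def parse_version(text):
    """Turn '2.0.23' into (2, 0, 23) so versions compare numerically.
    Returns None for anything that does not look like a dotted version."""
    m = VERSION_RE.match(text or "")
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def read_marker(app_root):
    """Read the per-app VERSION marker; None if missing or unreadable."""
    marker = Path(app_root) / "VERSION"
    try:
        return marker.read_text(encoding="utf-8").strip()
    except OSError:
        return None


def audit_sites(sites, latest=LATEST):
    """sites maps a site name to {app_name: install_path}.
    Returns a sorted list of (site, app, status, installed, latest) where
    status is 'ok', 'outdated' or 'unknown' (no readable marker)."""
    findings = []
    for site, apps in sites.items():
        for app, root in apps.items():
            if app not in latest:
                continue  # app the operator does not track; skip it
            installed = read_marker(root)
            have, want = parse_version(installed), parse_version(latest[app])
            if have is None:
                status = "unknown"
            elif have < want:
                status = "outdated"
            else:
                status = "ok"
            findings.append((site, app, status, installed, latest[app]))
    return sorted(findings)


def needs_attention(findings):
    """Everything not confirmed current: outdated installs and sites whose
    version cannot be determined (the 'which version is this site running?'
    problem from the thread)."""
    return [f for f in findings if f[2] != "ok"]


def build_demo():
    """Create a constructed fixture of three sites on disk and audit it."""
    base = Path(tempfile.mkdtemp(prefix="app_audit_"))
    layout = {
        "alpha.example": {"phpbb": "2.0.23", "wordpress": "2.1.3"},  # current
        "beta.example": {"phpbb": "2.0.21"},                         # stale
        "gamma.example": {"wordpress": None},                        # no marker
    }
    sites = {}
    for site, apps in layout.items():
        sites[site] = {}
        for app, version in apps.items():
            root = base / site / app
            root.mkdir(parents=True)
            if version is not None:
                (root / "VERSION").write_text(version + "\n", encoding="utf-8")
            sites[site][app] = root
    return audit_sites(sites)


if __name__ == "__main__":
    for site, app, status, installed, want in needs_attention(build_demo()):
        print(f"{site:16} {app:10} {status:9} installed={installed} latest={want}")
```

Run on the constructed fixture, the sweep reports beta.example as outdated and gamma.example as unknown; alpha.example is silent. In a real deployment the `LATEST` table would be refreshed from each project's release feed on the schedule the post describes, and the "unknown" rows are the ones worth chasing first, because a site with no marker may be running anything.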
    crnunez
    Premium Member
    RE: Top 20 PHP APP Vulnerabilities 2007/04/20 12:11:19 (permalink)
    I agree with you.

    R.N.
    #3
    Dhosting.co.uk
    Premium Member
    RE: Top 20 PHP APP Vulnerabilities 2007/04/20 12:16:24 (permalink)
    On the topic of apps:

    phpMyAdmin should be made a virtual directory on all domains pointing to one root phpmyadmin folder, like awstats is in the awstats folders, so only one folder has to be updated.

    phpMyAdmin shouldn't be part of the app pack in my view. It's a tool which helps customers access MySQL DBs. It should be free and, as I said, included like awstats is, so there's no security risk. It's not like phpBB or a blog; no end user config is needed.

    Anyway, HC's view on this will be interesting, but I doubt we will get any feedback until Monday!

    Also, when this API is released it will be interesting to see if we can add in our own apps; I would like to add DNN, ZenCart, CubeCart, etc.!

    #4
    HC Team
    Hosting Controller
    RE: Top 20 PHP APP Vulnerabilities 2007/04/24 08:04:02 (permalink)
    We support a lot of click & install apps, and it is difficult for us to update our installer to integrate each and every patch they release. Anyway, thanks for your suggestions and we will check the possibilities.

    ________________________
    HC Support Team
    support@hostingcontroller.com
    http://hostingcontroller.com
    +1-213-341-1419
    #5
    kieranmullen
    Premium Member
    RE: Top 20 PHP APP Vulnerabilities 2007/10/05 02:07:47 (permalink)
    No one is asking you to update it every time, just more often than you do. It would have to be a higher frequency than the releases for HC. Besides, what is so hard about it, since 99% of the code is written by someone else?

    KM

    KieranMullen
    #6
    crnunez
    Premium Member
    RE: Top 20 PHP APP Vulnerabilities 2007/01/06 07:42:35 (permalink)
    quote:
    Originally posted by HC Support
    We support a lot of click & install apps, and it is difficult for us to update our installer to integrate each and every patch they release. Anyway, thanks for your suggestions and we will check the possibilities.

    Hi,
    June 1st, 56 days ago, we had the last HC build, and in this time several bugs and more critical bugs have been discovered for these PHP apps. ...

    R.N.
    #7
    Dhosting.co.uk
    Premium Member
    RE: Top 20 PHP APP Vulnerabilities 2007/01/06 08:53:40 (permalink)
    That long ago :( time does fly :)

    #8
    Albert38
    Senior Member
    RE: Top 20 PHP APP Vulnerabilities 2007/01/06 09:59:07 (permalink)
    HC is including Mambo; didn't they hear about Joomla?
    #9
    Dhosting.co.uk
    Premium Member
    RE: Top 20 PHP APP Vulnerabilities 2007/01/06 10:02:34 (permalink)
    Well, I looked into Joomla for an HC user when I set up their server.

    Anyway, to cut a long story short, it might be possible to replace the Mambo files with the Joomla files, i.e. even though it says Mambo it would install Joomla!

    I haven't tested it, as I refuse to pay for an add-on pack; a waste of money!


    #10
    Albert38
    Senior Member
    RE: Top 20 PHP APP Vulnerabilities 2007/02/06 14:57:54 (permalink)
    I tested replacing the Mambo files with the Joomla files; it works, and after editing a few XML files I could replace the name Mambo with Joomla in HC as well. This is an unwanted solution because it has to be done again after an update.
    #11
    Dhosting.co.uk
    Premium Member
    RE: Top 20 PHP APP Vulnerabilities 2007/02/06 15:09:48 (permalink)
    Thought it would work!

    #12