
      Ransomware attackers quickly weaponize PHP vulnerability with 9.8 severity rating

      news.movim.eu / ArsTechnica · Friday, 14 June - 19:40 · 1 minute

    Photograph depicts a security scanner extracting virus from a string of binary code. Hand with the word "exploit" (credit: Getty Images)

    Ransomware criminals have quickly weaponized an easy-to-exploit vulnerability in the PHP programming language that executes malicious code on web servers, security researchers said.

    As of Thursday, Internet scans performed by security firm Censys had detected 1,000 servers infected by a ransomware strain known as TellYouThePass, down from 1,800 detected on Monday. The servers, primarily located in China, no longer display their usual content; instead, many list the site’s file directory, which shows all files have been given a .locked extension, indicating they have been encrypted. An accompanying ransom note demands roughly $6,500 in exchange for the decryption key.

    When opportunity knocks

    The vulnerability, tracked as CVE-2024-4577 and carrying a severity rating of 9.8 out of 10, stems from errors in the way PHP converts Unicode characters into ASCII. A feature built into Windows known as Best Fit allows attackers to use a technique known as argument injection to convert user-supplied input into characters that pass malicious commands to the main PHP application. Exploits allow attackers to bypass the fix for CVE-2012-1823, a critical code execution vulnerability patched in PHP in 2012.



      PHP vulnerability allows attackers to run malicious code on Windows servers

      news.movim.eu / ArsTechnica · Friday, 7 June - 21:57


    A critical vulnerability in the PHP programming language can be trivially exploited to execute malicious code on Windows devices, security researchers warned as they urged those affected to take action before the weekend starts.

    Within 24 hours of the vulnerability and accompanying patch being published, researchers from the nonprofit security organization Shadowserver reported Internet scans designed to identify servers that are susceptible to attacks. That—combined with (1) the ease of exploitation, (2) the availability of proof-of-concept attack code, (3) the severity of remotely executing code on vulnerable machines, and (4) the widely used XAMPP platform being vulnerable by default—has prompted security practitioners to urge admins to check whether their PHP servers are affected before starting the weekend.

    When “Best Fit” isn't

    “A nasty bug with a very simple exploit—perfect for a Friday afternoon,” researchers with security firm WatchTowr wrote.



      Movim 0.24 Mueller

      Timothée Jaussoin · pubsub.movim.eu / Movim · Tuesday, 23 April - 20:51 edit · 2 minutes · 11 visibility

    Movim 0.24, codename Mueller is out. Let's dive in all the new exciting things that you can find in this new release!

    What's new?

    XEP-0386: Bind 2, XEP-0388: Extensible SASL Profile and XEP-0474: SASL SCRAM Downgrade Protection

    Movim was definitely not the first client to integrate those XMPP extensions, but their implementation finally brings a much more modern authentication stack to the project.

    Bind 2 and Extensible SASL Profile greatly simplify the authentication flow, allowing Movim to connect (and reconnect) even faster. Don't worry, the older method is still there and will let you connect to #XMPP servers that don't support this new mechanism yet.

    SASL SCRAM Downgrade Protection is a small security layer that sits on top of SASL (the authentication framework used by XMPP) to prevent channel-binding downgrade attacks during the handshake: a man-in-the-middle that strips the stronger mechanisms from the server's offer is detected before authentication completes. Several servers, such as ejabberd, have started to enforce it.

    We would like to thank fabiang, who did awesome work on the #PHP #SASL library to add SCRAM Downgrade Protection to it and allow a proper integration of the feature in Movim. Thanks!
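To make the downgrade-protection idea from the paragraph above concrete, here is an added Python illustration (not Movim's code and not fabiang's SASL library). A SCRAM-SHA-256 client digests the mechanism and channel-binding offer it saw and sends that digest as an extra attribute of its first message; because the whole first message is covered by the SCRAM proof, a server can compare the digest with what it really offered, and a man-in-the-middle can neither strip the offer unnoticed nor patch the digest without breaking the proof. The attribute name `ssdp`, the serialisation that is hashed, the user name and password, and the mechanism lists are all constructed assumptions; XEP-0474's exact wire format is not reproduced.

```python
"""SCRAM-SHA-256 (RFC 5802/7677, no channel binding, so c=biws) plus a
downgrade-protection token. Added illustration; "ssdp" and the hashed
offer format are simplified assumptions, not XEP-0474's exact encoding."""
import base64
import hashlib
import hmac
import os
import secrets

HASH = "sha256"


class DowngradeDetected(Exception):
    """Raised by the server when the client saw a different offer than it sent."""


def _h(data: bytes) -> bytes:
    return hashlib.new(HASH, data).digest()


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, HASH).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _attrs(message: str) -> dict:
    # SCRAM attributes are "k=v" pairs; base64 values may themselves contain '='.
    return dict(part.split("=", 1) for part in message.split(","))


def downgrade_token(mechanisms, channel_bindings) -> str:
    """Digest of the SASL offer as observed (constructed serialisation)."""
    offer = ",".join(sorted(mechanisms)) + "|" + ",".join(sorted(channel_bindings))
    return base64.b64encode(_h(offer.encode())).decode()


class ScramServer:
    def __init__(self, username, password, mechanisms, channel_bindings, iterations=4096):
        self.mechanisms, self.channel_bindings = list(mechanisms), list(channel_bindings)
        self.salt, self.iterations = os.urandom(16), iterations
        salted = hashlib.pbkdf2_hmac(HASH, password.encode(), self.salt, iterations)
        self.stored_key = _h(_hmac(salted, b"Client Key"))  # what a server keeps on disk
        self.server_key = _hmac(salted, b"Server Key")

    def first(self, client_first_bare: str) -> str:
        attrs = _attrs(client_first_bare)
        # Downgrade check: the client's view of the offer must match what we sent.
        if attrs.get("ssdp") != downgrade_token(self.mechanisms, self.channel_bindings):
            raise DowngradeDetected("client saw a stripped SASL offer")
        self.client_first_bare = client_first_bare
        self.combined_nonce = attrs["r"] + secrets.token_hex(12)
        self.server_first = (f"r={self.combined_nonce},"
                             f"s={base64.b64encode(self.salt).decode()},i={self.iterations}")
        return self.server_first

    def final(self, client_final: str) -> str:
        without_proof, proof_b64 = client_final.rsplit(",p=", 1)
        if _attrs(without_proof)["r"] != self.combined_nonce:
            raise ValueError("nonce mismatch")
        auth_message = f"{self.client_first_bare},{self.server_first},{without_proof}".encode()
        client_key = _xor(base64.b64decode(proof_b64), _hmac(self.stored_key, auth_message))
        # The token travels inside client-first, which the proof covers: any
        # on-the-wire rewrite of it surfaces here as an invalid proof.
        if not hmac.compare_digest(_h(client_key), self.stored_key):
            raise ValueError("client proof invalid")
        return "v=" + base64.b64encode(_hmac(self.server_key, auth_message)).decode()


class ScramClient:
    def __init__(self, username, password, seen_mechanisms, seen_channel_bindings):
        self.password, self.nonce = password, secrets.token_hex(12)
        self.token = downgrade_token(seen_mechanisms, seen_channel_bindings)
        self.client_first_bare = f"n={username},r={self.nonce},ssdp={self.token}"

    def final(self, server_first: str) -> str:
        attrs = _attrs(server_first)
        if not attrs["r"].startswith(self.nonce):
            raise ValueError("server nonce does not extend ours")
        salted = hashlib.pbkdf2_hmac(HASH, self.password.encode(),
                                     base64.b64decode(attrs["s"]), int(attrs["i"]))
        client_key = _hmac(salted, b"Client Key")
        without_proof = f"c=biws,r={attrs['r']}"
        auth_message = f"{self.client_first_bare},{server_first},{without_proof}".encode()
        proof = _xor(client_key, _hmac(_h(client_key), auth_message))
        self.expected_server_final = "v=" + base64.b64encode(
            _hmac(_hmac(salted, b"Server Key"), auth_message)).decode()
        return f"{without_proof},p={base64.b64encode(proof).decode()}"


# Constructed scenario: what the server really offers versus what a stripping
# man-in-the-middle lets the client see.
TRUE_MECHS, TRUE_CB = ["SCRAM-SHA-256", "SCRAM-SHA-256-PLUS"], ["tls-exporter"]


def run_handshake(seen_mechanisms, seen_channel_bindings, attacker_rewrites_token=False) -> str:
    server = ScramServer("alice", "correct horse", TRUE_MECHS, TRUE_CB)
    client = ScramClient("alice", "correct horse", seen_mechanisms, seen_channel_bindings)
    first = client.client_first_bare
    if attacker_rewrites_token:  # MITM patches the token to what the server expects
        first = first.replace(client.token, downgrade_token(TRUE_MECHS, TRUE_CB))
    try:
        server_final = server.final(client.final(server.first(first)))
    except (DowngradeDetected, ValueError) as exc:
        return str(exc)
    return "ok" if hmac.compare_digest(server_final, client.expected_server_final) else "server proof invalid"


if __name__ == "__main__":
    print(run_handshake(TRUE_MECHS, TRUE_CB))           # ok
    print(run_handshake(["SCRAM-SHA-256"], []))         # client saw a stripped SASL offer
    print(run_handshake(["SCRAM-SHA-256"], [], True))   # client proof invalid
```

The three calls at the bottom walk through the honest handshake, a stripped offer (caught by the server's token comparison), and a stripped offer where the attacker also rewrites the token (caught by the SCRAM proof, since client and server no longer agree on the authenticated message).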

    Complete page navigation loading refactoring

    You may not have seen it but a big #refactoring work was done under the hood to greatly simplify the navigation system in Movim.

    This allows you to have a working and reliable "back-button" experience across the user interface. It is actually especially noticeable on mobile where the back button is used a lot to switch between the different UI elements (drawers, pages, sliders...).

    This refactoring also fixed a few important bugs in the user interface's internal events that were causing odd behavior. For example, in some cases, when you loaded the same page several times in a row, the same event handler was attached several times to some buttons, creating a mess when clicking on them.

    And finally, the browser-server connection (which relies on a WebSocket) was also refactored and simplified, fixing numerous connectivity bugs that we had until now.

    Changes when publishing an article

    A new post publish form

    The post publication form was slightly reorganized. The post privacy toggle was more clearly defined and another one, to disable comments and likes, was added next to it.

    Interface improvements

    Since its big rewrite in 2014, Movim has relied on the Google #Material Design system. This version continues the integration of Material 3 with the redesign of the search and chat boxes as well as small details in forms and buttons.

    A new placeholder was also added when starting a new chat, allowing you to quickly add the user to your contact list or block them.

    New chat placeholder

    Other fixes and improvements

    A few #OMEMO bugs were also fixed, especially bug #1261, which was preventing Movim users from decrypting their own messages in chatrooms.

    Movim <3 Linphone

    We also fixed an annoying video-conferencing bug (#1274) that was preventing Movim from accepting some specific audio and video calls. This allows Movim to properly process calls coming from #SIP bridges and to connect with SIP clients like Linphone!

    We would especially like to thank toastal for his several contributions to the project, including internal image size management, a big refactoring of the internal language management system, and some more minor interface and performance fixes.

    What's next?

    This version lays the last important bricks required to introduce the early steps of the big audio and video-conferencing refactoring, especially through all the navigation and interface internal event management work done over the past few releases.

    We will tell you more about it soon, stay tuned!

    In the meantime, please share the good news around you and don't forget to update your server if you're an admin!

    That's all folks!


      Is PHP Declining In Popularity?

      pubsub.blastersklan.com / slashdot · Sunday, 14 April - 16:38 edit · 1 minute

    The PHP programming language has sunk to its lowest position ever on the long-running TIOBE index of programming language popularity. It now ranks #17 — lower than Assembly Language, Ruby, Swift, Scratch, and MATLAB. InfoWorld reports:

    When the Tiobe index started in 2001, PHP was about to become the standard language for building websites, said Paul Jansen, CEO of software quality services vendor Tiobe. PHP even reached the top 3 spot in the index, ranking third several times between 2006 and 2010. But as competing web development frameworks such as Ruby on Rails, Django, and React arrived in other languages, PHP's popularity waned. "The major driving languages behind these new frameworks were Ruby, Python, and most notably JavaScript," Jansen noted in his statement accompanying the index. "On top of this competition, some security issues were found in PHP. As a result, PHP had to reinvent itself." Nowadays, PHP still has a strong presence in small and medium websites and is the language leveraged in the WordPress web content management system. "PHP is certainly not gone, but its glory days seem to be over," Jansen said.

    A note on the rival Pypl Popularity of Programming Language Index argues that the TIOBE Index "is a lagging indicator. It counts the number of web pages with the language name." So while "Objective-C" ranks #30 on TIOBE's index (one rank above Classic Visual Basic), "who is reading those Objective-C web pages? Hardly anyone, according to Google Trends data." On TIOBE's index, Fortran now ranks #10. Meanwhile, PHP ranks #7 on Pypl (based on the frequency of searches for language tutorials).

    TIOBE's top ten?

    1. Python
    2. C
    3. C++
    4. Java
    5. C#
    6. JavaScript
    7. Go
    8. Visual Basic
    9. SQL
    10. Fortran

    The next two languages, ranked #11 and #12, are Delphi/Object Pascal and Assembly Language.



      I abandoned OpenLiteSpeed and went back to good ol’ Nginx

      news.movim.eu / ArsTechnica · Friday, 26 January - 15:29 · 1 minute


    Ish is on fire, yo. (credit: Tim Macpherson / Getty Images)

    Since 2017, in what spare time I have (ha!), I help my colleague Eric Berger host his Houston-area weather forecasting site, Space City Weather. It’s an interesting hosting challenge—on a typical day, SCW does maybe 20,000–30,000 page views to 10,000–15,000 unique visitors, which is a relatively easy load to handle with minimal work. But when severe weather events happen—especially in the summer, when hurricanes lurk in the Gulf of Mexico—the site’s traffic can spike to more than a million page views in 12 hours. That level of traffic requires a bit more prep to handle.


    Hey, it's Space City Weather! (credit: Lee Hutchinson)

    For a very long time, I ran SCW on a backend stack made up of HAProxy for SSL termination, Varnish Cache for on-box caching, and Nginx for the actual web server application—all fronted by Cloudflare to absorb the majority of the load. (I wrote about this setup at length on Ars a few years ago for folks who want some more in-depth details.) This stack was fully battle-tested and ready to devour whatever traffic we threw at it, but it was also annoyingly complex, with multiple cache layers to contend with, and that complexity made troubleshooting issues more difficult than I would have liked.

    So during some winter downtime two years ago, I took the opportunity to jettison some complexity and reduce the hosting stack down to a single monolithic web server application: OpenLiteSpeed.


      Best Developer Communities To Ask Questions

    The five developer communities that can be used for questions and answers are outstanding and supported by active users. As you go through this list and access each community, you can choose the one that works best for you. If you are new to the development process, Stack Overflow is a great starting point, and if you have been working with PHP for a while, #PHP Area is an excellent place to learn new things. If you are not interested in any of these communities and would like to ask questions related to programming in general, then Forum.phparea.com is what you should be looking at because it is focused on just that.

    Read more at: https://mywebforum.com


      The death of Vanilla Forums

      Loïck · Friday, 21 October, 2022 - 21:26 edit

    Where do we go now?

    We are now facing the death of the Vanilla forum software. Head over to the post about it that I published on the Vanilla Forums site.

    #vanillaforums #developpement #php #mysql #community


      Scheduling Tasks in PHP

      pubsub.slavino.sk / icinga · Wednesday, 19 October, 2022 - 13:38 edit

    In the scenario where you want to execute tasks repeatedly at a specific time and have full control over when they are executed and how the results are handled, it makes sense to build this into your application instead of setting up a cron job, for example. I’d like to give you a quick example […]

    The post Scheduling Tasks in PHP appeared first on Icinga.

    Tags: #PHP, #How-tos, #Development, #Network