Open Source and information security mailing list archives
Date: Fri, 21 May 2010 11:30:28 +0200
From: Stefan Esser <>
To: full-disclosure <>,
Subject: Month of PHP Security - Summary - 11th May - 21st

Hello Everyone,

it is the 21st of May. The Month of PHP Security
( is still running and we have reached a
vulnerability count of 40 vulnerabilities, which is nearly as many as we
disclosed during the whole Month of PHP Bugs in 2007. However, there are
11 more days until the end of May and therefore there are still plenty
more vulnerabilities to come. Especially the number of SQL injection
vulnerabilities in PHP applications will increase, because it is called
the SQL injection marathon for a reason. And we also have several articles
and submissions left.

There have been some changes to the website that should make it easier
to read, and we also added the possibility to comment on bugs/entries/news
and articles.

For those that don't already know, you can follow the Month of PHP
Security on Twitter, too. Just follow @mops_2010

Here is the summary of what happened during the last 10 days.

Related Events

Returning into the PHP Interpreter – Remote Exploitation of Memory
Corruptions in PHP is not over yet.

PHP Security Course – Advanced PHP Auditing at Source and Bytecode level


MOPS Submission 07: Our Dynamic PHP – Obvious and not so obvious PHP
code injection and evaluation

MOPS Submission 06: Variable Initialization in PHP

Article: Decoding a User Space Encoded PHP Script

MOPS Submission 05 – The Minerva PHP Fuzzer

PHP Vulnerabilities

MOPS-2010-040: PHP strtr() Interruption Information Leak Vulnerability

MOPS-2010-039: PHP strpbrk() Interruption Information Leak Vulnerability

MOPS-2010-038: PHP http_build_query() Interruption Information Leak

MOPS-2010-037: PHP str_getcsv() Interruption Information Leak Vulnerability

MOPS-2010-036: PHP htmlentities() and htmlspecialchars() Interruption
Information Leak Vulnerability

MOPS-2010-034: PHP iconv_mime_encode() Interruption Information Leak

MOPS-2010-033: PHP iconv_substr() Interruption Information Leak

MOPS-2010-032: PHP iconv_mime_decode() Interruption Information Leak

MOPS-2010-028: PHP phar_wrapper_open_url Format String Vulnerabilities

MOPS-2010-027: PHP phar_parse_url Format String Vulnerabilities

MOPS-2010-026: PHP phar_wrapper_unlink Format String Vulnerability

MOPS-2010-025: PHP phar_wrapper_open_dir Format String Vulnerability

MOPS-2010-024: PHP phar_stream_flush Format String Vulnerability

MOPS-2010-022: PHP Stream Context Use After Free on Request Shutdown

MOPS-2010-021: PHP fnmatch() Stack Exhaustion Vulnerability

PHP Application Vulnerabilities

MOPS-2010-035: e107 BBCode Remote PHP Code Execution Vulnerability

MOPS-2010-031: e107 Usersettings loginname SQL Injection Vulnerability

MOPS-2010-030: CMSQlite mod Parameter Local File Inclusion Vulnerability

MOPS-2010-029: CMSQlite c Parameter SQL Injection Vulnerability

MOPS-2010-023: Cacti Graph Viewer SQL Injection Vulnerability

Thank you
Stefan Esser
Month of PHP Security /
SektionEins GmbH /
