php|tek09: Day #1

Tutorial day at php|tek! The day began with a PHP Breakfast, where I met guys like Matthew Weier O’Phinney and saw the guys from yesterday as well. After that I moved on to registration and got my tek swag on!

The first session I attended was a Security Bootcamp by Christian Wenz (@chwenz), where we analysed some security issues and sample applications, went over some of the basics of PHP security and looked at some of the most active attack classes today, like XSS and CSRF. It was interesting and refreshing, an overall great tutorial for people looking for the light at the end of the security tunnel, or at least wanting to learn what holes to look for in their applications.

After that we had lunch, courtesy of MTACon. The afternoon kicked off with an awesome session, PHP Code Review with Sebastian Bergmann, Arne Blankerts and Stefan Priebsch. This session was an eye opener and loads of fun. Basically we picked up PHP frameworks and apps, like Habari, Magento and such, and looked at the code to find the bad, the ugly and the downright outrageous. The kind of stuff we found in some apps was simply amazing, from major security issues in Habari to insanely pointless code in Magento. This session was very interactive and pointed out a whole bunch of things we should avoid on a daily basis.

After the sessions we headed over to get some official and famous Chicago Stuffed Pizza at Giordano’s; it is definitively approved! Dinner with 40 PHPers ended up back in the hotel for some Hockey and Basketball surrounded by PHP talk.

Ready for the first official day of php|tek. By the way… we got some great shirt swag at the conf… bring money! buy shirts!

Pictures on Flickr: http://www.flickr.com/search/?q=phptek+OR+tek09&m=tags&d=taken-20090515-20090525&ss=2&ct=0&w=all

Update: Seems the security issue is not major, as it occurs only during installation. It is however still a security issue and a violation of the “filter all input” mantra.
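To make the “filter all input” mantra concrete, here is an added example in PHP (it is not code from the post, from Habari, or from any app reviewed in the session, and the function names `csrf_token`, `csrf_ok`, `validate_comment` and `h` are illustrative). It shows a small comment form handler that whitelist-validates every field it reads, escapes everything it echoes (the XSS side), checks a per-session anti-forgery token in constant time (the CSRF side), and writes to the database through a prepared statement rather than string concatenation. The in-memory SQLite database exists only so the script runs on its own.

```php
<?php
// Added example, not from the post or from any reviewed project.
// Demonstrates "filter all input": validate on the way in, escape on the
// way out, verify the CSRF token, and never build SQL from raw input.
declare(strict_types=1);
session_start();

/** One random token per session, stored server side. */
function csrf_token(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

/** Constant-time comparison so a timing side channel cannot leak the token. */
function csrf_ok(array $post): bool {
    return isset($post['csrf'], $_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], (string) $post['csrf']);
}

/**
 * Whitelist-validate the submitted fields.
 * Returns [errors, clean]; an empty error list means the input was accepted.
 */
function validate_comment(array $post): array {
    $errors = [];
    $clean = [
        'name' => trim((string) ($post['name'] ?? '')),
        'site' => trim((string) ($post['site'] ?? '')),
        'body' => (string) ($post['body'] ?? ''),
    ];
    // Name: 1-64 letters, digits, spaces, dot, apostrophe or hyphen.
    if (!preg_match('/^[\p{L}\p{N} .\'-]{1,64}$/u', $clean['name'])) {
        $errors[] = 'name: 1-64 letters, digits, spaces, or .\'-';
    }
    // Site is optional, but if present it must be an http(s) URL
    // (blocks javascript: and data: links being rendered later).
    if ($clean['site'] !== ''
        && (filter_var($clean['site'], FILTER_VALIDATE_URL) === false
            || !in_array(parse_url($clean['site'], PHP_URL_SCHEME), ['http', 'https'], true))) {
        $errors[] = 'site: must be an http(s) URL';
    }
    if ($clean['body'] === '' || mb_strlen($clean['body'], 'UTF-8') > 4000) {
        $errors[] = 'body: 1-4000 characters';
    }
    return [$errors, $clean];
}

/** Escape for an HTML text or attribute context; never echo raw input. */
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_ok($_POST)) {
        http_response_code(403);
        exit('bad CSRF token');
    }
    [$errors, $c] = validate_comment($_POST);
    if ($errors) {
        http_response_code(400);
        foreach ($errors as $e) {
            echo '<p>', h($e), '</p>';
        }
        exit;
    }
    // Prepared statement: the values travel as parameters, not as SQL text.
    // (In-memory SQLite only so the example is self-contained.)
    $pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $pdo->exec('CREATE TABLE comments (name TEXT, site TEXT, body TEXT)');
    $stmt = $pdo->prepare('INSERT INTO comments (name, site, body) VALUES (?, ?, ?)');
    $stmt->execute([$c['name'], $c['site'], $c['body']]);
    echo '<p>Thanks, ', h($c['name']), '</p>';
    exit;
}
?>
<form method="post">
  <input type="hidden" name="csrf" value="<?= h(csrf_token()) ?>">
  <input name="name"> <input name="site">
  <textarea name="body"></textarea>
  <button>Post</button>
</form>
```

Two points worth keeping in mind when reading it: validation narrows what gets in, but it does not replace escaping, because the same string is safe in SQL (via the placeholder) and unsafe in HTML (without `h()`); and the token check must happen before any state change, which is why it is the first thing the POST branch does.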

8 thoughts on “php|tek09: Day #1”

  1. I find it difficult to characterize any of the security issues (which I am only able to see from the posted slide deck) as major.

    Furthermore, it seems very irresponsible to post a supposedly major issue to an open conference without first notifying the vendor (Habari) and/or offering some clarification post-conference. For the life of me, I still can’t find most of the issues which supposedly exist.

  2. The security issue is NOT a risk for any installed Habari.

    Under very specific circumstances, including an attacker already knowing your database name, username and password, and _before_ Habari has been installed, an attack was possible. If you’d already installed, the attack isn’t possible. A fix has now been circulated.

  3. It’s worth mentioning that the Habari team was warned of the security issue, and as Michael stated it really wasn’t that bad of an issue, so maybe my “major” keyword was badly misused as I did not have this scope info. And the Habari team responded really fast and a fix really is done.

    Also, the audience at Tek is expected to be a group of responsible programmers, not some script kiddies and ill-intentioned developers; at least I hope we can fit them in there.

  4. I have to mention that the Habari team (of which I am a member) was NOT properly notified of this prior to the session, which would have been the right thing to do. Still, without proper notification, a fix was released within a day.

  5. Yeah

    ‘minor security issue that was fixed within hours of being reported to the Habari community’

    just doesn’t have the same ring to it, does it ?
