Last week, at PHP Forum Paris 2005, Rasmus Lerdorf (the father of PHP, if you don't know) showcased "Scanmus", a tool he has been developing internally at Yahoo to detect severe security holes in PHP applications.
Of course, I took the opportunity to submit b2evolution as a candidate for the scanner to try all its evil tricks on!
While I was a little worried, since I submitted the not-yet-perfect Phoenix release, the results are pretty comforting about the overall security level provided by b2evolution.
Actually, the only issue detected by the scanner, as explained by Rasmus, is due to the demo server running an older version of PHP. Moreover, it impacts PHP sessions, which b2evolution does not actually use (we'll turn them off on the demo server as well).
Of course, the test cannot be considered definitive, but still, if you compare b2evo's results with average results, you should get an idea about how much work and effort we've been putting into b2evo lately.
If you're interested, you can watch the video! Well, you will see no more than the screen from the picture above (except that it moves a little), and you won't even see Rasmus on screen, but you'll hear him commenting! ;)
My favorite quote: [Looking at the vulnerability report] "...nothing else?... That's disappointing! :>"
Watch on Youtube: https://youtu.be/_g94H14uNAY
That’s awesome news! And it reflects the level of support that I have seen over the past 2 months with the recent wave of blog spammers. Thanks to the entire b2evo community. I’m eager to run Phoenix and use some of its new features!
The video is funny. I can even hear François speak... ;)
The mentioned vulnerability, which was due to the use of PHP's session management (which was just on the demo site to store whether someone wants to use debugging), has been removed.
Maybe you should send WP a copy? ;)
I wish I could use google but:
Thanks for your interest in Google Video.
Currently, the playback feature of Google Video isn’t available in your country.
We hope to make this feature available more widely in the future, and we really appreciate your patience.
This is great :) I feel just so much better (about spam) since the Dawn release already, and can't wait for the next release :)
Keep up the good work, it’s a pleasure working with B2evolution!
Do you know if he plans to release this tool? (Or if you know an equivalent tool?)
Instead of Google video, why not use the Coral CDN: http://doc.b2evolution.net.nyud.net:8090/media/b2evo_scanmus.mp4
Have an intermediate page which tries to redirect to the CDN version and if it fails have a backup link to the direct download.
Really funny video :)