PhpStorm Gets a New Version

The popular PHP IDE has received version 2018.3 with many new features and updates
23 November 2018

JetBrains, which specializes in building IDEs, has announced the release of the final version of PhpStorm 2018.3. This cross-platform product is built on the IntelliJ IDEA platform and is intended for development in the PHP scripting language.

The updated development environment supports PHP 7.3. The developers have improved support for DQL (Doctrine Query Language), a query language built around the project's object model: DQL composes queries that read or modify data in terms of user-defined class names and fields. The early-access build merely highlighted the lines of code containing such queries; the final release implements full navigation and editing for them.

PHPDoc gained intersection types, which let a variable belong to several types at the same time. Some refactoring tools were improved. HTTP requests can now be generated via Run. The debugger gained the ability to search for variables.

When working with PHPUnit, the setUp and tearDown methods used when running tests can now be generated automatically, which speeds up working with test code.

JetBrains has expanded support for working with GitHub repositories: PhpStorm 2018.3 adds a pull request management tool that lets you view and sort them. Work with submodules was fixed: they are now saved correctly when a project is cloned.

The new release contains tools for automatically fixing code and bringing it in line with industry standards such as PSR-2; to this end, the PHP CS Fixer utility has been integrated into PhpStorm 2018.3. The settings even allow you to define your own coding standards.

The IDE interface itself was improved, with new search features and new color schemes. TODO comments, which generate a task list, can now span several lines, as they already can in JavaScript, TypeScript, SQL, CSS, and HTML.

For working with databases, the developers reworked the supporting code and added the NoSQL DBMS Apache Cassandra and the relational PostgreSQL to the system.

The previous version of the IDE was released in July 2018; it added custom postfix completion templates and reworked structural search and replace.

More information is available on the official blog.

WordPress Websites Under Threat

Using a vulnerability in the AMP for WP plugin, attackers can create users with administrator rights
21 November 2018

In October 2018, a vulnerability was discovered in AMP for WP, a popular plugin for generating accelerated mobile pages, that allows any registered user to gain administrator privileges. WordPress sites running this plugin are now under an XSS attack that aims to create "fake" administrators.

The flaw that allows a user to escalate privileges is a missing check, in older versions of the plugin, that the caller actually has the rights to perform administrator actions. The problem has been fixed since version 0.9.97.20, released in early November 2018, but because many WordPress sites do not update plugins automatically, they remain vulnerable.
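The defect class described above, a plugin admin action that does privileged work without verifying that the caller may perform administrator actions, shown beside a hardened version. This is an added illustration in PHP, not code from AMP for WP; the hook, option name and form field names are assumptions.

```php
<?php
// Hypothetical plugin settings handler (constructed example, not AMP for WP's code).
// Both handlers react to a POST on any admin page via the admin_init hook, which
// fires for every logged-in user, including low-privileged subscribers.

// VULNERABLE: no authorization, no CSRF token, no sanitization. Any registered
// user can overwrite the option, including with a <script> payload that later
// executes in an administrator's browser (stored XSS). Shown for contrast only
// and deliberately not hooked.
function example_plugin_save_settings_vulnerable() {
    if ( isset( $_POST['example_plugin_action'] ) && 'save' === $_POST['example_plugin_action'] ) {
        update_option( 'example_plugin_header_html', $_POST['header_html'] );
    }
}

// HARDENED: authorize the caller, verify the request nonce, then sanitize.
function example_plugin_save_settings_hardened() {
    if ( ! isset( $_POST['example_plugin_action'] ) || 'save' !== $_POST['example_plugin_action'] ) {
        return;
    }
    // 1. Authorization: only users allowed to manage options may proceed.
    //    This is the check whose absence the article describes.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to change these settings.', 'example-plugin' ),
            '',
            array( 'response' => 403 )
        );
    }
    // 2. Request authenticity: the settings form must have emitted
    //    wp_nonce_field( 'example_plugin_save', 'example_plugin_nonce' ).
    check_admin_referer( 'example_plugin_save', 'example_plugin_nonce' );

    // 3. Input sanitization: keep only post-safe HTML, so <script> is dropped.
    $header_html = wp_kses_post( wp_unslash( $_POST['header_html'] ?? '' ) );
    update_option( 'example_plugin_header_html', $header_html );
}
add_action( 'admin_init', 'example_plugin_save_settings_hardened' );

// Output side: re-filter on render so a value written by older, unchecked
// code cannot execute script in an administrator's browser.
function example_plugin_render_header_html() {
    echo wp_kses_post( get_option( 'example_plugin_header_html', '' ) );
}
```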

Wordfence security researcher Mikey Veenstra said that a large-scale automated XSS attack exploiting the unpatched vulnerability is now under way.

The malicious script is hosted at https://sslapis[.]com/assets/si/stat.js. When it runs in an administrator's browser, it creates a new administrator account that is under the attackers' control. This is done through a hidden iframe element that simulates the registration of a new user and dispatches a click() event to "press" the submit button.

In this way, an administrator account with the username supportuuser and the e-mail address supportuser72019@gmail.com is added to the target site. The script then inspects the list of installed plugins and tries to install a PHP backdoor.

The script reads variables appended to the URL of the compromised plugin and assigns them as environment variables, which lets the attacker run arbitrary commands:

WordPress site administrators are advised to:

  • check the list of administrators and remove any unknown accounts;
  • update AMP for WP to version 0.9.97.20 or higher;
  • check the activity of the WooCommerce plugin, which is also being targeted by an XSS attack.

In June 2018, RIPS researchers reported a WordPress vulnerability that allows malicious code to be uploaded to the system and critical files to be deleted. In November 2018, they also discovered a flaw in the WooCommerce plugin for this CMS.