Re:Nothing for you to see here. Please move along (on "SCO.com Defaced")
It need not be. I downloaded the current, original image file and modified it using Gimp on a GNU/Linux system. The "strings webinar_land2-1.jpg | head" command that someone mentioned produces exactly the same output both before and after my modification, including "Adobe Photoshop 7.0".
With this, humans won't need to take BigDog for a daily walk anymore.
"Friendly countries"; like, the USA?
What? No mention of the Pixel Qi -based Adam? This is the one I'm waiting for.
http://notionink.wordpress.com/
http://www.notionink.in/
I made Basus not long ago. Successfully tested on about 50 kids. Read about the idea behind the programming language here: http://basus.no/idea.html
Get it here: http://basus.no/
It appears that PHP, upon seeing an incoming parameter with a name that ends in [something] (where something may be empty), automatically turns that variable into an array.
How many of you PHP developers out there knew that? I didn't. And I had to dig quite a bit to find a reference to this behaviour in the docs.
So, incoming stuff from the URL or the POST data are no longer strings all the time. Can they magically become other things than strings and arrays as well? Maybe not now, but what if some PHP developer thinks up another "nifty" feature _after_ I read the docs; how then am I supposed to protect my application in the future? Do I need to re-read the docs every time I upgrade PHP?
And is there a way to turn this "we know better than you what you need"-behaviour off?
I'm sick of seeing framework developers add "nifty" features that you have to know about in order to write secure code. It's not only PHP, but also several highly popular Java frameworks that I work with these days. Some of them make it quite easy to write to object fields that are normally out of reach of the input fields in a form.
I want a framework that makes it impossible to make mistakes, and where you have to _enable_ potentially dangerous features when you _know_ you need them, rather than _disable_ potentially dangerous features most people don't know about (or use).
I don't know about the new attacks, but I researched a bit after Gregory Steuck posted about "XXE (Xml eXternal Entity) attack" on Bugtraq in 2002 (http://www.securityfocus.com/archive/1/297714).
You can easily do DoS attacks on a Java-based thing running on e.g. Linux if you manage to trick the server into parsing one of the following two XML documents:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ENTITY xee SYSTEM "file:/dev/tty">
]>
<foo>foo: &xee;</foo>

<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "file:/dev/tty">
Both will make the XML parser try to read from the TTY, thus blocking "forever" waiting for input that never comes. The fun thing is that it doesn't help to setExpandEntityReferences(false), even though the name sounds like it would help. The only thing that works (afaik), is to install a custom made EntityResolver that refuses to look up external entities. Since nobody does that, this vulnerability may be found all over the place.
Variations exist for other OS-es and other web platforms as well. I even found that Adobe Reader was vulnerable once (http://shh.thathost.com/secadv/adobexxe/), and I recently stumbled across a similar thing in a commercial web-protecting security application. (They're working on a fix.)
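A hardened parser for the case described in the post above, as an added example that is not from the original post: it installs an EntityResolver that refuses every external entity (including the external DTD subset), so both documents are rejected before any read of /dev/tty is attempted. The class and method names are my own, and a root element is appended to the second document so that it is otherwise well-formed.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class NoExternalEntities {

    // The two documents from the post, embedded as constructed input.
    // A root element is added to the second one so only the DTD fetch is at issue.
    static final String INLINE_ENTITY =
        "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>\n"
      + "<!DOCTYPE foo [\n<!ENTITY xee SYSTEM \"file:/dev/tty\">\n]>\n"
      + "<foo>foo: &xee;</foo>";
    static final String EXTERNAL_DTD =
        "<?xml version=\"1.0\"?>\n<!DOCTYPE foo SYSTEM \"file:/dev/tty\">\n<foo/>";

    // Builds a DocumentBuilder whose EntityResolver refuses all external
    // entities. The resolver runs before the parser opens the referenced
    // resource, so the parse fails immediately instead of blocking on the TTY.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // As the post notes, this alone does NOT stop the read; it only changes
        // how resolved entities appear in the DOM. Kept here to make that visible.
        factory.setExpandEntityReferences(false);
        DocumentBuilder builder = factory.newDocumentBuilder();
        builder.setEntityResolver(new EntityResolver() {
            @Override
            public InputSource resolveEntity(String publicId, String systemId)
                    throws SAXException {
                throw new SAXException("external entity refused: " + systemId);
            }
        });
        return builder;
    }

    // Returns true if the document parsed, false if the resolver rejected it.
    static boolean tryParse(String xml) throws ParserConfigurationException, IOException {
        try {
            hardenedBuilder().parse(new InputSource(new StringReader(xml)));
            return true;
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("inline external entity parsed: " + tryParse(INLINE_ENTITY));
        System.out.println("external DTD parsed:          " + tryParse(EXTERNAL_DTD));
        System.out.println("plain document parsed:        " + tryParse("<foo>plain</foo>"));
    }
}
```

On Xerces-based parsers (the JDK's included), factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true) rejects any DOCTYPE outright and is the stricter choice when the application never needs DTDs.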
No, but dividing things into smaller pieces makes it easier to fix those pieces in isolation.
The nice thing with computer software, is that you can keep subdividing until you reach a collection of single bits. Repairing a single bit is very easy, so there you go.
Since the article mentions Microsoft's attempts to undermine competing businesses, here's an interesting link to the European Committee for Interoperable Systems' (ECIS) article "Microsoft: A History of Anticompetitive Behavior and Consumer Harm" (PDF): http://www.ecis.eu/documents/Finalversion_Consumerchoicepaper.pdf Published on 2009-03-31. Required reading. :-)
Astronomical? Like in millions of millions of stars?
If you compare to Oslo, the capital of Norway, the closest neighbour to Sweden, the four guys have been sentenced to pay the price of a big house each (that is: four houses in total, in case I get the wording wrong) in the second most expensive part of the city. It's a lot of money (a lot!), but hardly astronomical.
"Kinder Capitalism" is "you can have my teddy bear for ten lollipops". The kind of dealing that takes place in a Kindergarten.
For the record: The CTO of Opera Software, Håkon "howcome" Wium Lie, is the father of CSS.
Rated "funny", but should have been "insightful".
Thanks, mate. I find the term quite stupid, and you explained why in a way that most geeks can understand. Again, thanks.
Eh, could someone please define the term "hardware firewall"?
PIE? That would be approx. 3.141592654 * 2.718281828, which is 8.53973422235.
At least in a case insensitive world.
They probably make paper themselves.
(Also, why do all these misguided technophobe posts always get modded up first? I thought this was a site for technology enthusiasts.)
I'm sure all of them will be extremely enthusiastic about my new uber-cool, super high tech suicide machine.
Yes. You should immediately dial 555-23-4789. Upon hearing the beep, please state in a clear voice your name, address, social security number and credit card number, and we will get back to you as soon as possible to help resolve the problems.
I found this one quite interesting: http://www.viguard.com/en/news_view.php?num=88
Have no idea about the truth, though.
No software with the complexity of modern browsers is secure. What is more interesting than counting the number of vulnerabilities, is watching how seriously the vendors treat the vulnerabilities in their products. IIRC, Opera has been very quick in fixing the holes that have been found in their browser. Compare that to the many months Microsoft have spent NOT fixing critical stuff in IE, and you will understand which one of those products I would use if Mozilla/Firefox wasn't around.
When run through my first-order, Java-based GarbageGenerator, I get this:
Because at any level of our TCO than many customers from Unix is one
of, it does it cost of the right newsgroup to Windows and larger group
that's available off of fully flexible, onto the marketplace and
technology to deliver that as an administrator, that's how
comprehensive support from risk model, we say hey, because no one
piece underneath both of business value to design and that's what
could be hiring it in terms of other thing frequently get by licensing
model that face, what that we hear from the early nineties, such as
how we look at the Unix and the end of saying hey look at the products
both TCO on this is that they've continued to offer an industry-wide
problem.
And so they see maybe give you might read in mission-critical way, so
then Yankee talked about how we quantify, and reference models in way
to decide to work load. Microsoft have more from 25 days between 100
to create value. So, more importantly, one thing frequently get some
other thing get 30% greater TCO and methodology and look how we've
done their pains over five-year period of different than Linux and the
word Linux. So I'm buying then bringing that cost of our architecture,
it's about the Platform Strategy, and testing, when we really
understand how do find areas to grow, and methodology and open-source
model, but that say by products Linux as well we quantify, more secure
identity management layer, what that has been different. There is.
The other thing they're gathering out there that they'd like to be on
non-commission basis where we are there have deployed, Windows. And
maybe you spent lot of software there than something that spoke about
week month outside of the vendor support and spend quite few companies
like hardware and play different open-source technologies, yes, your
software operating system and Open Source Technology Analysis Center
here really this type of people are contributing in terms of tests to
understand all your IT organizations to 20% savings for customer
perspective, security you should be able to say, there is definitely
not just matter of this is definitely not quite different than just
saying the directives are few topics that arise around in this is
continual ways to provide our server.
Martin Taylor think are here in marketplace for security audit, and
the proof point in certain level of software acquisition cost of
integration, support. About how to give some clarity on really selling
is we do find the application that really hire it every single one
thing that we'll be fully understand when we have much burden, think
it. Some of the other thing that as when we talked to customer
environment. Although this isn't just Microsoft. Mainly the things
very excited about that Microsoft has participated and level problem
you're willing to, hardware. So let me how you build anything arise
around just the world on this would not completely sure that suit
against wall full of Unix and development model and know that against
four-year-old USB device drivers. There are and definitely not just
some of technology, Martin Taylor think there are over five-year
period just kernel.org, it's important comparative point that
customers that can get some level interoperability. Commercial
distribution. Some of how they're gathering out of the little wizards
and, both developed, and turn them through promoting open source. That
being said for just matter to happen.
You can use Linux, Tomcat, PostgreSQL and Java with no pain, except for the pronunciation of the acronym.
Nothing to see here.
Unless you try to implement a compatible Basic compiler/interpreter. Mono comes to my mind...
Here's what Mr. Bruce has to say: http://www.bruce-campbell.com/projects/evil-dead-4.htm