Google's PHP performance tips – What about security?

June 25, 2009

Today Travis Biehn posted a link to the Full Disclosure mailing list leading to Google's “PHP performance tips”.

Don’t copy variables for no reason.

Sometimes PHP novices attempt to make their code “cleaner” by copying predefined variables to variables with shorter names. What this actually results in is doubled memory consumption, and therefore, slow scripts. In the following example, imagine if a malicious user had inserted 512KB worth of characters into a textarea field. This would result in 1MB of memory being used!

$description = $_POST['description'];
echo $description;

echo $_POST['description'];

Complement from me:

echo htmlspecialchars($_POST['description'], ENT_QUOTES);
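
Why ENT_QUOTES belongs in that call, as an added example (not from the original post or from Google's article): the helper names `e()` and `breaks_attribute()` and the form markup are assumptions, and the input is a constructed copy of the payload quoted further down this page.

```php
<?php
// Added example, not from the original post or Google's article.
// Constructed input: the payload shape quoted further down this page.
$_POST['description'] = '"><SCrIPT>alert("Yes, I\'m vulnerable to XSS")</SCrIPT>';

// Hypothetical helper: escape a request value for HTML element content or
// a quoted attribute value.
function e($value, $flags = ENT_QUOTES)
{
    // description[]=x makes PHP deliver an array; never echo that blindly.
    if (!is_string($value)) {
        return '';
    }
    // ENT_SUBSTITUTE (PHP >= 5.4) replaces invalid byte sequences instead
    // of making htmlspecialchars() return an empty string.
    return htmlspecialchars($value, $flags | ENT_SUBSTITUTE, 'UTF-8');
}

// Assumed check: does the escaped text still contain the delimiter of the
// attribute it is about to be written into?
function breaks_attribute($escaped, $delimiter)
{
    return strpos($escaped, $delimiter) !== false;
}

$raw = isset($_POST['description']) ? $_POST['description'] : '';

$variants = array(
    'ENT_NOQUOTES' => ENT_NOQUOTES, // encodes & < > only
    'ENT_COMPAT'   => ENT_COMPAT,   // also ", the default before PHP 8.1
    'ENT_QUOTES'   => ENT_QUOTES,   // also ', as in the post above
);

foreach ($variants as $name => $flags) {
    $out = e($raw, $flags);
    printf(
        "%-12s value=\"...\": %-6s value='...': %-6s %s\n",
        $name,
        breaks_attribute($out, '"') ? 'BREAKS' : 'safe',
        breaks_attribute($out, "'") ? 'BREAKS' : 'safe',
        $out
    );
}

// Element content is safe with all three flags because < and > are always
// encoded; the quote flags only matter inside attribute values.
echo '<textarea name="description">' . e($raw) . "</textarea>\n";
```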



SQL Injection:

June 21, 2009

Uhhh, that’s nice…

I’ve tried to send an email to ‘’ which is linked to the contact button, but all I got back was this:

Final-Recipient: rfc822;
Action: failed
Status: 5.7.1
Diagnostic-Code: smtp;550 5.7.1 RESOLVER.RST.AuthRequired; authentication required

A whois on this domain shows me the email address. So I have sent a quick notice to her. Let’s see if I will get an answer…



June 21, 2009

I had a little break, and found a new shop with XSS holes in it:

I’ve sent an email to them…


Internet censorship in Germany

June 21, 2009

Germany is on the verge of censoring its Internet: The government – a grand coalition between the German social democrats and conservative party – seems united in its decision: On Thursday the parliament is to vote on the erection of an internet censorship architecture.

The Minister for Family Affairs Ursula von der Leyen kicked off and led the discussions within the German Federal Government to block Internet sites in order to fight child pornography. The general idea is to build a censorship architecture enabling the government to block content containing child pornography. The Federal Office of Criminal Investigation (BKA) is to administer the lists of sites to be blocked and the internet providers obliged to erect the secret censorship architecture for the government.

The Dawning of Internet Censorship in Germany

*no comment*

EDIT: Here is the ePetition System of the German government: Internet – Keine Indizierung und Sperrung von Internetseiten

Isn’t it funny that they use SMF 1.1.9 to build an e-Petition system? Maybe someone should have a closer look at it… 😉



June 21, 2009

New blog, new XSS…
Today I found an internet shop which is doing a lot of comment spamming in blogs etc… ->
It did not take long to find an XSS hole in the registration page:
Just post

Or enter
"><SCrIPT>alert("Yes, I'm vulnerable to XSS")</SCrIPT>
into the input box you want it to be in.

And no… I will not give damn spammers a link to their website, you have to copy & paste… And in this case I will not send a notice to the administrator. He has enough to do with spamming etc., I don’t want to disturb him…