NETTUTS.com: Can You Hack Your Own Site? A Look at Some Essential Security Considerations
by Chris Cornutt July 22, 2008 @ 12:57:07
On the NETTUTS.com website, there's a great article with some "essential security considerations" that you can use to see just how hackable your site could be.
This article walks through the brainstorming stage of planning for what is, in this instance, a hypothetical user-centric web application. Although you won't be left with a complete project, nor a market-ready framework, my hope is that each of you, when faced with future workloads, may muse on the better practices described. So, without further ado... Are you sitting comfortably?
The tutorial is broken up into a few sections built around an example (a book information site) with a few points of failure. They work through the thought process behind the code: using the $_REQUEST variables correctly, preventing SQL injection, and filtering the HTML output, with a sample code download so you can see how it's all tied together.
security consideration hack tutorial sqlinjection filter output input
Developer Tutorials Blog: Hacking Wordpress When You've Forgotten Your Password
by Chris Cornutt May 22, 2008 @ 12:58:57
The Developer Tutorials blog has an article posted today about how you can "hack" your WordPress installation if you happen to forget the password for your account:
Do you have multiple Wordpress self-hosted blogs? If so, you've likely run into a scenario where you just can't remember your password. With Wordpress 2.5 and 2.5.1 there's an annoying bug that sometimes generates passwords that don't work when you click the "Forgot Password" option. [...] Wordpress resets the password internally (in the MySQL database) but the link that it sent you to activate that password fails to connect with the database effectively locking you out of your blog. In this scenario, at least for me, all the potentially viable solutions lead to dead ends.
His six-step process involves an external script (use with caution, and read the source before running it) that reaches into your WordPress install, updates your admin account and sends out an email with the resulting password.
wordpress hack forgot password villageidiot script tool
CyberInsecure.com: Half-Million Sites Mostly Running PHPBB Forum Software Hacked In Latest Attack
by Chris Cornutt May 13, 2008 @ 14:04:38
According to the CyberInsecure.com website around a half-million websites running PHPBB were hacked in a large coordinated effort.
More than half a million websites have been compromised in a new round of attacks that hacked domains in order to infect unsuspecting users' PCs with a variety of trojans. This ongoing campaign includes new malware hosting domains and new trojan variations. All of the sites are running older or misconfigured versions of "phpBB," an open-source message forum manager. Popular open-source applications like phpBB tend to be targeted often by mass scanning and exploiting tools.
The hack redirected visitors through several steps, ultimately ending up on a page that tried to take advantage of flaws in older Internet Explorer and RealPlayer versions. The article talks about exactly which pieces of malware could have caused the problems and the wide range of sites (both in topic and location) that were affected.
The best way to protect yourself and your phpBB install from something like this is to run the latest version of the software and learn how to configure it correctly.
phpbb forum software attack hack redirect vulnerability
ReadyToBeServed.com: Web Host May Ask Client To Cover Cost Of Hack
by Chris Cornutt August 14, 2006 @ 08:03:39
According to this new article on ReadyToBeServed.com, a flaw in the PHPNuke software allowed a malicious user access to a shared server, causing all sorts of headaches for both the hosting company and the other customers hosted on that machine.
A Wellington, New Zealand, Web hosting company may seek compensation from a client that it claims is responsible for the worst hacking attack in the company's history. IServe blames lax security on their client's part for the hacking job that resulted in the defacing of hundreds of Websites.
The hack forced iServe to shut down all its FTP servers for 28 hours, while it replaced many of its customers' websites with back-ups that were made a few days before the incident.
Joy Cottle, iServe's general manager estimates the problem cost about $20,000 to repair. Clients with dedicated servers were not affected by the hack.
They report that the attack happened because of a flaw in the content management system that allowed the attacker to overwrite the websites of other customers on the same machine. The hole was one found in the older version of PHPNuke the customer had uploaded, and the host is even considering trying to recoup some of the costs from that customer.
Due to the incident, iServe is now considering banning clients from running PHPNuke.
hack phpnuke security hole overwrite ban
PHP Security Blog: phpBB mass hack in preparation?
by Chris Cornutt March 27, 2006 @ 07:14:55
In relation to this message found on a newsgroup last Monday (03.20.2006), Stefan Esser has this new post on the PHP Security Blog with his opinions on "FuntKlakow" and the situation.
During the last days a lot of blog entries, forum posts and even articles in IT magazines were made about a potential phpBB mass hack in preparation. From what is reported it seems to me that FuntKlakow is only a spambot and that the whole situation is a little bit overhyped. In the end it seems enough to enable the visual confirmation in the registration form (captcha) to keep FuntKlakow out, although the captcha is so bad that it should not be hard to break it.
Despite the comment made above, he doesn't suggest dismissing the issue just yet. It's quite possible that FuntKlakow's appearance as a mere spam bot is a deception, and that it could turn into a massive tool that lets some developer out there flip a switch and gain server-level access to a huge number of machines across the world.
Stefan also briefly mentions a patch he submitted to the phpBB team for the signature_bbcode_uid remote code execution vulnerability, which the team did not use. Instead, an internal patch was applied that still didn't quite cover the issue.
php security phpbb mass hack FuntKlakow patch