
NETTUTS.com:
Can You Hack Your Own Site? A Look at Some Essential Security Considerations
July 22, 2008 @ 12:57:07

On the NETTUTS.com website, there's a great article with some "essential security considerations" that you can use to see just how hackable your site could be.

This article walks through the brainstorming stage of planning for what is in this instance, a hypothetical user-centric web application. Although you won't be left with a complete project, nor a market ready framework, my hope is that each of you, when faced with future workloads, may muse on the better practices described. So, without further ado... Are you sitting comfortably?

The tutorial is broken up into a few sections built around an example application (managing book information) that has several points of failure. They work through the thought process behind the code: using the $_REQUEST variables correctly, preventing SQL injection, and filtering the HTML output, with a sample code download so you can see how it's all tied together.




Developer Tutorials Blog:
Hacking Wordpress When You've Forgotten Your Password
May 22, 2008 @ 12:58:57

The Developer Tutorials blog has an article posted today about how you can "hack" your WordPress installation if you happen to forget the password for your account:

Do you have multiple Wordpress self-hosted blogs? If so, you've likely run into a scenario where you just can't remember your password. With Wordpress 2.5 and 2.5.1 there's an annoying bug that sometimes generates passwords that don't work when you click the "Forgot Password" option. [...] Wordpress resets the password internally (in the MySQL database) but the link that it sent you to activate that password fails to connect with the database effectively locking you out of your blog. In this scenario, at least for me, all the potentially viable solutions lead to dead ends.

His six-step process involves an external script (use with caution, and read the source before you run it) that reaches into your WordPress install, updates your admin account and sends out an email with the resulting password.



CyberInsecure.com:
Half-Million Sites Mostly Running PHPBB Forum Software Hacked In Latest Attack
May 13, 2008 @ 14:04:38

According to the CyberInsecure.com website, around a half-million websites running phpBB were hacked in a large coordinated effort.

More than half a million websites have been compromised in a new round of attacks that hacked domains in order to infect unsuspecting users' PCs with a variety of trojans. This ongoing campaign includes new malware hosting domains and new trojan variations. All of the sites are running older or misconfigured versions of "phpBB," an open-source message forum manager. Popular open-source applications like phpBB tend to be often targeted by mass scanning and exploiting tools.

The hack redirected visitors through several steps, ultimately ending up on a page that tried to take advantage of errors in older Internet Explorer and RealPlayer versions. The article talks about exactly which viruses could have caused the problems and the wide range of sites (both in topic and location) that were affected.

The best way to protect yourself and your phpBB install from something like this is to run the latest version of the software and learn how to configure it correctly.



Chris Hartjes' Blog:
WordPress 2.1 and Mint
January 31, 2007 @ 18:51:13

If you're both a WordPress and Mint user and want to integrate them the easy way, check out this new entry from Chris Hartjes about combining the two.

Now, the installation is fairly easy but there was a weird bug that was appearing, where a check to see if you are running a licensed copy of Mint kept getting triggered when I tried to access my feeds via a feed alias. The solution? An ugly hack, if you ask me.

The problem was with a Pepper (add-on) for Mint called Bird Feeder Pepper that helps track RSS feed usage. The solution he found was a snippet of PHP code that you'll need to insert into several of the feed scripts WordPress ships with.



Jacob Santos' Blog:
Zend Framework Hackish Include Path Solution
October 02, 2006 @ 13:18:50

Jacob Santos was having a problem with the Zend Framework. It couldn't find its own files. So, he's come up with a hack that helps mod_php users to avoid the problem.

I've had a problem with Zend Framework not being able to find its files, which is usually not good. The "workaround" of adding the realpath works, but would be overwritten when updating. Besides, going through the files just to add realpath locations is a hassle.

The php_value only works with mod_php, so good luck if you are running PHP using CGI/FastCGI. Actually, you'll have no luck, because it won't work using CGI.

Essentially, it uses the ini_set function to define the correct include path. Check out the comments of the post for some other suggestions.



PHPKitchen:
Getting Zend Debugger Working on a Macbook Pro
August 28, 2006 @ 07:56:55

On PHPKitchen, Demian Turner shares exactly how he managed to get the Zend Debugger up and working on his MacBook Pro.

Okay, there is some considerable hacking involved to get this working, and the solution is only a workaround until "sometime before the end of 2006", which was quoted to me by Zend as the time they expect to get the Zend debugger working for the mactel platform. No rush there guys.

His solution involved using Parallels Desktop, Zend Studio, a hack on the installer to get it working, ensuring it finds the right php.ini (a problem he had) and customizing the setup to work with the buttons of your choosing.



ReadyToBeServed.com:
Web Host May Ask Client To Cover Cost Of Hack
August 14, 2006 @ 08:03:39

According to this new article on ReadyToBeServed.com, a flaw in the PHPNuke software allowed a malicious user access to a server, causing all sorts of headaches for both the hosting company and the other customers hosted on that machine.

A Wellington, New Zealand, Web hosting company may seek compensation from a client that it claims is responsible for the worst hacking attack in the company's history. IServe blames lax security on their client's part for the hacking job that resulted in the defacing of hundreds of Websites.

The hack forced iServe to shut down all its FTP servers for 28 hours, while it replaced many of its customers' websites with back-ups that were made a few days before the incident.

Joy Cottle, iServe's general manager estimates the problem cost about $20,000 to repair. Clients with dedicated servers were not affected by the hack.

They report that the attack happened because of a flaw in the content management system that allowed the user to overwrite the websites of other customers on the machine. They are even considering trying to recoup some of the costs from the customer that allowed it to happen. The hole was one found in the older version of PHPNuke the customer had uploaded.

Due to the incident, iServe is now considering banning clients from running PHPNuke.


PHP Security Blog:
phpBB mass hack in preparation?
March 27, 2006 @ 07:14:55

In relation to this message found on a newsgroup last Monday (03.20.2006), Stefan Esser has this new post on the PHP Security Blog with his opinions on "FuntKlakow" and the situation.

During the last days a lot of blog entries, forum posts and even articles in IT magazines were made about a potential phpBB mass hack in preparation. From what is reported it seems to me that FuntKlakow is only a spambot and that the whole situation is a little bit overhyped. In the end it seems enough to enable the visual confirmation in the registration form (captcha) to keep FuntKlakow out, although the captcha is so bad that it should not be hard to break it.

Despite the comment made above, he doesn't suggest dismissing the issue just yet. It's quite possible that the "deception" of FuntKlakow being a spam bot is just that, and it could turn into a massive tool for some developer out there to flip a switch and have a huge amount of server-level access across the world.

Stefan also briefly mentions a patch that he submitted to the phpBB team concerning an issue with the signature_bbcode_uid remote code execution exploit - which wasn't used. Instead, an internal patch was applied that still didn't quite cover the issue.



Issociate.de Newsreader:
phpBB mass-hack being prepared?
March 20, 2006 @ 07:51:03

In this posting included on the Issociate.de site's Newsreader, there's talk of a "massive phpBB hack" that might be taking place.

During the last few days a bot using the name FuntKlakow has been registering to at least hundreds (maybe thousands) of phpBB forums.

Ok, what is the danger? Next time phpBB announces a critical vulnerability, the bot would have everything ready (just a post click away) for attacking thousands of sites/forums.

It's an interesting situation and, as suggested in some of the comments on this digg post, it will be interesting to see what happens. It is a little odd for that many items to come up on a search for the name that are only profiles for phpBB boards, especially given phpBB's track record...





All content copyright, 2008 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework