A great Web Hosting Company
posted by Kelly Web Services @ 12:15pm, Sunday 23rd November 2008.
Kelly Web Services now recommends the best web hosting company on the net, Host Monster. We have referred many customers to this hosting company. Every single one is completely satisfied. We highly recommend that you sign up with them today. Their fees are extremely low priced, only 5.95 per month.
Exploiting PHP_SELF *Security*
posted by Kelly Web Services @ 4:53am, Tuesday 15th January 2008.
I found a very interesting article about protecting against PHP_SELF exploits. I thought it might be a good idea to gather a few test cases demonstrating the problem. Why PHP allows these URLs is beyond me, and it wouldn't take much work to filter out these malicious URLs in the PHP code.
For any of you who don't know, it's possible to inject code into PHP_SELF. It works by supplying a "/" after the actual PHP file and then entering your desired code, because PHP_SELF carries the extra path (PATH_INFO) along with the script name. I've done 4 test cases which show how it's possible to inject JavaScript and perform a redirect on code which doesn't filter PHP_SELF correctly.
Test case 1
Injects data into an HTTP header. Although this scenario is not very likely, I thought I would include it to show that even running htmlentities or htmlspecialchars won't save you from attack completely, since HTML escaping does nothing for a header context.
Test case 2
Shows how easy it is to inject XSS into links. This is very likely, as many PHP applications often refer to the same page to change the current action/display.
Test case 3
A search page often includes references to PHP_SELF and can be exploited as easily as links.
Test case 4
Finally, I show how code can be injected directly on the page without the need to break out of anything, since the value is echoed straight into the page body rather than inside an attribute.
The test cases can be downloaded here:-
Test cases
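The link pattern from test case 2 and the redirect from test case 1, shown vulnerable and hardened, as an added example that is not part of the original post or its downloadable test cases. It runs from the PHP CLI against a constructed $_SERVER-style array; the request path in it is a constructed sample, not a real payload.

```php
<?php
// Added example: vulnerable and hardened handling of PHP_SELF.

// Vulnerable (test case 2): PHP_SELF includes anything appended after the
// script name (PATH_INFO), and it is echoed raw into an href attribute.
function link_unsafe(array $server) {
    return '<a href="' . $server['PHP_SELF'] . '?action=edit">Edit</a>';
}

// Hardened: SCRIPT_NAME holds only the script path, never the appended
// path, and htmlspecialchars() with ENT_QUOTES neutralises quotes and
// angle brackets should the value ever be populated unexpectedly.
function link_safe(array $server) {
    $self = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<a href="' . $self . '?action=edit">Edit</a>';
}

// Hardened redirect target (test case 1): HTML escaping is the wrong tool
// for a header, so the value is built from SCRIPT_NAME and anything that
// could split the header (CR/LF) is refused outright.
function redirect_target_safe(array $server) {
    $self = $server['SCRIPT_NAME'];
    if (preg_match('/[\r\n]/', $self)) {
        return '/';
    }
    return $self . '?done=1';
}

// Constructed request: the script is /index.php and the browser asked for
// /index.php/"><i>injected</i>, which the web server passes as PATH_INFO.
$server = array(
    'SCRIPT_NAME' => '/index.php',
    'PHP_SELF'    => '/index.php/"><i>injected</i>',
);

echo link_unsafe($server), "\n";          // attribute closed early, tag lands in page
echo link_safe($server), "\n";            // plain link to /index.php
echo redirect_target_safe($server), "\n"; // header value without PATH_INFO
```

The first line of output shows the attribute broken open by the appended path; the hardened versions never see the appended path at all.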
PHP 6
posted by Kelly Web Services @ 10:50am, Thursday 10th January 2008.
Taking a look at PHP 6
While most web hosts are still in the PHP 4 era, the PHP developers are already planning and working on PHP 6. Let's have a look at what's been keeping them busy.
Unicode support
When you're creating a website, you hardly have to think about the character encoding. You only have to decide how you tell the user agent what encoding you're using, but with a little help of Apache's
PHP has already been in use for a long time, creating a big user base, but also a lot of bad habits. Bad habits often result in slow scripts or even security holes. But these bad habits are not always caused by the developer. Of course, he (let's just assume we're dealing with a stereotype developer here for simplicity's sake) is the one who's using it in his application, but sometimes the developer is not even aware he's using it.
I'm, of course, talking about the register_globals [php.net], magic_quotes [php.net] and safe_mode [php.net] functions. These three functions are hell for every PHP programmer, so I'm sure everyone will be happy to hear that these functions will disappear in PHP 6.
In other related cleanup news, register_long_arrays and the long versions of the superglobals like $HTTP_COOKIE_VARS are also gone in PHP 6. The same goes for zend.ze1_compatibility_mode, which dealt with the backwards compatibility of PHP 5 classes.
Alternative PHP Cache
Caching is a very good way to improve the performance of an application. That's why there was a large demand for a good opcode cache in the default distribution of PHP. And when there's a demand, there's probably also a person or a group to meet that demand. The result is APC [php.net]: Alternative PHP Cache. Of course, APC was already available a long time ago (01-07-2003), but the PHP developers have decided to include this extension in the core as the default caching framework.
OO Functionality
The improved OO model was probably the biggest improvement to PHP in version 5.0. PHP 6 tries to improve this even further by adding namespaces. If you're familiar with XML's namespaces or maybe C++, you will probably have an idea of how namespaces work. If not: namespaces can group variables, functions or objects under a certain name. This allows the developer to use the same name for a variable, function or object multiple times. In case you'd like to learn more about the possibilities of namespaces, I find this C++ tutorial [cplusplus.com] about namespaces quite useful.
Changes to the extensions
PHP is basically a collection of extensions which are all put together to form what we have now. However, these extensions change, and so does the collection. Take, for instance, the XML Writer extension, a great extension to write XML files. Its brother, XML Reader, was already added and enabled in the core distribution in PHP 5.1, and now XML Writer will follow its example in PHP 6, forming a great duo to easily work with XML files.
Another change in the core distribution is the removal of the ereg regular expressions library, which is going to be made an extension. ereg is currently used as a competitor of PCRE (preg_match, etc.), but apparently it's causing some problems. Therefore, the developers decided to remove it from the core and make it an extension.
Yet another change we see is the Fileinfo extension, which will be dealing with media type detection. At the moment, media type detection isn't very good in PHP. We have the mime_magic [php.net] extension, but that isn't really reliable. So in PHP 6, the Fileinfo extension will take over mime_magic's place and become part of the core, while mime_magic will be moved from the core and made into an extension.
So we've seen quite a few interesting changes so far. To me, PHP 6 doesn't really look like a massive feature update, but more like a big cleanup while improving a lot of existing functions along the way. And I think that's good! I'm working with PHP on an almost daily basis, and looking at the things noted above, I'm only seeing improvements. So hopefully developers of popular applications like phpBB [phpbb.com] will make their applications work properly on PHP 5, making it easier for web hosts to switch their servers to PHP 5. But at the current state of PHP 5 support, I don't see PHP 6 becoming widely adopted if it were released today. So hopefully this will change by the time PHP 6 is released.
Source: slashdot
