Cross Site Scripting is a topic you currently read about a lot. That is no wonder, as every day new web services appear to catch some of the fame and traffic of web 2.0. Often they push the product out of the pipe as soon as possible, and security is at that moment just secondary (if they care about it at all). After the release of the product, the motivation to hunt XSS flaws is minimal (I know this myself from bug hunting). And when you send them an email about it, it seems from time to time that they don’t even care when they get notified about some XSS flaw (see for what I mean).

What are XSS flaws?

As enough has already been written about XSS flaws, I’ll keep this short. An XSS flaw occurs when a PHP script (or a script in some other language) uses a user submission without further checking, or when the checking relies only on client-side verification through JavaScript or similar. The submitted code is then output to the user again, where the JavaScript can read out cookies and send them to an attacker.
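The flaw described above, written out as an added example (this is not code from the original post; the function names are hypothetical and the sample input is constructed): the same "echo the submitted value back" pattern once unchecked and once encoded for the HTML context at the point of output, which is the server-side fix that client-side JavaScript checks cannot replace.

```php
<?php
// Added example, not code from the original post. Function names are hypothetical.
// It shows user input echoed back unchecked next to the server-side fix:
// encoding the value for the HTML context on output.

// Vulnerable: the submitted value is concatenated straight into the HTML,
// so any markup or <script> inside it is executed by the visitor's browser.
function greet_unsafe(string $name): string
{
    return '<p>Hello, ' . $name . '!</p>';
}

// Hardened: encode for the HTML context at the point of output.
// ENT_QUOTES covers both quote characters (needed inside attribute values),
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently emptying the output,
// and the charset must match what the page declares.
function greet_safe(string $name): string
{
    $encoded = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<p>Hello, ' . $encoded . '!</p>';
}

// Client-side JavaScript validation on its own is no protection: the request
// can be sent without the browser form, so the server still has to encode.
// Constructed sample input, the sort of value that would arrive via ?name=...
// (in a web handler this would be $_GET['name']).
$submitted = $argv[1] ?? '<script>alert("xss")</script>';

echo 'Unsafe: ', greet_unsafe($submitted), PHP_EOL;
echo 'Safe:   ', greet_safe($submitted), PHP_EOL;
```

htmlspecialchars() is the right tool only for the HTML body and attribute contexts; a value placed inside a JavaScript block or a URL needs the encoding of that context instead. Marking the session cookie with the httponly flag of setcookie() limits what injected script can read, but it is a damage limiter, not a replacement for output encoding.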

Persistent and Non-Persistent XSS

Tags: Cross Site Scripting, Vulnerable code, XSS

Some of you may have noticed that I joined the team of BlogSecurity (BS). I found that site just after its release, and I had some luck to discover David Kierznowski’s website before (which led me to BlogSecurity). My first contribution was just to give my opinion about the themes covered at BS, as well as submitting new flaws found within WordPress. David asked me if I would like to join his team and I agreed, as I have always been interested in the security area. After some discussions about what we can do, I started working on the first plugin for BS.
The aim of the WP Prefix Table changer is to change your WordPress table prefix from wp_ to something different, which should be as random as possible, to hinder SQL injections by attackers who do not know your table names. Or at least it improves security, as no 100% guarantee can be given. The tool automatically changes your table prefixes to the new value you give, as well as some hardcoded values within the tables. If possible the wp-config.php file is updated as well; if that’s not possible you get all the information needed to change it manually.
With that tool it’s quite easy to improve your security and keep at least this area quite secure: if something should ever cause a wp-database error and you saw it or got notified, you can change the prefix in the same step as you fix the reason for the problem.
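As an added example of what such a prefix change involves (this is not the BlogSecurity plugin’s own code; the table list is constructed, the function names are hypothetical, and it assumes PHP 7.1 or later): the tables are renamed, the row values that carry the prefix inside them are updated, and the $table_prefix line of wp-config.php is rewritten, with the SQL returned as strings so it can be reviewed before it is run.

```php
<?php
// Added example, not the BlogSecurity plugin's own code. Function names are
// hypothetical; the table list and config line at the bottom are constructed.

// A prefix is an SQL identifier, so restrict it to [a-z0-9_] and reject anything
// else before it is ever placed inside a statement.
function valid_prefix(string $prefix): bool
{
    return (bool) preg_match('/^[a-z][a-z0-9_]*_$/', $prefix);
}

// Random prefix from a CSPRNG (random_int), starting with a letter, ending in '_'.
function random_prefix(int $length = 8): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789';
    $out = $alphabet[random_int(0, 25)];            // first character must be a letter
    for ($i = 1; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $out . '_';
}

function prefix_change_sql(array $tables, string $old, string $new): array
{
    if (!valid_prefix($old) || !valid_prefix($new)) {
        throw new InvalidArgumentException('prefix must match [a-z][a-z0-9_]*_');
    }
    $sql = [];
    foreach ($tables as $table) {
        if (strncmp($table, $old, strlen($old)) !== 0) {
            continue;                               // not one of this site's tables
        }
        $sql[] = sprintf('RENAME TABLE `%s` TO `%s`;', $table, $new . substr($table, strlen($old)));
    }
    // WordPress also stores the prefix inside row values: the option holding the
    // role definitions and the per-user capability/level keys in usermeta. LEFT()
    // is used instead of LIKE so the '_' in the prefix is not read as a wildcard.
    $len = strlen($old);
    $sql[] = sprintf("UPDATE `%soptions` SET option_name = '%suser_roles' WHERE option_name = '%suser_roles';",
        $new, $new, $old);
    $sql[] = sprintf("UPDATE `%susermeta` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE LEFT(meta_key, %d) = '%s';",
        $new, $new, $len + 1, $len, $old);
    return $sql;
}

// Rewrite the $table_prefix line of wp-config.php; returns null when the line is
// not found, so the caller can fall back to telling the user to edit it by hand.
function rewrite_config(string $config, string $new): ?string
{
    if (!valid_prefix($new)) {
        return null;
    }
    $updated = preg_replace('/^(\s*\$table_prefix\s*=\s*)([\'"])[^\'"]*\2(\s*;)/m',
        '${1}$2' . $new . '$2$3', $config, 1, $count);
    return $count === 1 ? $updated : null;
}

// Constructed sample: a default WordPress table list plus one unrelated table.
$tables = ['wp_options', 'wp_posts', 'wp_users', 'wp_usermeta', 'other_app_data'];
$new = random_prefix();
foreach (prefix_change_sql($tables, 'wp_', $new) as $statement) {
    echo $statement, PHP_EOL;                       // review, then run e.g. via $wpdb->query()
}
echo rewrite_config("<?php\n\$table_prefix = 'wp_';\n", $new) ?? 'update wp-config.php manually', PHP_EOL;
```

Take a database backup first, and keep the two updates after the renames, since they address the tables by their new names. A random prefix only hides the table names; an attacker who can already run arbitrary queries can still enumerate them, so treat the change as defence in depth alongside fixing the injection itself.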
If you like the plugin, let us know. Also comment if you dislike something or want something added.

PS: Add BlogSecurity to your favourite websites, as we just started to improve the wp-community security! The next plugin is coming soon!

Tags: BlogSecurity, Security, SQL Injection, Table Prefix, Wordpress

As phpBB 3 comes closer, I’ll start porting Bad Behavior to phpBB 3. The first release will be available at the end of April.
phBad Behave 2 for phpBB 2.0.x will only be supported until the end of the year (at most), which means only bug fixes and updates to the latest version of Bad Behavior. For the phpBB 3 version some new features will be built in. Maybe some Ajax, mostly features which make working with it easier.
Do you have any wish which shall be implemented? Feel free to comment about it here.

Tags: Bad Behavior, phBad Behave, phpBB

I just uploaded the latest BETA version of phBad Behave, which is working well although I currently didn’t add an admin panel, nor is the Install.mod file the best one :( . Anyway I recommend that you already prefer this version, as it blocks a lot more than the old phBad Behave.

The current version can be grabbed here.
Please report any problems with it.

A long time has passed since the last update of PhBad Behave, as well as since the tries to get PhBad Behave 2 working, but now I’m proud to announce the first public beta of PhBad Behavior. It’s really just an early beta, and mostly just blocks the spammers. Other parts like the admin panel will follow in the next time. Please feel free to install it on your forums and send me back your experience with it.
Does it work better than the first one, or worse? Is it easy to install, and clearly described?

You can grab it here. (The current version is based on Bad Behavior 2.0.8.)

Edit: There’s currently a problem which can cause problems with postings and registration, therefore it’s not recommended to use the software on your website.

After a long time without any progress, I was able to start working on phpbbBad Behave 2. I currently run it on my forum for testing, to see if it protects the admin and if everything is working as it’s supposed to. I hope that a public release will follow soon.

I just finished my latest work: the implementation of Bad Behavior for phpBB 2. And it’s working just fine, except that one spammer who spams manually, or just in an outstanding way, got through it. Anyway he is now blacklisted and won’t come in…
Yesterday, I released a new version of phpBB Latest Entries, which now lets you show avatars and show only posts which are below or at the same level you set (phpBB offers you some access levels for the forums depending on the user level). But as usual my test system was too new, or the test environment wasn’t close to the usual reality, so I did not hit these problems. But if you’re using the new version 1.0.6 the bugs are fixed.

After I read about the public release of the widgets sidebar, I couldn’t stop myself from creating one for it.
And after a night of the usual trial & error :) , I got it done.

Edit: the information page is now up here

It shows you the latest phpBB forum entries of your website within your weblog. It’s highly customizable; you can change nearly everything in the way you want it to be!
You can download it here. If you have any problems with it, post them to the forum or email me at poophil[at]

Happy playing!

A new version, which is still shown as v0.9, is out. Done are two small fixes which did fuck up (sorry for that word, but I didn’t have another one) the HTML; one is that for normal text spans the closing ” was forgotten, so the HTML code wasn’t valid.
I also updated the vb.cth file and added a few words: ByVal, ByRef, Select, Lib and Alias.
I also saw that I need to revise the posted tips a bit, which will be done soon.

