Archive for the “Homepage” Category

All about changes and progress for PhSoftware.de

In my two years of JS programming I’ve seen some weird things about browser behaviour, but the one I discovered yesterday tops them all. A JS class uses the document.createElement function in its Init function. The script works fine when built into one website, even with IE. But when the script is added to another website, IE complains that document.createElement isn’t supported by this object. An alert directly before the call is executed shows:
function createElement() {
[native Code]
}

But it still doesn’t work in IE.
Has anyone ever encountered that problem? I’m currently missing a solution, except for trying to create the HTML node manually.

Tags: document.createElement, IE, Js

Ever got comments you don’t understand because they’re in a language you can’t speak? Ever asked yourself why someone writes a comment in Russian on a post that is written in, let’s say, English, German, French or whatever? (I’m not talking about comments made on some .de, .fr or .ru blog in the matching language, where the owner of the blog speaks that language as well and a commenter could believe it better to write in their native language, since possible misunderstandings could be avoided through better knowledge of that language.)
What could be the reason to behave like that? In general they should be able to write some basic text in English, German or French, as it seems they can read the text well enough to add their own comment/opinion. So why don’t they do so?

Let’s try to get behind the reason. In the following I’ll show you how I handle comments in languages I don’t understand, using an example I received within the last day:

The Comment

So let’s take a look at the given comment (to avoid contributing to this spammer/hacker, I replaced some data):
1000 форумов 2 доллара 5000 форумов 8 долларов 10000 форумов 13 долларов 50000 форумов 50 долларов
Бонус предложение для тех кто закажет 20000 форумов через неделю повторная отправка
Рефпредложение: человек который приведет мне клиента будет получать 10% от заказа клиенка!!!
Обращаться в асю 3пять3-8шесть7-0ноль1 мыло mymail(гав)example.com

That one made me curious, as it contains quite a few numbers as well as an additional email address which doesn’t match the input in the Email field. Let’s check that comment by translating it into our native language or some language we understand.

Translating the Comment

In general I recommend translating it into your native language, as that is mostly the one you understand best. On the other hand, the chosen translator may not offer your language (or its dictionary is quite limited), or it’s not possible to translate between these languages directly.

You should avoid having the text translated more than once before it’s in a language you understand, as the general problem with automatic translations is that they don’t choose the best sentence structure and words. So after two or three translation steps you could end up with some nonsense text (which wouldn’t be any better). The best way may be to have it translated to English and, if you don’t understand some English words, to have those translated to your native language.

For the example above we would get something like this:
1000 forums 2 dollars of 5000 forums of 8 dollars of 10000 forums of 13 dollars of 50000 forums of 50 dollars the Bonus the offer for those who will order 20000 forums in a week repeated sending Рефпредложение: the person which will result to me the client will receive 10 % from the order клиенка!!! To address in асю 3пять3-8шесть7-0ноль1 soap mymail (гав) example.com
That makes quite a bit more sense now, doesn’t it? It seems that’s the price list for spamming forums; we even see that we get 10% of the profit from something!

Translate unknown words

Now we know quite surely that this is a spam comment, but as you can see, we still have some untranslated words, like клиенка (these can sometimes be important). So let’s have them translated as well; don’t we want to know how to receive our 10%?

If you’re using a good translator, you should have the option to have unknown words transliterated into the target language. So for our клиенка we would get something like: klienka, which sounds like client. Let’s guess that we receive 10% of the money the client pays for his contract.

Deciding: drop or keep?

Now you should have enough information to decide whether it’s a spam comment or a legit one. If it’s spammy, the decision shouldn’t be hard. If it’s a legit comment, I advise keeping the initial comment and adding the translation below it. If you like, you can improve the comment as well, but note explicitly where you made changes!

Some good online Translators

Where can I get my text translated to some other language?
Just search for “translate/translation from-language to-language” and you should find some useful results. A good translator is PROMT, where you can translate whole texts (not word-for-word translations) for some languages; another is Babelfish. If you need to get single words translated into your language, search for a dictionary for the given languages.

Conclusion

As you see, it’s better to check comments in other languages for spam as well (these will often pass the spam filter). If you can’t get the comment translated, it’s mostly better to hold the comment back or to drop it. From my point of view it’s better to have one or two legit comments fewer than to have one spammy one.

Tags: approve, Comment, Language, SPAM

I never thought about such a step myself, maybe because I have never encountered such a thing to date.
But if you run your own webspace you should never steal anyone’s content or bandwidth. As soon as the owner notices it, you can get into real problems: maybe he starts a lawsuit against you (you may have ignored copyright laws, and you caused additional costs for him through the bandwidth). And what happens if he simply replaces the content, or redirects your website to something which harms your visitors or blames you?

In the following WordPress topic you can read that someone linked to a JS file of Website_A. This JS is the output of a publicly and freely available WP plugin; the JS code even mentions that it’s generated by a plugin. But somehow the owner of Website_B was too lazy, or wanted to save some bandwidth, so he simply linked to this JS file on Website_A.
After the owner of Website_A recognized that someone was stealing his bandwidth, he created a mod_rewrite rule which redirected the request for this JS to another JS file. That file contained an alert box which appeared in front of the visitor and told him that this website steals traffic from another one. After one month the owner of Website_B discovered the JS change and removed the JS.

But it’s important to say that theoretically the owner of Website_A could have written any JS code into that file. So he could steal cookies of the users of Website_B or do anything else he liked; he could even start a phishing attack.
The owner of Website_B made his website vulnerable because he was too lazy to get the script itself.

Every good webmaster/site owner does not steal any content, as this is unethical and, maybe more important, dangerous!
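
An added example, not part of the original post or of the plugin discussed: a Python check that a site owner in Website_B’s position can run over his own pages to list every script loaded from a host he does not control. The host names and HTML are constructed, and the integrity (Subresource Integrity) attribute it looks for is not mentioned in the post.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class ScriptCollector(HTMLParser):
    """Collect (src, integrity) for every <script src=...> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "script" and attr.get("src"):
            self.scripts.append((attr["src"], attr.get("integrity")))


def audit_scripts(page_url, html):
    """List scripts the page loads from a host other than its own."""
    own_host = urlparse(page_url).hostname
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, integrity in collector.scripts:
        absolute = urljoin(page_url, src)  # resolves relative and // URLs
        host = urlparse(absolute).hostname
        if host != own_host:
            # Without an integrity pin the remote owner decides what runs here.
            findings.append({"src": absolute, "host": host,
                             "pinned": bool(integrity)})
    return findings


def sri_value(script_bytes):
    """integrity="..." value (sha384) for a reviewed copy of a script."""
    digest = hashlib.sha384(script_bytes).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


# Constructed sample page for Website_B: one local script, one hotlinked
# from Website_A, one remote script that carries an integrity attribute.
PAGE_URL = "http://website-b.example/blog/"
PAGE_HTML = """<html><head>
<script src="/js/local.js"></script>
<script src="http://website-a.example/plugin-output.js"></script>
<script src="//cdn.example/lib.js" integrity="sha384-CONSTRUCTED"></script>
<script>var inline = 1;</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for f in audit_scripts(PAGE_URL, PAGE_HTML):
        print("pinned  " if f["pinned"] else "UNPINNED", f["src"])
```

Every unpinned finding is a script whose content the other site’s owner can change at any time; hosting a reviewed copy yourself removes the finding.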

Tags: mod_Rewrite, Steal, Webmaster, Wordpress

There’s currently some discussion going on about whether WP 2.3 should send your plain URL to WP.org (while checking for newer versions of the plugins you use) or not.
I would like to mention one alternative; at the same time I’ll cover some of its shortcomings as well.

WP-Plugins DB

The WordPress Plugins DB is quite new, but already a big resource for plugin versions. It’s created and managed by Sugan Shan. In order to use it you need to install an additional plugin from the website; you can grab your copy here. After you have activated that plugin, you can have your plugin versions checked against the latest release by visiting the plugin admin page.

Now we already reach a currently big problem of that project. It’s managed fully by Sugan, so if he doesn’t have enough time to update the plugin versions, you may think you run the latest version while you don’t. It doesn’t even need to be a lack of time that he suffers from; he may simply not know about a newer version of a given plugin. You can also create your own developer account on that website, but it doesn’t offer the features WP.org does, nor what WP-Plugins.org does.
But this fact doesn’t need to mean anything, as the project is quite new and many exciting features may come with time.

WP 2.3 Built-in

As mentioned above, WP Plugins DB suffers from the lack of some features which WP.org offers to plugin developers. Maybe it’s not intended to be anything like WP.org or WP-Plugins. So you can’t keep track of your plugin downloads and you’re not able to compare them with your competitors’. But the plugin doesn’t send anything home except your plugins’ names and versions, and mostly that data isn’t even stored, whereas WP.org stores your URL as well, in plain text. So that may be the biggest pro for that plugin. Matt doesn’t even know what this URL data could be useful for, so why doesn’t he add that step when it would be needed (or at least useful)?

How to get rid of it

So if you don’t want to have your blog URL stored on WP.org and don’t want to use that function at all, you can disable it by making a change to one WP core file. The file you need to edit is wp-admin/includes/update.php.
After you have opened the file, move to this line of code (line 43):

function wp_update_plugins()

Now add this line after it:

return false;

Save the file. Now your blog doesn’t use the update checker from WP any more (as long as you apply the change to every newer version of that file).

If you only want to prevent it from submitting your real blog URL, change this line (line 85) in the same file:
$http_request .= 'User-Agent: WordPress/' . $wp_version . '; ' . get_bloginfo('url') . "\r\n";
To something like:
$http_request .= 'User-Agent: WordPress/' . $wp_version . "; http://example.com\r\n";

Why WP suffers too

Anyway, the WP.org plugin repository isn’t anywhere near a complete snapshot of all WP plugins out there, as only plugins released under a GPL-compatible license get added.

And even that isn’t a guarantee of being added.
So it may be that you’re better off using the WP-Plugins Tracker than the built-in WP function.

Conclusion

So as you see, there’s currently no perfect solution available which covers every area fully. But from my point of view the WP-Plugins DB is the better way, as everything can get added, regardless of which license it’s published under or whether there’s a commercial Pro version of it. And why should security checking stop at borders like license or money?
As the Plugins DB isn’t perfect in its current state, we may need to use both in order to keep track of our plugins and security.

Update: I just found these plugins which disable the Core Update and Plugin Update functions.

Tags: Auto Update, Phone Home, Plugins, Security, Wordpress

While checking some parts of WPIDS I just recognized that it also blocks some spam entries from getting posted to your website. As PHPIDS checks for HTML tags, unsanitized ones, within the strings, it removes these requests… The only problem is that this applies as well to legit comments which contain allowed XHTML tags… Let’s see, maybe we can get around that problem… Anyway, a nice feature, and when no XHTML tags are allowed within your blog it’s even better, as it only blocks spam comments :)
One thing which is for sure is that Akismet has a bit less to do than before :)

Tags: Akismet, PHPIDS, SPAM, WPIDS

Some of you may have noticed that I joined the team of BlogSecurity (BS). I found that site just after its release, and I had some luck to have discovered David Kierznowski’s website before (which led me to BlogSecurity). My first contribution was simply to give my opinion about the themes covered at BS, as well as submitting new flaws found within WordPress. David asked me if I would like to join his team and I agreed, as I have always been interested in the security area. After some discussions about what we can do, I started working on the first plugin for BS.
The aim of the WP Prefix Table Changer is to change your WordPress table prefix from wp_ to something different, which should be as random as possible, to keep possible attackers from SQL injections, as they don’t know your table names. Or at least you can improve the security, as no 100% guarantee can be given. The tool automatically changes your table prefixes to your new given value, as well as some hardcoded values within the tables. If possible the wp-config.php file is updated as well; if that’s not possible, you get all the information needed to change it manually.
With that tool it’s quite easy to improve your security and to keep it quite secure, at least in this area: if something should ever cause a WP database error and you see it or get notified, you can change the prefix in the same step as you fix the reason for the problem.
If you like the plugin, let us know. Also comment if you dislike something or want something added.

PS: Add BlogSecurity to your favourite websites, as we have just started to improve the security of the WP community! The next plugin is coming soon!
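
As an added illustration (not the plugin’s own code), this Python example generates the MySQL statements that the prefix change described above needs. The value names user_roles, capabilities and user_level are prefixed values that WordPress core stores, assumed here to be the “hardcoded values” the post refers to; the table list is constructed.

```python
import re
import secrets
import string

# Values (not table names) in which WordPress core stores the prefix.
OPTION_NAMES = ["user_roles"]               # option_name in <prefix>options
META_KEYS = ["capabilities", "user_level"]  # meta_key in <prefix>usermeta

PREFIX_RE = re.compile(r"[A-Za-z][A-Za-z0-9]*_")


def random_prefix(length=8):
    """Unpredictable prefix: one letter, then letters/digits, then '_'."""
    alnum = string.ascii_lowercase + string.digits
    body = "".join(secrets.choice(alnum) for _ in range(length - 1))
    return secrets.choice(string.ascii_lowercase) + body + "_"


def prefix_change_sql(tables, old, new):
    """Return the MySQL statements that move a blog from prefix old to new."""
    for prefix in (old, new):
        # Identifiers are interpolated below, so accept only a strict pattern.
        if not PREFIX_RE.fullmatch(prefix):
            raise ValueError("unsafe table prefix: %r" % prefix)
    sql = []
    for t in tables:
        # Tables of other applications in the same database are left alone.
        if t.startswith(old) and re.fullmatch(r"\w+", t):
            sql.append("RENAME TABLE `%s` TO `%s%s`;" % (t, new, t[len(old):]))
    for name in OPTION_NAMES:
        sql.append("UPDATE `%soptions` SET option_name = '%s%s' "
                   "WHERE option_name = '%s%s';" % (new, new, name, old, name))
    for key in META_KEYS:
        sql.append("UPDATE `%susermeta` SET meta_key = '%s%s' "
                   "WHERE meta_key = '%s%s';" % (new, new, key, old, key))
    return sql


# Constructed table list: three WordPress tables and one unrelated table.
SAMPLE_TABLES = ["wp_posts", "wp_options", "wp_usermeta", "forum_users"]

if __name__ == "__main__":
    new_prefix = random_prefix()
    for stmt in prefix_change_sql(SAMPLE_TABLES, "wp_", new_prefix):
        print(stmt)
    print("-- then set $table_prefix = '%s'; in wp-config.php" % new_prefix)
```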

Tags: BlogSecurity, Security, SQL Injection, Table Prefix, Wordpress

As I just read over at BlogSecurity.com, it seems that many users who host their blog independently from wordpress.com don’t really care about keeping it up to date, and therefore secure. Of the 50 blogs scanned, around 46 were vulnerable; some run versions which are a year old or older. Some may now claim that just 50 blogs can’t represent around 2-3 million WP blogs, and they may even be right. But if there are just 300 of them running really old, vulnerable versions, that is 300 too many. And I can tell you from my experience with updating other blogs that there are quite a lot of them out there.

The Advantage

I will name just one advantage of updating your old 1.5 blog to the current version 2.2: you can use Akismet! I once had an old 1.5 blog which the owner had even stopped using, as there were around 60k spam posts and just 4 legit ones. With Akismet you need just one click to flush all spam away. I had to work with phpMyAdmin to get rid of all the spam without deleting any new legit comments that might be hidden among the spam comments. With Akismet this doesn’t happen again!

And there are so many other advantages to profit from; who still develops plugins for WP 1.5?

It’s Easy!

Most times updating your blog is as easy as 1, 2, 3. You make a backup of all your WP files and tables, delete all WP files and upload the new files, and the last step is to run the update script; then your blog is running the latest version. It costs you just 5 minutes. And how often does it happen that something breaks with a newer WP version? I would say it’s worth spending some time to keep your blog updated.

You’re no NERD?

For sure it can be that you’re not too much into PHP and Apache and so forth. To all of you I offer my help! You want to upgrade your blog but don’t know how to do it? No problem, contact me and I’ll take a look at where I can help you.
The service will be free (adapting templates to newer versions is not supported), but if you like you can make a small donation; details are handled as soon as the work is done or starts.

Tags: Update, Vulnerable, Wordpress

The team around BlogSecurity plans to launch something like an award or recognition system for blogs, themes and/or plugins which are secure. In my eyes this seems to be a really good idea. If it became widespread, you could go out and look for plugins or themes which are secure, and prefer them over unproven and even insecure ones. Who of us wants his blog cracked? It would take so much work to gain access again and redo everything (depending on what the attacker did).

In the current step they’re first collecting opinions as well as ideas you have on it. I would have my components approved, to assure you that they are secure and you can use them without any strange feeling in your stomach. As these plugins don’t only interact with WordPress but also with phpBB and Joomla, it seems even more important to show security.

At the current stage of this idea, nothing big has been done yet. So there’s currently no information available about whether it will cost something and how it will be done, but if the WordPress community shows real desire for such a service, it will come, and we will soon see more detailed information on this topic. So watch this blog!

Tags: Award, Plugin, Security, Theme, Wordpress

Normal CAPTCHAs just protect you from spam, and some of the easier ones can already be read by bots or are breakable without even using OCR technology, so they don’t protect you any more. Every day, Internet users solve 60 million CAPTCHAs, which sums up to a total time consumption of 150 thousand hours a day.
And given the current trend on the Internet of sharing work to get it done faster, it was just a question of time until someone invented a CAPTCHA which not only protects you from spam but also puts this time to use.

Tags: CAPTCHA, ReCAPTCHA, SPAM

Aren’t you bugged by all this evil around you and in the world? Not even the Internet is a nice place.
Everywhere there are phishers, spammers, harvesters, viruses, trojans and so on. But that’s no reason not to give some love to your visitors by handing them some sweets (in digital form, of course!).
I mean, if no one starts to be nice, the web never changes.

Tags: http:BL, Project Honey Pot, Spam fight