Sep 21 2010

Confirmed Twitter XSS Vulnerability

Just to confirm, my picture post guessing at a potential XSS vulnerability from over 3 hours ago proved itself to be exactly that. The vulnerability is caused by URLs not being cleaned/escaped properly. By adding JavaScript to the end of a URL, you can effectively execute whatever you like as long as it’s within 140 … read more »
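The post above describes the bug only in outline, so here is an added illustration of the general pattern (not Twitter's code, which the post does not show): a user-supplied URL dropped into an href attribute without escaping lets a quote inside the URL close the attribute and smuggle in an event handler. The attacker input is constructed for the demo; the second function shows the two checks that close the hole, escaping for the attribute context and rejecting non-http(s) schemes.

```php
<?php
// Added example, not Twitter's code. Models the class of bug described in
// the post: a URL taken from user input and written straight into markup.

// Vulnerable: raw interpolation. A double quote in $url ends the href
// attribute; whatever follows becomes new attributes on the <a> tag.
function render_link_unsafe(string $url): string
{
    return '<a href="' . $url . '">' . $url . '</a>';
}

// Hardened: only allow http/https (escaping alone does not stop a
// javascript: URL) and escape quotes/angle brackets for the attribute.
function render_link_safe(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false
        || !isset($parts['scheme'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null; // scheme missing or not http(s): refuse to render it
    }
    $escaped = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $escaped . '">' . $escaped . '</a>';
}

// Constructed attacker input: the quote terminates the attribute and the
// text after it is parsed as an onmouseover handler on the link.
$payload = 'http://example.com/"onmouseover="alert(1)';

echo "Unsafe rendering:\n", render_link_unsafe($payload), "\n\n";
// The browser sees a second attribute and runs the handler on hover.

echo "Safe rendering:\n", render_link_safe($payload), "\n\n";
// Quotes are emitted as &quot; so the whole payload stays inside href.

echo "javascript: URL: ";
var_dump(render_link_safe('javascript:alert(1)')); // rejected by the scheme check
```

The length limit the post mentions is not a defence: the payload above is well under 140 characters, which is exactly why a tweet is enough to carry it.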

Sep 24 2009

SQL Injection Flaw in FanUpdate

A security issue has come to light in FanUpdate (2.2.1 specifically but likely affects previous versions). This only affects those who are still running with register_globals turned on (a very bad idea). The problem — for those interested — lies in show-cat.php relying on an unsanitised $listingid. In an ideal world, show-cat.php should only be … read more »
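As an added example (not FanUpdate's own code, which the post does not reproduce), the script below models the flaw described: a variable that is never assigned from $_GET but, with register_globals on, is silently populated from the query string and then interpolated into SQL. It uses a constructed in-memory SQLite table in place of the real listings table so it runs stand-alone; the hardened version reads the parameter explicitly, enforces an integer and binds it.

```php
<?php
// Added example, not FanUpdate's code. Demonstrates the register_globals
// plus unsanitised-variable pattern and one way to fix it.

// Constructed stand-in for the listings table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE listings (id INTEGER PRIMARY KEY, title TEXT, hidden INTEGER)');
$db->exec("INSERT INTO listings VALUES (1, 'Public listing', 0), (2, 'Private listing', 1)");

// Vulnerable pattern. With register_globals on, a request for
// ?listingid=... sets $listingid before this code runs, so the script
// never notices it is trusting user input. The value lands in the SQL
// string unquoted and unchecked.
function show_cat_unsafe(PDO $db, string $listingid): array
{
    $sql = "SELECT id, title FROM listings WHERE id = $listingid AND hidden = 0";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: take the value from $_GET on purpose, accept only a
// plain integer, and bind it as a parameter. (register_globals should be
// off in php.ini anyway; PHP 5.4 removed the setting entirely.)
function show_cat_safe(PDO $db, array $get): array
{
    if (!isset($get['listingid']) || !ctype_digit((string) $get['listingid'])) {
        return []; // anything that is not digits-only is refused outright
    }
    $stmt = $db->prepare('SELECT id, title FROM listings WHERE id = :id AND hidden = 0');
    $stmt->execute([':id' => (int) $get['listingid']]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker request: ?listingid=0 OR 1=1 --
// The "--" comments out the hidden = 0 condition that follows.
$injected = '0 OR 1=1 --';

echo "Unsafe, injected id:\n";
print_r(show_cat_unsafe($db, $injected));          // hidden row is exposed

echo "Safe, injected id:\n";
print_r(show_cat_safe($db, ['listingid' => $injected])); // rejected, nothing returned

echo "Safe, legitimate id:\n";
print_r(show_cat_safe($db, ['listingid' => '1']));       // only the public listing
```

The (int) cast is enough for a numeric key, but the prepared statement is the habit worth keeping: it also covers the string columns where a cast does nothing.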

Aug 14 2008

PHP Security Tips

Because you can never know too much, and it’s about time I wrote a follow-up to my PHP Script Checklist article. 1. Never include sensitive data in a .inc When I started my current job, one of the first things I did was move all of the database connection details (yes, that includes passwords) from … read more »
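The tip only says to move the credentials; the reason is that a web server hands back any file it is not configured to execute, and a .inc is usually not on that list, so a direct request for /includes/db.inc returns the passwords as plain text. Below is an added example (not the article's code, and the paths are hypothetical) of the layout that avoids this: secrets in a .php file outside the document root, pulled in by path rather than reachable by URL. It builds the layout under a temporary directory so it runs stand-alone.

```php
<?php
// Added example, not the article's code. Shows credentials kept outside
// the document root in a .php file, instead of in a .inc under it.
// All paths are hypothetical and created in a temp dir for the demo.

$root    = sys_get_temp_dir() . '/inc-demo-' . getmypid();
$public  = $root . '/public_html'; // document root: everything here is served
$private = $root . '/private';     // sibling of the docroot: not served at all
mkdir($public, 0700, true);
mkdir($private, 0700, true);

// The secrets file. A .php extension means it is always executed, never
// echoed; returning an array (rather than setting globals) means even a
// stray direct execution prints nothing.
file_put_contents($private . '/db.php', <<<'CONFIG'
<?php
return [
    'dsn'  => 'mysql:host=localhost;dbname=app',
    'user' => 'app',
    'pass' => 'example-only-not-a-real-password',
];
CONFIG
);

// What a public script does: reach outside the docroot by filesystem
// path. There is no URL that maps to ../private, so the file cannot be
// downloaded whatever the server's handler configuration says.
function load_db_config(string $documentRoot): array
{
    $cfg = require dirname($documentRoot) . '/private/db.php';
    if (!is_array($cfg) || !isset($cfg['dsn'], $cfg['user'], $cfg['pass'])) {
        throw new RuntimeException('database config missing or malformed');
    }
    return $cfg;
}

$cfg = load_db_config($public);
echo "Config loaded for user '{$cfg['user']}' (password not printed)\n";

// Tidy up the demo layout.
unlink($private . '/db.php');
rmdir($private);
rmdir($public);
rmdir($root);
```

If legacy .inc files cannot be moved straight away, the stop-gap is to have the web server refuse to serve that extension (on Apache, a FilesMatch block for "\.inc$" that denies access); the layout above is still the end goal, because it does not depend on every virtual host being configured correctly.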


Jul 24 2008

Cutenews is Shite

I’ve added a short note about Cutenews on my Unsafe PHP Scripts page.

Nov 24 2007

Passwords at Tesco Not The Issue

It seems almost ironic that just the other day I was ranting about Tesco’s seemingly mediocre approach to password security, and today we hear that Tesco online store ‘is infiltrated by insider card fraudster’. Customers shopping at Britain’s biggest Internet store — Tesco Direct — are feared to have had their card details stolen by … read more »