This blog post is a follow-up to yesterday’s post: Security alert: pipdig insecure, DDoSing competitors. Firstly, to re-iterate, my accusations are as follows… pipdig did knowingly and with malicious intent: used other blogger’s servers to perform a DDoS on a competitor manipulated blogger’s content to… read full entry →
I love WordPress. I make my living from it. It’s no exaggeration to say that developing WordPress websites has changed my life: it provides me with an income that pays my mortgage and feeds my babies. However, every now and again something happens in the… read full entry →
* sorry, I couldn’t help myself. Yesterday I opened my work inbox first thing to a panicked email from a client (Sutton Community Farm) labelled “URGENT” – their website had gone down (again) with a Resource Limit Reached error. I quickly shot off a reply… read full entry →
Just to confirm, my picture post guessing at a potential XSS vulnerability from over 3 hours ago proved itself to be exactly that. The vulnerability is caused by URLs not being cleaned/escaped properly. By adding JavaScript to the end of a URL, you can effectively… read full entry →
A security issue has come to light in FanUpdate (2.2.1 specifically but likely affects previous versions). This only affects those who are still running with register_globals turned on (a very bad idea). The problem — for those interested — lies in show-cat.php relying on an… read full entry →
Because you can never know too much, and it’s about time I wrote a follow-up to my PHP Script Checklist article. 1. Never include sensitive data in a .inc When I started my current job, one of the first things I did was move all… read full entry →
I’ve added a short note about Cutenews on my Unsafe PHP Scripts page.
It seems almost ironic that just the other day I was ranting about Tesco’s seemingly mediocre approach to password security, and today we hear that Tesco online store ‘is infiltrated by insider card fraudster’. Customers shopping at Britain’s biggest Internet store — Tesco Direct —… read full entry →
Update 31st July 2012: Welcome, new visitors from The Register, Information Age, etc. If you like this post, you may also like my related posts on security. I am a PHP web dev with an interest in scripting, security (XSS, SQL injection etc) and WordPress.… read full entry →
Some chick called “Safire” has republished my Safe Dynamic Includes snippet on her tutorial site. (Fingers in mouth gagging here; I thought people had stopped creating these lame tutorial sites.) Alongside the code is the advice that, in normal dynamic includes “it’s just the x=… read full entry →
Because you can never know too much, and it’s about time I wrote a follow-up to my PHP Script Checklist article. 1. Never include sensitive data in a .inc When I started my current job, one of the first things I did was move all… read full entry →
Usually if I don’t have the time to review a script I advise people to Google for security issues. Except, with the recent problem surrounding the false reports of a login issue with my scripts, it’s becoming more and more apparent that we can’t rely… read full entry →