iBlog - Ilia Alshanetsky

Came across a rather interesting article by IBM on how to convert IE specific web apps to work with Mozilla. Aside from the obvious, by listing the different approaches each browser adopts it serves as an excellent resource for making a web app cross-browser complaint. I hope they will update article with the other two commonly (relatively) used browsers, Konqueror/Safari (KTHML Engine) and Opera.

With the release of PHP 5.1.0b3 the dev tree has been closed for new features, allowing only bug fixes to facilitate the stabilization of the code for the upcoming (don't ask me when) 5.1.0 stable. This however created a unfortunate situation where PHP does not have a development tree for feature enchantments, so any improvements remain lingering on developer's boxes until development tree is once again available...

In the past few weeks I've been doing some work, which involved using parse_url() and cURL extension quite a bit and in the process came up with few improvements.

parse_url() tweak [ patch ]

This patch adds a 2nd optional parameter to parse_url() which allows the function to return a particular URL component rather then an array. Ex:


cURL improvements [ patch ]

The patch does two things; first of all it allows the user to retrieve the request sent by cURL to the server. I found this to be very handy and necessary when trying to analyze the full content of the client to server communication.


The second part of the patch introduces the convenience function, curl_setopt_array() that allows setting of multiple configuration directives via a single PHP function call. The array of option is based on option name, numeric CURLINFO key and its value.

In the past few years FUDforum has grown quite a bit in both the offered functionality and the user base. However, aside from a few tweaks the layout of the forum has remained largely unchanged. While the current layout works quite well for most people, there is a clear want to update the layout to something more interesting. Hence this contest, the goal being to devise a new better, faster and prettier default theme (layout) for the forum, which would improve the user experience. Aside from a new and improved default template some additional templates maybe included in the stock distribution to give forum deployers greater flexibility as far as appearance out of the box.

So, if you have some spare time and would like to help to improve FUDforum please submit your design entries, more information can be found here:
http://fudforum.org/forum/index.php?t=msg&goto=26425

A few days ago I received a bug report from a FUDforum user about his forum members having trouble staying logged in when using the AOL 9 browser, herein to be referred to as POS. According to him after logging in and browsing a few pages, the user would suddenly find themselves being logged out from the FUDforum. This happened on seemingly random pages, with no common element in between making tracking down the problem ever so enjoyable. The following is a nightmarish tale of me trying to resolve this problem, which hopefully serve as a clue to the developers who encounter the same issue.
Continue reading "AOL Browser Woes"

In the past few days I've been testing a number of my own applications and scripts as well as various bits and pieces of applications written by others that I use, using an automated scanning tool I have written. One particular issue I came across, common to all applications is the inevitable "path disclosure vulnerability". The premise behind this so called vulnerability is that remote attackers by specifying certain value can make the script report it's own location on disk. Theoretically this combined with another vulnerability could be used to do *something* or rather then potentially could be bad. As you can probably tell, I don't see this as a something to be terribly concerned about in most cases.

To demonstrate consider the following, most PHP function that take strings as parameters, like our favorite validation functions such as htmlspecialchars(), addslashes(), and so on will raise warnings when values they are passed are arrays rather then strings. This means that to get the path of the script, you simply need to pass the arguments as arrays rather then expected strings and then simply read the warning message generated by PHP to see the error.



To solve this problem there are just two solutions:
1) Disable displaying of errors to screen and instead log them to a file, so if the Warning or Notice regarding array being used as a string is emitted, it won't be shown to the user using the site. This can be done within the script through:


2) Meticulously go through the code forcing PHP to cast the data to the desired type, via (int), (float) or (string) casts, this too will eliminate the Notice or Warning message.

After nearly 2 months of development FUDforum 2.6.14 is finally out. Aside from the usual bug fixes this release includes a number of important improvements, such as full support for PHP 5.1 and introduction of a PDO database driver support, which enables FUDforum to talk with SQLite in addition to MySQL and PostgreSQL.

In addition to all of the changes in found in RC1 and RC2 there is a small number of modification made since then, a list of which can be found below.

The installer and the upgrade script can be found at their usual locations at:
http://fudforum.org/download.php and all FUDforum users are encouraged to upgrade.
Continue reading "FUDforum 2.6.14 Released"

Spent the entire Sunday at the Molson Indy in Toronto, here is the
photographic evidence.

For the most part it was a rather enjoyable show, the main regret is the fact that this year another layer of netting was put up keeping the regular folk like me even further from the track, a closer look, costs $160+ a pop. Interestingly enough the best spot to see the most difficult track is from a non-paying zone on a little hill. Some of the latter photos were taken from there.

It seems web hosting companies are finally coming to grips with something most security experts have known for quite some time, phpBB is inherently insecure. According to Netcraft
some are taking the steps to prevent further exploitation via this application by banning its usage on their servers.

As per usual phpBB developer's response, they are denying blame and claim such moves are unwarranted, but given their security record during the past 6 months alone this is hardly surprising. Not only are new issues being found, because the developers can't seem to do an security audit, but new versions re-introduce bugs (2.0.15 re-introduced the flaw exploited by Santy worm) that have previously been solved.

I hope other hosting providers will take notice and adopt the same strategy, not only for phpBB2 but for any application with a consistent history of security faults for which the developers do not wish to take responsiblity for. As well as failing to take the time to conduct an extensive security audit of their code.