More CSRF Redirectors at 2007-08-12 15:10:20
Today I learned about another CSRF redirector by another group of people in web application security called GNUCITIZEN. Similar to the previous CSRF redirector, it contains the same XSS vulnerability through the javascript URI scheme.
Example:
http://www.gnucitizen.org/util/csrf?..._url=javascript:alert(/.../);
Update: The bug is fixed for now...
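The flaw described in this post is a redirector that hands whatever URL it receives straight to the browser, so a `javascript:` target executes as script in the redirector's origin. As an added example (not code from the post or from GNUCITIZEN), the Python below shows the check a redirect endpoint should perform before emitting a `Location` header: normalise the value the way a browser would, then accept only absolute `http`/`https` URLs with a host. The function names, the allowed-scheme set and the sample URLs are all assumptions of this example.

```python
from urllib.parse import urlsplit

# Schemes a redirect endpoint may pass on to the browser. Everything else
# (javascript:, data:, vbscript:, file:, ...) is refused outright.
ALLOWED_SCHEMES = {"http", "https"}

# Browsers drop ASCII tab, CR and LF while parsing a URL, so a raw string
# comparison would miss "java\tscript:". Remove them before looking at the
# scheme so the check sees what the browser will see.
_STRIPPED = str.maketrans("", "", "\t\r\n")


def normalize_redirect_target(raw: str) -> str:
    """Apply the same cleanup a browser applies before interpreting a URL."""
    return raw.translate(_STRIPPED).strip()


def is_safe_redirect(raw: str) -> bool:
    """Return True only for an absolute http(s) URL that names a host."""
    url = normalize_redirect_target(raw)
    parts = urlsplit(url)  # urlsplit lower-cases the scheme, so "JavaScript:" is caught too
    if parts.scheme not in ALLOWED_SCHEMES:
        return False  # rejects javascript:, data:, and scheme-less "//host" targets
    if not parts.netloc:
        return False  # rejects "http:" or "http:///path" with no host at all
    return True


def redirect_header(raw: str, fallback: str = "/") -> str:
    """Value for the Location header: the cleaned target, or a safe fallback."""
    return normalize_redirect_target(raw) if is_safe_redirect(raw) else fallback


if __name__ == "__main__":
    # Constructed sample inputs, including the javascript: URI from the post.
    for candidate in (
        "http://example.com/page",
        "javascript:alert(/.../);",
        "JaVaScRiPt:alert(1)",
        " javascript:alert(1)",
        "java\tscript:alert(1)",
        "//evil.example/",
        "data:text/html,<script>alert(1)</script>",
    ):
        print(f"{candidate!r:50} -> {redirect_header(candidate)}")
```

The scheme allowlist is the part that matters: checking for the literal substring `javascript:` misses case variation and embedded whitespace, whereas parsing after normalisation and comparing the scheme against a short allowlist does not. Whether the host should also be restricted (to prevent the endpoint being used as an open redirect) is a separate policy question this example leaves to the fallback value.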
MOPB Exploits taken down at 2007-08-12 15:10:20
Unfortunately I had to take down all the proof of concept exploits that were developed during the Month of PHP Bugs. The reason for this is a new law in Germany that has been official since today. This new law renders the creation and distribution of software illegal that could be used by someone to break into a computer system or could be used to prepare a break-in. This includes port scanners like nmap, security scanners like nessus and of course proof of concept exploits.
HTML Purifier at 2007-08-12 15:10:18
I've been focusing on work and neglecting my blog lately, but I want to take a moment to highlight HTML Purifier, a tool developed by Edward Yang. Edward contacted me a few days ago to let me know that he has just released version 2.0, and because this post is tardy, version 2.0.1 is already available.
What is HTML Purifier? In Edward's own words:
HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of W3C's specifications.
Planet Web Security at 2007-08-12 15:10:18
If you want to keep up with the latest in web application security, you might want to add Planet Web Security to your reading list. In his announcement, Christian Matthies offers this brief description:
I am pleased to announce the launch of Planet Web Security, founded with the intention to bring together similarly themed news and rants related to web security and to display them in one place.
It's still in its infancy, so I'm sure it will only get better as more relevant blogs are added. Comparing it to my own planet (not specific to web application security), I can already identify a few blogs that should probably be added: