<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>PHPDeveloper.org</title>
    <link>http://www.phpdeveloper.org</link>
    <description>Up-to-the Minute PHP News, views and community</description>
    <language>en-us</language>
    <pubDate>Fri, 29 Aug 2008 02:06:09 -0500</pubDate>
    <ttl>30</ttl>
    <item>
      <title><![CDATA[NETTUTS.com: Can You Hack Your Own Site? A Look at Some Essential Security Considerations]]></title>
      <guid>http://www.phpdeveloper.org/news/10659</guid>
      <link>http://www.phpdeveloper.org/news/10659</link>
      <description><![CDATA[<p>
On the NETTUTS.com website, there's a <a href="http://nettuts.com/articles/can-you-hack-your-own-site-a-look-at-some-essential-security-considerations/">great article</a> with some "essential security considerations" that you can use to see just how hackable your site could be.
</p>
<blockquote>
This article walks through the brainstorming stage of planning for what is in this instance, a hypothetical user-centric web application. Although you won't be left with a complete project, nor a market ready framework, my hope is that each of you, when faced with future workloads, may muse on the better practices described. So, without further ado... Are you sitting comfortably?
</blockquote>
<p>
<a href="http://nettuts.com/articles/can-you-hack-your-own-site-a-look-at-some-essential-security-considerations/">The tutorial</a> is broken up into a few sections based around an example application (about book information) with a few points of failure. They work through the thought process behind the code: using the $_REQUEST variables correctly, preventing SQL injection and filtering the HTML output. There's also a <a href="http://nettuts.s3.amazonaws.com/Articles/009_Security/NETTUTS-SEC/sources.zip">sample code</a> download for you to see how it's all tied together.
</p>]]></description>
      <pubDate>Tue, 22 Jul 2008 12:57:07 -0500</pubDate>
    </item>
    <item>
      <title><![CDATA[Developer Tutorials Blog: Hacking Wordpress When You've Forgotten Your Password]]></title>
      <guid>http://www.phpdeveloper.org/news/10248</guid>
      <link>http://www.phpdeveloper.org/news/10248</link>
      <description><![CDATA[<p>
The Developer Tutorials blog has <a href="http://www.developertutorials.com/blog/wordpress-blog/hacking-wordpress-when-youve-forgotten-your-password-177/">an article</a> posted today about how you can "hack" your WordPress installation if you happen to forget the password for your account:
</p>
<blockquote>
Do you have multiple Wordpress self-hosted blogs? If so, you've likely run into a scenario where you just can't remember your password. With Wordpress 2.5 and 2.5.1 there's an annoying bug that sometimes generates passwords that don't work when you click the "Forgot Password" option. [...] Wordpress resets the password internally (in the MySQL database) but the link that it sent you to activate that password fails to connect with the database effectively locking you out of your blog. In this scenario, at least for me, all the potentially viable solutions lead to dead ends.
</blockquote>
<p>
His <a href="http://www.developertutorials.com/blog/wordpress-blog/hacking-wordpress-when-youve-forgotten-your-password-177/">six-step process</a> involves <a href="http://www.village-idiot.org/archives/2007/05/22/wp-emergency-password-recovery/">an external script</a> (use with caution, and read the source before you run it) that reaches into your WordPress install, updates your admin account and sends out an email with the resulting password.
</p>]]></description>
      <pubDate>Thu, 22 May 2008 12:58:57 -0500</pubDate>
    </item>
    <item>
      <title><![CDATA[CyberInsecure.com: Half-Million Sites Mostly Running PHPBB Forum Software Hacked In Latest Attack]]></title>
      <guid>http://www.phpdeveloper.org/news/10175</guid>
      <link>http://www.phpdeveloper.org/news/10175</link>
      <description><![CDATA[<p>
According to the CyberInsecure.com website, around a half-million websites running phpBB <a href="http://cyberinsecure.com/half-million-sites-mostly-running-phpbb-forum-software-hacked-in-latest-attack/">were hacked</a> in a large coordinated effort.
</p>
<blockquote>
More than half a million websites have been compromised in a new round of attacks that hacked domains in order to infect unsuspecting users' PCs with a variety of trojans. This ongoing campaign includes new malware hosting domains and new trojan variations. All of the sites are running older or misconfigured versions of "phpBB," an open-source message forum manager. Open-source popular applications like phpBB tend to be often targeted by mass scanning and exploiting tools.
</blockquote>
<p>
The hack redirected visitors through several steps, ultimately ending up on a page that tried to exploit vulnerabilities in older Internet Explorer and RealPlayer versions. <a href="http://cyberinsecure.com/half-million-sites-mostly-running-phpbb-forum-software-hacked-in-latest-attack/">The article</a> talks about exactly which viruses could have caused the problems and the wide range of sites (both in topic and location) that were affected.
</p>
<p>
The best way to protect yourself and your phpBB install from something like this happening is to get the <a href="http://www.phpbb.com">latest version</a> of the software and learn how to configure it correctly.
</p>]]></description>
      <pubDate>Tue, 13 May 2008 14:04:38 -0500</pubDate>
    </item>
    <item>
      <title><![CDATA[Chris Hartjes' Blog: WordPress 2.1 and Mint]]></title>
      <guid>http://www.phpdeveloper.org/news/7198</guid>
      <link>http://www.phpdeveloper.org/news/7198</link>
      <description><![CDATA[<p>
If you're both a WordPress and Mint user and want to integrate them the easy way, check out <a href="http://www.littlehart.net/atthekeyboard/2007/01/30/wordpress-21-and-mint/">this new entry</a> from <i>Chris Hartjes</i> about combining the two.
</p>
<blockquote>
Now, the installation is fairly easy but there was a weird bug that was appearing, where a check to see if you are running a licensed copy of Mint kept getting triggered when I tried to access my feeds via a feed alias. The solution? An ugly hack, if you ask me.
</blockquote>
<p>
The problem was with a <a href="http://haveamint.com/peppermill/">Pepper</a> for Mint called <a href="http://haveamint.com/peppermill/pepper/11/bird_feeder/">Bird Feeder Pepper</a> that helps track RSS feed usage. The solution he found was a snippet of PHP code you'll need to insert into several of the feed scripts that WordPress provides.
</p>]]></description>
      <pubDate>Wed, 31 Jan 2007 18:51:13 -0600</pubDate>
    </item>
    <item>
      <title><![CDATA[Jacob Santos' Blog: Zend Framework: Hackish Include Path Solution]]></title>
      <guid>http://www.phpdeveloper.org/news/6403</guid>
      <link>http://www.phpdeveloper.org/news/6403</link>
      <description><![CDATA[<p>
<i>Jacob Santos</i> was having a problem with the Zend Framework. It couldn't find its own files. So, he's <a href="http://www.santosj.name/php/zend-framework-hackish-include-path-solution/">come up with a hack</a> that helps mod_php users to avoid the problem.
</p>
<blockquote>
<p>
I've had problems with Zend Framework not being able to find its files, which is usually not good. The "workaround" of adding the realpath works, but would be overwritten when updating. Besides, going through the files just to add realpath locations is a hassle.
</p>
<p>
The php_value only works with mod_php, so good luck if you are running PHP using CGI/FastCGI. Actually, you'll have no luck, because it won't work using CGI.
</p>
</blockquote>
<p>
Essentially, it uses the <a href="http://www.php.net/ini_set">ini_set function</a> to define the correct include path. Check out <a href="http://www.santosj.name/php/zend-framework-hackish-include-path-solution/#comments">the comments</a> of the post for some other suggestions.
</p>]]></description>
      <pubDate>Mon, 02 Oct 2006 13:18:50 -0500</pubDate>
    </item>
    <item>
      <title><![CDATA[PHPKitchen: Getting Zend Debugger Working on a Macbook Pro]]></title>
      <guid>http://www.phpdeveloper.org/news/6152</guid>
      <link>http://www.phpdeveloper.org/news/6152</link>
      <description><![CDATA[<p>
On PHPKitchen, <i>Demian Turner</i> <a href="http://www.phpkitchen.com/index.php?/archives/754-Getting-Zend-Debugger-Working-on-a-Macbook-Pro.html">shares exactly how</a> he managed to get the Zend Debugger up and working on his MacBook Pro.
</p>
<blockquote>
Okay, there is some considerable hacking involved to get this working, and the solution is only a workaround until "sometime before the end of 2006", which was quoted to me by Zend as the time they expect to get the Zend debugger working for the mactel platform. No rush there guys.
</blockquote>
<p>
<a href="http://www.phpkitchen.com/index.php?/archives/754-Getting-Zend-Debugger-Working-on-a-Macbook-Pro.html">His solution</a> involved using Parallels Desktop and Zend Studio, a hack on the installer to get it working, ensuring it finds the right php.ini (a problem he had) and customizing the setup to work with the buttons of your choosing.
</p>]]></description>
      <pubDate>Mon, 28 Aug 2006 07:56:55 -0500</pubDate>
    </item>
    <item>
      <title><![CDATA[ReadyToBeServed.com: Web Host May Ask Client To Cover Cost Of Hack]]></title>
      <guid>http://www.phpdeveloper.org/news/6026</guid>
      <link>http://www.phpdeveloper.org/news/6026</link>
      <description><![CDATA[<p>
According to <a href="http://www.readytobeserved.com/content/view/32/2/">this new article</a> on ReadyToBeServed.com, a flaw in the PHPNuke software allowed a malicious user access to a server to cause all sorts of headaches for both the hosting company and the others hosted on that machine.
</p>
<blockquote>
<p>
A Wellington, New Zealand, Web hosting company may seek compensation from a client that it claims is responsible for the worst hacking attack in the company's history. IServe blames lax security on their client's part for the hacking job that resulted in the defacing of hundreds of Websites.
</p>
<p>
The hack forced iServe to shut down all its FTP servers for 28 hours, while it replaced many of its customers' websites with back-ups that were made a few days before the incident.
</p>
<p>
Joy Cottle, iServe's general manager, estimates the problem cost about $20,000 to repair. Clients with dedicated servers were not affected by the hack.
</p>
</blockquote>
<p>
<a href="http://www.readytobeserved.com/content/view/32/2/">They report</a> that the attack happened because of a flaw in the content management system that allowed the attacker to overwrite the websites of other customers on the same machine. They are even considering trying to recoup some of the costs from the customer that allowed it to happen. The hole was one found in the older version of PHPNuke the customer had uploaded.
</p>
<blockquote>
Due to the incident, iServe is now considering banning clients from running PHPNuke.
</blockquote>]]></description>
      <pubDate>Mon, 14 Aug 2006 08:03:39 -0500</pubDate>
    </item>
    <item>
      <title><![CDATA[PHP Security Blog: phpBB mass hack in preparation?]]></title>
      <guid>http://www.phpdeveloper.org/news/5046</guid>
      <link>http://www.phpdeveloper.org/news/5046</link>
      <description><![CDATA[In relation to <a href="http://www.phpdeveloper.org/news/5020">this message</a> found on a newsgroup last Monday (03.20.2006), <i>Stefan Esser</i> has <a href="http://blog.php-security.org/archives/30-phpBB-mass-hack-in-preparation.html">this new post</a> on the PHP Security Blog with his opinions on "FuntKlakow" and the situation.
<p>
<quote>
<i>
During the last days a lot of <a href="http://www.incidents.org/diary.php?storyid=1201">blog entries</a>, forum posts and even articles in <a href="http://www.heise.de/security/news/meldung/71030">IT magazines</a> were made about a potential phpBB mass hack in preparation. From what is reported it seems to me that FuntKlakow is only a spambot and that the whole situation is a little bit overhyped. In the end it seems enough to enable the visual confirmation in the registration form (captcha) to keep FuntKlakow out, although the captcha is so bad that it should not be hard to break it.
</i>
</quote>
<p>
Despite the comment made above, he doesn't suggest dismissing the issue just yet. It's quite possible that FuntKlakow appearing to be only a spam bot is a deception, and that it could turn into a tool for some developer out there to flip a switch and gain server-level access on a huge number of hosts across the world.
<p>
<i>Stefan</i> also briefly mentions a patch that he submitted to the phpBB team concerning an issue with the <a href="http://www.hardened-php.net/advisory_172005.75.html">signature_bbcode_uid remote code execution exploit</a> - which wasn't used. Instead, an internal patch was applied that still didn't quite cover the issue.]]></description>
      <pubDate>Mon, 27 Mar 2006 07:14:55 -0600</pubDate>
    </item>
    <item>
      <title><![CDATA[Issociate.de Newsreader: phpBB mass-hack being prepared?]]></title>
      <guid>http://www.phpdeveloper.org/news/5020</guid>
      <link>http://www.phpdeveloper.org/news/5020</link>
      <description><![CDATA[In <a href="http://www.issociate.de/board/post/312809/phpBB_mass-hack_being_prepared_">this posting</a> included on the Issociate.de site's Newsreader, there's talk of a "massive phpBB hack" that might be taking place.
<p>
<quote>
<i>
During the last few days a bot using the name FuntKlakow has been registering on at least hundreds (maybe thousands) of phpBB forums.
<p>
OK, what is the danger? Next time phpBB announces a critical vulnerability, the bot would have everything ready (just a post click away) to attack thousands of sites/forums.
</i>
</quote>
<p>
It's <a href="http://www.issociate.de/board/post/312809/phpBB_mass-hack_being_prepared_">an interesting situation</a> and, as suggested in some of the comments on <a href="http://digg.com/security/phpBB_mass_hack_being_prepared_">this digg post</a>, it will be interesting to see what happens. It is a little odd for that many items to come up on a search for the name that are only profiles on phpBB boards, especially given phpBB's track record...]]></description>
      <pubDate>Mon, 20 Mar 2006 07:51:03 -0600</pubDate>
    </item>
  </channel>
</rss>
