security archive

New York Times Claims HTML5 is a "Pandora's Box" of Privacy Risks

Alarmist rhetoric from news organizations about the web is nothing new, but today's front-page headline on the New York Times still caught my eye: "Web Code Offers New Ways to See What Users Do Online." It's about HTML5 privacy risks, and it's a load of crap.

URL Shorteners Must Die

URL shorteners (such as bit.ly and tinyurl) have been called the "herpes of the web". Beyond just link-rot, a public shortening service is per se an open redirect vulnerability. Their ubiquity makes them an easy vector for spammers, phishers, and cross-site forgery attacks. Joshua Schachter writes: "With a shortening service, you're adding something that acts like a third DNS resolver, except one that is assembled out of unvetted PHP and MySQL, without the benevolent oversight of luminaries like Dan Kaminsky and St. Postel." Luckily, you don't have to contribute to this scourge.

Using JSONP Safely

JSONP is a way to make cross-domain requests from JavaScript. It takes advantage of a loophole in the browser's same-origin policy: <script src="http://anywhere.com/data.jsonp"></script> tags are allowed to load files from any domain. This differs from normal AJAX requests, which may only be made to the same domain as the page you are viewing. Unfortunately, many guides to implementing this technique in PHP contain a dangerous security flaw. Can you spot it?

Running Drupal Secure Pages behind a proxy

If you plan to use the securepages module behind a proxy that terminates SSL, there are some additional server configuration steps you need to take. To detect which protocol is in use, securepages tests the value of $_SERVER['HTTPS']. Out of the box, this merely reflects the immediate connection between your proxy and the web server. If that protocol differs from the one used by the original client, securepages can't work (the most likely outcome is a redirect loop). To resolve this, you'll need to ask your proxy to send the X-Forwarded-Proto header. While you're free to use any header name you choose, X-Forwarded-Proto seems to have become the de facto standard.

4 comments. Filed under drupal, security.

With Drupal+Ubercart, be wary of alternative payment gateways

If you are using Ubercart to do ecommerce with Drupal, be sure to use one of the mainstream payment gateways: Authorize.net or PayPal. While Ubercart does support a number of alternative payment gateways, the dangers in going with these alternatives are significant. Here's an example of a single day on which two of the less well known Ubercart payment modules were exposed as having flaws that allow people to check out without paying:

SA-CONTRIB-2010-062 - Ogone | Ubercart payment - Access Bypass
SA-CONTRIB-2010-064 - Ubercart MIGS Payment Gateway - Web Parameter Tampering

Dylan Wilder-Tack, Drupal Security Team Member

When discussing the benefits of open-source frameworks (especially Drupal), I've often heard, "But if everyone has access to the source code, how secure can it possibly be?" My standard response would be to discuss the platform's maturity and how it's been hardened by years of real-world use.