Security

no comment ...

WWDC time means announcement time. This time, Steve Jobs did not announce that much, but spared one special highlight for the end of his keynote: The Safari browser (version 3) is available for download as a beta — for both Mac OS X and Windows. I have to admit that I am not too fond of Safari 2, especially in comparison to the competition. However Safari 3 looks really nice. I also like that there are several Windows plugins available, including various media players, Flash, Java, and Adobe Reader (the plugin site still linking to 8.0, not 8.1, btw).
In the end, the market will decide whether Safari 3 will get a greater market share than Safari 2 managed to achieve. This, in turn, will either make many web developers still ignore Safari, or will start taking it seriously. Of course, a more robust JavaScript implementation would not hurt, either

Update: Apple's infamous security track record (not that all other companies do a better job, of course) is undeniable, since Thor Larholm claims it took him two hours to find a security vulnerability, other researchers also announced that they would present their findings soon. So do not use this on a production machine (yet)!

Two weeks ago, the SANS Institute has released its annual Top 20 Internet Security Attack Targets list. Of course you can debate how such a Top list came together and what the real value behind that is, but there are two specific points in this year's list that I found quite interesting.
First of all, there is a new entry: Users (H2). This shows that phishing, social engineering and related attacks are getting more and more prevalent. User education is therefore more important than ever.
Second, PHP is specifically mentioned a couple of times (one wonders why). In entry C2 of the SANS Top 20 (Web Applications), the institute gives some very specific advice:

From the PHP system administration and hosting perspective:

• Always test and deploy patches and new versions of PHP as they are released
• Frequent web scanning is recommended in environments where a large number of PHP applications are in use
• Consider using the following PHP configuration:
  • register_globals (should be off, will break insecure apps)
  • allow_url_fopen (should be off, will break apps that rely on this feature, but protect against a very active exploit vector)
  • magic_quotes_gpc (should be off, will break older insecure apps)
  • open_basedir (should be enabled and correctly configured)
  • Consider using least privilege execution features like PHPsuexec or suPHP
  • Consider using Suhosin to control the execution environment of PHP scripts
• Use Intrusion Prevention/Detection Systems to block/alert on malicious HTTP requests. Consider using Apache's mod_security to block known PHP attacks
• As a last resort, consider banning applications which have a track record of active exploitation, and slow response times to fix known security issues.

From the developer perspective:

• If you use PHP, migrate your application to PHP 5.2 as a matter of urgency.
• To avoid the coding issues above:
  • Develop with the latest PHP release and a hardened configuration (see above)
  • Validate all input appropriately
  • Encode all output using htmlentities() or a similar mechanism to avoid XSS attacks
  • Migrate your data layer to PDO - do not use the old style mysql_*() functions as they are known faulty
  • Do not use user-supplied input with file functions to avoid remote file inclusion attacks

You could argue whether the PDO migration is superior to using, say, prepared statements (and why no other databases are mentioned). You could also argue why there is such an emphasis on PHP and that all advice is somehow well-known. But fact of the matter is, there are still so many PHP installations and PHP developers that do not follow these guidelines, as for instance Damien's survey shows. In my opinion, there is only one possible solution: Continue to talk with developers, continue to talk with hosting providers.

As other people have already noted, the LiveHTTPHeaders Mozilla extension does not work on Firefox 2.0 (yet), since it has not been marked compatible with the new version yet. However there are two ways in which you can "force" Firefox 2.0 to activate the extension. Both are of course to be considered as hacks until a new version of the extension is released.
The first way is to change the extension itself. Download the XPI package and unzip it (yes, it's a ZIP file; if you are using a GUI tool you may want to change the file extension to .zip first). The contents of the package will look like this:



Open the install.rdf file (it's XML). There you will find the following XML element (around line 16):

<em:maxVersion>1.5+</em:maxVersion>

Change the maximum version number to 2.0+, zip all files, provide an .xpi file extension, and you are ready to install the extension.

The second way is easier yet potentially more dangerous: Just tell Firefox to install extensions regardless of the minimum/maximum required version numbers they supply in the install.rdf file. In order to do so, call the special URL about:config in Firefox and create a new boolean setting called extensions.checkCompatibility with a value of false. This then obviously applies to all extensions.
Of course the best way is to wait till a new LiveHTTPHeaders version for Firefox 2.0 has been released, since there is no guarantee that the current version (0.12) is fully compatible with the new browser version. However on one of my test systems it seems to run quite nicely (using the first workaround from this entry).

Just a short recap from last week's OSCON, while I am on the plane back home (I really love on-plane WiFi). After a terrible travel to Portland (including delays, rebooking on other flights, and finally the information that my hotel reservation could not be found, *again*), I faced the usual issue with large and well-organized conferences: too many interesting presentations at the same time. So I missed quite a lot of the PHP content, some of which I had already seen elsewhere, but also new stuff like Adam Trachtenberg's advanced SOAP presentation which I was looking forward to (but I was lured into an OSCamp session titled "Why we suck", by Microsoft, which was quite interesting, but sometimes on the verge of escalation). Among the presentations I did see were one on upcoming changes in Perl 6 (both entertaining and confirming why I quit using Perl altogether eight years ago), Andrew van der Stock about AJAX security (which I find an overrated topic, but he showed nice examples and also did not rant about PHP too much this time ), Luke's & Laura's tutorial featuring a poker application, some of the other OmniTI presentations (too many to mention ), and some other AJAX-related stuff (mostly regarding cross-site applications). As usual, there were some quite bad speakers, but the majority was excellent.
Another scheduling problem was Thursday night which three overlapping events: PDXPHP, a Microsoft sponsored dinner, and Powell´s technical bookstore. I tried to attend both, but after meeting Patrick Reilly at the MS dinner and chatting about PHP, other technologies, and the movie industry, I completely lost track of time. Sorry. When I returned back to the hotel later after over four hours of eating and drinking, I even ran into half of the PHP crew, but declined going for cocktails again. Conferences obviously take their toll on me
My Atlas presentation, by the way, went very well. Only half of the attendees were actually using ASP.NET 2.0 (who wonders at OSCON). Contrary to popular beliefs, "the guy" was not in the audience; I only got intelligent questions, from people sitting in the middle.
Already looking forward to next year!

I have posted similar stories before, but this new entry on thedailywtf.com just beats them all. Oh. My. God.

Frightning.

Update: Nice roundup and commentary (via Stefan)

MamboForge goes MamboXchange, and the first news entry is an important one: Some security issues have been found and were fixed for Mambo 4.5.3 and Mambo 4.5.3h. I do not understand yet why they did not create Mambo 4.5.3i and also have not checked yet whether a similar issue exists in Joomla!, as well, but anyway updating any installation is highly recommended.

I have blogged about a SQL Injection posting on The Daily WTF before, but this posting beats it all. Never has SQL Injection been used in such a clever way

I keep on mentioning in security-related talks that using stored procedures does not generally avoid the dangers of SQL Injection, but just limits the number of sloppy programmers that can mess it up. This entry in The Daily WTF proves me right -- in a very funny way.

At this week's BlackHat conference, OWASP released the much anticipated version 2.0 of their "Guide to Building Secure Web Applications" (and one day later, they added some changes by Microsoft's Michael Howard and released version 2.0.1). A huge leap forward form the Top Ten, 293 pages packed with valuable information about various aspects of Web Application Security. It will come out as a book later this year.

Microsoft is making serious with their Genuine Advantage "offering". I just did a Vanilla install of Windows XP with SP2 and then went to Windows Update. As usual, I was prompted to install an ActiveX control and then to install mandatory components. Usually, these only consist of Windows Installer 3.1, but this time it also installed something else ... (click image to enlarge)

Then, I was prompted to validate my Windows. (click image to enlarge)

No problem, I thought. Until I got this message: (click image to enlarge)

And this is, in my opinion, a real bummer. Of course I do have a license, but I am using this specific license to do tests. Which means that I reinstall the OS quite often and therefore usually do not activate it, the 60 days grace period are more than enough. However what should I do now? Either I activate Windows over and over again (including nice chats with hotline people when I activate "too often"), or I can just sit back, relax, and wait till the 20-30 minutes are over.

On July 12th, Updates for Firefox (to 1.0.5) and Thunderbird (to 1.0.5, as well) were released. Unfortunately, as of now, only the English language versions. As the download pages for Firefox and Thunderbird show, all the other language versions are at 1.0.4 (for Firefox) and 1.0.2 or less (for Thunderbird).
Also, in various forums, people complain about issues with the new releases. Some even speculate about a version 1.0.6 being released soon.
Now this is a tough situation: On one hand, several security vulnerabilities were fixed, but on the other hand, people report about crashes or mail filters vanishing. In this case, I usually do a full backup and then upgrade (being able to revert back when things get bad). But let's hope the Mozilla Foundation gets an official statment (and maybe a new version) out soon.

Update 2005-07-16: Uh-oh. I was right.

Update 2005-07-20: Firefox 1.0.6 ist now available for other languages. Thunderbird 1.0.6 is currently only available in English.

Update 2005-07-23: Finally, Thunderbird 1.0.6 is available for other languages.

Update 2005-07-26: A couple of days ago, a new Mozilla version (1.7.10) was released ... and sucks. Read more here.

I am happy to announce that Damir from INETA gave me the opportunity to give a BoF session at this year's Tech Ed Europe. The topic: "Web Security: What Can I Do?". Here is the complete list. Looking forward to seeing you there!

... is available for download. As some of you know, I have been a part of the closed beta test and so much has changed since the first versions we had a look at. I am still not yet convinced about the (optional, on-demand) integration of the IE engine, but it's a neat browser with nice features. Go have a look! I am however curious which Firefox version was the basis, since 1.0.4 is relatively new.

Update: Now it's 8.0.1, because they found out that version 8.0 based on Firefox 1.0.3 which has some security vulnerabilities. The download address for the new, full version is the same; no patch from 8.0 to 8.0.1 is available yet.