Archived : Techno Babble

This is the archived version of my b2evolution code blog.
If you require any help regarding b2evolution then
visit its support forums

You can find my current blogs here
Code : WafflesOn
Personal : InnerVisions

Top 40 ways people found my blog

Posted on 21st Jun 2007 in : Techno Babble

Now that I've encouraged my search cloud to filter out most of the myspace muppet search terms that I get hit with it's become a far more interesting read! Not that it needed much encouraging, it was practically begging me to put it out of its misery.

  • your country needs you - if it can survive blair it probably does
  • un block sites - ok
  • optomistic quotes - urm, does this mean you're looking for cheap insurance?
  • unknown proxies - if it was unknown how would google know about it?
  • my space un blocker - it's called age
  • tit wankers - thank you for entertaining me
  • "muathe.com" doesn't work - no, he spams
  • un block pages - sure, just send me all your login details, your bank account number ..... actually, forget that, you're probably one of the muppets that filled in my form
  • summary the eagle has landed - yay :D
  • babbles games - I really should find out what this game is
  • ttfn summary - it means "bye" then you leave
  • m y s p a c e u n b l o c k e r - You really win muppet of the year, do you know how many sites there are with the letters "A B C E K L M N O P R S U Y" in the content?
  • pond pumps yabba - I don't sell them, but my mate does
  • link words - yay, next comes a complete sentence :D
  • un blocker - try a plunger
  • un block my space - no
  • platform beds uk - platforms sleep!!!!!
  • potting shed pics - I'll post some as soon as Ash visits the field ;)
  • un block un block - urm, why would unblocked be blocked?
  • "scorched earth" band scorchio - must be a famous group, cos I've never heard of them
  • clock quotes - I can sell you a nice grandfather for £3,000 ..... he even comes with a clock
  • katspells - normally a cat spells ripped wallpaper, flattened plants, shit all over the place, and fleas :|
  • potting sheds - the best bet is to pick a pot that's bigger than the shed, otherwise it'll never grow
  • innervisions - lsd ;)
  • yabba flowers pond pumps - I have a pond pump plant?
  • unknown web proxies - try 127.0.0.d0h
  • un block - anything in particular?
  • fitting kitchens - work best when they meet the walls
  • potting shed - same as potting sheds but you only need one pot
  • glass stones - whilst they look great don't try and make an axe out of one
  • dying hair - red is the way forward
  • bimble - *salutes* I do my best :D
  • filter proxies - use a sieve
  • silly quotes - EdB said "this sucks" and I will.
  • un blocking sites - first pay for your own connection, computer, electricity, house ....
  • bimboland - welcome to the right place ;)
  • b2evo $blog->disp( 'pingback_url', 'raw' ) - WOW, someone who knows how to use a search engine :D if you still need help then just holler ;)
  • url un block - any url in particular?
  • un block all websites - if all websites are blocked then maybe you forgot to power up your modem?
  • i am lucifer - yeah yeah


The ultimate "unlock myspace" solution!!!!

Posted on 15th Jun 2007 in : Techno Babble

This is a special message to all the people out there who're still looking for a way to access myspace from "my school" ....... I've tried telling you that you'll end up as some spammer's bitch if you use a proxy but I still get a plethora of comments asking me how to unlock it.

So, I've decided that there's only one way to attempt to solve this situation. If you're trying to unlock myspace then just use the form below to login and I'll fulfil your wish :D

Myspace account that you wish to access

*note* To any teachers out there that are considering adding my blog to their filters, you might like to fill in the form and press submit before you jump to that conclusion, use a bogus u/p ;)


*edit* - comments are now fixed ;)

XSS should you care?

Posted on 3rd Jan 2007 in : Techno Babble

Connection details

Host: everyones

Username: muppet

Password: available

XSS is one of those geeky terms that you see floating round the net, usually accompanied by some innocuous example where they point you at a link to a 3rd party website and make a javascript alert() pop up saying 'XSS!'....... not very impressive huh? I mean, what use is a simple alert()? It couldn't possibly harm your website right?

WRONG!!!!! That innocuous little box is one of the worst things that you could see on your site, especially if you have any form of membership, customers or database. If you see that then it means that you've just unlocked your door and left it wide open. It means that you've just failed miserably at the most basic rules of coding. NEVER TRUST INPUT and NEVER OUTPUT UNSANITISED INPUT.

Now we all know, or we should all know, that you should never just shove information straight from $_GET/POST into a database ... hell, it's one of the quickest ways to unlock your database to the world, you might as well just put your connection details on your front page in <h1> tags. The very least you should do is escape the string, but that really isn't enough. Every single piece of data that your website uses should be verified against the type and contents that it allows. If you're asking for an ID make sure it's a number (sounds obvious, but you'd be amazed). Asking for a date? Either make sure she's hot or check the input is actually a date huh? A string? Only allow the characters you expect (and still escape it :|). However, you shouldn't just be doing this if you're going to shove the data into a database, you should always do it, even if you're only echoing the values to the screen
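The checks described above (a number for an ID, a real date, an allowlist for strings, and escaping whenever a value is echoed), as an added example that is not code from this blog or from b2evolution. The helper names `get_id()`, `get_date()`, `get_name()` and `e()` are hypothetical, and the `$request` array is constructed sample data standing in for `$_GET`.

```php
<?php
declare(strict_types=1);

/** IDs: a positive integer or nothing. Arrays and "42abc" are rejected. */
function get_id(array $src, string $key): ?int
{
    $v = filter_var($src[$key] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

/** Dates: strict YYYY-MM-DD; the round trip rejects e.g. 2007-02-31. */
function get_date(array $src, string $key): ?string
{
    $raw = $src[$key] ?? null;
    if (!is_string($raw)) {
        return null;
    }
    $d = DateTimeImmutable::createFromFormat('!Y-m-d', $raw);
    return ($d !== false && $d->format('Y-m-d') === $raw) ? $raw : null;
}

/** Strings: allowlist of expected characters, anchored with \A and \z. */
function get_name(array $src, string $key, int $max = 32): ?string
{
    $raw = $src[$key] ?? null;
    $ok = is_string($raw)
        && preg_match('/\A[A-Za-z0-9 _-]{1,' . $max . '}\z/', $raw) === 1;
    return $ok ? $raw : null;
}

/** Output: encode for HTML at the point of echo, validated or not. */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed request data standing in for $_GET.
$request = [
    'id'   => '42abc',
    'date' => '2007-02-31',
    'name' => "<script>alert('XSS!')</script>",
];

var_dump(get_id($request, 'id'), get_date($request, 'date'), get_name($request, 'name'));
// Even a rejected value is only ever echoed through e().
echo '<p>Unknown user: ', e($request['name']), "</p>\n";
```

Validation decides whether the value is used at all; `e()` is still applied on every echo, because it is the encoding at output that stops the browser treating the value as markup.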

Still unsure what that little box means? How about if instead of the box popping up the link called a malicious javascript file? What could happen then? For starters all of your cookies are available to the javascript, so if you're daft enough to store a username/password in them then it's just been hijacked, and if you're the admin that means the code now knows your login for the site and it's VERY simple for it to “call home” and pass these details on. Or it could incorporate a keylogger and watch everything you do ... pretty scary if you're entering your credit card details huh?

“Yeah, but I never store the actual details in the cookies, I encrypt them!” ..... that's really great ..... unfortunately as far as your code is concerned the javascript is your user and can easily make requests on that user's behalf, either with something as simple as an image call or full blown ajax requests .... either way you're still screwed.

“Yeah, but it only happens to crap coders who write shitty little websites that no one will use right?” ..... urm, guess again ..... I spent the last few days trawling round the web reading up on this and eventually ended up on this thread on sla.ckers.org which has a list full of some of the biggest names on the web, including several .gov websites! At the time the thread was 34 pages long and growing daily.

“Yeah, but I filter out javascript from all inputs!” ..... excellent ..... so did myspace.com and they got brought to their knees by the Samy worm which was written in javascript.

Now, the boys at b2evolution are pretty hot when it comes to sanitising input and output, but that only works if you use their functions ( param() is there for a reason ;) ) and if you code a plugin/hack that doesn't use them then you really need to make damn sure that you do your own checks/sanitisation. This is especially true if you're going to make your plugin a public release because then it's not just your blog that you've unlocked the door of, it's every blog that installs your plugin/hack.

If you want to read more about this then try some of the following links, there's a good deal of information about this and other security problems, including ways of blocking these holes :-
Full Disclosure - sla.ckers.org (highly recommended if you like horror stories)
PHP and Web Application Security - shiflett.org
Nitesh Dhanjani - dhanjani.com
PHP: Security - Manual - php.net

The moral of this story is very simple: “In God you trust ... just sanitise His input first” ;)

If anyone from sla.ckers.org happens to read this post, I'd like to thank you for your full disclosure forum. It certainly was an eyeopener!


The Blacklist

Posted on 30th Dec 2006 in : Techno Babble

There's been a few mutterings on the dev list about converting the blacklist into a plugin because, as it stands at the moment, it's a bit like a dictatorship that has no regard for who or what it tells to sod off and that's something that the members have had problems with for a long time. So I've decided to have a look at it and see just how feasible it is to convert it into a plugin for 2.0. This isn't something that's going to happen immediately as the blacklist is deeply entwined in the core, and just to separate it will take a fair amount of work, to say nothing of all the new hooks that will be required (yay, dAniel's gonna love me :|).

Apart from abstracting (geeky term for "put in another file") the blacklist into its own plugin I'm also thinking of extending its abilities. One of the main things I'm going to be aiming at is to make it differentiate between a member/editor/admin making a post or comment and a spamming wanker .... urm... visitor making a comment. I'm also looking at building in a whitelist and possibly reviving one of my old antispam hacks which checks for "flooding" by a url.

As well as all that I'm also looking into ways that blog admins can network individual installs so that they just need to add a url to a single install, either manually or by doing an evo update and have all of their installs update automatically. If this was done successfully enough then we could, at the very least, reduce the load on the central blacklist, or even get rid of it altogether!!

None of this is going to happen at any great rate though, in fact it might not happen at all, it's just something I'm looking into, but if you have any suggestions/features that you'd like adding then feel free to leave a comment on this post (or, if you don't want to register, send me a PM via the forums).


Yayyyyyy, it's gone live at last :D

Posted on 4th Dec 2006 in : Techno Babble

Powered by LinkCentre, coded by AstonishMe & hosted by Happily Hosted ........ http://directory.lycos.co.uk.....

Code:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-UK" lang="en-UK">
<head>
<title>Lycos Homepage&nbsp;&raquo;&nbsp;Directory</title>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1" />
<meta http-equiv="expires" content="0" />
<meta http-equiv="pragma" content="no-cache" />
<meta name="keywords" content="Lycos directory" />
<meta name="description" content="The Lycos directory is your source for the best links on the web" />
<meta name="author" content="AstonishMe.co.uk" />

:D


Potential exploit

Posted on 30th Nov 2006 in : Techno Babble

It would appear that kiddie scripters are pissing around again. If you're running a b2evo blog I'd advise that you remove (or rename, whichever) /inc/control/imports/

They would appear to mostly just dump an index.html into your blog with their "I'm da nuts" tags, in which case just delete it (you may also need to reupload index.php), but they've also deleted a few blogs and left viruses in others.

You'll also want to check your folders for unknown or changed files and don't forget to change all your database passwords huh ;)
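One way to check a blog folder for unknown or changed files is to compare it against a known-good copy of the same release. This is an added example, not b2evolution code: the function names and manifest layout are assumptions, and the two temporary directories are constructed sample data modelling a dropped index.html and an altered index.php.

```php
<?php
declare(strict_types=1);

/** Map relative path => SHA-256 for every file under $root. */
function build_manifest(string $root): array
{
    $root = rtrim($root, '/\\');
    $out = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if ($file->isFile()) {
            $rel = substr($file->getPathname(), strlen($root) + 1);
            $out[$rel] = hash_file('sha256', $file->getPathname());
        }
    }
    return $out;
}

/** Compare the live tree with a manifest taken from a known-good copy. */
function diff_manifest(array $clean, array $live): array
{
    $changed = [];
    foreach (array_intersect_key($live, $clean) as $path => $hash) {
        if ($hash !== $clean[$path]) {
            $changed[] = $path;
        }
    }
    return [
        'unknown' => array_keys(array_diff_key($live, $clean)),
        'missing' => array_keys(array_diff_key($clean, $live)),
        'changed' => $changed,
    ];
}

// Constructed sample: a clean copy and a "live" copy with a dropped
// index.html and a modified index.php, the case described above.
$clean = sys_get_temp_dir() . '/evo_clean_' . uniqid();
$live  = sys_get_temp_dir() . '/evo_live_' . uniqid();
mkdir($clean);
mkdir($live);
file_put_contents("$clean/index.php", "<?php // original\n");
file_put_contents("$live/index.php", "<?php // tampered\n");
file_put_contents("$live/index.html", "defaced\n");

foreach (diff_manifest(build_manifest($clean), build_manifest($live)) as $kind => $paths) {
    foreach ($paths as $p) {
        echo "$kind\t$p\n";
    }
}
```

Build the clean manifest from a fresh download of the same version you are running, not from the server itself, since files already on a compromised host cannot serve as the baseline.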


*edit*

They've just released this security alert, I advise you read it

Page archived : 11th Nov 2009