  1. PHP form problem

    Date: 12/05/05 (PHP Community)    Keywords: mysql, sql, security

    I was just asked to take a look at a form here at work. The purpose of it is to allow people to sign up for a mailing list: first name, last name, email. It takes the details from the form and just adds it to a MySQL db without doing any error checking. The client has just said that they're getting all kinds of weird entries. What's showing up looks like pieces from email headers. I just took a look at the script (which I didn't write) and there doesn't seem to be any security on it to restrict access to the form script to just the client's domain. All of the weird entries seem to be coming from the same email address (onemoreaddress@hotpop.com).

    My guess is that someone is submitting info to the form through another domain or otherwise hacking the form/db. Has anyone had a problem like this before or have any other opinions on what might be causing it?

    I'm going to add in some error checking and see if I can set up something to only allow the form to be processed if submitted on the client's domain. Anything else I should think about?

    Source: http://www.livejournal.com/community/php/374052.html

  2. New Sony CD security risk found

    Date: 12/07/05 (Security)    Keywords: software, security

    Record label fixes hole in copy-protection software exposed by digital rights group, security researchers.

    Source: http://news.zdnet.com/2100-1009_22-5984764.html

  3. Survey: Most home PC users lack security

    Date: 12/08/05 (Security)    Keywords: software, security, virus, antivirus

    Some 81 percent lack at least one of three critical types of security, but use of firewalls and antivirus software is improving.

    Source: http://news.zdnet.com/2100-1009_22-5986344.html

  4. New Firefox Security Vulnerability

    Date: 12/08/05 (Mozilla)    Keywords: browser, java, security, virus, linux

    News of a new security vulnerability has been posted for Firefox 1.5 (my testing confirms it also affects Firefox 1.0.7) that allows for Denial of Service or potentially arbitrary code execution. It has to do with a buffer overflow in the parsing of history.dat, which stores browser history.

    Basically, if you visit a malicious site using this vulnerability, the next time you try to start Firefox it will run the malicious code, which could be as minor as causing Firefox not to work (such as the Proof of Concept) or as serious as executing arbitrary code (i.e. it could install a virus or other malware). Fortunately, there is a simple workaround: just set Firefox to keep browser history for 0 (zero) days, essentially setting it not to keep history, and then restart Firefox to make the change take effect. Note that disabling JavaScript DOES NOT mitigate this vulnerability; only disabling browser history does, since that prevents the creation of history.dat. Also note that the malicious code would run each time you attempt to start Firefox, until you delete history.dat from your profile folder.

    I don't believe Mozilla has announced anything about this yet, but proof of concept code is available, and I confirmed with my own testing that it works as I described on both Mac OS X and Windows, using both Firefox 1.5 and Firefox 1.0.7, meaning that all versions are probably affected (or at least all recent versions).

    Here are the steps to mitigate this vulnerability until a patch is released (for Firefox 1.5):

    1. Open Firefox Options (Tools->Options on Windows) or Preferences (Edit->Preferences on Linux, Firefox->Preferences on Mac OS X).
    2. Choose "Privacy" from the top button bar, and choose the "History" tab.
    3. Set "Remember visited pages for the last ____ days." to 0 (zero).
    4. On Windows, click OK to close the Options window. On Linux or Mac, simply close the Preferences window.
    5. Restart Firefox to make sure the setting takes effect.

    The same steps apply to Firefox 1.0.x, it's just that the options/preferences window is different. Basically, for step 2 the "Privacy" button is on the left side button bar, and history is the top section on that pane.

    More details for the technically minded...

    X-posted to firefoxusers

    Source: http://www.livejournal.com/community/mozilla/341566.html

  5. Fixes coming for Windows flaws

    Date: 12/08/05 (Security)    Keywords: security, microsoft

    Microsoft plans to release two security alerts with patches for an unspecified number of flaws in the operating system.

    Source: http://news.zdnet.com/2100-1009_22-5987630.html

  6. eBay halts auction of Excel flaw

    Date: 12/09/05 (Security)    Keywords: software, security, microsoft

    Bidding stopped on sale of information about software security hole, which Microsoft says it is investigating.

    Source: http://news.zdnet.com/2100-1009_22-5989078.html

  7. Is it just me ...

    Date: 12/10/05 (Mozilla)    Keywords: java, security

    ... or has anyone else who upgraded to Firefox 1.5 last week found it buggy and bloated?

    It crashes every once in a while (not related to the recent security hole) and Java 5.0 is really bad. I installed it and it makes my computer unresponsive, requiring a reboot sometimes. Firefox will make my computer unresponsive to a ctrl+alt+del for 2-3 minutes until it's closed if I leave my computer on all night. Normally when a process in Windows 2000 is using 100% of the CPU it should at least remain responsive.

    I hope some bug fixes come soon. It's that or my registry is corrupt perhaps? Anyone else have the same problems?

    Source: http://www.livejournal.com/community/mozilla/341918.html

  8. Open-source antivirus tech may get commercial help

    Date: 12/13/05 (Security)    Keywords: technology, security, virus, antivirus

    eEye Digital Security may adopt and improve the open-source Clam AntiVirus technology to add to its intrusion-prevention product.

    Source: http://news.zdnet.com/2100-1009_22-5992194.html

  9. Intel battles rootkits with hardware

    Date: 12/13/05 (Security)    Keywords: security

    Q&A: Travis Schluessler, an Intel security architect, explains how the chipmaker's labs plan to take on sophisticated threats.

    Source: http://news.zdnet.com/2100-1009_22-5992837.html

  10. hi- have an issue with home pc- "the page cannot be displayed" msg

    Date: 12/13/05 (Computer Help)    Keywords: security, web, yahoo

    ok, i went back through all of the old entries a few months back, and didn't see this particular question posted. if this is a repeat question, i apologize... here is my issue:

    i cannot access any of my e-mail accounts (yahoo, hotmail, or gmail) on my computer. i have a cable modem, and so my computer is on-line 24/7. i can access Livejournal, and various other sites just fine, but there are some sites (including the e-mail servers) that i can't seem to access. when i go into, for example, Yahoo e-mail, i type my username and password, hit "enter" and i just keep getting "the page cannot be displayed." i have tried everything that others have suggested (i am not so good at this stuff on my own):

    1) resetting the computer

    2) adjusting the security settings (in the "internet options" selection under "tools")

    3) clearing the cache

    4) going into the "advanced" tab in "internet options" under "tools" and making sure both the SSL 2.0 and the SSL 3.0 boxes were checked (they were)

    5) i've gone into the "connection" tab in "internet options" and selected the LAN button to see if the "Automatically detect settings" button was checked- it didn't work checked or unchecked- still not able to access my e-mail accounts

    6) and last but not least, i've even tried restoring to former settings (since this problem only started about 3 days ago), i set the computer back a week through selecting Start menu, Programs, Accessories, System tools, and restoring to an earlier date prior to this limitation in accessing the web.

    is there anything else i can do to fix this issue short of having a tech come in and take care of it???

    thanks in advance for any advice- x-posted to all relevant communities.

    --m

    Source: http://www.livejournal.com/community/computer_help/546901.html

  11. Bug-hunting tool aimed at Vista developers

    Date: 12/16/05 (Security)    Keywords: security

    Tool is designed to identify bugs related to a security feature in Windows Vista that lets users run with fewer privileges.

    Source: http://news.zdnet.com/2100-1009_22-5998726.html

  12. Microsoft patch jams up IE

    Date: 12/17/05 (Security)    Keywords: browser, security

    Tuesday's security update for Internet Explorer is causing trouble for people who have been testing the new IE 7 browser.

    Source: http://news.zdnet.com/2100-1009_22-5999193.html

  13. Critical Vulnerability in Apple’s iTunes for Windows

    Date: 12/19/05 (Java Web)    Keywords: software, security

    A critical vulnerability, found in some versions of Apple's popular iTunes software, could enable attackers to remotely take over a user's computer, according to a warning issued by eEye. This flaw existed on the earlier version of iTunes 6 for Windows and was not addressed by the latest security update. eEye is currently testing Mac for [...]

    Source: http://blog.taragana.com/index.php/archive/critical-vulnerability-in-apples-itunes-for-windows/

  14. $_SERVER['PHP_SELF'] alternative...

    Date: 12/19/05 (PHP Community)    Keywords: php, html, security

    This forum post got me thinking more about security. (yes, that is me with a similar question there)

    http://forum.hardened-php.net/viewtopic.php?id=20

    Trying the methods in this blog post got me thinking and looking for an alternative.

    http://blog.phpdoc.info/archives/13-XSS-Woes.html

    So I started thinking of a safer way to accomplish the same thing. I was looking at the manual at http://php.net/ and came across $_SERVER['SCRIPT_FILENAME'] and did a little playing with it. I did a simple echo statement, and it returned the path for the script and nothing else, even using injection methods. Is this a good substitute for PHP_SELF? Anyone know any security issues with this superglobal? I have several scripts that use PHP_SELF, and would like a safe alternative.

    *edit*
    I just noticed I accidentally made this a friends-only post, so I removed that.

    Source: http://www.livejournal.com/community/php/380992.html

  15. Yahoo to plug security hole in dating site

    Date: 12/20/05 (Security)    Keywords: security

    Fix comes after security expert finds clues in online profiles that could let intruders reset passwords.

    Source: http://news.zdnet.com/2100-1009_22-6002882.html

  16. FTC says federal spam law has worked

    Date: 12/21/05 (Web Technology)    Keywords: security, spam

    Security firms report spam increase--but the FTC says 2003 law regulating junk e-mail is effective.

    Source: http://news.zdnet.com/2100-9588_22-6003071.html

  17. Google plugs 'obscure' phishing holes

    Date: 12/21/05 (Security)    Keywords: security, web

    Web site security flaws could have enabled phishing scams, accounts hijacks and other attacks.

    Source: http://news.zdnet.com/2100-1009_22-6004471.html

  18. New biometrics software looks for sweat

    Date: 12/21/05 (Security)    Keywords: software, security

    If new software gets perfected, forget trying to use that severed finger to get past the security gate.

    Source: http://news.zdnet.com/2100-1009_22-6003440.html

  19. California scrutinizes Diebold e-voting

    Date: 12/22/05 (Web Technology)    Keywords: security

    Memory cards present security concerns that require additional evaluation, state officials say.

    Source: http://news.zdnet.com/2100-9588_22-6004615.html

  20. iTunes and QuickTime flaw detailed

    Date: 12/22/05 (Security)    Keywords: security

    Flaw could put systems running Windows and Mac OS X at risk of attack, warns security researcher.

    Source: http://news.zdnet.com/2100-1009_22-6004635.html
