-
PHP issue on Windows server
Date: 06/13/07
(PHP Community) Keywords: php, security, web
Windows 2003 server with the latest updates
PHP v5.2.0
I have the following setup:
In...
D:\FTPRoot\Data
there are logon names in there which are linked to their accounts, i.e. when they log on via FTP, they go straight to their directory, i.e.
D:\FTPRoot\Data\USERNAME
Each directory has the security set to their own account, i.e.
USERNAME (SERVER\USERNAME)
Recently, one of the users did something naughty and wrote some code where they can see someone else's directory and put some randomly generated files in there. The code in question is:
$opFile = "./../username1/hello" . $random . ".txt";
Obviously I'm not going to post the full code but this should be a start.
As you can see, the user managed to write some files in someone else's directory, even though their security setup doesn't allow it, which I suspect is part of a 'system' account. However under the "D" drive, there is no "SYSTEM" account in there, it has been totally removed. The only things left are
Administrator
CREATOR OWNERS
and the D:\FTPRoot\Data has the security setup as:
Administrator
CREATOR OWNERS
FTP User Admin (FTP admin access for webmasters)
IIS_WPG
Internet Guest Account
In php.ini I also have this line:
disable_functions = "phpinfo, passthru, system, popen, escapeshellarg, escapeshellcmd"
But it is not working.
So, what am I missing and how do I stop these pesky users from doing this?
Many thanks
Source: http://community.livejournal.com/php/571097.html
-
Web 2.0: New risks, new rewards
Date: 06/13/07
(Web Technology) Keywords: security
Commentary--Before you use next-generation Internet apps to collaborate and communicate, keep these security measures in mind, says Secure Computing's CTO Paul Henry.
Source: http://news.zdnet.com/2100-9588_22-6190771.html
-
Reformatting a Protected Laptop
Date: 06/14/07
(Computer Help) Keywords: security
I recently inherited a laptop that my late uncle (insert euphemism for "stole" here) from his old workplace.
It is running Windows 2000 Professional and seems to have a lot of added security measures to prevent the computer from being stolen (oh, the irony). The BIOS is even set so that I can't change the boot order and boot from my XP installation CD. Ergo, I don't think there's a way for me to boot from the CD.
When I run setup, it won't let me delete the main (and only) partition because it "has necessary setup files on it"- and I can't install on said partition because it already has Windows 2000 on it.
With that said, two questions:
1) When accessing WinXP setup while already logged in on Win2k, I have the option to "upgrade" instead of doing an advanced setup- but do I even want to do that, since it will keep the existing programs, settings, etc.?
2) Is there some other way to reformat this computer? I don't have the CD to restore it to factory settings.
Source: http://community.livejournal.com/computer_help/788091.html
-
U.K. soccer club considers new level of security cameras
Date: 06/18/07
(Security) Keywords: security
Hidden cameras planted on security staff could beam video to control room, adding to U.K.'s closed-circuit TV system.
Source: http://news.zdnet.com/2100-1009_22-6191522.html
-
Automated System-Wide Security Audit
Date: 06/20/07
(PHP Community) Keywords: php, security
Hello Friends
I needed a unit test that would tell me if all files in a given directory contained a call to a specific function within the first few lines. This function's purpose was to reassure me that all files are being properly authenticated.
The function had to provide a whitelist feature. It makes use of common Unix commands and has been tested in Cygwin on the command line.
I was pretty happy with my results, and thought I might share them.
Constructive criticism very welcome.
    public function test_file_security() {
        $admin_search_path = '../admin/';
        $user_search_path = '../users/';
        $search_target = 'Util::validate_user';

        //The grep expression matches the ==> arrow returned by xargs
        //It also matches calls to the search target preceded by zero or more whitespace characters only
        $grep_command = "grep -E \"(==>|^([ ]+)?$search_target)\"";

        $command = "find $admin_search_path $user_search_path -maxdepth 1 -name \"*.php\" -print0 | xargs -0 head -n 3 | $grep_command";
        //echo $command;

        $security_info = array();
        $unsecured_files = '';

        $whitelist = array(
            $admin_search_path . 'index.php',
            $admin_search_path . 'login_page_bottom.php',
            $admin_search_path . 'login_page_top.php'
        );

        exec($command, $security_info, $return_val);

        $this->assertTrue($return_val === 0);
        $this->assertTrue(count($security_info) > 0);

        //echo print_r($security_info, TRUE) . "\n";
        //echo print_r($return_val, TRUE) . "\n";

        for ($i = 0; $i < count($security_info); $i++) {
            //Strip out arrows returned by xargs
            //(preg_replace is used because ereg_replace was removed in PHP 7)
            $current_token = trim(preg_replace('/[ <]?==[ >]?/', '', $security_info[$i]));
            $next_token = trim(@$security_info[$i + 1]);

            if (preg_match("/$search_target/", $current_token) > 0) {
                //Skip non-file tokens
                continue;
            }
            elseif (array_search($current_token, $whitelist) !== FALSE) {
                //Skip whitelisted files
                continue;
            }
            elseif ((empty($next_token)) || ((preg_match("/$search_target/", $next_token) == 0))) {
                //File header not followed by a call to the search target
                $unsecured_files .= $current_token . "\n";
            }
        }

        $security_issue_found = (empty($unsecured_files)) ? FALSE : TRUE;
        echo ($security_issue_found) ? "\n\n$unsecured_files\n" : '';

        $this->assertFalse($security_issue_found);
    }
}
Source: http://community.livejournal.com/php/572617.html
-
Homeland Security IT chief blamed for cyberwoes
Date: 06/20/07
(Security) Keywords: security
Top Democrat suggests CIO isn't fit to keep his job amid reports of security-related "incidents." CIO points to "significant progress."
Source: http://news.zdnet.com/2100-1009_22-6192255.html
-
Google security: 'We all have to invent the wheel'
Date: 06/28/07
(Security) Keywords: security, web, google
Leading the charge in Web security at Google, vice president of engineering stands at the forefront of a critical period.
Source: http://news.zdnet.com/2100-1009_22-6193944.html
-
Microsoft's lessons from the desktop
Date: 06/28/07
(Security) Keywords: security, web, microsoft
While similar rules apply to Web security, the differences are crucial and the stakes are high, says Microsoft senior security director.
Source: http://news.zdnet.com/2100-1009_22-6193942.html
-
Question for the more skilled.
Date: 06/28/07
(Javascript Community) Keywords: css, java, security
Hi, I'm working with a team creating a kind of site where anyone can pretty much create their own youtube/myspace/social network. Right now, we let users enter in their own code in the bottom and top of the body of a page (as well as customize other settings using an interface.)
We'd like to add another field where a user can enter in their own javascript/css in the header of their pages. Do you think allowing users to write in any js code they want in the header of their pages is dangerous? I know the user can do things like redirect the page and stuff - but it's really their site and currently if they want to do that they can. Are there any other dangers I should know about? Right now the user can pretty much put anything in the <body> including any JS so I don't see it opening up any more security holes than there are currently. Please enlighten me.
(Eventually we will block users from entering certain code, such as displaying: none text ads, etc.)
I know that this is a shaky area that could possibly open us up to being hacked but we're really trying to give affiliates as much control as possible.
Source: http://community.livejournal.com/javascript/134741.html
-
Uninstalling issues
Date: 06/29/07
(Computer Help) Keywords: software, security, virus, spam
Also posted in computerhelp
I am at my wits end here, I hope you guys can help. I am running a Vista system that is about 3 months old. My cable internet provider hasn't bothered to upgrade their security suite to be Vista compatible but pointed me to free trials I could use until they do.
After exhausting two free trials I made the HUGE mistake of trying CA's Internet Security Suite 2007. It has been nothing but a nightmare since I installed it. Causing blue screen o' doom errors many times a day. I went out today and purchased Micro Trend PC-cillin Internet Security software today, because it was one of the trials I tried and I like the way it works.
I went in to try and uninstall the CA program; it uninstalled the anti-virus, spam blocker and anti-phishing components but then it proceeded to tell me that I do not have enough privileges to install or uninstall Personal Firewall and to try logging in as an administrator. I am the only profile on this machine which by default makes me an administrator, and just to be sure I went in and checked, yep, I'm an admin. However, that doesn't solve the problem of how to get this crappy program the hell off of my computer so I can actually have a suite that is effective and doesn't cause blue screen errors.
I went to their support site, all of their "knowledge base" articles time out when I try to open them and they aren't responding to my email inquiry, but somehow I don't think I will be at the top of their list of people to get back to quickly since I pretty much told them I am getting rid of their software and using a competitor's suite. Any help on how to manually purge my system of this beast or whatever, as long as it is no longer on my system would be greatly greatly appreciated.
Source: http://community.livejournal.com/computer_help/793535.html
-
Cookies and staying logged in
Date: 07/03/07
(PHP Community) Keywords: security
I was thinking of how to add an "always keep me logged in on this computer" function for my users when logging in. First I figured just putting the password and username would be good enough, then I realised the security implications of that and I'm out of ideas...
What ways do other projects use?
Source: http://community.livejournal.com/php/574461.html
-
Open source security arrives with Untangle
Date: 07/05/07
(Open Source) Keywords: security
Even with paid updates on signatures and code we're talking here about a security solution small businesses can finally afford, from which small VARs can finally profit.
Source: http://feeds.feedburner.com/~r/zdnet/open-source/~3/130744894/
-
Security Software Questions
Date: 07/08/07
(Computer Help) Keywords: security, virus, antivirus, spyware, google
I recently downloaded BitTorrent to try my hand at torrents. I ended up getting the very first thing I wanted very quickly and was enthused. I tried for something else - got it, but couldn't get it to work on my computer, so I deleted it. Then the pop-ups started... Mostly in IE (which I haven't used since, oh, 2002, I use Firefox and rarely Opera) - a page saying I need, um, WinAntiSpyware 2006 or something similar (forgive me).
Right now I have:
- McAfee Security Center
- Avast
- Spyware Doctor (free version that came with the Google Pack)
Yesterday I ran Spyware Doctor and it came up with 300+ threats. McAfee Security Center came up with nothing. Avast found a trojan. Spyware Doctor did its thing and said that it got rid of all 300+ threats. This morning I came back to my computer and SD (it's scheduled to run every Sunday at 9am for a full scan) says there were 145+ threats. How? What? Why me??!
So, I moseyed over to download.com and started browsing. I downloaded:
- Spybot Search & Destroy (something I had used years ago)
- Advanced WindowsCare V2 Personal (which had good enough reviews)
- Ad-Aware 2007
I also have these programs bookmarked:
- Spy Catcher Express 2007
- Avira AntiVir Personal Edition
- Zone Alarm 7.0
- AVG AntiVirus Free Edition
Should I download them, too? Replace any of these for something I have now? Get rid of something I have now? Find something different altogether?
I've been "using the Internet" since 1999-ish and I never had any issues (be it viruses, spyware, adware, etc.) with any of my computers (including the computer at my parents' house, the one I'm using now will be the fourth computer I've had). I always had either no protection at all or just basic Norton, McAfee, or whatever came from our ISP. So now I'm all paranoid that my computer is going to end up being a paper weight. I've deleted BitTorrent and Limewire. All the .mp3, .avi, etc files that I've downloaded over the past few weeks have been scanned repeatedly over the past few days. I have no clue how I got any of this stuff - literally only check GMail, LiveJournal, & MySpace and use AIM to chat. Up until the recent torrent download, I was downloading everything from LJ users via sites like SendSpace, MegaUpload, MediaFire, etc. and they all say that those files have been scanned. So I'm assuming that whatever I got had to be from the torrents. But I really don't know.
Sorry for rambling... and sorry for lack of links. I don't know how these things are passed and I was reading something about someone posting to a forum and their links were being altered.
Source: http://community.livejournal.com/computer_help/796084.html
-
Google to buy e-mail security company for $625 million
Date: 07/09/07
(Security) Keywords: security
The Internet giant gobbles up Postini, which supplies on-demand communications security and compliance products to more than 35,000 businesses.
Source: http://news.zdnet.com/2100-1009_22-6195408.html
-
IE7 certificate errors
Date: 07/12/07
(Computer Help) Keywords: security, web
My laptop's got Windows Vista Home. In the last few days I've had trouble logging onto a lot of websites I've never had problems with. First it started as not being able to have my user name and password saved due to some sort of cookie error. I tried deleting the offending cookies so they could reset the next time I logged into the sites. Now in the past few days whenever I try to log into a site, from Netflix to my bank website to my Hotmail account, I get "Certificate Error: Navigation Blocked" and "There is a problem with this website's security certificate. This organization's certificate has been revoked. Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server." I can't even get answers from Windows Live Help because I can't log in with my Windows ID, I get the same damned error. What can I do to fix this?
Source: http://community.livejournal.com/computer_help/798270.html
-
Java flaw poses widespread security threat
Date: 07/13/07
(Security) Keywords: java, security
Vulnerabilities in the Sun Java Runtime Environment are described by one security expert as being "as bad as it gets."
Source: http://news.zdnet.com/2100-1009_22-6196493.html
-
Will security firms detect police spyware?
Date: 07/17/07
(Security) Keywords: security
A recent court case dealing with key loggers installed by the feds invites the question: will security companies put the interests of their customers first?
Source: http://news.zdnet.com/2100-1009_22-6197020.html
-
Someone's using my domain
Date: 07/23/07
(Computer Geeks) Keywords: security, virus, web, spam
I have my own domain, djmattb241.com. I use it mainly to host my out of date website and for my email address. Lately, I've been getting a bunch of emails like the following:
------------------------------------------------------------------------------
This is the server7.web4a.de program at host server7.web4a.de.
I'm sorry to have to inform you that the message returned
below could not be delivered to one or more destinations.
For further assistance, please send mail to
If you do so, please include this problem report. You can
delete your own text from the message returned below.
The server7.web4a.de program
: host mx0.gmx.net[213.165.64.100] said: 551 5.2.3 Your mail shows
indications of viruses or spam. We cannot accept your mail. {mx092} (in
reply to end of DATA command)
Reporting-MTA: dns; server7.web4a.de
Arrival-Date: Mon, 23 Jul 2007 10:37:40 +0200 (CEST)
Content-Type: text/plain
Final-Recipient: rfc822; tt48@gmx.de
Action: failed
Status: 5.0.0
Diagnostic-Code: X-server7-web4a-de; host mx0.gmx.net[213.165.64.100] said: 551
5.2.3 Your mail shows indications of viruses or spam. We cannot accept your
mail. {mx092} (in reply to end of DATA command)
Subject:
Emailing: detail report.zip
From:
"Janine manalang"
Date:
Mon, 23 Jul 2007 16:36:56 +0800
To:
mail@bultmann-net.de
The message is ready to be sent with the following file or link attachments:
detail report.zip
Note: To protect against computer viruses, e-mail programs may prevent sending or receiving certain types of file attachments. Check your e-mail security settings to determine how attachments are handled.
-----------------------------------------------------------------------------------
This one came from manalangiduz@djmattb241.com. I've seen ones from billing@djmattb241.com and others. Is this ad-ware on my machine? (I use Thunderbird) Or is it something to do with my server? I know I can shut off the feature where all email going to djmattb241.com goes to me, but that's not really solving the problem.
Help? :(
Source: http://community.livejournal.com/computergeeks/1090475.html
-
iPhone Hacking: Security Vulnerability Allows Full Remote Control From Malicious Web Sites
Date: 07/24/07
(Java Web) Keywords: security, web
Security researchers Charlie Miller, Jake Honoroff & Joshua Mason claimed and then demonstrated a proof-of-concept vulnerability in iPhone which can be used by any website to inject codes in iPhone which will allow full remote control of your iPhone over the internet. The hackers can do everything you can do with your iPhone remotely. They [...]
Source: http://blog.taragana.com/index.php/archive/iphone-hacking-security-vulnerability-allows-full-remote-control-from-malicious-web-sites/
-
Congress: P2P networks harm national security
Date: 07/24/07
(Security) Keywords: security
House of Representatives panel chairman says peer-to-peer networks pose a "national security threat," new laws needed.
Source: http://news.zdnet.com/2100-1009_22-6198585.html