Archive of May 2007
Chainsaw Suicide
This is kind of sad, but exactly how does one arrive at the conclusion to chop off one's own head with a chainsaw? One more down, many more to go.
May 9, 2007 @ 04:24 pm | Category: Darwin's Work
Saturday, May 05, 2007
PolarBlog Potential Path Disclosure
Yesterday a friend at work found that he could force a path disclosure leak on some sites running PolarBlog (and, I would think, on many other applications as well). This does not pose a danger to your PolarBlog installation, but it can provide information that might be helpful if someone were to find a way into your site via a different application.

The quickest and easiest way to prevent this is to stop PHP from displaying errors to the screen and have it save them to a log file instead. This is a very good standard security practice that I've followed for a very long time, and you should too.
If you are running your own server and have access to your php.ini file, you are likely either already doing this or should easily be able to make the appropriate changes there. But most people run in a shared hosting environment and will need to do this via a .htaccess file. Information on how to do this has long been in the PolarBlog documentation. It is highly recommended that you read and implement the changes in the .htaccess File section of the PolarBlog Documentation. This will prevent PHP errors from being displayed on your site whenever an error occurs in any of your PHP applications. Again, this is a highly recommended security practice that will stop all of your PHP applications from leaking potentially exploitable information to those who may wish you ill.
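The following .htaccess fragment is an added example of the setting change described above; it is not taken from the PolarBlog documentation, and the log file path is a hypothetical one you would replace with a location your host permits. The weak default is shown commented out beside the hardened settings, and a Files block keeps the log itself from being served.

```apacheconf
# Weak (the default on many hosts): PHP prints errors into the page,
# and each message carries the absolute filesystem path of the failing script.
# php_flag display_errors On

# Hardened: keep errors out of the response and record them in a log instead.
php_flag display_errors Off
php_flag display_startup_errors Off
php_flag html_errors Off
php_flag log_errors On
# Hypothetical path; prefer a file outside the document root when the host allows it.
php_value error_log /home/example/logs/php_errors.log

# If the log has to live under the web root, refuse to serve it directly,
# otherwise the same paths leak through a plain request for the log file.
<Files "php_errors.log">
    Order allow,deny
    Deny from all
</Files>
```

The php_flag and php_value directives only take effect when PHP runs as an Apache module; on CGI or FastCGI hosts the equivalent settings belong in php.ini.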
I will release an update soon that will prevent this information leak, although I consider this to be a minor security issue, at least for PolarBlog. But since this information could be leveraged to help attack your system, I will be closing this disclosure bug.
May 5, 2007 @ 08:00 am | Category: Software Development