thinkbuildblog

Tag Archives: security

Useful resources we’ve shared recently

Posted by Pixafy


Are you connected with us on Twitter? We love sharing daily tech tips, useful tutorials, interesting content, and more on Twitter @Pixafy. Be sure to follow and tweet us!

In case you missed them, here are a few of our fave tweets:

Recent links shared on Twitter

Posted by Pixafy

Hopefully by now you’re following us on Twitter, but if not, you’re missing out on quick tips, great tutorials and news items that are worth a look! Here are some examples of content we’ve shared recently:

Your PHP site may be exposing information

Posted by Thomas Lackemann

Are you aware of PHP easter eggs? PHP easter eggs are special query strings that, when appended to the URL of a PHP page, make PHP return information pages of its own. If you’re not familiar with them, then chances are your PHP site is exposing information that could help a determined hacker.

To see if easter eggs are turned on, go to any PHP site and add this to the end of the URL:

?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000

Do you see the PHP credits page? If so, then your PHP site is exposing sensitive information to your visitors. While the page itself does not contain anything harmful, the server is also broadcasting the PHP version to your visitors in the response headers. To see how easy it would be to “hack” your site, open your browser’s developer tools on the current page and look at the response headers. You should see a line that looks similar to this:

X-Powered-By: PHP/5.3.13

A clever visitor could use this information to look up known security exploits associated with the version of PHP you’re running. If you’re running Apache, its response headers may likewise be announcing the Apache version to your visitors.

As such, it’s good practice to always make sure

is set in your php.ini file to disable this feature.

If you are using a shared server and don’t have access to php.ini, you can deny access by adding the following line to your .htaccess file:

Note that in the instance of a shared server, other sites would still be exposing the information, so it’s best to report it to whoever maintains your server.
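The two checks described above, reading the response headers for a version string and confirming that php.ini disables the feature, can be automated. The following script is an added example and is not code from the original post. It assumes the standard PHP directive behind the X-Powered-By header, expose_php (which defaults to On), and uses constructed sample responses and php.ini excerpts so it runs offline; point parse_headers at a real captured response to check your own site.

```python
"""Check a PHP site's HTTP response headers and php.ini for version disclosure.

Added example, not code from the original post. It automates the two
checks the post describes: reading the X-Powered-By / Server headers
for a version string, and confirming that php.ini turns off the
expose_php directive (the standard PHP setting behind X-Powered-By).
All sample responses and ini excerpts below are constructed.
"""
import re
from typing import Dict, List, Tuple

# Response headers that commonly carry software and version information.
DISCLOSING_HEADERS = ("x-powered-by", "server")

# Product token followed by a dotted version, e.g. "PHP/5.3.13", "Apache/2.2.22".
VERSION_RE = re.compile(r"\b([A-Za-z][\w.-]*)/(\d+(?:\.\d+)+)")

# Constructed sample: the kind of headers the post tells you to look for.
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.22 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.3.13\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

# Constructed sample: the same site after expose_php = Off and a Server header
# trimmed to the product name only (Apache's ServerTokens Prod does this).
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

# Constructed php.ini excerpts: the weak default beside the corrected setting.
WEAK_INI = "; php.ini excerpt\nexpose_php = On\n"
FIXED_INI = "; php.ini excerpt\nexpose_php = Off  ; hide PHP version and easter eggs\n"


def parse_headers(raw_response: str) -> Dict[str, str]:
    """Split a raw HTTP response into a dict keyed by lower-cased header name.
    The status line and the body (everything after the blank line) are discarded."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def find_disclosures(headers: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (header, product, version) for every disclosing header whose
    value includes a version number. An empty list means nothing leaked."""
    findings: List[Tuple[str, str, str]] = []
    for name in DISCLOSING_HEADERS:
        value = headers.get(name, "")
        for product, version in VERSION_RE.findall(value):
            findings.append((name, product, version))
    return findings


def expose_php_enabled(ini_text: str) -> bool:
    """Return True if this php.ini text leaves expose_php on.
    PHP's built-in default is On, so a missing directive counts as enabled;
    ';' starts a comment and the last assignment wins."""
    enabled = True
    for line in ini_text.splitlines():
        code = line.split(";", 1)[0].strip()  # drop trailing comments
        key, sep, value = code.partition("=")
        if sep and key.strip().lower() == "expose_php":
            enabled = value.strip().strip('"').lower() in ("1", "on", "true", "yes")
    return enabled


def audit(raw_response: str, ini_text: str) -> List[str]:
    """Combine both checks into a list of human-readable findings."""
    report = []
    for header, product, version in find_disclosures(parse_headers(raw_response)):
        report.append(f"{header} reveals {product} {version}")
    if expose_php_enabled(ini_text):
        report.append("expose_php is on (PHP default); set expose_php = Off in php.ini")
    return report


if __name__ == "__main__":
    for label, resp, ini in (("before", LEAKY_RESPONSE, WEAK_INI),
                             ("after", HARDENED_RESPONSE, FIXED_INI)):
        print(label, audit(resp, ini) or ["no version disclosure found"])
```

Note that expose_php is a system-level directive, so it has to be changed in php.ini (or the server's main configuration) by whoever administers the server; that is why the post recommends reporting the issue on a shared host rather than trying to fix it per site.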

Cross-domain Ajax, part 2: Using cross-origin resource sharing

Posted by Tariq Chaudhry

In my last post I gave an example of how JSON-P can provide a solution to the restrictions that the same-origin policy places on asynchronous requests. When a developer wants to make an AJAX call between two different domains that she owns, JSON-P allows this, but what if I want to allow others to access my content using AJAX?

When there isn’t safety in numbers: A security lesson

Posted by Joshua O'Connell


Pixafy staff listen to the introduction to the security lesson.

An oft-repeated statement is “trust no one.” When it comes to securing something in the world of IT, it’s especially important, and has been the subject of much discussion.

That was the subject of a session on the security of web applications led by President Uri Foox. Two-thirds of the company’s staff attended the voluntary session and broke into teams to learn how one simple decision can lead to a complete breakdown in a website’s efforts to keep people out.

The password is… STOLEN!

Posted by Pixafy

Password thefts have been popping up in the news lately. In recent months, a number of high-profile database breaches have resulted in passwords being stolen from sites like LinkedIn, last.fm and Yahoo! Voices. A couple of things become obvious with these thefts.