prettyPhoto DOM XSS on Saotn.org

prettyPhoto DOM-based XSS

prettyPhoto DOM-based XSS on Saotn.org... This evening, after tweeting about preventing cross-site scripting vulnerabilities, I received a reply from Olivier Beg. His reply to my tweet contained an image, as you can see above. He alerted me that Saotn.org was vulnerable to a DOM-based XSS vulnerability, hidden in the prettyPhoto library used by my WordPress theme. Whoops! So, I had work to do! But what is prettyPhoto, and what exactly is a DOM-based XSS?

Install WordPress plugins without WP-admin access

Install WordPress plugins without admin access, and automate your WordPress customization and plugin installation. WordPress has a little-known drop-in option in the form of /wp-content/install.php. This install.php file is not present by default, but once created it can be used to install plugins without wp-admin access. This might come in handy for unattended WordPress installations, customization, and so on.

Set or remove the read-only attribute assigned to files with PHP chmod

Chmod.php: change file attributes with PHP to make files read-only, or normally accessible again, on Windows IIS servers. Sometimes you need chmod to make files on your website read-only, or to make them normally accessible again if they already are read-only. Drupal's settings.php configuration file and WordPress Contact Form 7 temporary captcha files are examples of such read-only files.
Security?

Block WordPress comment spammers manually

Learn to block WordPress comment spammers manually. The fewer spammers hit your WordPress blog, the better your blog performs, is one of my opinions. A second is: the fewer unnecessary plugins you use on your WordPress blog, the better. So, a little while ago I decided to remove plugins like Stop Spammer Registration Plugin and do their work myself. Here is why & how.

Don’t turn off CURLOPT_SSL_VERIFYPEER and fix your PHP configuration

Don't turn off CURLOPT_SSL_VERIFYPEER; fix your PHP configuration instead to resolve SSL errors in PHP. These errors are often caused by not having an up-to-date bundle of CA root certificates on your system. So please, don't disable CURLOPT_SSL_VERIFYPEER in your PHP code, but fix the cURL errors by updating cURL's bundle of CA root certificates and your php.ini configuration.

Grep for forensic log parsing and analysis on Windows Server IIS

How to use GnuWin32 ported tools like grep.exe and find.exe for forensic log file analysis on Windows Server. In this article I'll give some real-life examples of using these ported GnuWin tools, such as grep.exe, for log file analysis on Windows servers. The article provides three examples, as an alternative to LogParser, because finding spam scripts fast is often very important.