Yesterday, I was forced to do some work, at work, when Pidgin failed to connect to MSN. It was a hard day.
I use Ubuntu Maverick on my desktop, and started out using the ‘stock’ Ubuntu version. As this wasn’t working, my first thought was to upgrade to the latest Pidgin release. Previously I’ve compiled it from source, but this time I just used a PPA (see here).
But still, it didn’t work.
Time to rummage some more – and I found the following bug report – so I added in my 2p, and waited. Eventually the following solution came up:
Within Pidgin, go to Tools -> Certificates and delete the one for omega.contacts.msn.com.
Visit https://omega.contacts.msn.com and download the SSL certificate (e.g. if using Firefox, click on the SSL icon in the URL bar and then export it (save to file)).
From within Pidgin’s Tools -> Certificates Certificate Manager click Add, and add in the SSL certificate you’ve just saved.
Now it works again.
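The middle step above (fetching the certificate the server currently presents) can also be done from a script, which makes it easy to inspect the subject, validity dates and fingerprint before importing the file into Pidgin’s Certificate Manager. This is an added example, not code from the post or from the Pidgin project; the host name is the one named above, and the output path is an assumption:

```php
<?php
// Added example (not from the original post): connect to the MSN contacts host,
// capture the certificate it presents, print the details worth checking, and
// save it as PEM for import into Pidgin (Tools -> Certificates -> Add).

$host = 'omega.contacts.msn.com';                 // host named in the post
$out  = '/tmp/omega.contacts.msn.com.pem';        // assumed output path

$ctx = stream_context_create(['ssl' => [
    'capture_peer_cert' => true,   // keep the peer certificate on the context
    // Verification is deliberately off here: the whole point is to look at
    // what the server sends even when the cached/known chain no longer matches.
    // Compare the fingerprint printed below with what your browser shows
    // before trusting the saved file.
    'verify_peer'       => false,
    'verify_peer_name'  => false,
    'SNI_enabled'       => true,
]]);

$sock = stream_socket_client("ssl://$host:443", $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx);
if ($sock === false) {
    fwrite(STDERR, "connect to $host failed: $errstr ($errno)\n");
    exit(1);
}

$params = stream_context_get_params($sock);
$cert   = $params['options']['ssl']['peer_certificate'];
$info   = openssl_x509_parse($cert);

printf("subject CN : %s\n", $info['subject']['CN'] ?? '?');
printf("issuer CN  : %s\n", $info['issuer']['CN'] ?? '?');
printf("valid      : %s .. %s\n",
    date('Y-m-d', $info['validFrom_time_t']),
    date('Y-m-d', $info['validTo_time_t']));
printf("sha1 fp    : %s\n", openssl_x509_fingerprint($cert, 'sha1'));

// Write the leaf certificate in PEM form, the format Pidgin's manager imports.
openssl_x509_export_to_file($cert, $out);
echo "saved to $out\n";
fclose($sock);
```

Run it with `php fetch-cert.php`; if the printed fingerprint matches the one shown by the browser on the same host, the saved file is the certificate to add in step three.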
What is vaguely curious is why Adium (which I use on my Macbook at home) didn’t have a problem – I thought they [Pidgin + Adium] were built off the same code base, and expected it to break, but it didn’t.
Without trying to repeat too much others may have already, this afternoon on the #PHPWM IRC channel one resident seemed to be having a ‘lolwut’ competition, well – posting links which showed ‘lolwut’s (in English: highlighting security problems in web sites).
Sure, you might think, so what? There will always be a website somewhere with a security flaw… Except the websites in today’s list were from the top 10-15 Google results when searching for ‘PHP Development UK’. The sites returned should reflect companies or individuals who are offering (one would assume) professional PHP development, and should therefore be clueful about such issues…
SQL Injection / XSS in a 'professional' website
We came across someone claiming 6 years of professional web development experience – whose site was vulnerable to an XSS attack (subsequently fixed as I write this post, so there’s little point in me including a screenshot).
Of course, Akrabat then chipped in with a “I hope my work site isn’t vulnerable” type comment – so obviously we had to have a go at breaking it, just to put his mind at rest… and we nearly succeeded. I found an error message in an error page which output mostly unescaped input – it seemed to have some filtering in place, but we worked around this by inputting %3D type characters, converting IP addresses to integers and so on – which was an amusing experience.
The rest of us seem to be running WordPress, and as funny as this may sound, I suspect it’s more secure (at least out of the box) due to the fact more people have tried poking and breaking it. Unless your hosting is with 123-reg… in which case it seems you’re going to be in trouble.
<rant>
If you want to avoid Cross Site Scripting (XSS) holes – make sure you escape or filter what you’re writing out – using something like htmlentities, strip_tags or HTML Purifier. This must include error messages, if they contain any user supplied data. Every code base we have audited for third parties has contained Cross Site Scripting or SQL Injection vulnerabilities. This sucks. I’ve blogged in the past (although this was probably on my old Drupal based website) about how easy this is to fix from an architecture point of view, if you’re writing something bespoke (which the sites in question seemed to be) – follow the MVC design pattern and, when assigning data to the ‘view’, make it so that it is escaped by default (e.g. override Smarty::assign()). To avoid SQL Injection either use prepared statements everywhere, or use an ORM layer like Propel.
</rant>
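The two architectural fixes in the rant, shown together as an added example (not code from the post, and not Smarty’s or Propel’s code): a view object that HTML-escapes everything on assign, so the error-page case above cannot leak raw input, and a PDO prepared statement in place of string-built SQL. The `View` class is a self-contained stand-in for the suggested `Smarty::assign()` override, and the SQLite table and the two request values are constructed sample data.

```php
<?php
// Added example; not code from the post. A minimal stand-in for "escape by default
// when assigning to the view" (the post suggests overriding Smarty::assign(); this
// class is self-contained so it runs without Smarty) plus a PDO prepared statement.

final class View
{
    private array $vars = [];

    // Default path: values are HTML-escaped as they go in, so no template can
    // forget to escape them on the way out. Arrays are escaped recursively.
    public function assign(string $name, mixed $value): void
    {
        $this->vars[$name] = self::escape($value);
    }

    // Explicit opt-out for trusted, already-rendered HTML. The distinct name
    // makes every exception easy to spot in code review.
    public function assignRaw(string $name, string $html): void
    {
        $this->vars[$name] = $html;
    }

    // Tiny template engine: {name} placeholders; unknown names render empty.
    public function render(string $template): string
    {
        return preg_replace_callback(
            '/\{(\w+)\}/',
            fn(array $m): string => (string) ($this->vars[$m[1]] ?? ''),
            $template
        );
    }

    private static function escape(mixed $value): mixed
    {
        if (is_array($value)) {
            return array_map([self::class, 'escape'], $value);
        }
        if (is_string($value)) {
            return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        }
        return $value; // ints, floats, bools and null pass through unchanged
    }
}

// --- The error page case the rant calls out: the "requested URL" is user supplied.
$requested = $_GET['url'] ?? '/search?q=<b>not-found</b>';   // constructed sample input
$view = new View();
$view->assign('url', $requested);
echo $view->render("<p>Sorry, the page {url} could not be found.</p>\n");
// The <b> tags arrive in the browser as &lt;b&gt; text, not as markup.

// --- SQL side: a bound parameter instead of concatenating the value into the query.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");   // constructed rows

$name = $_GET['name'] ?? "alice' OR 'x'='x";   // constructed input containing SQL syntax
$stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
$stmt->execute([':name' => $name]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
// The parameter is compared literally against the column, so the quote and OR
// are just characters in a name that does not exist: 0 rows.
printf("%d row(s) matched for %s\n", count($rows), json_encode($name));
```

Run with `php view-and-pdo.php` (needs the pdo_sqlite extension). The point of putting the escaping in `assign()` rather than in each template is that the safe behaviour is the one you get without thinking; the unsafe one has to be requested by name.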
(For the record – all sites were informed…)
One vaguely interesting outcome from the above is that it seems obvious to me that I need to re-do the Pale Purple website – as it’s not really changed in 2-3 years now… which is perhaps not good. This time I think I’ll use WordPress, as it’ll mean I can stop supporting Drupal.
I would start with saying that not a huge amount happened in August… but then having thought about it, I’d be lying.
My right ankle is still in a state of disrepair – after hurting my Achilles tendon… so no running, and I’m feeling fat / unfit as a result. I have got my mountain bike out of the shed and started to cycle again, and found a few interesting routes around Dodford.
No running means no Nottingham Marathon. They did however send me the running top – so I can at least pretend to people that I did it – “Look! I have the t-shirt to prove it!”. I am hoping to start running again within the next week…
In other news, Bromsgrove Hockey Club started to do some stuff again, although one of my big toes appears to have been broken in the first game back (hint: keep your feet out of the way). The second time out (last weekend) was on grass, which brought back some memories and was quite enjoyable (if only 30 minutes play in total).
Pale Purple moved office (yes, so don’t ask: “Did you do anything nice on the August bank holiday weekend?”…). The cost of the office is effectively the same, but now we have more room and it’s far nicer (not dim and dingy).
I’ve also joined the local RoundTable group – although I’ve not coughed up any membership fees yet, so perhaps I’m premature in saying “joined”. The first event involved driving a motor bike around a rough field in the rain (good fun) and the second involved playing Discus Golf. All good stuff, and the guys seem a great bunch.
Rowan’s started to potty train; Anya smiles and makes cute noises. I’ve had a hair cut. Fun times.
Oh, and work’s been busy and somewhat stressful, but that’s all hopefully over with now (as $site_migration is complete).