It looks like my first two conferences for 2007 are finalized. Things will start in March with the annual PHP Quebec conference where I'll be giving a tutorial on Securing PHP Applications and a session on Migration to PHP 5.2. The conference has an excellent selection of speakers, which includes Rasmus, Derick, Andrei, Marcus and many others and a slew of interesting topics. I'd definitely recommend attending it, especially to Canadians for whom this is probably going to be the closest conference this year. The next conference, PHP|Tek is about two month later in Chicago, organized by PHP|Architect, who are trying a new city every year :-). I have a fairly full agenda, courtesy of Sean, with two tutorials and a session, so I fully expect to lose my voice after the first day. The tutorials will be on High Performance PHP & Securing PHP Applications and will be followed by a quick session on PHP Security Pitfalls two days later. A lot of great speakers during this conference as well, with Sa...

Damien has published the November stats for PHP usage and the year to date summary and a few interesting trends emerge. It would seem that despite a 300% growth (from 12%) in PHP 5.X usage in 2006, it still only commands about 12% of the entire PHP user base. Majority of people still use PHP 4 and when it comes to upgrading (as you can see from a drop in

With the release of IE7 many web developers were faced with a need to test their applications on the different versions of IE, but had no means to do so since only one IE can run on Windows. Now there were different hacks available around it, but in most instances you ended up using portion of IE7 libs for IE6 emulation and thereby not getting quite the same behavior. Today on IE blog a much better solution was offered by Microsoft (kudos guys). Basically they've allowed Windows owners (after genuine advantage check, which now can be done via Firefox as well) to download WinXP SP2 image with IE6 and run via a free download of "Virtual PC 2004". This means you can safely upgrade you WinXP box to IE7 and run IE6 via an image, thus giving you 2 versions of IE on the same machine this minimum amount of hassle.

The concept of doing network scanning via JavaScript is hardly new and is quite easy for anyone with even cursory knowledge of JavaScript. However, the assumption was that as long as you browse the web with JavaScript disabled you are safe from hostile sites from scanning your network. Alas, this was not to be, in a very interesting post Jeremiah Grossman shows how can this be done with plain HTML using no JavaScript what so ever. His methodology relies on Firefox's quirk, whereby the page loading would wait for the tag to be processed before rendering the rest of the page. This means you could use the link tag to reference local IPs and use a subsequent image to see how long did it take for the IP to respond. If the response was very quick, then you know the host has something listening on a given port and if it does not, well then the port is being blocked or filtered. The problem with his approach is that to scan an entire network would be rather slow and require multiple iframes to perform th...

There was a very interesting article posted on the Securiteam blog which talks about anonimizing code injection attacks. The approach is quite simple and yet rather ingenious, simply submit to Google the vulnerable application URL with the attack payload passed via the GET parameters. And within a short period of time Googlebot will dutifuly trying to index the URL, effectively executing the attack. Stefan had also explored this issue on his blog with some examples showing how to ensure more rapid indexing, so you wouldn't have to wait weeks for exploit to be triggered. However, everybody seemed to have focus on Google, which maybe a bit unfair to them since other search engines suffer the same kind of problems. For example if we take MSN (Microsoft's Search) and run the "inurl:cmd.gif" query that SecuriTeam folks used to test Google, we find a fair number of results. Which tells us that hackers believe in equal opportunity and use MSN as much as Google to propagate their attacks. But there are...