
During the last days a lot of blog entries, forum posts and even articles in IT magazines were made about a potential phpBB mass hack in preparation. From what is reported it seems to me that FuntKlakow is only a spambot and that the whole situation is a little bit overhyped. In the end it seems enough to enable the visual confirmation in the registration form (captcha) to keep FuntKlakow out, although the captcha is so bad that it should not be hard to break it.

So why am I writing about this? Yes, I do believe that FuntKlakow is only a spambot, but “all warfare is based upon deception” and therefore this might only be a trick. What I do know, on the other hand, is that I recently found another way to bypass phpBB’s register_globals deregistration layer. This time my trick works on all PHP versions and is therefore a lot more dangerous than the tricks that I reported together with the signature_bbcode_uid remote code execution exploit. Of course it still means the phpBB host needs register_globals turned on, but I guess a worm will find enough of such hosts.

It is also noteworthy that the fact that signature_bbcode_uid is still exploitable is simply caused by the fact that phpBB did not use the patch supplied by me to fix the issue. Instead they used their own patch. This is why I blame them for still being vulnerable to modified signature_bbcode_uid exploits, although the trick I use is not their fault.

And of course it is also their fault that they still do not mention the remote code execution vulnerability in their security tracker at all…

Original post by blog-admin@nopiracy.de (Stefan Esser)

Steve Yegge compares Perl and Java usage at Amazon in “Is Weak Typing Strong Enough?” An interesting read from someone who is a Java proponent.

I still have some doubts. Do weakly-typed systems have inherently lower scalability? Do they tend to dissolve into vast typeless traps at a certain size, as the static camp would have you believe? Do the runtime type-error rates get out of hand, even with rigorous unit testing and software-engineering discipline?

At this juncture, I think enforced static typing (e.g. what you find in Java, C++, OCaml, Ada, etc.) is detrimental to progress and flexibility. I also think that a complete lack of support for it (e.g. what you find in Ruby and today’s Python) is problematic for being able to selectively tighten up systems as their usage patterns become established. I think Lisp’s solution, where you can add in static types as needed, is close to ideal.

But I’m still a bit timid about trying to write something really significant in Ruby (my weakly-typed language of choice), on account of its performance and its lack of native threading. I’m equally timid about trying Common Lisp, mostly because the package contributions on Cliki seem fairly paltry; the language doesn’t appear to have enough momentum for me to commit to it. I have similar reservations about all the other viable options (e.g. Python, Erlang, Scheme, Lua).

The key is not to argue about abandoning one for the other, but to use the strengths of both. For core code where speed and threading are critical, use strongly typed compiled code. At the periphery, for user interface and rapidly changing business rules, use a dynamically typed language.

Original post by PHP Everywhere - By John Lim
