Posts Tagged advisory

Poking holes in PHP object privacy

Get it? Holes? Cheese?PHP provides a decent model of class member visibility, with public, private, and protected members to help you define tight APIs for your objects and show other developers how your object is supposed to be used. But used naively, PHP’s ‘magic methods’ can easily and subtly subvert this system, making everything public.

If you’re still new to object oriented programming in PHP5, think of “public” as roughly analogous to “my function’s arguments” and “private” as “local variables inside the function”. You wouldn’t want someone calling your function and messing with the local vars, and you wouldn’t want someone using your object messing with its private members.

Magic methods provide functionality like catching references to methods and properties which are not visible to us, and doing special things with them. Magic methods have always struck me as a bit weird, and whenever you bring them up in discussions online, there’s always a few people with reservations about them – efficiency, clarity, use-cases and so on.

I’m still in two minds; they can be useful in some circumstances, but here’s one reason why they could be considered harmful: Used carelessly, they can easily enable an OOP antipattern where all class members become public, even those declared as private or protected in the class definition. Read the rest of this entry »

, , , , , , , , , ,


WordPress Security Flaw – Admin Password Reset

It is possible to reset the admin password in all versions of wordpress up to and including the most recent version 2.8.3.

This information comes from a milw0rm exploit.
Read the rest of this entry »

, , , , ,


Breaking CAPTCHA without OCR

Breaking CAPTCHAs Without Using OCR
For my own PHP CAPTCHA implementation, click here.

This article details a method I have discovered to bypass CAPTCHA security, without having to use Optical Character Recognition software. It depends on an implementation problem that was quite common among CAPTCHA scripts when I originally published this in May 2005.
Read the rest of this entry »

, , , , , ,