About the Author

Chris Shiflett

Hi, I’m Chris: web craftsman, community leader, husband, father, and partner at Fictive Kin.
All posts for Aug 2006

Zend Gets Another $20 Million

According to this report, Zend has received "a $20 million boost through a fourth round of funding." According to Zend's own press release:

The new funds will enable us to expand faster in emerging geographical markets, accelerate our product development and extend the services organization to meet the demands of our growing number of enterprise PHP customers.

With the attrition Zend has suffered this past year, it's nice to see some positive news. Many people associate Zend with PHP's commercial presence, so a strong Zend is good for all of us.

Web APIs with PHP

Congrats to Paul Reinheimer whose book on Web APIs with PHP is now available. I haven't read it yet, but I know Paul has been working on it for well over a year, and it has already received a positive review from Nathan Smith:

If you are looking for a good book describing how to make use of the various web services out there, look no further. Professional Web APIs with PHP is a compilation of several helpful tutorials covering the more popular web application programming interfaces (API) available.

My copy is in the mail.

Social Design Patterns

Tim O'Reilly has an interesting post about dial tone. Yeah, I know, it doesn't sound that interesting, but it is one of those things like Web 2.0 and Ajax - a new word that describes an old idea:

Dial tone is a fabulous metaphor for one of the key principles of Web 2.0, which I've called "the architecture of participation," but which might also simply be described as the design of systems that leverage customer self-service.

One thing I've found interesting about these types of metaphors (buzzwords?) is the contempt that many people have for them. How many Ajax developers actually like to use the word Ajax? In one of Terry's talks, he describes Ajax as a design pattern, which I think is a pretty good description. Most people I know can appreciate design patterns - by applying new names to old ideas, we can better categorize our solutions to common problems. This has a number of advantages, including the fact that it gives us a common vocabulary to describe abstract ideas. For some reason, however, these same people despise Ajax.

Tim is adept at identifying social design patterns - ideas like Web 2.0, where many people are thinking the same thing, but no one can describe it clearly and succinctly. Labels like Web 2.0 are catalysts for discussion and the spread of knowledge. Good ones stick. Bad ones don't.

I'm not sure whether dial tone is a good metaphor or not, but it makes a lot of sense in context:

You can regard the history of the computer industry as pushing "dial tone" further and further up the stack.

This is almost exactly how David described Ning during his interview on the Pro-PHP Podcast.

Interesting Security Blogs

I blog about a number of topics here at shiflett.org, and a favorite one is web application security. A reader recently asked for some other security blog recommendations, so I thought I'd mention a few of the ones I try to keep up with.

Although not always the most exciting, Schneier tends to produce a steady stream of relevant content. Here are some others that I've found interesting:

There is also a blog about Usable Security as well as a Planet Security that aggregates a number of security blogs.

Blood, Sweat, and Swear: Terry Chay on Pro-PHP Podcast

I just finished listening to Terry Chay on the Pro-PHP Podcast. Terry never hesitates to share his opinion, and it's always fun to listen to a smart guy who is passionate about what he does. You're also sure to walk away with several new quotes, such as "blood, sweat, and swear" being the key ingredients of web application development. Terry also speaks a bit about Ruby:

Ruby is really good at what it does. The problem is, for what Ruby does really well, I can download Wordpress. [Ruby is] really good at building those apps that have already been built before. PHP is good at finding out what the next Wordpress is.

On Terry's blog, he also comments on the podcast itself and the positive impact Marcus has had on the community:

The community is so disjointed because you have so many people working on so many things. From core C coding (The PHP Group), to business services and CYA documents (Zend), to consulting (OmniTI), to developers of open source and closed source application software and services. What PHP Podcast does is provide the sense of community that connects those disparate groups together.

The interview with Terry Chay is available from the Pro-PHP Podcast site.

PHP Gets HttpOnly Cookies

Via Ilia, Scott MacVicar has provided a patch that adds support for HttpOnly to setcookie() and setrawcookie(). This has been possible with header() all along, but this patch (applied by Ilia) makes things much easier.

Andrew has more information about browser compatibility, and he links to a potential solution for (and further discussion about) Mozilla/Firefox's lack of support.
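To show what the patch changes in practice, here is an added example (mine, not Scott's patch or code from this post) that sets an HttpOnly cookie the old way, with a hand-built Set-Cookie header, and the new way, with the httponly argument of setcookie(). It assumes a PHP build that includes the patch (PHP 5.2 or later), which also exposes the flag through session_set_cookie_params() and the session.cookie_httponly setting; the function names are my own.

```php
<?php
// Added example: two ways to send an HttpOnly cookie from PHP.
// Assumption: PHP 5.2 or later, where setcookie() accepts httponly as its
// seventh argument and the session extension knows session.cookie_httponly.

// Before the patch: build the Set-Cookie header yourself and append the flag.
function set_httponly_cookie_via_header($name, $value, $path = '/')
{
    $cookie = rawurlencode($name) . '=' . rawurlencode($value)
            . '; path=' . $path . '; HttpOnly';
    // Second argument false: do not replace other Set-Cookie headers.
    header('Set-Cookie: ' . $cookie, false);
    return $cookie;
}

// With the patch: the flag is just a boolean, no header formatting needed.
function set_httponly_cookie($name, $value, $path = '/')
{
    // name, value, expire (0 = until the browser closes), path, domain,
    // secure, httponly
    return setcookie($name, $value, 0, $path, '', false, true);
}

// The PHP session cookie gets the same treatment through the session
// extension; set either the ini value or the cookie params before
// session_start(), not both.
function start_httponly_session()
{
    ini_set('session.cookie_httponly', '1');
    // Equivalent alternative:
    // session_set_cookie_params(0, '/', '', false, true);
    session_start();
}

// Sanity check for a test harness: every Set-Cookie header queued so far
// must carry the HttpOnly flag. (headers_list() is empty on the CLI, so run
// this under a web SAPI.)
function all_cookies_httponly()
{
    foreach (headers_list() as $h) {
        if (stripos($h, 'Set-Cookie:') === 0 && stripos($h, 'HttpOnly') === false) {
            return false;
        }
    }
    return true;
}
```

The flag only helps in browsers that honour it, which at the time of writing excludes Firefox (see Andrew's notes above), so it is a defence in depth against cookie theft through XSS rather than a substitute for output escaping.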

Cal Evans Interviews George Schlossnagle

Cal Evans has posted another interview, this time with George Schlossnagle. They discuss George's background, a little bit of OmniTI history, and some of George's opinions about PHP and scalability.

When asked which technology has him most excited, George mentions DTrace by Bryan Cantrill (and Adam and Mike). Speaking of DTrace, Apple announced at WWDC this week that it's going to come with Mac OS X Leopard. Sweet!

Rails Security and Nondisclosure

Since the announcement of a "serious security concern" in Rails yesterday, many people have taken the opportunity to criticize the Rails project as being too immature for "enterprise" use.

I think that's overly harsh, but there are some very valid concerns about the way this issue has been handled by the Rails team. The original announcement describes the issue as follows:

The issue is in fact of such a criticality that we're not going to dig into the specifics. No need to arm would-be assailants.

A comment on Slashdot responds to this by stating:

I'm not that afraid of kiddies who lack the clue to run diff.

On the Ruby Forum, Paul Legato states:

The handling of the recent vulnerability in Rails has proven somewhat problematic for us. We have recently adopted Rails as our web platform of choice; previously, we used J2EE. We love Rails. We hate J2EE. We don't want to go back. It took a lot of effort and convincing to get the management teams of our various projects to sign off on the use of Rails. The nondisclosure policy in handling this vulnerability has seriously jeopardized our (and many other people's) ability to use Rails in a commercial environment, so we would like to suggest that it be changed.

Others have pointed to explanations from Evan Weaver and Kristian Koehntopp as proof that nondisclosure doesn't keep the details a secret.

I wish the Rails team the best of luck in addressing this issue (the social one), and I hope they can see through some of the pointless criticism without missing the valid points that have been raised.

Cross-Domain Ajax Insecurity

I might turn this into a more coherent article. For now, this ad hoc explanation will have to suffice.

Since the birth of Ajax (the name, not the technology), there has been an increased interest in various client-side technologies, especially JavaScript. Those who have forged ahead in an attempt to innovate new ways of applying Ajax have inevitably run into the same-origin security policy of XMLHttpRequest(). As a result, there has been an increasing demand for cross-domain Ajax, and there are several creative techniques in use today to get around the same-origin restriction (none of which I consider cross-domain Ajax).

Today, I read a post from a Ruby developer who claims to debunk misconceptions about the security implications of cross-domain Ajax:

Quite a number of people have been discussing possible cross-domain Ajax security issues recently. These are smart people that generally know their technologies very well, but for some reason are missing some fundamental aspects about Ajax.

He goes on to explain why he thinks cross-domain Ajax is safe. A follow-up retraction points out one reason why cross-domain Ajax can be unsafe: a port scanner with access to your local network.

We don't need cross-domain Ajax for that. I wrote an article three years ago (and was giving talks before that) that demonstrates how XSS and CSRF can be used to penetrate local networks. Jeremiah Grossman recently demonstrated how to use XSS to scan a local network. We even have an example that uses CSRF to make configuration changes to a local Linksys WRT54G (wireless router). These things are already possible today.

A much more important concern is that cross-domain Ajax effectively eliminates the CSRF safeguard implemented by many web applications. (The rest are probably vulnerable.) To help explain this, consider the recent story that Diggs itself, a clever CSRF attack that causes all visitors to automatically Digg a particular story:

<html>
<head>
<script type="text/javascript">
function fillframe() {
    var mf = window.frames["myframe"];

    var html = '<form name="diggform" action="http://digg.com/diginfull" method="post">';
    html = html + ' <input type="hidden" name="id" value="367034"/>';
    html = html + ' <input type="hidden" name="orderchange" value="2"/>';
    html = html + ' <input type="hidden" name="target" value="http%3A//digg.com/"/>';
    html = html + ' <input type="hidden" name="category" value="0"/>';
    html = html + ' <input type="hidden" name="page" value="0"/>';
    html = html + ' <input type="hidden" name="t" value="undefined"/>';
    html = html + ' <input type="hidden" name="row" value="1"/>';
    html = html + '</form>';

    mf.document.body.innerHTML = html;
    mf.document.diggform.submit();
}
</script>
</head>
<body onload="fillframe();">
<iframe name="myframe" style="width:0px;height:0px;border:0px"></iframe>
</body>
</html>

There are easier ways to craft this exploit, but that's too off-topic for now.

This exploit no longer works, because Digg fixed it. How did they do that? The request that this generates comes from a valid user and appears to be legitimate, because it abides by the rules imposed by the application. If you spend some time thinking about it, you might be able to come up with a solution, and it will probably be similar to what most people call an anti-CSRF token. Digg now adds a token to its forms. If you Digg a story, your request includes digcheck in addition to the other pieces of relevant information:

id=12345&orderchange=0&target=http%3A//digg.com/&category=security&page=1&t=1&row=1&digcheck=412e11d5317627e48a4b0615c84b9a8f

This value changes and is not valid for any other user or any other story. If digcheck doesn't match, the action is considered invalid. Problem solved.

If you want to exploit Digg in the same way today, you'd need to be able to obtain the digcheck token of another user. If you want to exploit many users (which you probably do, if you want your story to be popular), you'd need to be able to automatically get another user's token, so that it's easy to repeat the process. If you visit Digg and view source, you'll find these tokens in the links to Digg a story. Of course, the tokens you see are only valid for requests from you.

<a href="javascript:wrapper_full(0,5,12345,0,'Security',1,1,'412e11d5317627e48a4b0615c84b9a8f')">digg it</a>
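As an added example (my own code, not Digg's and not from this post), here is the shape of a token scheme with the properties described above: the token is derived from the user's session, the action, and the story, so one user's token is useless to anyone else, and the server recomputes and compares it before acting. It assumes a started PHP session, a per-installation secret held in a constant I call CSRF_SECRET, and function names of my choosing.

```php
<?php
// Added example: a per-user, per-action anti-CSRF token in the spirit of
// Digg's digcheck parameter, plus the server-side check.
// Assumptions: session_start() has run, and CSRF_SECRET is a long random
// value from configuration that never appears in any page.
define('CSRF_SECRET', 'replace-with-a-long-random-installation-secret');

// Bind the token to this session, this action and this record.
function csrf_token($action, $id)
{
    $message = session_id() . '|' . $action . '|' . (string) $id;
    return hash_hmac('sha256', $message, CSRF_SECRET);
}

// Recompute the expected token and compare in constant time.
function csrf_check($action, $id, $submitted)
{
    $expected = csrf_token($action, $id);
    if (!is_string($submitted) || strlen($submitted) !== strlen($expected)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($expected); $i++) {
        $diff |= ord($expected[$i]) ^ ord($submitted[$i]);
    }
    return $diff === 0;
}

// Rendering: the token rides along in a hidden field, like digcheck.
function digg_form($storyId)
{
    $id = (int) $storyId;
    $token = htmlspecialchars(csrf_token('digg', $id), ENT_QUOTES, 'UTF-8');
    return '<form action="/diginfull" method="post">'
         . '<input type="hidden" name="id" value="' . $id . '"/>'
         . '<input type="hidden" name="digcheck" value="' . $token . '"/>'
         . '<input type="submit" value="digg it"/>'
         . '</form>';
}

// Handling: reject the request before doing anything if the token is wrong.
function handle_digg(array $post)
{
    if (!isset($post['id'], $post['digcheck'])) {
        return 'rejected: missing parameters';
    }
    if (!csrf_check('digg', (int) $post['id'], $post['digcheck'])) {
        return 'rejected: bad digcheck';
    }
    return 'accepted: digg for story ' . (int) $post['id'];
}

// Constructed usage: a request forged from another origin cannot carry this
// user's token (here a made-up all-zero value), so it is rejected; the same
// user's own form submission carries a matching token and is accepted.
session_start();
$forged = array('id' => 367034, 'digcheck' => str_repeat('0', 64));
echo handle_digg($forged), "\n";
$own = array('id' => 367034, 'digcheck' => csrf_token('digg', 367034));
echo handle_digg($own), "\n";
```

Deriving the token with an HMAC means nothing extra has to be stored per form; the only thing an attacker on another origin lacks is the victim's session id, and that is exactly what the same-origin policy keeps out of reach. PHP 5.6 and later provide hash_equals() for the comparison step; the loop above does the same job on older releases.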

Now, imagine if XMLHttpRequest() allowed cross-domain requests. Because it is JavaScript and executes on the client, you could use it to generate requests to Digg from every user who visits a page that you create elsewhere. You'd also be able to parse the results of those requests, so you could determine each user's digcheck token for the story you wish to have them Digg. The result? The exact same scenario would be possible, and there is nothing Digg could do about it. In fact, there's nothing any web application could do about it.

I don't expect browser developers to dismiss the same-origin security policy without a thorough understanding of the consequences, so my only purpose in blogging this is to clear up some of the misinformation that has been published in various places. It's worth noting that XSS vulnerabilities allow malicious JavaScript to execute within your domain, thereby avoiding the same-origin restrictions. This can have catastrophic consequences. Just ask Myspace.

I'll probably be writing more about Ajax security in the coming months. In the meantime, you should peruse Andrew's Ajax Security PDF.

Kevin Yank Discusses CSRF

Kevin Yank has written a pretty good description of CSRF (cross-site request forgeries) in a SitePoint Newsletter from a couple of weeks ago.

If you've read my CSRF article and don't quite get it, check out Kevin's description. I think he explains it very well.

Six Reasons PHP Sucks

Theo has posted the slides of his PHP lightning talk in PDF format. The topic? Why PHP sucks.

I've never disputed the fact that PHP has problems, but for some reason, everyone who tries to explain why PHP sucks misses most of the actual reasons it does. It's astonishing.

Theo doesn't give six reasons I agree with (one or two are there for comic relief), but he starts off with three solid points. More importantly, he notes that Java sucks more, but he can't cover that in five minutes. :-)

OSCON People and Random Tidbits

One of the great things about OSCON is how it brings people together, and this year's conference was no different. I had the privilege of meeting a number of people for the first time:

I may have forgotten a few people, and if so, I apologize.

Laura blogged about her T-Shirt Index, an idea that uses the number of free t-shirts available at OSCON as a rough approximation of the economic health of the industry. If more vendors would realize that XL shirts don't fit everyone, I might have picked up more than two. :-)

Ted Leung mentioned a cool idea from Zak:

Zak Greant of the Mozilla foundation discussed how he is using a bug/issue tracker to deal with community issues. This sounds like a no brainer kind of activity, particularly for open source projects, but I am not aware of any other community that is making use of this practice.

This reminds me of another tip from Zak's blog, Don't get pwn3d: Why Professionalism Matters In Community Discussions.

Other topics of interest from OSCON include the PHP trading card game (which you can now download), the PDXPHP meeting, the PHP Security Hoedown, the OmniTI book signing (another photo), and sponsored events at establishments like American Cowgirls.

Cal Evans Interviews Laura Thomson

Cal Evans has posted his interview with Laura Thomson:

While at OSCON, I had the privilege of talking with Laura Thomson. Laura is the Director of Web Development at OmniTI.

It's an interesting read and presumably the first of many, as Cal was busy interviewing people all week.

OSCON 2006 Redux

Several of my colleagues at OmniTI and I just returned from our trip to Portland for this year's OSCON. It's difficult to summarize such a conference in a single blog post, so I'll probably be blogging quite a bit over the next couple of weeks in an attempt to catch up as well as expand on a few things.

On Monday morning, Theo presented Scalable Internet Architectures, one of the best-selling tutorials at OSCON (and ApacheCon) each year. Theo's book on the topic debuted at the conference, but it sold out quickly, so I only saw the cover.

Geoff and I presented Power PHP Testing that afternoon. We have received mostly positive reviews, some of which have been very complimentary. Cal seems to think we don't like PHPUnit, so perhaps our attempt at humor was perceived as being a bit too snarky. :-)

George presented High Performance PHP on Tuesday morning, but I was busy tweaking my slides, so I missed it. (Cal has a brief review of the tutorial.) I gave Essential PHP Security that afternoon. Unfortunately, this caused me to miss Andrew's Secure Your Web Apps: OWASP Top 10 2007 and Luke and Laura's Building an Asynchronous Multiuser Web App for Fun and Maybe Profit, two other tutorials being given at the same time. The nice side-effect of this scheduling conflict was that I had a slightly smaller audience than in years past, and the feedback I've received has been stellar, so maybe the more intimate environment was valuable.

Wednesday morning, Theo presented Big Bad PostgreSQL: A Case Study, but I went to see Handling Cross-Domain XMLHttpRequests. This is a topic that I'll blog more about soon, because there is a lot of hype and misinformation surrounding the various techniques and security implications. Adam presented Dirty Secrets of PHP 5's Ext/SOAP Extension, which was a practical walkthrough of the new SOAP extension based on his extensive experience with it at eBay. The PHP Lightning Talks followed, so I missed Luke's Measuring Open Source Popularity talk and Andrew's The Madness of Ajax talk. The PHP Lightning Talks were a lot of fun, and I'm sure I'll blog more about them soon.

I missed Andrei's PHP 6 and Unicode: The Tower of Babel, Next Generation talk, because I was giving The Truth about XSS. This is a new talk that gives some real-world examples of XSS as well as attacks that combine XSS with CSRF and Ajax techniques. (I'll be giving a refined version of this talk at php|works in September.)

Wez gave his PDO: PHP Data Objects talk as Brian Fitzpatrick and Ben Collins-Sussman were giving How Open Source Projects Survive Poisonous People (And You Can Too). Ted Leung had this to say about the latter:

The best talk of the entire conference was Brian Fitzpatrick and Ben Collins-Sussman's talk How Open Source Projects Survive Poisonous People (And You Can Too). This was a hugely practical talk on dealing with difficult people. Part of the reason that their talk was so practical is their opinion that a strong community is the best defense when dealing with difficult people.

Thursday morning, I was busy with slides, so I missed Rasmus presenting PHP and Web 2.0 (which he calls Getting Rich with PHP 5). You can read reviews by Niall Kennedy and Cal Evans, and you can also listen to the talk. I also missed David presenting I'm 200; You're 200: Codependency in the Age of the Mash-Up, a talk that is presumably based on his experiences at Ning.

I gave PHP Security Testing (my fourth and final talk) at the same time Michael gave Hacking Apache HTTP Server at Yahoo.

The PHP track continued with Laura's Writing Maintainable Code with PHP and John's Understanding ZFramework, a talk about the Zend Framework. (This was the first time I had heard it called ZFramework.)

Terry ended the day with one of the most entertaining talks of the conference. The Underpants Gnomes Strategy Guide: An eCards Case Study was a hilarious talk that showcased Terry's outlandish personality and unparalleled Keynote skills as much as it did the technology behind eCards.

On Friday, I woke up in time to catch George's Practical PHP Patterns talk, then it was time for the annual beer festival, capping off another excellent conference from the folks at O'Reilly.