somebody's been php'in ... - Dangers of source code disclosure for web site security

-

Menzis: somebody's been php'in ...


A `$` is not always a positive thing to see, especially in the title of your favourite website not be rendered, but a value replaced where this variable $name appears). So, hopefully the general health of the website is otherwise acceptable...

More seriously, such Source code disclosure ('code leak thru') bugs can indicate security faults: when code fails to render, it may inadvertently leak algorithm details or even worse connection strings and other sensitive details that a hacker may exploit...


Comments

Post a Comment

Popular posts from this blog

null++ and its alternatives - NULL as an anti-pattern and some alternatives - stateless functional code

-
Image
  Notepad++ is a great and free text editor with many practical features, such as line-sorting, multi-file and directory find-and-replace, and excellent encoding support. However, programming is hard, and even the noble Notepad++ has been caught off guard in the war on bugs:  To NULL or not to NULL... A display full of NULLs is not that desirable, but on the other hand is better than random, uninitialized data, or worse, reading beyond assigned buffers into memory regions containing data this user is not supposed to see.  The history of NULL is a controversial one: it was, somewhat like JavaScript, cheap to implement at the time and seemed a good idea. However, notoriously, even the inventor of NULL considers the invention to be a mistake . At first glance, and when used in a very limited scope, NULL seems a sensible construct: a global kind of default 'this is not set' value, that is reliably detectable, as opposed to some random memory garbage. Issues arise when the NULL val
Read more

whoa! Chrome crash! - UX challenge of presenting a catastrophic failure

-
Image
A kind of California style, cool and casual way to tell the user that something truly bad has happened to the Google Chrome browser.   why ask? Although this is a "mere browser" and not the OS (there is still a difference, right?) - this does not seem so much different or better than Microsoft's prompting the user when the dotnet platform exhausts memory . Such an error seems unrecoverable - like a catastrophic failure, there is no choice to be made - so why ask? The user really does not have much choice - so why prompt? and why should the user need to decide what to do with your bug?
Read more

Google has Googaplexes but not Gigabytes - Good Enough software?

-
Image
  Google has its large numbers such as googaplex : " Googleplex " is a portmanteau of Google and complex (meaning a complex of buildings) and a reference to googolplex, the name given to the large number 10 (10 100 ) There are further such curt identifiers for big, big numbers: A googol seconds is about a sexvigintillion (10 81 ) times the estimated age of the universe. A googol angstroms is approximately 100 trevigintillion light-years. It takes approximately  317 novemvigintillion years  to count to a googol one integer at a time. Unfortunately, at least part of the Google enterprise is still getting to grips with rather smaller numbers, such as the Gigabyte: Since when has a gigabyte just 1000 megabytes? Perhaps this is some kind of IT equivalent of a move toward the metric system? Yet it looks more like a bug. In software there are always trade-offs, the most obvious being Quality vs Productivity, and this seems such an example...  OR is this a case of "good enough&q
Read more