Tag: security

Using a system like Symfony for your website creation needs has a lot of advantages, no doubt about that.

But you also need to be aware that you’re unwittingly creating a pattern that can be abused when you aren’t paying attention. I got caught by one of these myself for a few weeks now.. 🙂

Let me explain.. For a couple of weeks, one of my sites was cursed with some strange voodoo. I had a list of some items on a page, and 1 of these items (always the same one) kept disappearing on a daily basis, while I was the only one with access to the database. I was puzzled until some MySQL logging cleared things up. Some Asian IP was executing my website like this: http://mysite.be/item/delete/id/$nr where $nr are the ids from the list. (Basic and easy-to-try standard CRUD thing, available from most frameworks, so if you know Symfony, you could guess that item had a delete, create, edit, show and list action 🙂)

Because the item module was forgotten in my security.yml frenzy, everyone could browse to that URL and delete my items 🙂 But why did only one item disappear? Well, the other delete requests were denied because of foreign key constraints, while the deleted one wasn’t referenced by any other row, so it was successfully removed every time.

Anyways, I plugged the hole with a security.yml as follows:

delete:
  is_secure: on
  credentials: admin

create:
  is_secure: on
  credentials: admin

edit:
  is_secure: on
  credentials: admin

One less thing to worry about 😉
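As an added example (not code from the original post, and not Symfony's own code), here is a small Python audit that resolves a Symfony 1.x module security.yml the way the framework does as far as I know (each setting is looked up in the action's own block first, then in the `all:` block, then falls back to "not secured") and lists which of a module's actions an anonymous visitor can call. The parser handles only the flat two-level subset of YAML these files use, so it runs without PyYAML. The three configs and the action list are constructed for the example, and the `duplicate` action is a hypothetical one added to the module later. It goes one step beyond the post by also showing a deny-by-default variant using `all:`, which covers actions you forget to list.

```python
"""Audit a Symfony 1.x module security.yml for actions anyone can call.

Added example, not code from the original post or from Symfony. Lookup order
assumed here, per setting: the action's own block, then the `all:` block,
then the framework default of not secured.
"""

# Scalars treated as boolean true (assumption: the common YAML spellings).
TRUE_WORDS = {"true", "on", "yes", "y", "1"}


def parse_security_yml(text):
    """Parse the flat `block:` / `  key: value` subset used by security.yml.

    Returns {block_name: {key: value}}. Comments and blank lines are ignored;
    values such as `[[admin, user]]` are kept as raw strings.
    """
    config = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            # A header such as `delete:` starts a new action block.
            current = line.rstrip(":").strip()
            config[current] = {}
        else:
            if current is None:
                raise ValueError("indented line before any block: %r" % raw)
            key, _, value = line.strip().partition(":")
            config[current][key.strip()] = value.strip()
    return config


def security_value(config, action, name, default):
    """Resolve one setting: the action's block, then `all`, then the default."""
    for block in (action, "all"):
        settings = config.get(block, {})
        if name in settings:
            return settings[name]
    return default


def is_secure(config, action):
    """True if the action requires an authenticated user."""
    return security_value(config, action, "is_secure", "false").lower() in TRUE_WORDS


def unprotected_actions(text, actions):
    """Sorted list of the given actions that an anonymous visitor can call."""
    config = parse_security_yml(text)
    return sorted(a for a in actions if not is_secure(config, a))


# Constructed: the actions a generated CRUD module exposes.
ITEM_ACTIONS = ["list", "show", "create", "edit", "delete"]

# Constructed: the situation from the post, no security.yml at all.
NO_CONFIG = ""

# Constructed: the fix from the post, listing the three state-changing actions.
PATCHED = """\
delete:
  is_secure: on
  credentials: admin

create:
  is_secure: on
  credentials: admin

edit:
  is_secure: on
  credentials: admin
"""

# Constructed: deny by default, then open only the read-only actions, so an
# action added later is secured even if nobody edits security.yml.
DEFAULT_DENY = """\
all:
  is_secure: on
  credentials: admin

list:
  is_secure: off

show:
  is_secure: off
"""

if __name__ == "__main__":
    # `duplicate` is a hypothetical action added after the config was written.
    actions = ITEM_ACTIONS + ["duplicate"]
    for label, cfg in [("no security.yml", NO_CONFIG),
                       ("patched", PATCHED),
                       ("default deny", DEFAULT_DENY)]:
        print("%-16s open to anyone: %s" % (label, unprotected_actions(cfg, actions)))
```

Running it shows that the patched config still leaves a later-added action wide open, while the `all:` variant only ever exposes what was explicitly opened.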

Firefox 3 has new “invalid SSL certificate” warning screens. All fine and dandy, but pretty confusing, and way too much work to allow the certificate.

When you browse to a site with an invalid/unknown SSL certificate (such as a self-signed certificate), you see this screen:

[Screenshot: FF3 SSL Cert Step 1]

At first glance, it seemed the site was down, and I checked whether I had typed the URL correctly. Yep, I had. Then I reread the message more carefully and noticed it was in fact the SSL stuff. This is where your Joe Schmoe and Jane Doe sit in front of the screen, wondering why their beloved site is down, and go on surfing to another place.

To actually get to the site, it gets even more cumbersome. You need to go through 3 obscure steps before the page can be viewed, as seen below:

[Screenshot: FF3 SSL Cert Step 2]

Clicking “Add Exception” brings you to this page:

[Screenshot: FF3 SSL Cert Step 3]

Next, “Get Certificate”:

[Screenshot: FF3 SSL Cert Step 4]

And, finally, the last button, “Confirm Security Exception”. And then we are able to see the page we intended to view 🙂

Of course, this is just a beta (3 to be exact), so I’m pretty sure some GUI master will improve the situation 🙂

For the rest, I’m absolutely LOVING Firefox 3, it sure is heading to be a big winner 🙂 Now if only the plugins/addons follow soon.. 🙂