Wednesday, October 5. 2005
Yesterday several PHP blogs and news sites announced the launch of ning, the newest project of Marc Andreessen, which is meant to be a playground for building and using social applications. These applications are implemented in a stripped-down (or sandboxed) version of PHP and can be created by cloning or merging already existing ning applications, or by writing them directly against the ning PHP API.
After hearing about this, my first thoughts were: interesting, crazy, brave...
After having a look at their acknowledgement page, which lists the names of several members of a certain consortium, and at a blog posting by their leader, in which he claims to have provided PHP security consulting for ning, I was very curious to have a look at it...
I must admit that I was very amused after I had put "><script>alert("Obviously very well audited...");</script><blub into any of the input fields on the register and password-forgotten pages. It seems that not a single field on their page is protected against XSS attacks, and the site is therefore wide open to password- and cookie-snatching attacks.
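To show what the probe string above does to an unprotected form, and what the fix looks like, here is an added example (my own illustration, not ning's code) of a registration form field that reflects the submitted username back into an HTML attribute, first unescaped and then escaped for the attribute context. The form field names and the helper functions are assumptions for the demonstration.

```php
<?php
// Added example, not ning's code: a form that reflects the submitted
// username back into an <input> value attribute.

// Constructed sample input: the probe string quoted in the post.
$probe = '"><script>alert("Obviously very well audited...");</script><blub';

// Vulnerable: the raw value is interpolated into the attribute. The leading
// "> closes both the attribute and the tag, so the <script> element that
// follows becomes live markup in the page.
function render_username_field_vulnerable(string $username): string
{
    return '<input type="text" name="username" value="' . $username . '">';
}

// Hardened: escape for the HTML attribute context. htmlspecialchars()
// always encodes <, >, & and double quotes; ENT_QUOTES additionally encodes
// single quotes, so the helper stays safe even if a template later switches
// to single-quoted attributes. The charset is given explicitly so multibyte
// input cannot be reinterpreted.
function render_username_field_safe(string $username): string
{
    $escaped = htmlspecialchars($username, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="username" value="' . $escaped . '">';
}

// Simple regression check a developer can run over rendered output: does a
// raw <script> tag survive into the markup? Escaped output contains only
// the entity form (&lt;script&gt;), which does not match.
function reflects_script(string $html): bool
{
    return stripos($html, '<script') !== false;
}

$vulnerable = render_username_field_vulnerable($probe);
$safe       = render_username_field_safe($probe);

echo 'vulnerable: ' . (reflects_script($vulnerable) ? 'script tag reflected' : 'clean') . PHP_EOL;
echo $vulnerable . PHP_EOL;
echo 'hardened:   ' . (reflects_script($safe) ? 'script tag reflected' : 'clean') . PHP_EOL;
echo $safe . PHP_EOL;
```

In a real handler the value would come from the request (for example the submitted username), and the same escaping rule applies to every place a field is echoed back, including error messages on the register and password-forgotten pages.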
With such obvious holes left open on their main page, I seriously doubt it is a good idea that they allow the execution of PHP code from within their ning applications.
At this point I have to recommend getting PHP security consulting services from a different source.