During the last weeks I was wondering why the download counter for Suhosin-Patch was increasing so fast. Today I most probably learned the reason when I was browsing through the FreeBSD ports. For 3 weeks now Suhosin-Patch has been activated in FreeBSD's PHP ports by default.
This means that every FreeBSD user who installs PHP from ports will be Suhosin-Patch protected unless he disables it. Really good news for us and really bad news for Zend, because now they have to fix Zend Optimizer. After my ignored bug report, maybe their users can force them to stop Zend Optimizer from accessing already freed memory.
Unfortunately the Mozilla family still refuses to implement httpOnly cookies in Firefox, and therefore their newest release, Firefox 2.0, still comes without support for httpOnly cookies. Luckily an annoying bug within the Firefox internals was fixed in Firefox 2.0, which enables an extension to correctly intercept incoming and outgoing cookies. In previous Firefox versions it was not possible to intercept incoming cookies, because the Cookie header was already parsed before the examine-response hook was called.
Therefore I sat down during the last hours and wrote my little httpOnly extension. This extension adds transparent httpOnly cookie support to Firefox by using a funny hack.
With this little hack it is now possible to have httpOnly cookies in Firefox 2.0. You can download this little extension from here. Be warned that this was a hack of only a few hours; therefore you should only consider it a proof of concept. However, I am planning on improving it in the near future.
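To make the idea behind such an extension concrete, here is an added example (my own illustration, not the extension's code) of the bookkeeping an examine-response hook has to do: parse every incoming Set-Cookie header, keep the cookies flagged HttpOnly out of the store that script can read through document.cookie, and put them back only when the outgoing Cookie header is built. The sample Set-Cookie values are constructed, not captured from a real site, and the function names are my own.

```javascript
// Added example: model of the cookie bookkeeping an httpOnly-enforcing
// Firefox extension needs. Not the extension's own code.

// Parse one Set-Cookie header value into name, value and attribute flags.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts.length ? parts[0].indexOf('=') : -1;
  if (eq < 1) return null; // no "name=value" pair: not a cookie we can store
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    httpOnly: false,
    secure: false,
    attributes: {},
  };
  for (const attr of parts.slice(1)) {
    const [k, ...rest] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else cookie.attributes[key] = rest.join('=').trim();
  }
  return cookie;
}

// The "examine response" side: split incoming cookies into the two stores.
function interceptResponseCookies(setCookieHeaders) {
  const scriptVisible = []; // what document.cookie may expose to page script
  const httpOnly = [];      // kept only for outgoing HTTP requests
  for (const h of setCookieHeaders) {
    const c = parseSetCookie(h);
    if (!c) continue; // malformed header: drop it rather than guess
    (c.httpOnly ? httpOnly : scriptVisible).push(c);
  }
  return { scriptVisible, httpOnly };
}

// What page script gets to see: a document.cookie-style string with no
// HttpOnly cookies in it.
function documentCookieView(stores) {
  return stores.scriptVisible.map((c) => `${c.name}=${c.value}`).join('; ');
}

// The "modify request" side: the outgoing Cookie header carries every
// cookie, HttpOnly ones included, so the session keeps working.
function outgoingCookieHeader(stores) {
  return [...stores.scriptVisible, ...stores.httpOnly]
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Constructed sample response headers (not from a real server).
const sampleSetCookies = [
  'PHPSESSID=abc123; path=/; HttpOnly',
  'theme=dark; path=/; Max-Age=3600',
  'Malformed',
];

const stores = interceptResponseCookies(sampleSetCookies);
console.log(documentCookieView(stores));   // theme=dark
console.log(outgoingCookieHeader(stores)); // theme=dark; PHPSESSID=abc123
```

The point of splitting the stores rather than merely tagging cookies is that the browser core, which has no notion of httpOnly, never sees the HttpOnly cookies at all; only the extension's request hook reunites them with the request.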
During the last weeks several researchers have spent their time hunting and warning people who have not read the Flash documentation carefully and therefore exposed their domains to cross-domain Flash access. You will even find statistics about the number of Fortune 500 sites affected by this.
Well, I did not participate in such witch hunts, mainly because I do not consider it security research to use Google to find crossdomain.xml files or to draw sweet-looking statistics. On the other hand, these Flash policies were interesting enough for me to test and exploit.
Therefore I researched a bit and have released a mini article about a new class of holes this obscure Flash feature pokes into web applications.
Today I noticed that calling Wikipedia directly with a URL like http://en.wikipedia.org/+ADw-SCRIPT+AD4-alert(/XSS/)+ADw-/SCRIPT+AD4- results in a 404 error page that contains an HTML redirect. The special thing about this page was that it did not send a charset in its Content-Type header.
Unfortunately several browsers can be tricked into assuming UTF-7 as the charset when no charset is given by the server, neither in the header nor from within the HTML. Because the UTF-7 encoding uses only characters usually considered safe for HTML output, user input is usually not correctly escaped when it gets printed, which results in cross-site scripting vulnerabilities.
Luckily the Wikipedia admins were ultra fast in fixing this issue. After I sent my notification email it was fixed in less than 3 hours. This is a response time you would like to see every time you report a security hole.
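The following added example (my own illustration, not Wikipedia's or ViewVC's code) shows in a few lines why the usual HTML escaping does nothing against the URL above once a browser guesses UTF-7: the escaper finds no metacharacters to replace, while a UTF-7 decoder turns the same bytes into script tags. It also includes the two-line check a server-side reviewer wants, namely whether the response pins its charset in the Content-Type header or a meta tag, and the fix of appending one. The decoder is a minimal model of what a browser's UTF-7 mode does, and the function names are my own.

```javascript
// Added example: UTF-7 decoding versus HTML escaping, and a charset check.
// Not code from the original post.

const B64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';

// Decode one UTF-7 "+...-" run: modified base64 carrying UTF-16BE code units.
function decodeUtf7Run(run) {
  let bits = 0;
  let nbits = 0;
  const bytes = [];
  for (const ch of run) {
    const v = B64.indexOf(ch);
    if (v < 0) throw new Error(`bad UTF-7 base64 char: ${ch}`);
    bits = (bits << 6) | v;
    nbits += 6;
    if (nbits >= 8) {
      nbits -= 8;
      bytes.push((bits >> nbits) & 0xff);
      bits &= (1 << nbits) - 1; // keep only the leftover low bits
    }
  }
  let out = '';
  for (let i = 0; i + 1 < bytes.length; i += 2) {
    out += String.fromCharCode((bytes[i] << 8) | bytes[i + 1]);
  }
  return out;
}

// Minimal UTF-7 decoder: direct characters pass through; a "+" starts a
// base64 run that ends at the first non-base64 character, and an optional
// "-" terminator is swallowed. "+-" is a literal plus sign.
function decodeUtf7(text) {
  let out = '';
  let i = 0;
  while (i < text.length) {
    if (text[i] !== '+') { out += text[i]; i++; continue; }
    let j = i + 1;
    while (j < text.length && B64.includes(text[j])) j++;
    const run = text.slice(i + 1, j);
    out += run === '' ? '+' : decodeUtf7Run(run);
    if (text[j] === '-') j++;
    i = j;
  }
  return out;
}

// The usual HTML escaping: sufficient only when the charset is known.
function htmlEscape(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Defensive check: does the response declare its charset in the
// Content-Type header or in a <meta> tag?
function charsetDeclared(contentType, body) {
  if (/;\s*charset=/i.test(contentType || '')) return true;
  return /<meta[^>]+charset=/i.test(body || '');
}

// The fix: pin a charset in the header if none is declared there.
function pinCharset(contentType) {
  return charsetDeclared(contentType, '') ? contentType : `${contentType}; charset=utf-8`;
}

// Constructed sample: the path from the URL above, reflected after escaping.
const reflected = '+ADw-SCRIPT+AD4-alert(/XSS/)+ADw-/SCRIPT+AD4-';
console.log(htmlEscape(reflected));             // unchanged: nothing to escape
console.log(decodeUtf7(htmlEscape(reflected))); // <SCRIPT>alert(/XSS/)</SCRIPT>
console.log(charsetDeclared('text/html', '<html><body>404</body></html>')); // false
console.log(pinCharset('text/html'));           // text/html; charset=utf-8
```

The escaper is not wrong; it is working on the wrong alphabet. Once the server states a charset, the browser has no reason to guess, and the same escaped output is inert.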
A similar UTF-7 injection vulnerability in the popular ViewVC CVS/SVN viewer was disclosed by me today in a new Hardened-PHP Project advisory. In this advisory I also disclose the fact that the popular belief among web-application security people that this problem only affects Internet Explorer is wrong. There is a vulnerability in browsers of the Mozilla family that allows this kind of attack...
(Details will be disclosed when a fixed Firefox is released)