A blog about tech, programming, security, and various other subjects.



CSRF: It's not trivial
Tags: security, webdevelopment, websites.
In the past few weeks I've found two websites with CSRF vulnerabilities. I wasn't really looking for it, but when they don't require me to enter my current password to change the password (or e-mail address, by which the password can be reset), it raises flags.

So what can you do with a CSRF vulnerability?
In one case, I could easily have gained myself admin permissions on a website with thousands of visitors a day.
With the other, I'm not entirely sure what the extent was, but I could certainly have gotten myself access to the FTP accounts of websites.

CSRF stands for Cross-Site Request Forgery. It works like this:
Why didn't they tell me this during driving lessons?
Tags: real life, other.
There is a "too long; didn't read" at the bottom of this post. In the first paragraph I already get to one of the two points I want to make, but they're both summed up at the end.
---

In the category 'good to know': Don't start a car, drive 10 meters, and switch off the engine again (for example to get it out of the way for something). If you do, you might have some trouble starting it next time. It's especially annoying when you want to rob a bank, but on the other hand it can be advantageous against car thieves.
Invalid JSON
Tags: webdevelopment, programming.
I've written about XML versus JSON before, praising JSON far above XML. I still stand by this, but I must say that there is an incredible lot of invalid JSON out there.

Most applications using JSON are client-server setups where the client downloads data from the server. Since JSON is native Javascript, you can just throw it in there along with any sort of Javascript instructions, and it'll work. Yeah, for your application only, that is.

For example, for my website playbylyrics.com I wanted to enable users to download the MP3 of what they were listening to.
PHP functions to be disabled on shared hosting
Tags: webhosting, security.
There are plenty of websites giving you advice on which PHP functions to disable in a shared hosting environment. I tried around 15 blogs and websites, and all of them got it wrong, including (to my surprise) the Security Stack Exchange**.

I don't know who or when, but someone once posted a list with PHP functions to be disabled and everyone copied it. There are roughly 3 variants on this, which block random functions like mysql_pconnect (but not mysql_connect or sockets themselves), FTP functions, or even string manipulation functions which are obviously totally benign.
Time to set things right.
So I got hacked
Tags: security, my blog, my server.
I must say well done to Robbert Camps for hacking my website :)

Due to my inattentiveness when writing scripts in the randomprojects folder, I missed a leak which gave him access to my blog and read-only access to any file on the system.

Ironically, I was watching the website statistics right at the moment before he discovered the leak, and realized there was an issue with a file someone was browsing.


lucb1e.com