A lot of the support work that we do here at Anchor involves looking at websites. You could say that we’ve seen a few websites in our time. Something we come across pretty frequently is inadequate protection when it comes to handling user-submitted form data and URLs. This might not seem like a big deal, […]
We came across this interesting article recently; it’s about how an attacker can perform a denial-of-service attack by feeding perverse input to a system that uses weak hashing algorithms. This is referred to as a Hash DoS, and the specific target mentioned in the article is btrfs. btrfs is a next-gen filesystem that’s expected to […]
We came across this story last week; it’s particularly interesting and relevant to us as a webhosting company. The LWN writeup describes a kernel module that maliciously intercepts HTTP requests and injects iframe tags into the HTML. This sort of behaviour isn’t terribly new to us. We see code injection attacks fairly frequently, mostly against […]
Our IDS has proven itself to be extremely valuable several times so far, so we thought we’d share something interesting that it picked up. What’s an IDS? In case you’ve not come across the term “IDS” before, and seeing as we haven’t mentioned it previously, we’ll go over that first. An Intrusion Detection System, or IDS […]
The dust from ekoparty, an Argentinian security conference, has settled, and we now have details on CRIME, an attack on the encryption widely used in web browsers. When we previously talked about CRIME the details of the attack were speculation. They now appear to have been correct. To recap, if the attacker can hijack your […]
I thought I’d take the opportunity to focus on something different for this post: we’re going to look at a recently announced attack against SSL/TLS called “CRIME”. To bring you up to speed, SSL (Secure Sockets Layer) is the original protocol that secures your connection whenever you use a URL beginning with “https://” in your […]
It can be a frustrating experience trying to get your web application to work. When the world seems to be working against you, and you get “permission denied” at every turn, it can be very tempting to break out the “chmod 777” — and give everyone on your server permission to write to your files. […]
One of our sysadmins picked up the disclosure of this PHP vulnerability last week. It’s kind of important, so we thought we’d share it with you. Eindbazen PHP-CGI advisory (CVE-2012-1823) It’s interesting because a default mod_php installation isn’t vulnerable, but a fairly common deployment technique using php-cgi is (because it’s sane and not a gaping […]
With all of the #antisec love going around, we felt it was a good time to discuss some of the key principles in writing secure web code. Today’s topic is unsanitised input. A great piece of philosophy for designing secure systems is that any piece of information that comes from an external source is inherently untrustworthy. This […]
As many people may have read today, a certain web hosting company which operates in Australia suffered an attack which resulted in significant amounts of data loss. Not only was their live production data lost, but all backups were also unrecoverably lost in the process. Whilst significant technical details have yet to be released as […]