Follow-ups from yesterday's post
Posted by Incineroar
So in looking at the code, and in reading other best practices and coding suggestions, I realized there are many other ways I could fix this code in terms of mitigating the exploit that I found. I know it's not perfect, and I plan to make a lot more small back-end updates to tighten up security in the software before I publish the next version. One thing I plan to change is to use PDO prepared statements
to prevent injection-based attacks from working, rather than substituting values straight into the query, where things can very quickly go wrong, as is currently being done. This will especially be necessary for post comments, because even with a captcha implementation there, it's still very much possible to exploit; it'll just be slower, and the results will be more obvious, as they need to actually be posted and cannot be deleted unless the administrator does so, at which point the exploit will be seen and the IP...
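The two patterns the post contrasts, shown side by side as an added example: this is not the Pushing Buttons code, the table and column names are assumptions, and the rows and attacker inputs are constructed. It uses an in-memory SQLite database through PDO so it runs offline without the site's MySQL setup.

```php
<?php
// Added example, not the site's own code. Table/column names are assumptions;
// the sample rows and the attacker inputs below are constructed for the demo.
declare(strict_types=1);

function makeDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, post_id INTEGER, author TEXT, body TEXT, ip TEXT)');
    // Constructed sample rows, one comment on each of two posts.
    $pdo->exec("INSERT INTO comments (post_id, author, body, ip) VALUES (1, 'alice', 'first!', '203.0.113.5')");
    $pdo->exec("INSERT INTO comments (post_id, author, body, ip) VALUES (2, 'bob', 'hello', '198.51.100.9')");
    return $pdo;
}

// Vulnerable: the request value is substituted straight into the SQL text,
// so whatever the client sends becomes part of the query itself.
function commentsForPostUnsafe(PDO $pdo, string $postId): array {
    $sql = "SELECT author, body FROM comments WHERE post_id = $postId";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the value is bound to a placeholder in a prepared statement and is
// never parsed as SQL, so "1 OR 1=1" is just a string compared against post_id.
function commentsForPostSafe(PDO $pdo, string $postId): array {
    $stmt = $pdo->prepare('SELECT author, body FROM comments WHERE post_id = :post_id');
    $stmt->execute([':post_id' => $postId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Inserting a comment the same way: quotes and semicolons in the body are stored
// as text, not executed.
function addComment(PDO $pdo, int $postId, string $author, string $body, string $ip): int {
    $stmt = $pdo->prepare('INSERT INTO comments (post_id, author, body, ip) VALUES (?, ?, ?, ?)');
    $stmt->execute([$postId, $author, $body, $ip]);
    return (int) $pdo->lastInsertId();
}

$pdo = makeDb();
$payload = '1 OR 1=1'; // constructed attacker value for the post_id parameter

// Unsafe: the WHERE clause becomes "post_id = 1 OR 1=1" and every comment on
// every post comes back.
echo "unsafe rows: " . count(commentsForPostUnsafe($pdo, $payload)) . "\n";

// Safe: no post_id equals the string '1 OR 1=1', so nothing comes back, while a
// normal id still returns that post's comments.
echo "safe rows (payload): " . count(commentsForPostSafe($pdo, $payload)) . "\n";
echo "safe rows (post 1): " . count(commentsForPostSafe($pdo, '1')) . "\n";

// A comment body that would have terminated a string-built INSERT is stored verbatim.
addComment($pdo, 1, 'mallory', "'); DROP TABLE comments; --", '192.0.2.77');
echo "post 1 after hostile comment: " . count(commentsForPostSafe($pdo, '1')) . "\n";
```

Two caveats worth keeping in mind when carrying this over to the real site: when the DSN is MySQL rather than SQLite, set `PDO::ATTR_EMULATE_PREPARES` to `false` so the binding is done by the server instead of by PDO splicing escaped strings client-side; and placeholders only cover values, so anything that has to be a table name, column name or ORDER BY direction still needs to be checked against an allow-list before it goes into the query text.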
Website Updates - May Critical Patch Notes
Posted by Incineroar
So finding this vulnerability was actually the result of testing the newer, updated website that I'm working on (yes, I really am working on the comments update, which will be coming soon!): I wanted to find a way to test sites for vulnerabilities so that I can ensure the safety of data on Pushing Buttons. Inadvertently, I ended up discovering a bug in my code that was reachable in the older version of the software, and was able to quickly roll out some additions and changes to the code to ensure that the vulnerability cannot be used. I will detail what the bug was, what the vulnerability was, how it worked, and how it was fixed. The code here is being disclosed because I plan to open-source this software in the future, and I welcome any and all suggestions on code improvement. I want to clean it up anyway; it's not the best code in the world, I'll admit.
What's The Bug?
An issue was identified where you could use what's called an SQL Injection Attack to add...
Policy Updates!
Posted by Incineroar
So I've been quite lazy in actually managing this website, mostly because of time constraints. However, I decided to implement a couple of new pages, since they're somewhat necessary right now.
If you look at the bottom of any page now, you will see that we now have a privacy and cookies policy. Feel free to take a look, if you're so inclined to read legal crap. In reality they don't mean too much (there's no login or registration system on this site, although there are plans to add commenting down the road!), but they are required components for any website, so I decided to finally add them.
Also... this is the first post here in 2020. Not that it's anything special, given we're in the middle of a pandemic, but yay, I suppose? Anyway, time to work on more things...
A cup of joe never hurts!
Posted by Incineroar
So the other day I made a tweet that asked about making a Ko-Fi account to allow people to show support for the things I do (such as making the software for this site, which I still plan to publish someday!). Doing all that isn't easy, though. Based upon 11 respondents:
I decided to make a Ko-Fi page. If you do appreciate the work I do, you can donate at the link below:
A Small Update
Posted by Incineroar
So today I finally got off my lazy, depressed ass and went and got an SSL certificate for the site. We're now actually marginally more secure.
And now, back to your regularly scheduled programming.