. */ # Known/outstanding issues: # [COSMETIC] If the ping services list is empty, the log file will report "not pinging services - disabled by administrator" even if pinging is enabled. # adds an options page to the options menu function SUP_add_options_page() { if(function_exists("add_options_page")) add_options_page("UP Smart Update Pinger", "UP Smart Update Pinger", 5, basename(__FILE__), "SUP_show_options_page"); } # shows the options page function SUP_show_options_page() { global $logfile; $ping = get_option("SUP_ping"); $pinglog = get_option("SUP_pinglog"); $uris = get_option("ping_sites"); $forcedpings = false; $SUP_output_log=''; $pingservicesnow = "Ping Services Now!"; $deletelogfile = "Delete Log File"; if(isset($_POST["ping"]) && $_POST["ping"] == $pingservicesnow){ $forcedpings = true; SUP_log(SUP_ping_services($forcedpings).strftime("%D %T")."\tForced pinging services (Homepage)\n\t─────\n"); }elseif(isset($_POST["submit"])){ $uris = $_POST["uris"]; $ping = 0; if($_POST["ping"] == 1) $ping = 1; $pinglog = 0; if($_POST["pinglog"] == 1) $pinglog = 1; update_option("SUP_ping", $ping); update_option("SUP_pinglog", $pinglog); update_option("ping_sites", $uris); echo '

Options saved.

'; }elseif(isset($_POST["delete"]) && $_POST["delete"] == $deletelogfile){ $fh = @fopen($logfile, "w"); if(false === @fwrite($fh, strftime("%D %T")."\tLog file deleted\n\t─────\n")){ update_option("SUP_error", 1); }else{ update_option("SUP_error", 0); } @fclose($fh); } $checked1 = ''; if($ping == 1) $checked1 = 'checked="checked"'; $checked2 = ''; if($pinglog == 1) $checked2 = 'checked="checked"'; echo '

Ultimate Plugins Smart Update Pinger

Click here for installation instructions

Click here for usage instructions

Click here for updated versions

Click here for comments and suggestions

URIs to Ping

The following services will automatically be pinged/notified when you publish normal or future timestamped posts. Not when you edit previously published posts, as WordPress does by default.

This plugin also fixes an issue with the default extended ping programming in Wordpress and pre-2.1 versions of Smart Update Pinger (it now includes the url of the new post).

NB: this list is synchronized with the original update services list.

Separate multiple service URIs with line breaks:

Ping log

These are the last 100 actions performed by the plugin. In reverse chronological order for easier reading (latest ping first).

'; SUP_get_last_log_entries(500); echo '

'; } # telling WordPress to ping if the post is new, but not if it's just been edited function SUP_ping_if_new($id){ global $wpdb, $post_title; $SUP_output_log="\t─────\n"; $SUP_ping_result=''; $forcedpings = false; if(get_option('SUP_ping') == 1 and get_option('ping_sites') != ""){ # fetches data directly from database; the function "get_post" is cached, # and using it here will get the post as is was before the last save $row = mysql_fetch_array(mysql_query( "SELECT post_date,post_modified,post_title,guid FROM $wpdb->posts WHERE id=$id")); # if time when created equals time when modified it is a new post, # otherwise the author has edited/modified it if(!$row["post_title"]){ $SUP_output_log=strftime("%D %T")."\tNOT Pinging services (ERROR: YOU HAVE FORGOTTEN TO ENTER A POST TITLE) ...\n".$SUP_output_log; }else{ if($row["post_date"] == $row["post_modified"]){ $SUP_output_log=strftime("%D %T")."\tPinging services (New normal post: “".$row["post_title"]."”) ...\n".$SUP_output_log; $SUP_output_log=SUP_ping_services($forcedpings,$row["guid"]).$SUP_output_log; # Try commenting the line above, and uncommenting this line below if pinging seems to be out of order. Please notify the author if it helps! # generic_ping(); }else{ // Post has been edited or it's a future post // If we have a post title it means that we are in the normal WP loop and therefore it was an edit (not a future post) if($post_title){ $SUP_output_log=strftime("%D %T")."\tNOT Pinging services (Existing post was edited: “".$row["post_title"]."”) ...\n".$SUP_output_log; }else{ $SUP_output_log=strftime("%D %T")."\tPinging services (New timestamped post: “".$row["post_title"]."”) ...\n".$SUP_output_log; $SUP_output_log=SUP_ping_services($forcedpings,$row["guid"]).$SUP_output_log; # Try commenting the line above, and uncommenting this line below if pinging seems to be out of order. Please notify the author if it helps! # generic_ping(); } } } }else{ $SUP_output_log=strftime("%D %T")."\tNOT Pinging services (WARNING: DISABLED BY ADMINISTRATOR)\n".$SUP_output_log; } SUP_log($SUP_output_log); } # More or less a copy of WP's "generic_ping" from functions.php, # but uses another function to send the actual XML-RPC messages. function SUP_ping_services($forcedpings,$SUP_guid = '') { $SUP_output_log=''; #$services = get_settings('ping_sites'); #UP - 17.07.07 - get_option is newer/better then get_settings $services = get_option('ping_sites'); $services = preg_replace("|(\s)+|", '$1', $services); // Kill dupe lines $services = trim($services); if ( '' != $services ) { $services = explode("\n", $services); foreach ($services as $service) $SUP_output_log=SUP_send_xmlrpc($forcedpings,$SUP_guid,$service).$SUP_output_log; } return $SUP_output_log; } # A slightly modified version of the WordPress built-in ping functionality ("weblog_ping" in functions.php). # Original version: #function weblog_ping($server = '', $path = '') { #global $wp_version; #include_once(ABSPATH . WPINC . '/class-IXR.php'); #// using a timeout of 3 seconds should be enough to cover slow servers #$client = new IXR_Client($server, ((!strlen(trim($path)) || ('/' == $path)) ? false : $path)); #$client->timeout = 3; #$client->useragent .= ' -- WordPress/'.$wp_version; #// when set to true, this outputs debug messages by itself #$client->debug = false; #$home = trailingslashit( get_option('home') ); #if ( !$client->query('weblogUpdates.extendedPing', get_option('blogname'), $home, get_bloginfo('rss2_url') ) ) // then try a normal ping #$client->query('weblogUpdates.ping', get_option('blogname'), $home); #} # This one uses correct extendedPing format (WP does not), and logs response from service. function SUP_send_xmlrpc($forcedpings,$SUP_guid = '',$server = '', $path = '') { global $wp_version; $SUP_output_log=''; include_once (ABSPATH . WPINC . '/class-IXR.php'); // using a timeout of 5 seconds should be enough to cover slow servers (changed from 3 to 5) $client = new IXR_Client($server, ((!strlen(trim($path)) || ('/' == $path)) ? false : $path)); $client->timeout = 5; $client->useragent .= ' -- WordPress/'.$wp_version; // when set to true, this outputs debug messages by itself $client->debug = false; $home = trailingslashit( get_option('home') ); # The extendedPing format should be "blog name", "blog url", "check url" (the new URL), and "feed url". # Related Website(s) # http://www.weblogs.com/api.html # An example: # Someblog - Title # http://spaces.msn.com/someblog - Home URL # http://spaces.msn.com/someblog/PersonalSpace.aspx?something - Check/New URL # http://spaces.msn.com/someblog/feed.rss - Feed # Changed the following line therefore: # if($client->query('weblogUpdates.extendedPing', get_settings('blogname'), $home, get_bloginfo('rss2_url'), get_bloginfo('rss2_url'))) if ($forcedpings){ # If this is a forced ping it's better to use a regular ping for the homepage without an update URL (safer) if($client->query('weblogUpdates.ping', get_option('blogname'), $home)){ $SUP_output_log=strftime("%D %T")."\t► [Regular Ping] ".$server." was successfully pinged\n".$SUP_output_log; if (get_option('SUP_pinglog') == 1){ $SUP_output_log=strftime("%D %T")."\t►► Blogname: '".get_option('blogname')."'\n".$SUP_output_log; $SUP_output_log=strftime("%D %T")."\t►► Homepage: '".$home."'\n".$SUP_output_log; } }else{ $SUP_output_log=strftime("%D %T")."\t► ".$server." could not be pinged. Error message: “".$client->error->message."”\n".$SUP_output_log; } }else{ if($client->query('weblogUpdates.extendedPing', get_option('blogname'), $home, $SUP_guid, get_bloginfo('rss2_url'))){ $SUP_output_log=strftime("%D %T")."\t► [Extended Ping] ".$server." was successfully pinged\n".$SUP_output_log; if (get_option('SUP_pinglog') == 1){ $SUP_output_log=strftime("%D %T")."\t►► Blogname: '".get_option('blogname')."'\n".$SUP_output_log; $SUP_output_log=strftime("%D %T")."\t►► Homepage: '".$home."'\n".$SUP_output_log; $SUP_output_log=strftime("%D %T")."\t►► Updated : '".$SUP_guid."'\n".$SUP_output_log; $SUP_output_log=strftime("%D %T")."\t►► RSS URL : '".get_bloginfo('rss2_url')."'\n".$SUP_output_log; } }else{ # pinging was unsuccessful, trying regular ping format if($client->query('weblogUpdates.ping', get_option('blogname'), $home)){ $SUP_output_log=strftime("%D %T")."\t► [Regular Ping] ".$server." was successfully pinged\n".$SUP_output_log; if (get_option('SUP_pinglog') == 1){ $SUP_output_log=strftime("%D %T")."\t►► Blogname: '".get_option('blogname')."'\n".$SUP_output_log; $SUP_output_log=strftime("%D %T")."\t►► Homepage: '".$home."'\n".$SUP_output_log; } }else{ $SUP_output_log=strftime("%D %T")."\t► ".$server." could not be pinged. Error message: “".$client->error->message."”\n".$SUP_output_log; } } } return $SUP_output_log; } $post_title = ""; # Receives the title of the post from a filter below function SUP_post_title($title){ global $post_title; $post_title = $title; return $title; } # Log $logfile = ABSPATH . 'wp-content/plugins/ultimate-plugins-smart-update-pinger/ultimate-plugins-smart-update-pinger.log'; function SUP_log($SUP_log_output) { global $logfile; $logerror = 0; $fh = @fopen($logfile, "a"); if(false === @fwrite($fh, $SUP_log_output)){ update_option("SUP_error", 1); }else{ update_option("SUP_error", 0); } @fclose($fh); } function SUP_get_last_log_entries($num) { global $logfile; $lines = @file($logfile); if(get_option("SUP_error") == 1){ $fh = @fopen($logfile, "a"); if(false === @fwrite($fh, "")){ echo "Error writing log file (".$logfile."). Most likely your logfile (".$logfile.") is write-protected and no log data can be saved (change the rights of this file to 777), or alternatively this could mean that you have manually removed the log file, or that you have changed the directory or file name of the plugin (they both should be 'ultimate-plugins-smart-update-pinger')"; }else{ // Original: $lines = array_slice($lines, count($lines) - $num); // Modified to show in reverse order (easier for reading) $lines = array_reverse(array_slice($lines, count($lines) - $num)); $msg = ""; foreach($lines as $line){ $msg.=trim($line)."
"; } echo $msg; } @fclose($fh); }else{ if($lines === false){ echo "Error reading log file (".$logfile."). Most likely you have manually removed the log file, or alternatively this could mean that the logfile (".$logfile.") is read-protected (change the rights of this file to 777), or that you have changed the directory or file name of the plugin (they both should be 'ultimate-plugins-smart-update-pinger')"; }else{ // Original: $lines = array_slice($lines, count($lines) - $num); // Modified to show in reverse order (easier for reading) $lines = array_reverse(array_slice($lines, count($lines) - $num)); $msg = ""; foreach($lines as $line){ $msg.=trim($line)."
"; } echo $msg; } } } # ----- # adds a filter to receive the title of the post before publishing add_filter("title_save_pre", "SUP_post_title"); # adds some hooks # shows the options in the administration panel add_action("admin_menu", "SUP_add_options_page"); # calls SUP_ping whenever a post is published add_action("publish_post", "SUP_ping_if_new"); # calls SUP_ping_draft when changing the status from private/draft to published # add_action("private_to_published', 'SUP_ping_draft'); # removes the "WordPress official" pinging hook remove_action("publish_post", "generic_ping"); # activates pinging if setting doesn't exist in database yet # (before the user has changed the settings the first time) if(get_option("SUP_ping") === false) { update_option("SUP_ping", 1); } if(get_option("SUP_pinglog") === false) { update_option("SUP_pinglog", 1); } if(get_option("SUP_error") === false) { update_option("SUP_error", 0); } ?> Interview with Yousif Yalda a former Kaspersky information security officer, and V.A.P.T. CEO and Founder
iEntry 10th Anniversary Technology Contact Us

Intology – Intelligent Technology News
Computers Technology Internet Arts Business Science Sports

Interview with Yousif Yalda a former Kaspersky information security officer, and V.A.P.T. CEO and Founder

May 12th, 2008 by Kiyani ~ No Comments

On the subject of web application security and testing, Intology sat down with Yousif Yalda, founder of Vulnerability Assessments and Penetration Testing (www.vapt-sec.com). He is a former Kaspersky information security officer and has wide experience in this field.

V.A.P.T. is a new starting provider of web application security services. It develops useful, easy-to-use, cost-effective solutions that enable companies to secure valuable customer data, meet federal compliance standards, and maintain customer confidence.
Let’s get started!

First of all we would like to thank you for taking the time to talk to us.
Our first question is: what is your opinion on the overall state of web application security in the world?

Thank you, it’s my pleasure. Currently, I believe we are facing issues that exist mainly on the state of web browser security. We have not found a solution (during the time of this writing) that has successfully eliminated the attacks of phishing or CSRF (Cross-Site Request Forgery) completely in a whole.
These attacks use the browser to perform their danger and the client (user) only faces a URL to work with. In other words, a URL can be quite confusing to determine if an attack derives from it, especially if it has been encoded in a format that a common user has no knowledge in understanding. We would like for every consumer to understand and be protected from such attacks, but that is not going to happen anytime soon. There are a few solutions you can implement to prevent both attacks as much as possible.

Firstly for phishing, you should try to analyze every URL you visit, or will visit, so that you may know where it is really taking you. Using Firefox, is one of the easiest decision you can make to help prevent these forms of attack. Currently it cannot be stopped 100%, but Firefox does try to discover patterns in the attack, and alert you if an attack is suspected. CSRF can be prevented by simply downloading an add-on to Firefox called ‘No Script’.

This will help prevent against both XSS (Cross-Site Scripting) and CSRF attacks by stripping the parameters out of any POST request generated by a suspicious site. I’ll leave the technical stuff out, because that’s for us to take care of. As for the consumers, just follow those steps and you’ll be safe for what you can do currently. Additionally, people still continue to believe that XSS is not of any concern or nuisance to the dangers of online usage. We have yet to recover from that, but since popular websites receive these attacks, people should start becoming a little more convinced. Not too long ago, did presidential candidate Barack Obama’s blog, get hit with XSS. (Read here).

It’s that precise ignorant behavior that leads these attacks. Also, since AJAX is using user-generated functionality, then we shall also expect to hear about user-generated issues. I’ve discussed about this issue in AJAX’s technology previously in my blog post (http://yousifyalda.blogspot.com/2008/02/organized-crime-20.html).

For what organizations is web application security a concern?

Everyone should consider web application security. Large corporations and small-medium Company’s/websites are in need of web application security more often than the rest. Personal websites should seek the same kind of treatment, preferably in an appropriate context, and not so much of an in-depth analysis security test. All websites need it simply because it has to do with reputation, credibility, and brand.

It’s important to remain a well-respected organization by not dishonoring your users’ online experience by undergoing maintenance due to a security breach. It’s also vital that anyone who seeks for recognition for whatever the cause may be, whether it’s developing research, or simply building a web presence, continues to do so without facing humiliation through the means of disruption of service. Plus, if a brand provides a product and/or a service, then it’s fair to say that if it has been compromised, it will be less-trusted, and thus decrease consumer confidence and furthermore degrade the company’s value in production.

What are the different methods hackers employ to break into an application?

Well, the main issue we have today that allows hackers to escalate their forms of attacks, is user-input. A vast majority of the vulnerabilities and exploits today come from the fact that developers write code that trusts user-controlled data. We must treat every input as evil, as we should not expect that every user has positive intentions. We must either deny certain input, or block it and further process it safely. Hackers use tools and modify the data they find on behalf of themselves to further understand the inner workings of an application.
Hackers may use brute forcing to rapidly find login credentials to access data, trick users into entering their login information, or guess for a “hidden” directory within the website, and find sensitive information to gather and later use to craft their attacks to gain even more access, and possibly abuse that privilege(s).

What services does V.A.P.T provide and how it differs from other providers?

We provide web application security and penetration testing. We use this process to find vulnerabilities and exploits within a web application and an operating system to determine where flaws exist, and then we venture to patch those insecurities. We differ from other providers because we don’t depend solely on tools to find issues, rather deploy manual techniques in affiliation with automated tools to grasp a scope as the total solution for web application security.

Furthermore, we provide SE (Social Engineering) prevention and training. Since hackers don’t depend on technical resources entirely, they may just call in to simply ‘ask’ for the data. We help to test against organizations in an effort to find the weakest employees that are most vulnerable to providing information that should otherwise, not be allowed to disclose of. V.A.P.T. provides training to employees at organizations who need to understand how to handle potential social engineer attacks and identify who may be trying to con their way to sensitive information.

What exactly is penetration testing?

Penetration testing is a process of assessing security of a computer system or network by constructing an attack by a malicious user, in some cases, a hacker.

How to check if an organizations’ web security has been compromised?

Allow for continuous security assessments daily, yearly, or every time code changes. As part of V.A.P.T.’s security solution, we seek to provide clients an additional 3 months of unlimited security assessments after subscription to either a full-blown penetration analysis of Black box testing or White box testing. You should also purchase WAF’s (Web Application Firewalls), and Anti-virus products to eliminate the threats of malware, spy ware, worms, trojans, viruses, and other un-wanted bugs. Also, changing passwords periodically is a great system in place for security.

Where do you think organizations normally lack in terms of web security? What are the main areas they neglect?

Organizations hire developers who don’t implement a security cycle in safely processing and storing information. Rather, they continuously push code in the form of massive functionality, instead of handling user input in a secure manner. Also, they tend to ignore people who report security issues, and thus shove away the security reporter to publish the problems to the public. Another problem is choosing who has access to what information. They also put aside the fact that most of the time when security researchers report flaws; they are doing you a favor. Instead, some company’s will prosecute you and take legal action as if you were causing harm.

How are you evolving in terms of new techniques like AJAX?

V.A.P.T. has staffs that are experts in understanding AJAX and know how to defend against its flaws. V.A.P.T. uses White box testing as a process to find and cure mistakes made by performing code overviews, debugging, and path testing for input and output. We modify data in terms of values, parameters, and strings to make sure the data is handled securely. We also consult in providing tips to allowing for dynamic content to stay user-generated to keep features in availability, but not to be abused in any fashion.

Is there a benefit of implementing web application security early in the development stage?

Yes, SDLC (Systems Development Life Cycle) is a great approach to the defense mechanism layer in developing software. They map out the foot prints needed to be constructed and analyzed before being released into use.

Are there any particular standards you follow?

I always use Firefox for the most secure online experience. I tend to make daily back-ups to ensure all my data will be kept safe. I don’t follow links to e-mails I do not trust, and double check the URL provided. I also use Mozilla Thunderbird and its filtering behavior to securely check my e-mail using SSH communication. My passwords are highly mixed with all sorts of characters including numbers, letters, ascii, and are case-sensitive, and of course long in length. Additionally, I disable unnecessary protocols, applications, and services that are not in use.

Where do you see web application security ten years from now on? How will it change?

I cannot predict that sort of change since it’s quite some time, but hopefully it will evolve for the good, and maybe required effectively. The years to come will push more research and deliver more innovation through automation, and I’m inclined to think that attacks will decrease with more help from the media for recognition of the issues, and the overall number of vulnerabilities will slowly decrease in websites.

Categories: Computers/Internet ~ Science/Technology

0 responses so far

  • There are no comments yet...Kick things off by filling out the form below.

Leave a Comment