This board is begging for RO5.
James Wheeler (3283) 344 posts |
Frames are fine. The only good reason to scrap them would be to support search engines that find your site, or users coming from search engines who find no navigation to the rest of it.
My bad.
I’m sure you’re right, and I did say " I don’t know if they used PHP or not, but it does highlight how naive a lot of people in the RO community are concerning online security." For the record, I used to be a PHP developer. I used it extensively in creating webUI systems and complicated server-side applications for powerful db-driven sites. I moved into enterprise applications for intranets. I have also coached and mentored a lot of people who are still PHP developers to this day. I did stop using PHP back around 2009ish and a lot of those people I coached are much better developers with PHP than I am by now. They easily overtook me by 2011-2012. I say this in case you think I’m some opinionated troll who just so happened to stumble upon ROOL and decided to torture you all. In my 15 years of website development, I have never been hacked/breached/defaced or whatever, but hands-down PHP was the hardest to keep secure and I always felt like I was one mistake away from the hackers ruining my reputation. This is why I abandoned it and I honestly have not seen it improve since. |
James Wheeler (3283) 344 posts |
You’re right Rick, there is no absolute security
Sometimes, but most of the time it is because of lazy or shockingly bad programming that a lot of zero-day vulnerabilities are even possible. It seems hard to get people to think with security in mind, and that is the biggest flaw, imo. |
Rick Murray (539) 13850 posts |
If you have a certain reasonable selection of pages, then the best approach might be to do a simple string match and discard anything else. Alternatively, if the commands you give match the HTML filenames, you could iterate through the HTML files to build your match list on the fly. But… I’d say work on a fixed list for now, get the basics working, then flesh out the nice parts afterwards. Oh, and I’d check the string length first and reject it immediately as being bogus if it is unreasonably long. But that might be tinfoil hat time… |
Clive Semmens (2335) 3276 posts |
I’ve now fixed part of my site to use PHP for the ? instead of Javascript. So the original link won’t work any more, but this will: http://clive.semmens.org.uk/RISCOS/index.php?Desk2017 – and won’t depend on you having scripts enabled. I’ll be fixing the rest of the site similarly shortly, but that’s the RISCOS pages done! Many thanks all, especially Rick Murray. |
Clive Semmens (2335) 3276 posts |
That is exactly what I’d already done. I don’t care if people go searching for other files in the same directory – they’re all exposed openly anyway. The longest thing that makes any sense is just 9 characters, there’s bugger all they can do with that! |
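Putting Rick’s advice and Clive’s index.php?Desk2017 scheme into working code, as an added example that is neither Clive’s site code nor anything posted in the thread: an index.php that builds its match list on the fly from the HTML files in one directory, checks the length of the query string before anything else, and serves only an exact match. The directory name (pages/), the 16-character limit and the default page name are assumptions.

```php
<?php
// Added example, not code from the forum or from any site discussed here.
// Serves index.php?PageName by exact match against the .html files found
// in PAGE_DIR. Directory, length limit and default page are assumptions.

declare(strict_types=1);

const PAGE_DIR     = __DIR__ . '/pages';  // assumed: one .html file per page
const MAX_PAGE_LEN = 16;                  // nothing legitimate is longer
const DEFAULT_PAGE = 'index';             // assumed name of the front page

/**
 * Build the match list from the HTML files in $dir.
 * Returns [pageName => absolutePath]; lookups are exact string matches.
 */
function loadPageList(string $dir): array
{
    $pages = [];
    foreach (glob($dir . '/*.html') ?: [] as $path) {
        $pages[basename($path, '.html')] = $path;
    }
    return $pages;
}

/**
 * Map the raw query string (e.g. "Desk2017") to a file path, or null if
 * it is not exactly one of the known pages.
 */
function resolvePage(?string $raw, array $pages): ?string
{
    if ($raw === null || $raw === '') {
        return $pages[DEFAULT_PAGE] ?? null;
    }
    // Length check first: reject over-long input before looking at it.
    if (strlen($raw) > MAX_PAGE_LEN) {
        return null;
    }
    // Letters and digits only (\z, not $, so a trailing newline is refused).
    // Dots, slashes, NULs and percent-encoding never reach the lookup.
    if (!preg_match('/^[A-Za-z0-9]+\z/', $raw)) {
        return null;
    }
    // Exact match against the list; anything else is discarded.
    return $pages[$raw] ?? null;
}

$pages = loadPageList(PAGE_DIR);

// "?Desk2017" has no key=value pair, so $_GET is useless here;
// QUERY_STRING is literally "Desk2017".
$file = resolvePage($_SERVER['QUERY_STRING'] ?? null, $pages);

if ($file === null) {
    http_response_code(404);
    header('Content-Type: text/plain');
    echo "No such page\n";
    exit;
}

header('Content-Type: text/html; charset=utf-8');
readfile($file);
```

The page is sent with readfile rather than include, so a stray `<?php` tag inside one of the HTML files is delivered as text and never executed; and because the list is keyed by filename, a request for any name that is not one of the files in the directory, however it is encoded, falls through to the 404.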
Rick Murray (539) 13850 posts |
I’ll point you to my little IP camera. If you perform a request as GET /system.ini then you’ll be asked to log in. However a freaky bizarre bug in the GoAhead server means that if you request GET system.ini (no / prefix), then it’ll serve the file with no questions asked. The file in question? Holds all the passwords, settings, and WiFi auth password. Wonderful. Off to Josselin now, for an English-Breton thing with an open market. I’m hoping to pick up some of my guilty pleasure – Fray Bentos pies….. |
James Wheeler (3283) 344 posts |
There isn’t much I miss since going vegetarian, but Fray Bentos pies are definitely one. |
John Williams (567) 768 posts |
I was under the impression that I asked a question, not asserting anything. |
James Wheeler (3283) 344 posts |
I wasn’t impressed. xD |
Rick Murray (539) 13850 posts |
…waste of time. Lots of people selling handicrafts (read: tat), and a bunch of stalls that might be selling fish and chips, maybe sometime this evening when they unpack. |
John Williams (567) 768 posts |
I notice from the Wayback Machine that Piccolo Systems’ site does/did contain quite a lot of JS – whether or not any of it is generated with PHP, I couldn’t say! Or, indeed, make any observations on its security except that it apparently failed a determined attack! I can’t understand the motivation for such attacks in the same way I can’t see why people bother spamming this forum. It all seems rather pointless! |
John Williams (567) 768 posts |
I had to buy a special jabby opener here in the UK, but luckily recently found a suitable device on an old forces-style penknife that we bought with the French house. The sort with the black plasticky (?) handle patterned with little pyramids like a pistol butt. What do you use? You know they sell them in U – but they are exorbitantly priced! |
Vince M Hudd (116) 534 posts |
There are other ways a site could be compromised, so I don’t find that puzzling in the slightest. Okay, I’ll change that: One very small thing that puzzles me is that Martin didn’t mention security issues when I contacted him a few weeks ago – and even that I only find puzzling in a very small way because he had no real reason to tell me anything at all. However, the rest of what his son said in that post – most notably that he closed the site down because “it was becoming more trouble than it was worth” is entirely in keeping with what Martin did tell me: A case of hosting costs + effort to update vs limited visits.
I was actually replying to James’ reply to John – I’d read his reply and not yours as yet at that point. Either way, the thread leading up to it, and the quoting in John’s post, makes it quite clear that his question was being asked in the context of PHP being used. So in essence, up to that point and the two posts immediately following it – James’ and yours – we have:
|
James Wheeler (3283) 344 posts |
You know how to beat a dead horse, Vince. I said “It’s a real nuisance and I’m not surprised RO sites drop left, right and centre from trying to avoid malware and defacing script kiddies if PHP is your “preference.”” Vince has abridged this into
I understand the miscommunications and I could have explained myself better. I was referring to the security competence of the community as well as PHP security.
Again, poorly explained by me. Piccolo did run PHP. I wasn’t sure about RiscOS code, but I felt the example still spoke to the security IQ, so to speak, of the RO community. I must say, though, it was hardly a “Look, a unicorn” post. I also highlighted how I have the impression that more examples exist, but I have a terrible memory and also have no intention of collecting a catalogue of failures for other people. Still, you spun it well.

PS. @Vince You probably shouldn’t abridge other people’s words if you fail to grab the essence of what is being said or you fail to see things from somebody’s point of view. I don’t appreciate people putting words in my mouth and the mature thing would’ve been to ask for a clarification rather than say “James is saying this, look a unicorn”.

PPS. @Vince If your “look a unicorn” quip was because I stopped talking about PHP, it’s because I was getting tired of expending myself trying to convince people when what I was saying was falling on deaf ears. At the end of the day, I was expressing my opinion. I wasn’t forcing my opinion on others. If they want to keep their own opinion, that’s their right and I respect that. So that’s why I dropped it. You decided to bring it back up. |
Rick Murray (539) 13850 posts |
A little electric can opener from the 60s that I got for €1 at a vide grenier.
Where? None around here. We just get beans for a shocking price and branston pickle for an even scarier price…
ROTFL. ;-) James – reading your messages, it seems to carry the implication that sites were hurt because PHP is just bad…. without, it seems, even knowing what back end technology was used for the sites in question. But hey, PHP is bad therefore it woz PHP wot did it… |
James Wheeler (3283) 344 posts |
I was referring to PHP being hard to secure.
I knew Piccolo had used PHP. I didn’t know about Riscoscode. |
Steffen Huber (91) 1953 posts |
There is one example of a RISC OS-related website being hacked which used PHP: my RISC OS blog at riscosblog.huber-net.de. The hackers didn’t like unfinished business and manipulated all four WordPress installations and the Drupal installation. The legacy stuff (pure HTML) was not manipulated :-) So I could blame PHP for it. But actually, I don’t know. It might as well be that my hoster’s server where my presence is hosted had been hacked. Back then, I always kept the WordPress and Drupal versions up to date. Now, I no longer do that – and I haven’t been hacked again. Not sure what to make of that fact. |
James Wheeler (3283) 344 posts |
It was more likely WordPress than a PHP vulnerability. (WordPress sites are constantly getting defaced.) It may attest to the difficulty in making PHP secure, but to be honest, I wouldn’t say WordPress attracts top-shelf scripters. I feel that if PHP was super secure, WordPress would still keep getting hacked. lol |
Vince M Hudd (116) 534 posts |
In what way have I done that? You will note that in my grand total of two posts to this thread prior to this one, I have made precisely zero comments on whether or not I consider PHP to be secure or insecure. I pointed out that I don’t think one of the two sites that were seemingly offered as an example of PHP being insecure was, in fact, using PHP. Not an unreasonable point to make. I then commented further on that in reply to Steve, and summed up this thread as I saw it. So your objection that you “don’t appreciate people putting words in my mouth” looks quite ironic.
Ah, there’s an arbitrary statute of limitations on replying to, commenting on, or referring to your posts that can be measured in mere hours. Noted. Hope I haven’t exceeded the time limit for this reply. |
James Wheeler (3283) 344 posts |
I’m sorry. Maybe I have male PMS. T.T |
Vince M Hudd (116) 534 posts |
To be fair, we probably have that in common. ;) |
James Wheeler (3283) 344 posts |
You know it’s bad when it’s sometimes worse than your wife’s. |
Steve Pampling (1551) 8172 posts |
Pre-Mental Speech :) |
James Wheeler (3283) 344 posts |
It’s more of a Fi dump. |
Steffen Huber (91) 1953 posts |
I would exclude that possibility for the Drupal case :-) |