Link.net’s dumb security flaw

This security flaw affects LinkDSL’s messaging system. You have to be a LinkDSL subscriber to experiment with this.

LinkDSL uses a messaging system to notify its users on the day their bills are due. The message appears automatically when you try to open any web page in your browser. To read the message, you have to type your password in the field (they don’t need a “user name”, they already know you .. how??! ask a network guy [a real one]).

Okay, now we get to the security flaw:
If you go through the “I forgot my password” page, you are asked to provide the mobile number and Tel. number which you gave to LinkDSL when you subscribed to the DSL service. You are also asked to provide a valid email so they can send you the password.
If you fill the fields with any invalid data and click the button, you get a JavaScript alert() message telling you that this data isn’t valid.

JavaScript ?!!!
After seeing these JavaScript alert messages, I had to think about 2 things:
1. the submitted data was sent to the server through XHR, then the response is displayed using alert().
2. a security-illiterate developer has embedded the Tel. and Mobile numbers in the JavaScript of this page.

I had to open the source of the page to check this by myself. And Oops …. I found the Tel. and Mobile numbers in the source of the page.

If you know somebody working at Link.net who can fix this, it would be nice to tell them about this flaw. I won’t report this to them myself as it looks like they don’t care about the bug reports sent to them.
I remember that I sent them a mail 2 months ago about a bug in another of their websites (masrawy.com), and they didn’t even reply to me nor fix the bug till now.

You can see that the attacker can’t benefit from this security flaw unless he can access the victim’s computer. Then he will know some private information about the victim (Tel. #, Mobile # and DSL bills).

Happy Eid (eat allot of meat) lol

Couldn’t login msn messenger

I couldn’t sign in to MSN Messenger for 2 days. ….but WHY ???!!
It wasn’t a network problem. It was a problem with the date !!!

What happened is that 2 days ago I was doing a quick and dirty test on some code, and my laziness drove me to change the date and time properties of the system instead of setting this in my code. Then I forgot to reset the date :) .

Some guys were talking on IRC [#php.thinktank] about a website called www.meebo.com . Check it out.

working on some military service papers

One of the things I’m getting used to is staying at home for a long time (days, weeks ..). But I have been breaking this rule for more than a week now. Guess what !! … no, not a new job. I’m just working on my military service papers.
I’m not expecting to be requested to start my military service now, maybe after 7 months minimum. What I want to know is “Am I allowed to travel out of the country now or not?”. This is the question.

What made me start working on these papers are 2 lost job opportunities. The first job opportunity was in a Polish web development company. They wanted to relocate me to work from their office in Poland, but the problem of my unfinished military service came as a show stopper.
The other job opportunity was in a web development company located in Cairo, Egypt. During the interview, the interviewer told me that they need a programmer who can travel out of the country whenever needed. You know, they told me that they will call me for a second interview if they don’t find the wanted man, but I’m not expecting them to call me – at least not soon – (finding a PHP developer isn’t that hard a thing in this country – I think).
Losing 2 job opportunities in less than one month isn’t that simple a thing. So I thought that working on these papers would give me a clearer picture of what I should be doing now… and what I can’t do.

Zend Framework 0.6.0 ready

This is very fresh news ;).
Get the Zend Framework 0.6.0 preview release and the Zend Google Data Client preview 0.6.0 .

WARNING : there are major changes in the Zend_Controller component.
Fortunately they’re good changes ;-).

Zend_Locale_Format::toNumberSystem()

Zend_Locale_Format::toNumberSystem( ) is our new baby static method. I have been talking about this method here for weeks without knowing its future name. It’s ready now. It’s a simple function that converts between many notations of numbers. See the examples:


$string = "١٠٠";   // the number 100 in Arabic notation

// this converts ١٠٠ to 100 (null stands for the Latin/Western digits)
$new = Zend_Locale_Format::toNumberSystem($string, 'Arab', null);
print 'new : ' . $new . '<br>';

// this converts 100 to ١٠٠
$old = Zend_Locale_Format::toNumberSystem($new, null, 'Arab');
print 'old : ' . $old . '<br>';

// this converts from Arabic notation to Bengali notation of numbers
$mystring = Zend_Locale_Format::toNumberSystem($string, 'Arab', 'Beng');
print 'Arab to Beng : ' . $mystring . '<br>';

the supported notations are :

  • Arab [Arabic]
  • Deva [Devanagari]
  • Beng [Bengali]
  • Guru [Gurmukhi]
  • Gujr [Gujarati]
  • Orya [Oriya]
  • Taml [Tamil]
  • Telu [Telugu]
  • Knda [Kannada]
  • Mlym [Malayalam]
  • Tale [Thai]
  • Laoo [Lao]
  • Tibt [Tibetan]
  • Mymr [Myanmar]
  • Khmr [Khmer]
  • Mong [Mongolian]
  • Limb [Limbu]
  • Talu [New_Tai_Lue]
  • Bali [Balinese]
  • Nkoo [Nko]

Tell me if you see your language in this list as I don’t know anything about most of these languages lol. Anyway, what I’m sure about now is the Arabic part, which was extensively tested.
You can get the code from SVN now from http://framework.zend.com . Also, be ready for the 0.6.0 preview release in the middle of this month.
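To show the mechanics behind the conversions above, here is an added JavaScript reimplementation of the same idea; it is not Zend’s code. It relies on the Unicode fact that each script’s ten digits are contiguous code points starting at that script’s digit zero, so conversion is a per-digit offset; the digit-zero table is limited to the scripts whose code points are listed here, and the script codes follow the list above.

```javascript
// Code point of digit zero per script (Unicode); null/undefined means Latin "0".
const DIGIT_ZERO = {
  Arab: 0x0660, // Arabic-Indic digits
  Deva: 0x0966, // Devanagari
  Beng: 0x09e6, // Bengali
  Guru: 0x0a66, // Gurmukhi
  Gujr: 0x0ae6, // Gujarati
  Taml: 0x0be6, // Tamil
};

function zeroCodePoint(script) {
  if (script === null || script === undefined) return 0x30; // Latin "0"
  if (!(script in DIGIT_ZERO)) throw new Error(`unsupported numeral system: ${script}`);
  return DIGIT_ZERO[script];
}

// Rewrites only the ten digits of `from` into the digits of `to`; every other
// character (letters, separators, digits of some other script) passes through unchanged.
function toNumberSystem(input, from, to) {
  const fromZero = zeroCodePoint(from);
  const toZero = zeroCodePoint(to);
  let out = "";
  for (const ch of input) {
    const d = ch.codePointAt(0) - fromZero;
    out += d >= 0 && d <= 9 ? String.fromCodePoint(toZero + d) : ch;
  }
  return out;
}
```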