Personalised Homepages

Memeflow Goto is an AJAX-based service that allows you to build your own homepage. It’s a little bit cluttered in my view (why see URL, title, X and # on every single item – it’s so visually dense) but still promising.

There seems to be an appetite for this homepage stuff, and Microsoft, Google and Yahoo! already know that. Look forward to plenty more of these kinds of services from eager programmers in the coming months.

Some thoughts

Purely random thoughts today – it’s one of those days.

  • Have you ever noticed (maybe this is a South of England thing) how people say ‘I mean…’ all the time? It’s a bit like the word ‘like’ that seems to be injected into fairly random places in some American speakers’ sentences.
  • On the back of car park and cinema tickets there’s always a note that says ‘advertise in this space, call….’ and almost never an actual advert. That seems like a pretty bad sign (if they never have any actual advertisers), and surely discourages others from taking up ads there?
  • Do petrol tanker lorries run out of petrol very often? If so, are they allowed to use their own supplies?

Been incredibly busy lately creating websites (or rather, the system to create websites… the mother of all systems). Back to blogging shortly.


MIME Injection in web forms

I’m now getting daily (or more frequent) attacks on various web forms I have around the Internet. The characteristics are always the same: an automated bot seeks out a form that looks vaguely like a contact form. It then tries to iterate through each field, injecting a newline character and some MIME headers. An AOL address is BCC’ed, so the attacker can see which exploits were successful.

Presumably, once the attacker hits a vulnerable form, the spam begins. Fortunately this has yet to happen here, but it’s undoubtedly going on all over the place.

Rather interestingly, MIME headers are injected too – done the right way, this could have the effect of hiding the original web form content from the spam recipient, so that they see only the spammer’s message.

To date, I’ve had attacks with BCCs going back to jrubin3546@aol.com, bergkoch8@aol.com and mhkoch321@aol.com

To protect yourself against these attacks, make sure that any web forms you use remove newlines from user input – particularly from fields that might reappear in mail headers. In PHP, for example, use something like $usermail=str_replace("\n","",$usermail); (and similarly for \r).
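As an added illustration (not code from the original post), here is a hypothetical PHP contact-form handler that applies the advice above in two layers: it first checks every submitted field for the CR/LF characters the bot relies on and refuses the submission, and it also strips CR/LF from anything that will end up in a mail header. The field names, the spamtrap address and the fallback address are constructed placeholders.

```php
<?php
// Added example, not the original post's code. Hypothetical handler showing
// two defences against mail header injection in a contact form:
// 1. detect CR/LF in any field and refuse the submission (the bot described
//    above injects "\n" followed by MIME headers such as Bcc:);
// 2. strip CR/LF from anything placed in a mail header, in case detection
//    is ever bypassed or skipped.

/** True if any submitted field contains a carriage return or line feed. */
function hasHeaderInjection(array $fields): bool
{
    foreach ($fields as $value) {
        if (preg_match('/[\r\n]/', (string) $value)) {
            return true;
        }
    }
    return false;
}

/** Remove CR and LF so a value can never start a new header line. */
function stripNewlines(string $value): string
{
    return str_replace(["\r", "\n"], '', $value);
}

/** Build the extra-headers string for mail(); only sanitised values go in. */
function buildHeaders(string $fromName, string $fromAddr): string
{
    $fromName = stripNewlines($fromName);
    $fromAddr = stripNewlines($fromAddr);
    // filter_var rejects anything that is not a single plain address.
    if (filter_var($fromAddr, FILTER_VALIDATE_EMAIL) === false) {
        $fromAddr = 'nobody@example.invalid'; // constructed fallback address
    }
    return "From: $fromName <$fromAddr>\r\nReply-To: $fromAddr\r\n";
}

// Constructed sample: the kind of payload the bot puts into a single field.
$attack = [
    'name'  => 'Bob',
    'email' => "bob@example.com\nBcc: spamtrap@example.invalid\nContent-Type: text/plain",
    'msg'   => 'hello',
];
$clean = ['name' => 'Alice', 'email' => 'alice@example.com', 'msg' => 'hi'];

if (hasHeaderInjection($attack)) {
    error_log('Header injection attempt rejected'); // log it, send nothing
}
if (!hasHeaderInjection($clean)) {
    echo buildHeaders($clean['name'], $clean['email']);
}
```

Logging the rejected submissions gives you the same visibility the attacker is after: a count of how often your forms are being probed.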

Elsewhere on the Internet, this recent ‘wave’ has been discussed, and a quick Google finds a few articles of interest: