[nycphp-talk] IIS server exploit with malicious js injection spawned during PHP Security Seminar
inforequest
sm11szw02 at sneakemail.com
Fri Jun 25 12:40:55 EDT 2004
Well, after an excellent 2.5 hours of practical PHP security training from Mr. Shiflett last night (thanks tgaconnect!), I check my email and learn that a server exploit has injected malicious js code into footers of website pages, with the js designed to exploit an M$ IE flaw, secretly downloading the Scob trojan
http://www.microsoft.com/security/incident/download_ject.mspx
and http://www.f-secure.com/weblog/

Wow.... talk about timing! In hour 2 last night Chris Shiflett explained and demonstrated cross site scripting vulnerabilities and cross site request forgeries - along with several clever means used by villains to get the js code onto so-called "secure" systems so it could be unknowingly redistributed (and of course, we learned how to prevent that with good PHP practices :-).

Now I see a real world example with my morning coffee - that appears to have been spawned either just before or during the security course! How's that for "enhancing cognitive perseverance"!

(yes, I know this example exploits a server flaw and a crappy browser as opposed to sub-optimal PHP coding, but it is remarkable to see a js injection so similar to what we went over last night, and it drives home the importance of putting the proper PHP in place on our PHP systems - to prevent the same attacks)
-=john