Clickjacking exploit on Facebook

I spotted a post today on Facebook which looked rather suspicious. The link was titled “EMBARRASSING: Father caught daughter on WEBCAM!!!” and was obviously designed to lure people into clicking on the link. It went to the URL qok7.info, which claimed to have a YouTube security verification notice (a CAPTCHA) you had to fill in before viewing the video.

In fact, it’s a clickjacking exploit that contains a hidden form which submits a public comment on your Facebook account with a link back to this site. I first came across clickjacking exploits on Chris Shiflett’s blog; it’s a cunning method of hiding a real form within an iframe behind something like an image that usually has something clickable on it. In this case it has a fake CAPTCHA form whose fake form elements are lined up with the real Facebook status update form hidden in the iframe, so that a click on the fake form actually submits the real one.

This exploit may be related to the daughter on webcam issue reported by Sophos or this might just be an example of very successful keywords used by scammers.

I see it’s been reported on Facebook’s security pages; I don’t know if it’s something Facebook can technically fix, but I would hope they can ban links from this website to avoid users inadvertently spreading this exploit.

So if you’re a Facebook user don’t go clicking on links about daughters on webcams. Or any suspicious links for that matter. Always check URLs and if it looks dodgy, get out of there!

Checking your Zend Framework route order

The order in which you create your routes in Zend Framework is important: routes are tried in reverse order of definition, so the last route defined in your code is matched first. This allows you to set up custom routes and, if none of them match, Zend Framework helpfully falls back to the default route, which the router adds first and therefore tries last. If you have a lot of routes, though, set up in different places, it can get difficult to verify the order in which they are tried.

Just use this snippet of code in your controller to output a list of the route names set up in your ZF application in the order they are matched by the routing system (i.e. the route at number 1 is tried first, then route 2, etc.).

// Output list of routes, in the order they are matched.
// getRoutes() returns them in definition order, so reverse it to get match order.
echo '<ol>';
$routes = array_reverse($this->getFrontController()->getRouter()->getRoutes());
foreach ($routes as $name => $route) {
    // Escape the name in case it ever carries markup characters
    echo "\t<li>" . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . "</li>\n";
}
echo '</ol>';

Find out more about the ZF Router at the ZF manual.

Understanding the stack index for Zend Framework Controller plugins

Zend Framework controller plugins are a powerful way to inject logic into your controller system at various points, such as before and after an action dispatch. Plugins are run in ascending order of their stack index, which by default is simply the order in which they were added, though you can change that order by giving a plugin a custom stack index. ZF’s own plugins use high indexes for this purpose: the front controller registers Zend_Controller_Plugin_ErrorHandler, which forwards exceptions and missing controllers or actions to your ErrorController (the nice Error 404 page), at index 100 so that it runs near the end of any plugin cycle. However, it’s not so obvious from the ZF manual how to set a custom stack index.
Continue reading “Understanding the stack index for Zend Framework Controller plugins”
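The following is an added example, not code from either of the posts above, that ties the two together: a Zend Framework 1 front controller plugin that sends the anti-framing headers which defeat the clickjacking described in the Facebook post, registered with an explicit stack index as the plugin post discusses. Note where the defence lives: the attacker’s lure page loads the victim site in a transparent iframe, so it is the framed application (Facebook, in that post) that has to send these headers, not the site hosting the fake CAPTCHA. The class name App_Plugin_FrameHeaders, the resource method _initFrameHeaders and the index 10 are all my choices; the example assumes Zend_Application bootstrapping and an autoloader namespace registered for the hypothetical App_ prefix, and the _init method would go in your existing Bootstrap class.

```php
<?php
// Added example, not code from the original posts. Assumes a Zend Framework 1
// application bootstrapped with Zend_Application and an autoloader namespace
// registered for the hypothetical "App_" prefix
// (autoloaderNamespaces[] = "App_" in application.ini).

/**
 * Front controller plugin that forbids browsers from rendering this site
 * inside a frame. The headers must be sent by the site being framed; a site
 * that is never framed cannot be clickjacked.
 */
class App_Plugin_FrameHeaders extends Zend_Controller_Plugin_Abstract
{
    public function dispatchLoopStartup(Zend_Controller_Request_Abstract $request)
    {
        // The plugin broker injects the response before any hook runs, so it is
        // safe to use here. dispatchLoopStartup fires once per request, before
        // any action (including ErrorController after a forward) produces output.
        $response = $this->getResponse();

        // DENY refuses framing by any origin, our own included. Use SAMEORIGIN
        // instead if the application legitimately frames its own pages.
        $response->setHeader('X-Frame-Options', 'DENY', true);

        // The CSP equivalent, which newer browsers honour in preference to
        // X-Frame-Options. Sending both covers old and new user agents.
        $response->setHeader('Content-Security-Policy', "frame-ancestors 'none'", true);
    }
}

/**
 * Bootstrap resource method showing how the stack index is set: it is the
 * optional second argument to registerPlugin().
 */
class Bootstrap extends Zend_Application_Bootstrap_Bootstrap
{
    protected function _initFrameHeaders()
    {
        // Make sure the frontController resource is built before we use it.
        $this->bootstrap('frontController');
        $front = $this->getResource('frontController');

        // Zend_Controller_Plugin_Broker keeps plugins in an array keyed by
        // stack index and ksort()s it after every registration, so hooks run
        // in ascending index order. Rules worth knowing:
        //  - omit the index (or pass 0, which the broker treats as "none") and
        //    the plugin takes the first free index counting up from the number
        //    of plugins already registered, which can land BELOW an explicit
        //    index you chose, so give every plugin whose order matters an index;
        //  - registering two plugins at the same index throws
        //    Zend_Controller_Exception;
        //  - Zend_Controller_Front::dispatch() registers its ErrorHandler at
        //    100 unless one is already present, so never use 100 yourself.
        // 10 runs well before the error handler and before Zend_Layout's
        // plugin, which Zend_Layout::startMvc() registers at 99.
        $front->registerPlugin(new App_Plugin_FrameHeaders(), 10);
    }
}

// Newer ZF1 releases also accept a class/stackIndex pair in application.ini in
// place of a bare class name (check Zend_Application_Resource_Frontcontroller
// in your version):
//
//   resources.frontController.plugins.frameHeaders.class      = "App_Plugin_FrameHeaders"
//   resources.frontController.plugins.frameHeaders.stackIndex = 10
```

Verify the result with curl -I against any page of the application and confirm both headers appear on error pages too, since the plugin runs before ErrorController is dispatched.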

Sub-modules in Zend Framework

Following on from my post on Admin sub-modules I’ve refactored the code into a more generic sub-modules system. And fixed some bugs!

Its main features are:

  • Organise modules into sub-folders where you need to support a complex collection of controllers, views, models, etc.
  • Supports URLs in the format: /sub-module/module/controller/action
  • Supports ID route: /sub-module/module/controller/action/id
  • Registers controller folder to support above URLs
  • Autoloads module resources (using Zend_Application_Module_Autoloader) with class names in the format SubmodulenameModulename_Resource (e.g. AdminUser_Form_Registration)

This supports URL routes such as:

www.domain.com/admin/user/ ->
application/admin-modules/user/controllers/IndexController.php

www.domain.com/cms/news ->
application/cms-modules/news/controllers/IndexController.php

It’s a bootstrap resource that can be enabled in your application.ini file like so:

; 'admin' key is the name of sub-module group = path to sub-modules directory
resources.subModules.admin.directory = APPLICATION_PATH "/admin-modules"

Zend Framework Application Patterns at DPC10

I’m currently in the fine city of Amsterdam enjoying what is incredibly my first PHP conference in ten years of developing with the language! Yesterday was tutorial day, with the full conference starting today, and I sat in Zend Framework Application Patterns by the informative and engaging Matthew Weier O’Phinney and Rob Allen.

The session was excellent, well worth attending, and dipped into many areas of ZF. Some of it I knew already, but there were certainly enough good tips on how to organise applications efficiently in ZF, which I’ll be telling my team all about when I get back to the UK.

My notes from the tutorial day appear below; be warned, they are rather long! You can also review the Zend Framework Workshop slides over at Slideshare.
Continue reading “Zend Framework Application Patterns at DPC10”

Admin sub-modules in Zend Framework

Modules in Zend Framework essentially allow us to organise a collection of controllers into sub-folders, giving a URL-to-filesystem mapping such as:

domain.com/user/register -> app/modules/user/controllers/RegisterController.php

While useful when we need to expand our URLs (and organisation of code) beyond one set of controllers, there are a few things they don’t currently solve which I think would make them first-class citizens within ZF.
Continue reading “Admin sub-modules in Zend Framework”