You don’t have to be a newbie to make stupid mistakes

November 2nd, 2005 by Ivo

I know my way around PHP. I've been working on frameworks, web applications and CMSes for almost 6 years now. I'm even a Zend Certified Engineer.

Still, last week I amazed myself in how stupid I can be. :)

ATK can be downloaded with a demo application. To aid the developer, most pages in the demo application have a 'view source' link. What was I thinking when I used __FILE__ to determine the source file, passed that path to the viewer through the URL, and never checked the validity of the filename on the receiving end? I had created a local file disclosure vulnerability (the kind commonly called a 'Local File Include', although here the file was read and displayed rather than included): any logged-in user could tamper with the URL, for example with ?file=/etc/passwd, and view any file the web server has read access to.
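To make the mistake concrete, here is the pattern described above next to a confined version. This is an added example, not ATK's own code and not the fix that shipped in 5.2.2; the function names, the idea of using the demo directory as the only allowed base, and the temporary-directory self-check are all assumptions for illustration. Note that the login requirement only limits who can reach the viewer; it does nothing to limit what the viewer will hand over, which is why the check has to live in the viewer itself.

```php
<?php
// Added example, not ATK's own code. Names, paths and the temp-directory
// demo are assumptions for illustration. Written for PHP >= 7.1.

// --- Vulnerable: the viewer reads whatever path the URL carries -----------
// The link was generated from __FILE__, so the URL looked like
//   viewsource.php?file=/var/www/atk/demo/guestbook.php
// and nothing stopped a logged-in user from requesting
//   viewsource.php?file=/etc/passwd
function viewsource_vulnerable(string $file): string
{
    return htmlspecialchars((string) file_get_contents($file), ENT_QUOTES, 'UTF-8');
}

// --- Hardened: canonicalise, confine to one directory, allow-list type ----
// $base is the only directory whose files may be shown (an assumed location,
// e.g. the demo directory). Returns null for anything that must not be shown.
function viewsource_hardened(string $file, string $base): ?string
{
    // 1. Reject NUL bytes outright. Old PHP truncated paths at "\0", so
    //    "x.php\0.txt" could defeat an extension check; newer PHP throws.
    if (strpos($file, "\0") !== false) {
        return null;
    }

    // 2. Resolve both sides with realpath(): it collapses ".." and "." and
    //    follows symlinks, and returns false if the path does not exist.
    $baseReal = realpath($base);
    $target   = realpath($base . DIRECTORY_SEPARATOR . $file);
    if ($baseReal === false || $target === false) {
        return null;
    }

    // 3. Containment check on the *resolved* path, never on the user input.
    //    The trailing separator stops /var/www/demo matching /var/www/demo2.
    if (strpos($target, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }

    // 4. Even inside the directory, only expose what the feature is for:
    //    regular .php source files, not config includes or data files.
    if (!is_file($target) || pathinfo($target, PATHINFO_EXTENSION) !== 'php') {
        return null;
    }

    return htmlspecialchars((string) file_get_contents($target), ENT_QUOTES, 'UTF-8');
}

// Stand-alone check using a temporary directory with constructed files.
// Each entry is true when the hardened viewer behaved as intended.
function demo(): array
{
    $base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'viewsource_demo_' . getmypid();
    mkdir($base);
    file_put_contents($base . '/guestbook.php', "<?php echo 'guestbook';\n");
    file_put_contents($base . '/config.inc', "db_password=secret\n");

    $results = [
        'relative_php_shown' => viewsource_hardened('guestbook.php', $base) !== null,
        'traversal_blocked'  => viewsource_hardened('../../../../etc/passwd', $base) === null,
        'absolute_blocked'   => viewsource_hardened('/etc/passwd', $base) === null,
        'non_php_blocked'    => viewsource_hardened('config.inc', $base) === null,
        'nul_byte_blocked'   => viewsource_hardened("guestbook.php\0.txt", $base) === null,
    ];

    unlink($base . '/guestbook.php');
    unlink($base . '/config.inc');
    rmdir($base);
    return $results;
}

// Usage in the page itself: the link generator emits a path *relative* to
// $base (e.g. ?file=guestbook.php) instead of the raw __FILE__, and the
// viewer does:
//   $out = viewsource_hardened($_GET['file'] ?? '', __DIR__);
//   if ($out === null) { http_response_code(404); exit; }
//   echo '<pre>', $out, '</pre>';
print_r(demo());
```

The important design choice is step 3: the check runs on the path after realpath() has resolved it, so "..", symlinks and absolute paths are all judged by where they actually land, not by what the string looks like. Step 4 is the part people tend to skip: a file inside the right directory can still be the one with the database password in it.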

I've read numerous blogs about the subject, and read slides and articles from security experts such as Chris Shiflett, but still, one unguarded moment of late-night, sleep-deprived hacking and bang, there you have it.

Luckily it was only the demo application, which is usually not installed on public servers, and you still have to log in before you can exploit anything. Still, how easy it is to make such a mistake is discomforting.

(A fix was released immediately, of course; version 5.2.2, available at http://www.achievo.org/atk/download, fixes this issue.)

There is also some positive news about ATK. Boy wrote a new howto on custom record actions. This shows how to do a lot more with your app than the usual CRUD operations.

Guido did some excellent work last week on an Open Office template engine. It is now possible to generate Open Office documents right from an atkNode. As usual, documentation comes second, so it's undocumented right now, but it is already available in the nightly build. If you want to experiment with it, we can help you on IRC or in the forum. We will give a demonstration of this new functionality at our booth at the PHP Conference in Frankfurt next week.

Finally, Sandy created a new CRM module for Achievo. It's far from finished (it only works with Achievo 1.1, not yet with the development version), but it's a start. This one is available from Achievo's nightly build page.

3 Responses to “You don’t have to be a newbie to make stupid mistakes”

  1. November 02, 2005 at 9:46 am, Gavin Foster said:

    The solution to the security issue you unwittingly introduced? Code review!

    It adds time to a project (IMO a significant amount) but it's worth its weight in gold. During code review I find myself numerous times thinking 'why on earth did I do things in such an obviously flawed way'. It's unrealistic to expect to do things right first time every time.

    I keep a ‘code review’ list while developing a product, and add to the list as ideas/realizations come to me. Then when a good time presents itself I go through the list and for each issue I either find a solution or satisfy myself that it is a non-issue.

  2. November 26, 2005 at 10:21 pm, Eduard Mells said:

    ATK is great, but you should take care with the quality of ATK: test it on several installations before publishing a new release. None of the current releases can be used on my machine without bug hunting.

  3. November 29, 2005 at 8:56 pm, Ivo Jansch said:

    You can actually help with stability by filing bug reports for the bugs you find.