web-goddess

Hm. I was all excited to plant a Three Sisters Garden (corn, beans, squash) til I read the bit about needing a minimum plot of 10’x10′ to ensure good corn pollination. Huh. I guess that’s why it pretty much sucked the last time I tried to grow it.

osCommerce Session Vulnerability
I’d just like to note for the sake of future Googlers that osCommerce has a huge whacking security hole in the way that it handles sessions. I found this on Saturday when the new Morris & Sons site launched and a fellow Raveler told me she was seeing “other people’s stuff” in her shopping cart. “Huh?” I thought. “That’s not possible.” Half a dozen people had tested the new site and not one of them reported anything like that. It was only after emailing back and forth with her and doing some digging that I discovered the problem. She was following a link from a recent newsletter, a link that happened to include a session id. I’d noticed a few links like that before but didn’t think it was a problem. “After all,” I thought, “surely osCommerce creates a new session when you come to the site anyway.” WRONG. It looks for the session in the link, and when it doesn’t find anything it RECREATES IT. Then if someone else follows the same link in the next 5-10 minutes, BAM. Two people with the same session. Huge, huge security hole. The solution ended up being pretty simple, in that I simply changed the site to require cookies for session handling. (I then tested and confirmed that two separate people following a link with the same session id end up with different session ids in their cookies.) Still, it’s a pretty big issue and it’s not well-publicised. The Snook was pretty livid when we figured it out. “The amount of fail in that implementation still amazes me,” he said. “The fact that I could invent a session ID, email it to you, and then snoop everything you’re doing on the site and get access to your account once you log in.” Yep. If you have an osCommerce install, lock it down, kids.

Congratulations to Tracey and Regan on the birth of their daughter Jovie! But man, reading that birth story actually made me light-headed.

The Male Programmer Privilege Checklist. Wow, I found myself nodding along at SO MANY of those:

• Not having to wonder whether you’re well-known in your community simply for being “the female one”.
• The freedom to make mistakes or say stupid things without worrying about it getting added to the pile of “why women suck at computer stuff”.
• If you’re married, having people take you to lunch without them speculating on how your spouse would feel about them taking you to lunch.
• Having interests that are stereotypical for your gender without having to worry you’ll be taken less seriously because of it.
• Having interests that are unstereotypical for your gender and getting seen as cool and progressive rather than freaky and asexual for it.
• Not having to choose between dressing/acting stereotypically for your gender and being thought unprofessional (or not a Real Geek) for it, and dressing/acting un-stereotypically and being thought unseemly.
• The freedom to switch to a less technical career without feeling like you’re betraying the cause of gender equality.

That last one floored me. I actually said that one out loud in a performance review last year. I knew that my heart wasn’t in development, but I felt this insane desire to keep doing something I didn’t enjoy because I wanted there to be some girls doing it. I wish my male friends in IT would read through that list and realize just how good they have it.