In the last year, there’s been a wave of helpful placeholder services. What’s a placeholder? Well, when you’re working on a new website, isn’t it a waste of time to use stock images, cropped to the right dimensions? A placeholder service allows you to automatically use a random image at the desired dimensions with minimal effort.

Jeffrey Way covers up nice Image Placeholder Services such as Place Kitten for Web Designers.

Read „The Top 8 Placeholder Services for Web Designers“

Indexhibit...

... is some weird kind of minimalistic Hipster-CMS for designers, artists, grandmas or all kind of hip people. I wont put a link up here for pagerank reasons and because as the title sais: It's a piece of crap! People, who know me, know that i dont have any respect for that Hipster/Artish-Field. Anyhow, so when I first saw a website build with it I was like "lol i have to take a look at that things source code". So i downloaded the "latest" (see below) release and started laughing. This is the top 7 List i strongly advise you or any inteligent individual to not use this piece of software and furthermore why.

#1 (weird) Code Documentation

It seems to me that some kid or designer female has written that stuff because every line of code as banal as you can think it is, is commented (im serious!). Ok, i'm a documentation fan, but the comments are kind of childisch in some way. You can jumpstart at a conclusion about this software yourself. Here are my favorite ones:

#2 Deprecated

The software is totally deprecated. Im not speaking about the use of the (very) old mysql Library in php. No! The software is so old, that i cannot even install it on my windows machine with the newest xampp-Version. And even after 30 minutes of fiddling i get around 3-4 deprecated-notices on each page

#3 Code Bullshit

The software seems to follow some paradigmas (some pseudo object oriented structure) but fails in implementation (unlogical). Also there are some sort of Don'ts and some general error in reasoning.

A few Examples:

I really dont understand this reference: If someone could explain this variable to me, i'd be pleased. (And this comment is also funny because it proves my point that EVERYTHING is commented...) Oncall Array Initialisation ($adm = null; before), every C/C++ Programmer's Brain would probably explode now at the latest. And just a another fail: oh speaking of set_magic_quotes_runtime is also deprecated, but is just a design fail.

#4 Release Cylcle

The latest version was released back in 2008. The Forum is not really active, so you cannot really call it a community. There are no code guidelines, whatsoever. But amazingly there are still people using it.

#5 Web Standards

I just say: Applying a XHTML 1.0 Transitional Doctype to an HTML Template does not make it XHTML 1.0 Transitional!!!

#6 install.php is not deleted!

The install.php script remains on the server, there are no checks whether it has been renamed or delted. You can easily overwrite the site's configuration file with your own rouge mysql server. I tested around 50 Indexhibit pages and in 70% the install.php file was still on the webspace. The reason for this is the people who actually use this CMS are Hipsters and dont know anything about tech at all.

#7 Insecure Login Policy

This is the login procedure:

While exploiting the login procedure itself turned out to be very tricky because of very restrictive regexes, you can see that it is completely cookie based, and an attacker could steal the cookie and use it to authenticate himself as an administrator. There is no User-Agent, IP-Validation. There is only a Two-Day-Cookie-Lifetime, which is not stored into the db, so you could use an old cookie to authenticate yourself.

#8 SQL Injection Vulnerabilities

Yes its 2011. We're reading about Data Leaks every day, so you should think that there would be a SQL-Injection security awareness by now, even on the Hipster side of the Planet. But unfortunately already in the routing-process in /index.php there is a SQL-Injection Vulnerability:

I like the //clean up the uri-comment, it could be interpreted almost ironically. You could easily request:
/index.php?'=''AND(SELECT/*a*/*/*a*/FROM/*a*/ndxz_users/*a*/INTO/*a*/OUTFILE/*a*/'/www/yourpath/ndxz-studio/data.txt')/*a*/AND/*a*/''=' and dump the user database to a file or do other nasty things you could do with a sql-injection.

Conclusion

DO NOT USE IT!

PS: Dear Hipsters, why is small black (8-9px) text on a white page, with dotted hover state border-bottom so damn cool?

I've implemented a HTML5 Canvas Build of Conway's Game of Live. Check it out!

Check out this Pen!