PaulDotCom Security Weekly - Episode 54 - December 7, 2006
Live from the PaulDotCom Security Weekly Studio....
Email: psw@pauldotcom.com (Bandwidth provided by OSHEAN)
- Sponsored by The SANS Institute, get schooled at Bootcamp 2007 in Orlando, FL January 13-19! Now drop and give me 20 exploits!
- Want to register for any SANS conference? Please visit http://www.pauldotcom.com/sans/ for our referral program.
- Sponsored by Core Security, listen for the discount code at the end of the show
- Sponsored by Syngress, be the first to post the answer to the question at the end of the show and win a free book!
- Sponsored by Astaro, Astaro Security Gateway line of network security appliances. Listen to the show for a special offer!
- Please go update our frapper map!
- Want some cool PaulDotCom Gear? Do you hack naked? Check out our Cafepress Store!
- Full Show Notes





Comments
Have to call you on this; on your php comments:
- being an interpreted language has nothing to do with the public having access to the source. This does mean that the source is uncompiled on the server side and can be read, but access is restricted (see below).
- you can't spider a website and get all the php source because a handler for php on the webserver is going to interpret all the source before it is presented to the browser/spider (almost all php apps store the db password and others in a php file that is used as an include in other php files for db access)
- you can't view the page source in the browser and view the source because what you are viewing is post interpretation
- it may be possible to use a remote file inc vuln to render the contents of a php file, but which comes first, the chicken or the egg
on other notes:
- sql injection has nothing to do with php. .net, python, java, etc. are all vulnerable to sql injection. Sanitization is a necessary element of web-enabled apps.
Please, correct me if I am wrong.
Oh, and standards are good
Axton
Posted by: Axton | December 8, 2006 07:30 PM
The maximum transmission power for the 2400-2483.5 MHz band is 10 mW (10 x 10^(-3) Watts) according to the ETSI standard. More information here: http://lib.tkk.fi/Dipl/2006/urn007307.pdf (PaperPage 26, PDFPage 39)
Posted by: Luther Blissett | December 9, 2006 03:26 AM
1 Watt.
Source: http://www.enigmatic-consulting.com/Communications_articles/RFID/Link_budgets.html
And part 15 of the FCC regulation:
http://www.fcc.gov/oet/info/rules/
(page 101 towards the middle of the page)
Posted by: Cd-MaN | December 9, 2006 09:02 AM
I may be wrong as well but I think CD-Man is wrong.
First of all, the first link says:
"In our estimates we will assume the maximum legal output power of 1 watt or 30 dBm."
Their estimates are obviously not a trustable source.
And the second source has nothing to do with RFID. It talks about radio frequency devices but just mentions RFID once and it uses the term "RFID registration" that nobody else knows about. (Look for "RFID registration" in google and all you'll get is a bunch of links to register in some RFID-related events)
I'm sorry Cd-Man but I really don't think your sources are valid.
Posted by: Luther Blissett | December 11, 2006 03:08 AM
Given that you didn't specify which set of regulations to use, I've given an answer which is applicable to both the UK and the US. (From http://www.aegis-systems.co.uk/download/ISM2.pdf) There are probably other regulations elsewhere!
In the UK, RFIDs are regulated under the category of "equipment for the detection of movement or alert" (“EFDOMOA”). The current UK power limit for “EFDOMOA” is 100 mW EIRP in the band 2445 - 2455 MHz sub-band, with an exception of 500 mW EIRP for tagging and identification applications in this sub-band. If implemented in the rest of the ISM band, the more general SRD limit of 10 mW EIRP would apply. If the system is operated within the frequency hopping / direct sequence requirements of ETS 300 328 then an EIRP of 100 mW is allowed across the whole of the band.
Under Section 15 regulations in the US applications in the range 2435 - 2465 MHz (twice the bandwidth of the UK sub-band) are limited to a field strength of 500 mV/m (at 3 metres) which is equivalent to an average power of 75 mW and a peak power of 7.5 Watts. In the rest of the ISM band the limit is a field strength of 50 mV/m (0.75 mW average, 75 mW peak). However if the system adheres to the frequency hopping and/or direct sequence requirements of Part 15 in relation to the whole ISM band then an EIRP level of 4 Watts may be deployed (1 Watt transmitter + antenna gain of 6 dBi).
Posted by: Stepbar | December 11, 2006 06:57 AM
I just want to say I think this was a particularly good show, though it is always good. Keep up the good work! And Joe is one funny guy.
I was especially interested in how the php remote includes content relates to a commercial php product my place of employment purchased (and considered placing on the internet *shudder**gag*):
www.clip-share.com
Take a look at the php.ini requirements from their knowledgebase:
http://helpdesk.scriptxperts.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=47&nav=0
Is this not a sad sight that requires everybody out there to post their warnings on the forums http://forums.scriptxperts.com/index.php?
Posted by: dooplo | December 11, 2006 02:11 PM
By the way: Apparently up to 4Watt is allowed when using a frequency hopping scheme and a directional antenna.
(Same source, PaperPage27, PDFpage 40)
Original source was: Finkenzeller, K. RFID Handbook - Fundamentals and Applications in Contactless Smart Cards and Identification, 2nd ed. John Wiley & Sons Ltd, Sept 2004.
Posted by: Luther Blissett | December 11, 2006 04:56 PM
I'm sorry to post so much guys, I don't want to spam, but I'm really going crazy with all this maximum RFID power stuff.
Now I found a document by Texas Instruments that says that RFID operating in the ISM 2.4GHz band can have 2 different maximum power values:
1) 2446 – 2454 MHz RFID ERP +24.85 dBm == 0.30549 Watts
2) 2446 – 2454 MHz RFID ERP +33.85 dBm == 2.4266 Watts
Maximum power is in terms of the ERP, effective radiated power, (related to the EIRP by the relation ERP = EIRP – 2.15 dB).
I used an online tool to convert dBm's into Watts
Paper by Texas Instruments: http://focus.ti.com/lit/an/swra048/swra048.pdf
dBm to W Converter: http://www.wirelessguys.com/calculations/watts_to_dBm.php
Posted by: Luther Blissett | December 12, 2006 03:22 AM
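Added example, not part of any comment in this thread: the limits above are quoted in four different forms (ERP in dBm, EIRP in watts, transmitter power plus antenna gain, and field strength at 3 m), so this Python sketch converts each to EIRP for comparison. The function names are my own, and the field-strength conversion assumes free-space far-field propagation.

```python
import math

DIPOLE_GAIN_DBI = 2.15  # from the thread: ERP = EIRP - 2.15 dB

def dbm_to_watts(dbm):
    """Power in dBm (dB relative to 1 mW) to watts."""
    return 10 ** (dbm / 10) / 1000

def watts_to_dbm(watts):
    """Power in watts to dBm."""
    return 10 * math.log10(watts * 1000)

def erp_dbm_to_eirp_watts(erp_dbm):
    """ERP is referenced to a dipole, EIRP to an isotropic radiator."""
    return dbm_to_watts(erp_dbm + DIPOLE_GAIN_DBI)

def tx_plus_gain_to_eirp_watts(tx_watts, gain_dbi):
    """Conducted transmitter power plus antenna gain in dBi."""
    return dbm_to_watts(watts_to_dbm(tx_watts) + gain_dbi)

def field_strength_to_eirp_watts(volts_per_m, distance_m):
    """Assumed free-space far field: E = sqrt(30 * EIRP) / d, so EIRP = (E * d)^2 / 30."""
    return (volts_per_m * distance_m) ** 2 / 30

def reconcile():
    """The figures quoted in the comments, each expressed as EIRP in watts."""
    return {
        "TI ERP +24.85 dBm": erp_dbm_to_eirp_watts(24.85),
        "TI ERP +33.85 dBm": erp_dbm_to_eirp_watts(33.85),
        "US 1 W transmitter + 6 dBi": tx_plus_gain_to_eirp_watts(1.0, 6.0),
        "US 500 mV/m at 3 m": field_strength_to_eirp_watts(0.500, 3.0),
        "US 50 mV/m at 3 m": field_strength_to_eirp_watts(0.050, 3.0),
    }

if __name__ == "__main__":
    for label, watts in reconcile().items():
        print(f"{label:28s} {watts * 1000:10.2f} mW EIRP  ({watts_to_dbm(watts):6.2f} dBm)")
```

Converted to EIRP, the two Texas Instruments ERP values come out at about 0.5 W and 4 W, which line up with the 500 mW and 4 W EIRP limits in Stepbar's quote.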
So, who's the winner of the syngress question?
;-P
Posted by: Luther Blissett | December 19, 2006 03:01 AM