Tag Archive for 'Security'

WordPress Theme: Unwakeable 1.5

I released Unwakeable 1.5 last night. This means Unwakeable is 100% compatible with WordPress 2.5! The previous version of Unwakeable, 1.2.1, didn’t play so nicely with WordPress 2.5.

Unwakeable 1.5 was built from the ground up using K2 r687 as a starting point. I decided to start fresh for Unwakeable 1.5 and scrapped pretty much all the code from 1.2.1. Unwakeable still has all the features it had in previous versions.

Advanced navigation and live search now work in Unwakeable. Unwakeable also comes with the K2 Sidebar Manager, a superior alternative to WordPress widgets. You can enable the K2 Sidebar Manager or you can use WordPress widgets; either one will work. Or, if you don’t like sidebar managers, you can continue to modify the contents of sidebar.php to get the sidebar setup you desire.

You can download Unwakeable 1.5 from the official Unwakeable page. Please let me know of any bugs or problems you run into.


WordPress 2.3.3 Security Release

WordPress version 2.3.3 has been released. This release, like the previous one, addresses an urgent security vulnerability that was found in the WordPress XML-RPC implementation. The flaw could allow any valid user on your blog to edit posts made by other users on your blog.

WordPress 2.3.3 also fixes some other minor bugs. If you don’t care about those minor bug fixes and just want to patch your blog against the XML-RPC vulnerability, you can download a fixed copy of xmlrpc.php and copy it to your WordPress installation directory, replacing the existing xmlrpc.php file.

You’re probably better off just downloading WordPress 2.3.3 and doing the full upgrade.


WordPress 2.3.2 Urgent Security Release

The WordPress folks have released WordPress 2.3.2, describing it as an urgent security release. This latest version fixes a bug that can be exploited to display your draft posts. Some changes have also been made to prevent certain error messages from giving away more information about your database than they need to. I would strongly advise that WordPress users install 2.3.2 ASAP.

WordPress 2.3.2 includes a new feature that lets you customize the error page displayed when WordPress can’t connect to your database. You can see the full list of changes between 2.3.1 and 2.3.2, and you can also see which bugs are fixed in WordPress 2.3.2.

Head over to the 2.3.2 announcement post on the Dev Blog for the full story on WordPress 2.3.2. If you don’t care about any of that, you can just head straight to the download.


WordPress Theme: Unwakeable 1.2.1

I hadn’t planned on releasing another version of Unwakeable in the 1.x series, yet here it is. The release of Unwakeable 1.2.1 was prompted after the discovery of a cross-site scripting (XSS) vulnerability in the Unwakeable search functions.

The vulnerability makes it possible for people to run malicious code that could, for example, steal all the cookies from your domain. You can download Unwakeable 1.2.1 from the official Unwakeable page. There are no new features in Unwakeable 1.2.1. The only difference between 1.2 and 1.2.1 is the fix for the XSS vulnerability.

If you’re already using version 1.2 and don’t want to bother upgrading, I’ve put together a post describing the steps to take to patch the vulnerability in Unwakeable 1.2.

I apologize for the inconvenience and please let me know if you have any issues with Unwakeable 1.2.1.


Unwakeable XSS Vulnerability

It was brought to my attention a couple days ago that Unwakeable 1.2 contains a cross-site scripting (XSS) vulnerability in the search piece. To test to see if you’re vulnerable, search for this on your Unwakeable site:

<script>alert('XSS Vulnerability!');</script>

If you see a JavaScript popup after searching, you’re vulnerable to attack and should follow the steps below to fix the vulnerability in Unwakeable 1.2. I’ve already taken steps to fix this vulnerability in Unwakeable 2.0, which will be released shortly.

To fix your installation of Unwakeable 1.2 you need to edit three files: searchform.php, theloop.php, and header.php.

1. searchform.php

First, open searchform.php and change this piece on line 8:

<form method="get" id="searchform" action="<?php echo $_SERVER['PHP_SELF']; ?>">

to this:

<form method="get" id="searchform" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">

2. theloop.php

Next, open theloop.php and change this piece on line 42:

printf(__('Search Results for \'%s\'','k2_domain'), $s);

to this:

printf(__('Search Results for \'%s\'','k2_domain'), htmlspecialchars($s));

3. header.php

Finally, open header.php and change this code on line 6:

Search for <?php echo $s;

to this:

Search for <?php echo htmlspecialchars($s);

That’s it. Once you’ve made those three changes you should no longer be vulnerable to this cross-site scripting attack. To make sure, just perform the search I mentioned above. It should no longer produce a JavaScript pop-up.
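The three edits above all apply the same escaping, and the example below gathers them into one stand-alone script so you can see the vulnerable and fixed output side by side for the test search string. This is an added example, not code from the Unwakeable theme; the function names and the '/index.php' path are assumptions made for the example.

```php
<?php
// Added example, not code from the Unwakeable theme: the escaping the three
// edits above apply, gathered in one place and run against the page's test
// search string. The function names here are assumptions made for this example.

function esc($value) {
    // ENT_QUOTES also escapes the single quote, which the default flags
    // (ENT_COMPAT) leave alone; that matters because both the heading
    // ('Search Results for \'%s\'') and attribute values can be single-quoted.
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// theloop.php / header.php: the query echoed into page text.
function heading_vulnerable($s) {
    return sprintf("Search Results for '%s'", $s);       // before the fix
}
function heading_fixed($s) {
    return sprintf("Search Results for '%s'", esc($s));  // after the fix
}

// searchform.php: the request path echoed into the form's action attribute.
// PHP_SELF can include path segments chosen by whoever requested the page,
// so it needs the same treatment as the search query itself.
function search_form_fixed($php_self, $s) {
    return '<form method="get" id="searchform" action="' . esc($php_self) . '">'
         . '<input type="text" name="s" value="' . esc($s) . '" />'
         . '</form>';
}

// The page's own test string. Pasted into a search box, the vulnerable
// heading hands it to the browser as markup; the fixed heading renders it
// as literal text.
$probe = "<script>alert('XSS Vulnerability!');</script>";

echo "vulnerable: ", heading_vulnerable($probe), "\n";
echo "fixed:      ", heading_fixed($probe), "\n";
// '/index.php' is a constructed stand-in for $_SERVER['PHP_SELF'].
echo "form:       ", search_form_fixed('/index.php', $probe), "\n";
```

The script needs no WordPress installation; run it with the php command-line binary and compare the two heading lines.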

You can find out more about this vulnerability at blogsecurity.net. They have a tool called WordPress Scanner that will scan your WordPress installations for security problems.

Let me know if this fix doesn’t work for any of you.


How To: Cisco VPN Client On Ubuntu 7.04 (Feisty Fawn)

IMPORTANT UPDATE, SEE BELOW

So, I installed the Ubuntu 7.04 Feisty Fawn beta about 2 months ago. I installed it on my notebook and one of my workstations, both of which had Windows installed previously. I’m not dual booting on those machines; they’re 100% Ubuntu now.

After getting everything set up and running nicely, I realized I had no way of connecting to the Cisco PIX VPN we have at work. This is really important for me to be able to do; my job depends on it. I immediately went to Google and started searching. Turns out a nice fellow named Alexander Griesser has created a patch for the Cisco VPN client, because the most recent Cisco VPN client for Linux won’t compile with kernels 2.6.19 or newer. There’s really not much of a difference between his instructions and this how-to. However, I’m including more detailed instructions for those who may not be familiar with compiling software on Linux.

Here are the steps I took to get the Cisco VPN Client to work under Ubuntu 7.04 (Feisty Fawn). Note: A $ at the beginning of a line signifies a command to be run from the terminal.

  1. Download vpnclient-linux-4.8.00.0490-k9.tar.gz (mirror) to your home directory.
  2. Open a terminal window and untar the vpnclient with the following command:
    $ tar xzf vpnclient-linux-4.8.00.0490-k9.tar.gz
    This will create a new folder called vpnclient in your home directory. Leave the terminal window open, you’ll need it later.
  3. Download the patch (mirror) and save it to the vpnclient folder that was created in step 2.
  4. Go back to your terminal window and move into the vpnclient folder:
    $ cd vpnclient/
  5. Now patch the Cisco VPN source with this command:
    $ patch < vpnclient-linux-2.6.22.diff
  6. Next we actually build the Cisco VPN client, issue this command:
    $ sudo ./vpn_install
    Just hit enter for everything it asks you, the defaults are all OK. You may see lots of warnings, but those are OK.
  7. The VPN client is installed, now we need to start it:
    $ sudo /etc/init.d/vpnclient_init start
  8. Place your .pcf configuration files in /etc/opt/cisco-vpnclient/Profiles/
  9. If your .pcf file is called myVPN.pcf, you’ll connect to the VPN with the following command:
    $ sudo vpnclient connect myVPN


That’s it! You should now be able to connect to your Cisco VPN with the official Cisco VPN client on Linux. This will probably work on pretty much any Linux setup, not just Ubuntu.

UPDATE (8/18/2007):
Alexander Griesser released a new patch that works with kernel versions 2.6.22 and greater. The new patch is backwards compatible, so it also works with older kernels as well, such as 2.6.10 and 2.6.21. All the download links above point to the newest release of the patch. I’ll continue to update this how-to as he releases new patches.

UPDATE (10/04/2007):
Cisco has finally released a new version of their VPN client for Linux. This new version compiles on all the new 2.6.xx kernels without the need for patching! You can download it from Alexander’s site or you can get it right here.

UPDATE (12/29/2007): Alexander Griesser has a new project page for his Cisco VPN client patches. It contains basic usage information and will most likely always have the latest and greatest patch available for download. In addition to that, Alexander has a new patch to make version 4.8.01.0640-k9 of the Cisco VPN Client compile on 64-bit systems. Again, you can download the latest Cisco VPN Client for Linux from the following link:
http://www.longren.org/files/vpnclient-linux-x86_64-4.8.01.0640-k9.tar.gz

