K-Squared Ramblings » xss

Alphabet Soup: XP SP and EV SSL XSS!

Kelson — Mon, 19 May 2008 17:26:22 +0000

Sorry for the lack of updates this past week. I was just way too busy prepping for our move this weekend.

A couple of interesting news bits I noticed when I got into work this morning:

It looks like I’ve been lucky with installing Windows XP Service Pack 3. I’ve had no problems with the one machine I installed it on. According to Information Week, a lot of people are having serious problems with SP3, including BSOD on AMD-based systems.

Also, NetCraft has a screenshot of a PayPal page with both the green bar of an Extended Validation (EV) SSL certificate and a cross-site scripting (XSS) vulnerability. It’s a step or two beyond the standard lock icon, but there are still limits to what an EV cert can tell you. Unfortunately PayPal and others are really trying to drum “green bar = safe” into people’s heads.

WordPress 2.1.1 Security Alert

Kelson — Sat, 03 Mar 2007 01:13:45 +0000

Sometime in the last 3-4 days, someone managed to alter the download for WordPress 2.1.1, adding a remotely exploitable security hole. The WordPress team has declared the release “dangerous” and has issued an update, WordPress 2.1.2, taken from the clean source plus a few fixes. If you run WordPress 2.1.1, upgrade ASAP!

Things worth noting:

The SVN source that the developers use was not altered.
Older versions, such as 2.0, don’t seem to have been affected.
If you downloaded 2.1.1 when it was first released, it’s probably okay.
2.1.2 also includes a fix for a cross-site scripting vulnerability discovered a few days ago, so it’s worth updating anyway.

I still had the tar archive of 2.1.1 from when I grabbed it the day of the release, so I compared its contents to the 2.1.2 archive. The two files mentioned in the announcement, feed.php and theme.php, aren’t any different, confirming that the initial release was unaffected. That’s also where I saw the changes for that XSS bug.

*sigh* It’s always something…

Web worm in MySpace

Kelson — Fri, 14 Oct 2005 19:50:14 +0000

Worms of the future: someone on MySpace *ptui!* came up with an actual JavaScript worm using cross-site scripting exploits and XMLHTTPRequest. In 24 hours, the worm had forced 1 million users to add him to their friends lists.

Personally, MySpace bugs the heck out of me because it seems to have a culture that encourages embedding images from other sites. 18% of hits to hyperborea.org from other websites are from myspace. Admittedly that’s inflated by the fact that attempts to embed images from my Flash site redirect to the actual articles, so it’s probably more like 10%, but it’s still insane. Earlier this week I started blocking hits from MySpace to images posted on this blog, and I plan to do the same with the Flash images over the weekend. You like my photos? Great, link to my actual site! You like the scan I have of some movie logo? Great, copy it and upload it to your own site!

(via Slashdot)