Post

IE8.0 US-ASCII and Other Stuff

David Ross had a good blog post a few weeks back about how IE8.0 is no longer vulnerable to the US-ASCII encoding attack. For those of you who don’t know what I’m talking about, you can find an example of it on the charsets page. Looks like both of the browser manufacturers are stepping up their game a little for the next version of the browsers to hit the market. On a side note, and something I’ve been meaning to post for a while now, I’ve found a discrepancy between IE and Firefox that I think is worth noting. Most of the time this isn’t an issue but most web-pages decode Unicode inputs, so the fact that Firefox automatically encodes every GET parameter with Unicode is not a big deal. However, if the page doesn’t do any conversions, but rather echoes the data back exactly as it was seen, Firefox isn’t vulnerable. However, Internet Explorer is - because it doesn’t convert " into %22 for instance. It’s a subtle difference, and only affects certain websites, but it was big enou...

Joomla Component com_datsogallery 1.6 Blind SQL Injection Exploit

OSVDB-ID: 44969 - http://osvdb.org/show/osvdb/44969

Description (provided by CVE, http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-5208): SQL injection vulnerability in sub_votepic.php in the Datsogallery (com_datsogallery) module 1.6 for Joomla! allows remote attackers to execute arbitrary SQL commands via the User-Agent HTTP header.

Classification: Location: Remote / Network Access; Attack Type: Information Disclosure, Input Manipulation; Impact: Loss of Confidentiality, Loss of Integrity; Exploit: Exploit Public; Disclosure: Uncoordinated Disclosure; OSVDB: Web Related

Products: Unknown or Incomplete

[Via - http://www.exploit-db.com/exploits/5583/ ]

wpgallery-sql.txt

The WordPress Photo Gallery module suffers from a remote SQL injection vulnerability. [Via - http://packetstormsecurity.org/filedesc/wpgallery-sql.txt.html ]

oracleasp-bypass.txt

The Oracle Application Server Portal 10G suffers from an authentication bypass vulnerability. Details are provided. [Via - http://packetstormsecurity.org/filedesc/oracleasp-bypass.txt.html ]

Joomla Component xsstream-dm 0.01b Remote SQL Injection Exploit

[Via - http://www.milw0rm.com/exploits/5587 ]

Gmail as a spam engine [Network Security Blog]

This is not good. Researchers from INSERT found a vulnerability in the Gmail engine that could allow spammers to forward mail through Google, thereby bypassing blacklists and being accepted by whitelists. It works by using the same forwarding features that allow users, myself included, to forward their email through Gmail. The worst part of this is that it also bypasses Gmail’s 500-recipient limit for any email, though that part should be easy to fix. I hope. INSERT has been courteous enough to omit a fair amount of the details of the vulnerability, but I think there’s enough general information in the notification that spammers will be able to figure it out soon if Google doesn’t act even faster than the bad guys. Given Google’s track record and the sneaking suspicion that Google was given advance warning of the vulnerability, I’m hoping Gmail can be made secure fairly quickly. I’ll be interested to see what we hear on this over the next couple of weeks on the Full Disclosure/No...

WP-o-Matic + Simple Tag = aggregation is served

Trying out shared reading! During this period of being stuck at home, an idea sprang to mind that may make some people turn up their noses, but which seems to me to go exactly in the direction of my concept of aggregation. Thanks to the latest fantastic changes made to Google Reader, I have finally decided to implement (still a work in progress) an autopost mechanism based on the news items I read from my feed and consider relevant. Google Reader lets you tag a news item using simple keywords, and so far nothing extraordinary. A further feature on top of this is the ability to extract an Atom/RSS feed of the classified items, just as happens for the Shared and Starred Items. This is where WP-O-Matic, an RSS aggregator, comes in. What does it do, in essence? It polls the feeds we give it in search of new items and then turns them into actual posts on the blog (plus a whole series of other things/optio...