Image Manipulation Script Vulnerabilities

Yesterday, Mark Maunder published a blog post making people aware of a vulnerability in the popular PHP image manipulation script TimThumb. Anyone who uses TimThumb should definitely read that article to make sure that the vulnerability gets patched. Almost a year ago, though, I posted (and I was far from the first) about a vulnerability in another extremely popular PHP image manipulation script: phpThumb.

Securing Filezilla

As you may or may not know, Filezilla, the extremely popular FTP client, stores all of your FTP passwords in plain text on your hard drive. While I strongly disagree with this practice, I also understand that there are reasons not to do so. It would be really nice to have some sort of option to encrypt the passwords, but I don’t see that happening any time in the near future.

There are actually multiple levels of danger in using Filezilla (and, presumably, many other FTP clients). A Web browser stores none of your passwords if you choose not to use its password manager. Filezilla, by contrast, still stores all of the details from your most recent connection in a file called filezilla.xml, and all of the details from your 10 most recent connections (at least, the ones you make by typing the information into the Filezilla interface, which is the only way to connect if you are not using the Site Manager) in a file called recentservers.xml, even if you choose not to use the Site Manager. These are plain old XML files with all of the information stored in plain, non-encrypted text. The format of the entries looks similar to the following.

Check Your Sites With Google

Earlier this week, I received a report that something fishy was going on with one of my websites. The report indicated that some sort of spam had infiltrated the site, informing users about great deals on pharmaceuticals. Needless to say, since we had not recently gone into the business of selling drugs (legal or otherwise), this was a bit suspicious.

I headed to the page that was included in the report and checked it out in about 20 different ways. I opened it in each of the five browsers I have installed; I viewed the regular source of the page; I viewed the generated source (after the JavaScript has run and modified the source) of the page and couldn’t find anything about the pharmaceuticals reported in the message.

Integrating Twitter With Your WordPress Blog

Last month, Smashing Magazine posted a great article explaining quite a few different ways to integrate Twitter with your WordPress blog. Many of the suggestions are “hacks” for WordPress, while some are just plug-ins, but they are all helpful.

Here are some of the things the article shows you how to do:

  1. Automatically create TinyUrls for your blog posts
  2. Display your latest tweet without a plug-in
  3. Create a “Tweet this” button
  4. Create a Twitter page on your WordPress blog