Image Manipulation Script Vulnerabilities

Yesterday, Mark Maunder published a blog post making people aware of a vulnerability in the popular PHP image manipulation script TimThumb. Anyone who uses TimThumb should definitely read that article to make sure that the vulnerability gets patched. Almost a year ago, though, I posted (and I was far from the first) about a vulnerability in another extremely popular PHP image manipulation script: phpThumb.

Securing Filezilla

As you may or may not know, Filezilla, the extremely popular FTP client, stores all of your FTP passwords in plain text on your hard drive. While I strongly disagree with this practice, I also understand that there are reasons not to do so. It would be really nice to have some sort of option to encrypt the passwords, but I don’t see that happening any time in the near future.

There are actually multiple levels of danger in using Filezilla (and, presumably, many other FTP clients). A Web browser stores none of your passwords if you choose not to use its password manager. Filezilla, on the other hand, stores all of the details from your most recent connection in a file called filezilla.xml, and all of the details from your 10 most recent connections in a file called recentservers.xml, even if you never use the Site Manager. (This applies to connections you make by typing the information into the Filezilla interface, which is the only way to connect if you are not using the Site Manager.) These are plain old XML files with all of the information stored in plain, non-encrypted text. The format of the entries looks similar to the following.
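If you want to check what a Filezilla installation has left on disk, the following script is an added example (not code from the original post or from the FileZilla project). It parses a recentservers.xml-style file, pulls out every server entry that carries a stored password, and reports the affected accounts. The sample XML is constructed to match the layout described above, the default config locations and the base64 `encoding` attribute seen in newer builds are assumptions, and the hosts, users and passwords are placeholders.

```python
import base64
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample in the layout described above (assumed, not a real capture):
# one <Server> block per connection, credentials stored in the clear.
SAMPLE_RECENTSERVERS = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3>
  <RecentServers>
    <Server>
      <Host>ftp.example.com</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>deploy</User>
      <Pass>hunter2</Pass>
      <Logontype>1</Logontype>
    </Server>
    <Server>
      <Host>sftp.example.org</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <Type>0</Type>
      <User>alice</User>
      <Pass encoding="base64">czNjcjN0</Pass>
      <Logontype>1</Logontype>
    </Server>
    <Server>
      <Host>anon.example.net</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <Logontype>0</Logontype>
    </Server>
  </RecentServers>
</FileZilla3>
"""


def stored_credentials(xml_text):
    """Return (host, port, user, password) for every <Server> entry that carries a <Pass>."""
    root = ET.fromstring(xml_text)
    found = []
    for server in root.iter("Server"):
        pass_el = server.find("Pass")
        if pass_el is None or not (pass_el.text or "").strip():
            continue  # anonymous or "ask for password" entries store nothing
        secret = pass_el.text.strip()
        # Assumption: newer FileZilla builds write <Pass encoding="base64">.
        # That is an encoding, not encryption, so it is recovered just as easily.
        if pass_el.get("encoding") == "base64":
            secret = base64.b64decode(secret).decode("utf-8", "replace")
        found.append((server.findtext("Host", ""), server.findtext("Port", ""),
                      server.findtext("User", ""), secret))
    return found


def candidate_config_files():
    """Assumed default locations of FileZilla's config files on Linux/macOS and Windows."""
    home = Path.home()
    names = ("recentservers.xml", "filezilla.xml", "sitemanager.xml")
    dirs = (home / ".config" / "filezilla",
            home / ".filezilla",
            home / "AppData" / "Roaming" / "FileZilla")
    return [d / n for d in dirs for n in names]


def audit(paths=None):
    """Report every stored credential found; passwords themselves are not echoed."""
    report = []
    for path in paths if paths is not None else candidate_config_files():
        if not path.is_file():
            continue
        for host, port, user, secret in stored_credentials(path.read_text(encoding="utf-8")):
            report.append(f"{path}: {user}@{host}:{port} "
                          f"(password of {len(secret)} chars stored in the clear)")
    return report


if __name__ == "__main__":
    for line in audit() or ["No FileZilla credential files found."]:
        print(line)
```

Run it on the machine in question and treat every line it prints as a credential that anyone with read access to your home directory (backup software, a stolen laptop, another local user) already has; rotating those passwords and deleting the files is the only real fix until the client offers encryption.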

WordPress Releases Critical 3.0.4 Upgrade Patch

WordPress has posted an update to its blogging software that it is calling a “critical” update. WordPress founder Matt Mullenweg posted about the update this afternoon and suggests you download and install the patch as soon as possible.

You can see the full changeset that is part of the 3.0.4 WordPress patch on the WordPress Trac.

If you run WordPress on your own server, you can use the auto-update to download and install the 3.0.4 version with the patch or you can download the software from wordpress.org.

WordPress 3.0.2 Released – Mandatory Security Update

The folks over at WordPress released a new minor version this evening, and are calling it a “mandatory security update”. From the looks of it, only a handful of “minor” (their word, not mine) security holes were patched in this version, so I’m not quite sure why it’s being tagged as mandatory.

Regardless, if you’re running WordPress anywhere, you should really log in to your administrative area, back up your site and then perform the update (if you don’t have a nag message at the top of your dashboard, you can always go to the “Updates” section under the “Dashboard” menu).

WebShell Hack – An Update

A few weeks ago, I wrote about the fact that one of my websites was hacked and exploited by a script apparently known as “WebShell by oRB”. At the time, I was hoping that the issue had been fixed, but I quickly learned that it hadn’t. At least once each day, the hack re-appeared on our website in different ways through different files.

After a bit more research into the matter, I found that the issue seems to be related to a vulnerability in phpThumb, a widely-used PHP script that dynamically resizes and manipulates images. The vulnerability was identified as early as 5 years ago according to some reports. Unfortunately, the developers of phpThumb have yet to do anything about it.

Important: Twitter Updating Authentication Methods

I honestly have no idea when this was announced, but Twitter will start disabling its “Basic Auth” on Aug. 16, 2010 (the system will be completely unavailable by Aug. 31). For Twitter users, this doesn’t really mean anything. However, for Web developers that use various interfaces and plug-ins to share information on Twitter, this is big.

The majority of API libraries and classes that were (and, as of this writing, still are) listed in the official Twitter API documentation will stop working. This change, as far as I can tell, will affect the way tweets are sent and the way tweets are received. Therefore, whether you’re trying to post tweets from an external source, or you’re simply trying to list your latest tweets, if the interface uses the old system of Basic Auth, it’s going to stop working on Aug. 31.
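The replacement Twitter required was OAuth 1.0a, which the excerpt above does not name. The added example below (not code from the original post or from any Twitter library) shows why this is more than a flag to flip for developers: a Basic Auth header is just the username and password base64-encoded, while an OAuth 1.0a request carries an HMAC-SHA1 signature over the method, URL and every parameter, keyed with the consumer and token secrets. The credentials, nonce and timestamp used here are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

# Constructed, hypothetical credentials: not real Twitter keys.
CONSUMER_KEY = "exampleConsumerKey"
CONSUMER_SECRET = "exampleConsumerSecret"
ACCESS_TOKEN = "exampleAccessToken"
ACCESS_TOKEN_SECRET = "exampleAccessTokenSecret"


def pct(value):
    """RFC 3986 percent-encoding as OAuth 1.0a requires (only A-Z a-z 0-9 - . _ ~ left bare)."""
    return quote(str(value), safe="-._~")


def basic_auth_header(username, password):
    """The scheme being switched off: the credentials are merely base64-encoded on every request."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def signature_base_string(method, url, params):
    """Canonical string the HMAC covers: method, base URL, and all parameters sorted and encoded."""
    encoded = sorted((pct(k), pct(v)) for k, v in params.items())
    param_string = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(url), pct(param_string)])


def oauth1_sign(method, url, request_params, nonce=None, timestamp=None):
    """Return the OAuth 1.0a HMAC-SHA1 Authorization header for one request.

    nonce and timestamp are parameters so the output can be reproduced; a real client
    lets them default to a fresh random value and the current time.
    """
    oauth_params = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": ACCESS_TOKEN,
        "oauth_version": "1.0",
    }
    # Query/body parameters are signed together with the oauth_* ones.
    base = signature_base_string(method, url, {**request_params, **oauth_params})
    key = f"{pct(CONSUMER_SECRET)}&{pct(ACCESS_TOKEN_SECRET)}".encode("ascii")
    digest = hmac.new(key, base.encode("utf-8"), hashlib.sha1).digest()
    oauth_params["oauth_signature"] = base64.b64encode(digest).decode("ascii")
    header = ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth_params.items()))
    return "OAuth " + header


if __name__ == "__main__":
    url = "https://api.twitter.com/1/statuses/update.json"
    print(basic_auth_header("alice", "hunter2"))
    print(oauth1_sign("POST", url, {"status": "Hello world"}))
```

Two practical consequences follow from the signature. The password never leaves the developer's machine, so a leaked log of HTTP headers no longer yields a reusable credential the way a Basic header does. And because the nonce and timestamp are part of the signed string, a captured request cannot simply be replayed later.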
