As you may or may not know, Filezilla, the extremely popular FTP client, stores all of your FTP passwords in plain text on your hard drive. While I strongly disagree with this practice, I also understand that there are reasons not to do so. It would be really nice to have some sort of option to encrypt the passwords, but I don’t see that happening any time in the near future.
There are actually multiple levels of danger in using Filezilla (and, presumably, many other FTP clients). In a Web browser, if you choose not to use the password manager, none of your passwords are stored. Filezilla, by contrast, stores all of the details from your most recent connection in a file called filezilla.xml, and the details from your 10 most recent connections in a file called recentservers.xml, even if you choose not to use the Site Manager (recentservers.xml covers the connections you make by typing the information into the Filezilla interface, which is the only way to connect if you are not using the Site Manager). These are plain old XML files with all of the information stored in plain, non-encrypted text. The format of the entries looks similar to the following.
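As an added example (not part of the original post, and not FileZilla's own code), the script below audits the two files named above for entries that still carry a stored password, so you know which accounts to rotate or which entries to clear. The XML sample is a constructed approximation of a recentservers.xml layout (one Server element per connection with Host, Port, User and optional Pass children), and the directory list in main() is an assumed set of typical locations; adjust both to match the files on your own machine. The report deliberately never prints the password values themselves.

```python
"""Audit FileZilla-style XML configuration files for stored plaintext
credentials. Added example: the XML below is a constructed stand-in for
filezilla.xml / recentservers.xml, not a copy of the project's real files.
"""
import os
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample standing in for a recentservers.xml file.
# The first entry carries a password, the second does not.
SAMPLE_RECENTSERVERS = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3>
  <RecentServers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <User>deploy</User>
      <Pass>hunter2</Pass>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <User>alice</User>
    </Server>
  </RecentServers>
</FileZilla3>
"""


@dataclass
class StoredCredential:
    host: str
    port: str
    user: str
    has_password: bool  # True when a non-empty <Pass> element is present


def audit_filezilla_xml(xml_text: str) -> list[StoredCredential]:
    """Return one record per <Server> entry, noting whether it stores a password.

    The password text itself is inspected only for emptiness and is never
    retained, so the findings are safe to log.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for server in root.iter("Server"):
        host = (server.findtext("Host") or "").strip()
        port = (server.findtext("Port") or "").strip()
        user = (server.findtext("User") or "").strip()
        pass_el = server.find("Pass")
        has_pw = pass_el is not None and bool((pass_el.text or "").strip())
        findings.append(StoredCredential(host, port, user, has_pw))
    return findings


def exposed_hosts(findings: list[StoredCredential]) -> list[str]:
    """user@host:port labels for every entry that still holds a password."""
    return sorted(f"{f.user}@{f.host}:{f.port}" for f in findings if f.has_password)


def audit_file(path: str) -> list[StoredCredential]:
    """Audit one XML file on disk; missing files simply yield no findings."""
    if not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8") as fh:
        return audit_filezilla_xml(fh.read())


def main() -> None:
    # Assumed typical configuration directories (Linux and Windows).
    candidate_dirs = [
        os.path.expanduser("~/.filezilla"),
        os.path.expanduser("~/.config/filezilla"),
        os.path.join(os.environ.get("APPDATA", ""), "FileZilla"),
    ]
    for directory in candidate_dirs:
        for name in ("filezilla.xml", "recentservers.xml"):
            path = os.path.join(directory, name)
            findings = audit_file(path)
            if not findings:
                continue
            print(f"{path}: {len(findings)} server entries")
            for label in exposed_hosts(findings):
                print(f"  stored password present for {label}")

    # Demonstrate on the constructed sample so the script shows output offline.
    print("sample:", exposed_hosts(audit_filezilla_xml(SAMPLE_RECENTSERVERS)))


if __name__ == "__main__":
    main()
```

Run it as-is to see the constructed sample reported, or point it at your own configuration directory; any label it prints is a credential you may want to rotate, since anyone who can read that file can read the password.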
Blogging software WordPress has posted an update to their software that they are calling a “critical” update. WordPress founder Matt Mullenweg posted about the update this afternoon and suggests you download and install the patch as soon as possible.
You can see the full changeset that is part of the 3.0.4 WordPress patch on the WordPress Trac.
If you run WordPress on your own server, you can use the auto-update to download and install the 3.0.4 version with the patch or you can download the software from wordpress.org.
The folks over at WordPress released a new minor version this evening, and are calling it a “mandatory security update”. From the looks of it, only a handful of “minor” (their word, not mine) security holes were patched in this version, so I’m not quite sure why it’s being tagged as mandatory.
Regardless, if you’re running WordPress anywhere, you should really log in to your administrative area, back up your site and then perform the update (if you don’t have a nag message at the top of your dashboard, you can always go to the “Updates” section under the “Dashboard” menu).
A few weeks ago, I wrote about the fact that one of my websites was hacked and exploited by a script apparently known as “WebShell by oRB”. At the time, I was hoping that the issue had been fixed, but I quickly learned that it hadn’t. At least once each day, the hack re-appeared on our website in different ways through different files.
After a bit more research into the matter, I found that the issue seems to be related to a vulnerability in phpThumb, a widely-used PHP script that dynamically resizes and manipulates images. The vulnerability was identified as early as 5 years ago according to some reports. Unfortunately, the developers of phpThumb have yet to do anything about it.
I honestly have no idea when this was announced, but Twitter will start disabling its “Basic Auth” on Aug. 16, 2010 (the system will be completely unavailable by Aug. 31). For Twitter users, this doesn’t really mean anything. However, for Web developers that use various interfaces and plug-ins to share information on Twitter, this is big.
The majority of API libraries and classes that were (and, as of this writing, still are) listed in the official Twitter API documentation will stop working. This change, as far as I can tell, will affect the way tweets are sent and the way tweets are received. Therefore, whether you’re trying to post tweets from an external source, or you’re simply trying to list your latest tweets, if the interface uses the old system of Basic Auth, it’s going to stop working on Aug. 31.