Stellify

WordPress XSS vulnerability in templates.php

January 3, 2007 · 6 comments

WordPress

An important heads-up to all WordPress fans—that’s pretty much the whole blogosphere*, isn’t it? There’s been a recently-discovered security flaw with the blog software’s templates.php file. It’s called XSS, i.e. cross-site scripting, a vulnerability that permits malicious code injection into web pages.

David Kierznowski explains what part of the WP file is causing this:

When editing files a shortcut is created titled “recently accessed files”. The anchor tag text is correctly escaped with wp_specialchars(); however, the link title is not sanitised. Instead, it is passed to get_file_description($file). The only restriction or limitation here is that our text is passed through basename. This means standard script tags will fail when ending with “˜/”. We can get around this by using “open” IMG tags; this works under FF and IE.

In pseudo-English, that would mean:

WordPress is prone to a HTML-injection scripting vulnerability because the application fails to properly sanitize user-supplied input.

Attacker-supplied HTML and script code would execute in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible.

TechBuzz lists all WordPress versions that are in danger of this exploit, but the short story is unless you’re using 2.0.6 you’re not safe. ~~And as far as I know that one hasn’t been released officially yet.~~ It’s advised you patch the culprit file in the meantime. (Make sure to back those files up first!) WP 2.0.6 has just been released yesterday. You might want to upgrade instead of patching.

* It’s so popular, in fact, that sneaky people are making money off of hinting at how you can use it to make your money. They obviously haven’t head of WP’s support community.

Update: It’s templates.php, with an s. oKs this!

What, No Holiday Post?

January 2, 2007 · 7 comments

Still, a belated Merry Christmas and Happy New Year to y’all!

I seem to have been too distracted by other things to come up with a post for this blog. I do have some things in mind but they’re too short for full length posts, so I stared at my blog for several days and pondered on whether to install some sort of asides (side-blogging) feature. Obviously, I haven’t (I tweaked and added other features anyway). So I shall resort to what I usually do, and that is unload a bunch of disjointed topics in one go.

Adobe CS3 Program Icons: Alphabet Soup on a Color Wheel (And What They Mean)

December 22, 2006 · 27 comments

[Looking for the list of Adobe CS3 program abbreviations?]

Adobe Photoshop CS3 Beta Released

(A prelude.)

Let’s start off by announcing Adobe has recently made Photoshop CS3 Beta available for download. It’s free as long as you have a valid Photoshop CS2, CS2, Production Studio, Video Bundle, or Web Bundle serial number and the final Photoshop CS3 version hasn’t come out yet. Another caveat: no tech support is available for the beta.

All the details are given on the Photoshop CS3 page, including download instructions and system requirements—at least 320 MB RAM and 64 MB video memory!

New Adobe Creative Suite 3 Program Icons

Adobe has been known to change branding strategies every new version, particularly the logo and icon aspects. Take Photoshop for example. From versions 1.0 to 7.0 there was the ever-present eye in each of the whimsically conjured designs. But this was followed by a more nature-friendly feather concept starting with the two generations belong to the Creative Suite.

For CS3, though, Photoshop and practically every other member of Adobe’s Product line has adopted a drastically different icon scheme (mentioned here), sporting two letters of the product name on a soft-gradient-fill-ed square. The typeface details are in the postscript of this entry. The color of the gradient is the color the product is assigned to on the color wheel. In the case of Photoshop, it’s a nice, deep blue, around #2B75CC (according to ColorZilla).

The Alphabet Soup and The Color Wheel

The Periodic Table of Elements comes to mind—transformed into a color wheel using the polar coordinates filter! (Kidding.) Yes, it’s very disorienting.

Time Person of the Year for 2006 is You—Yes, You

December 20, 2006 · 3 comments

This year, Time Magazine has named You as the Person of the Year. Yes, You, the publishers powered by the platform that is the World Wide Web.

The article begins by reporting that 2006 is the year we have realized history is no longer shaped by few greats. Instead, we have witnessed a phenomenon concocted by the crowd, from people all over the world. Wikipedia and YouTube are cited as the prime examples of such revolutionary behavior.

But beyond speaking in awe of such a new, large-scale, worldwide trend brought about by advances in computers and the Internet—here the phrase Web 2.0 has since been thrown about—Time commends us for all the hard work we put into making the revolution a reality.

Beta Testings

December 17, 2006 · 8 comments

I’ve been dead lately and I’m sick right now. In the meantime, some first looks…

4 Beta Testing

With Gravatar’s Outage and Suckage, Should A New Avatar System Take Its Place?

December 5, 2006 · 35 comments

Perhaps more than a week ago, while browsing around my site, I found this shocking message in the comments section:

I really don’t know why something inside me told me the hacker-like message pointed to the Gravatar plugin installed on this site, but sadly, Googling around confirmed my suspicions. Apparently it was a debugging message for the Gravatars2 plugin.

…Getting no gravatar back from gravatar.com is very common. I removed the rougue “SUCKAGE” message that I had been using for testing. Oops. :) You can download the latest 2.5.3 release to get rid of that. It only shows up when the gravatar downloaded from gravatar.com should have been valid, but wasn’t (the reason for the previous emergency release)… »

Putting a message like that may seem fun (in a geeky way obviously) when it’s for personal use only, but if you’re writing it inside code somebody else will see, and might possibly get scared of, don’t put it there! But then I guess this is no MP and we are not teachers who can scold you for such silliness. This is real life.

Best Designed Filipino Blogs for 2006 Announced!

December 1, 2006 · 14 comments

Basang Panaginip, the highly controversial blog that brought us The Sexiest Filipino Bloggers, The Sexiest Filipina Bloggers, and The World’s Most Photorealistic Vector Art have come up with a new list: the Best Designed Filipino Blogs for 2006.

I was shocked to find out that Michael dropped by to tell me I was on the list. The awards are no Philippine Webbies*, but my respect (or awe) for that award-giving body has started to erode a long time ago (here’s Mia’s story).

I’ve listed the winners here, but you should visit Basang Panaginip’s entry for visual proof. (Which means you’re under a rock and you haven’t heard of these people, much less visited their kickass sites before.)

Avalonstar by Bryan Veloso
Best Overall
I’m Bryan Veloso by Bryan Veloso
Best Designed About Page
Caterina Fake for Flickr
Best Filipino CMS Designer
iPap by Markku Seguerra
Best Designed Photoblog
Kutitots by Gail dela Cruz
Best Designed WordPress
How Now Brownpau by Paulo Ordoveza
Best Designed MovableType
Midori-X by Marni
Best Designed Blogger
Sacha Chua by Sandra Jean “Sacha” Chua
Best Designed Wiki Blog
Lukaret by Beng Hafner
Best Visual Aesthetic
Rebelpixel by Markku Seguerra
Best Navigation and Structure
Koray by Derek Punsalan
Best Usability
Avlack by Jolo Santos
Best Minimalist
Foliage Mod by Derek Punsalan
Best Single Column
5thirtyone October Special by Derek Punsalan
Best Blog Design for SEO
Hinge Inquirer Productions by Gail dela Cruz
Best Designed Commercial Blog
The Last Leaf by Mae Paulino
Best Use of Color
Stellify by Sophie “ia” Lucero
Best Use of Contrast
Avalonstar by Bryan Veloso
Best Logo
Anino by Datu Arellano
Best Header
Ironwulf by Ferdinand Decena
Best Use of Background Graphics
HighFiber by Luis Buenaventura
Best Designed Comment Avatars
HighFiber by Luis Buenaventura
Best Designed Community Blog

Best use of contrast, eh? To me that means they appreciated how I used black. Wai!

But beyond basking in awe (a. that they called me Sophie; b. Caterina Fake! Avalonstar! Rebelpixel! Can you say webstarstruck?) and l33tness, I’m thankful I have a few more Filipino greats to add to my list. Of what? Shhh!

* I know I’ve read sites from around the world that use “webbys”. The proper way to pluralize a word ending in Y preceded by a consonant is to use -ies. Adding an S is used for vowels preceding Y’s. (This grammar lesson is brought to you by The Obsessive-Compulsive Grammar Police, me.)

Squat, Don’t Sit.

November 28, 2006 · 6 comments

L of Death Note, squatting as usual

Once more, this proves we are slaves to social conditioning. Because sitting languidly on a “throne” was deemed more civilized than the ways of crude native folk, we have embraced it as the proper way to sit.

If you have ever felt, as many, many people do, that after you have evacuated, there is still something left, here is the reason:

The anal canal is UNSTRAIGHTENED when seated. Bowel evacuation when seated results frequently in OBSTRUCTIVE CONSTIPATION…Adopt a relaxed, FULL SQUAT POSTURE and the anal canal STRAIGHTENS.

So that’s why L sits like that.

It goes beyond constipation, though, as, detailed at Nature’s Platform. And among the experts on the subject is a certain Dr. Alexander Kira:

…While we regard the use of the water closet as natural, we represent only a relatively small percentage of the world’s population, and a percentage that may be said, in an absolute sense, to be wrong, insofar as we have allowed civilization to interfere with our biological functioning.

Found another “don’t get a job” post too. “Companies pay you for your time, not for the value you produce.” I don’t think that’s true all the time, but that’s why I don’t understand web designers and similar freelancers that charge by the hour.

Page 17 of 21« Newest ‹1014 15 161718 19 20 21

Everything on Stellify, unless otherwise stated, is made by Adelaida Sophia Marie F. Lucero and is licensed under a Creative Commons License.

· Hosted by HawkHost · Get Dropbox · Grab MediaLoot