Recent
Prevention of unwanted telemarketing calls
I am tired of receiving multiple telemarketing calls per day, I’m tired of the Telephone Preference Service (TPS) not having an effect, and I’m tired of telecommunication companies charging for prevention features which should be free.
I came across an e-petition that was set up by a Rob Whitelock. It is not perfect in its recommendations but certainly puts the general point across.
e-petitions is an easy way for you to influence government policy in the UK. You can create an e-petition about anything that the government is responsible for and if it gets at least 100,000 signatures, it will be eligible for debate in the House of Commons.
You can help by signing the petition here:
http://epetitions.direct.gov.uk/petitions/17324
WordPress 3.3 Cross-Site Scripting (XSS)
Yesterday two Indian security researchers, Aditya Modha & Samir Shah, released an advisory outlining a Cross-Site Scripting (XSS) vulnerability within the latest version (at the time of writing) of WordPress 3.3. Many people started re-tweeting the news (including myself) and blogging about it. The problem came when I tried to reproduce the vulnerability: I couldn’t.
I started to think that the vulnerability was a misunderstanding or publicity stunt and was getting annoyed at the many people who were spreading misinformation. I contacted the researchers over Twitter and told them that I was unable to reproduce the vulnerability in any browser or on any WordPress installation, including vanilla installs.
The researchers got back in touch with a link to a WordPress installation on which the vulnerability worked. The URL they gave me was an IP address. Within their environment the XSS worked.
At this point I think even the researchers were puzzled. They sent me this code that they believed was the function causing the XSS within wp-includes/functions.php: http://pastebin.com/iBnpN8Zm
WordPress Plugin Disqus Comment System XSS
# Exploit Title: WordPress Plugin Disqus Comment System <= 2.68 Reflected Cross-Site Scripting (XSS)
# Google Dork: inurl:/wp-content/plugins/disqus-comment-system/
# Date: 11.12.11
# Author: Ryan Dewhurst (@ethicalhack3r)
# Software Link: http://downloads.wordpress.org/plugin/disqus-comment-system.2.68.zip
# Version: 2.68
# Tested on: Cross-Platform
** Vulnerability Description **
The WordPress Disqus Comment System version 2.68 was found to be affected by Reflected Cross-Site Scripting (XSS). At the time of writing the plugin (not version) had been downloaded 504,746 times. [0]
EC-Council – CEH – Unethical Behavior
The EC-Council or ‘The International Council of E-Commerce Consultants’ as they like to call themselves offer a range of different services, mostly in the field of Information Security training and certifications. One of their certifications, the Certified Ethical Hacker (CEH) claims to aspire to training ‘ethical’ hackers.
“CEHv7 provides a comprehensive ethical hacking and network security-training program to meet the standards of highly skilled security professionals.”
What I have found is the way the EC-Council promote their CEH is less than ethical and downright unethical.
A comment left on my blog quite a while ago (2010/04/20 at 6:18 am), looked fairly authentic, however, when investigating a little further it was clear to me that the comment was in fact SPAM.
“smith said…
Hey folks, Thanks for sharing your views,article includes a very good information about the ethical hacking, the most interesting job in the field of computer security is being an ethical hacker,so i striven into the field of CEH, for more information on CEH check this link http://www.eccouncil.org/certification/certified_ethical_hacker.aspx”
WPScan 1.1 released
I am pleased to announce, after 5 months of work, that WPScan version 1.1 has been released!
With 780 more lines of code the most notable changes are:
Detection for 750 more plugins.
Detection for 107 new plugin vulnerabilities.
Detection for 447 possible timthumb file locations.
Advanced version fingerprinting implemented.
Full Path Disclosure (FPD) checks.
Auto updates.
Progress indicators.
Improved custom 404 checking.
Improved plugin detection.
Improved error_log checking.
Lots of bugs fixed.
Lots of small tweaks.
A full list of changes can be found here:
http://code.google.com/p/wpscan/source/browse/trunk/CHANGELOG


