* Posts by SteveGS

6 posts • joined 19 Dec 2015

Facebook blames 'server config change' for 14-hour outage. Someone run that through the universal liar translator

SteveGS

Re: Facebook was down?

Who gives a zuck?

SteveGS

Nothing to gawp at on the iPhart?

Might be the reason why fewer kids than usual walked off the pavement in front of my bike yesterday...

Why Firefox? Because not everybody is a web designer, silly

SteveGS

Re: chrome is google spyware, and I've seen a lot of crappy software that tries to install it

Do you *really* want the all-seeing and would-be world-dominating Google to monitor your web browsing activities?

Teen UK hacker pleads guilty after earning $385k from DDoS tool

SteveGS

"A quick search of Bailii shows usages in the U.K. as far back as 1822."

Yes - but there are considerably fewer instances. According to BAILII's website, 'pled' appears in 1946 entries and 'pleaded' appears in 50732 entries. Incidentally, 'pled' shows up as misspelt in my spell checker. It is not valid to compare it with words like 'bred' or 'bled' because, although their present-tense forms are all pronounced similarly (plead, breed, bleed), the spelling is different - there is an 'a' in 'plead'. Interesting that the present tense of another 'ea' verb pronounced 'ee' (read) only changes its pronunciation, not its spelling, when in the past tense - whereas 'lead' becomes 'led'. Not to say that a past-tense 'plead' pronounced 'pled' is valid - though there are a few instances of it. Isn't English wonderful?

As for our transatlantic friends' spelling: when their ancestors left this side of the Pond in the 17th century, they took with them a form of English spelling and pronunciation that was extant at the time. Language is constantly changing, so it is to be expected that subsequent changes would be different. A major influence on the west side of the Atlantic was one Noah Webster, who started compiling 'An American Dictionary of the English Language' in 1807 that was finally released in 1828. This is responsible for the loss of the 'u' in words like 'colour'; the substitution of 's' for 'c' in words like 'defence'; the reversal of the final letters 're' in words like 'theatre', among others. The rationale behind this was an attempt to simplify spelling by making it more phonetic.

So it's incorrect to say these spellings are wrong - just different, even though they may appear alien to some British eyes.

SteveGS

Re: Opportunity

Totally agree. While nobody here (I hope) would condone Mudd's actions, it must be taken into account he was only 15 when he committed this 'crime'. It just shows how cr4ppy and vulnerable some systems are that a kid can get in so easily. His 'penance' should be to write 'hardening' software for these vulnerable systems. In jail he'd just be bullied as a nerd and then get sucked into the underworld of the seriously bad.

Patch now! Joomla attacked in remote code execution blitzkrieg

SteveGS

Re: Temporary Mitigation

I think you need to do a lot more than that, to cover all permutations of HTML escape codes, etc. that the little slimebuckets might slip in. You should also cater for what they put into the URL bar (by grabbing $_SERVER['REQUEST_URI']), and what some browsers do with that information.

The problem with simply trying to catch the string 'eval' is that it can stymie the search engine because searches for 'devalue', 'medieval', 'evaluate' etc. will just kill the page. If they try sneaking in an HTML escape code, e.g. '%65val', that won't get caught. So we have to be a bit smarter, by using urldecode() to decode escape sequences and then remove ALL whitespace before testing. Then we can simply look for 'eval('. I didn't cater for search engines looking for 'base64' because my site isn't aimed at geeks! However, the following will also catch 'base%36%34', for instance.

Looking through my logs (on a Joomla site I help run, which is stuck on V1.5.26 because we can't find how to import its database into a later version), there were several hits from very old browsers, which would exploit any vulnerability. I took the site down as soon as I heard about this, installed the patch (to session.php) that Joomla released, and added the following right at the start of index.php for both the main site and /administrator. Comments should be self-explanatory.

```php
/* Try to catch any attempt to inject malware.
   First set up an array of possible whitespace they might use, and then replace anything in that array with nulls */
// Control characters are double-quoted so PHP treats them as a real tab, newline and
// vertical tab; in single quotes they would be a literal backslash followed by a letter.
$whitespace = array(' ', '%20', '+', ' ', '%09', "\t", "\n", '<br>', '<br />', '<br/>', '%12', "\v");

/* Use urldecode() to catch any attempt to disguise nasties, then strip whitespace
   (decoding first, so that encoded whitespace is removed as well).
   The header may be missing altogether, so default to an empty string. */
$asd = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
$asd = urldecode($asd);
$asd = str_ireplace($whitespace, '', $asd);

/* Need to use urldecode() twice for the URI:
   First get round browsers escaping % twice - '%2534' should reduce to '4', and also get things like chevrons back */
$bsd = urldecode(urldecode($_SERVER['REQUEST_URI']));

// Now replace whitespace with nulls as before....
$bsd = str_ireplace($whitespace, '', $bsd);

$rsd = $_SERVER['REMOTE_ADDR'];

// Known baddies - note use of === 0 to catch only those that start with the test strings
if ( ($rsd == '74.3.170.33') || (strpos($rsd,'146.0.72.') === 0) || (strpos($rsd,'194.28.17') === 0) )
    die();

// Catch attempts to inject eval(base64()) scripts through the user agent or URI.
// stripos() is used because PHP function names are case-insensitive, so 'EVAL(' must match too.
if ( (strlen($asd) > 255) || (stripos($asd,'base64') !== false) || (stripos($asd,'eval(') !== false) ||
     (strlen($bsd) > 255) || (stripos($bsd,'base64') !== false) || (stripos($bsd,'eval(') !== false) )
    die();
```

I also run a Wordpress site which is up-to-date, but as a precaution I put the above code at the top of both the root and /wp-admin index.php files.
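A generalised form of the filter described in the post above, as an added example (not SteveGS's code and not Joomla's): it decodes until the value stops changing instead of a fixed two passes, and runs against sample URIs. The function names and every sample input are constructed for illustration.

```php
<?php
// Added example; helper names and sample URIs are constructed for illustration.

// Percent-decode until the value stops changing (bounded), so single, double
// or deeper encoding all reduce to the same text, then drop <br> variants and
// every whitespace or control character.
function normalise_input($raw, $maxRounds = 5) {
    $value = (string) $raw;
    for ($i = 0; $i < $maxRounds; $i++) {
        $decoded = urldecode($value);
        if ($decoded === $value) {
            break;
        }
        $value = $decoded;
    }
    $value = preg_replace('#<br\s*/?>#i', '', $value);
    return preg_replace('/[\s\x00-\x1f\x7f]+/', '', $value);
}

// True when the normalised value is over-long or contains a marker.
// stripos() because PHP resolves function names case-insensitively.
function looks_like_injection($raw, $maxLen = 255) {
    $value = normalise_input($raw);
    if (strlen($value) > $maxLen) {
        return true;
    }
    foreach (array('eval(', 'base64') as $marker) {
        if (stripos($value, $marker) !== false) {
            return true;
        }
    }
    return false;
}

// Constructed samples: input => verdict the filter is expected to give.
$samples = array(
    '/index.php?searchword=medieval+history'  => false,
    '/index.php?searchword=devalue'           => false,
    '/index.php?x=%65val%20%28foo'            => true,
    '/index.php?x=EVAL%2528foo'               => true,
    '/index.php?x=base%36%34_decode'          => true,
    '/index.php?searchword=medieval+(period)' => true, // false positive
);
foreach ($samples as $input => $expected) {
    $got = looks_like_injection($input);
    printf("%-42s %-6s %s\n", $input, $got ? 'block' : 'allow',
        $got === $expected ? 'as expected' : 'UNEXPECTED');
}
```

The last sample shows the cost of stripping whitespace before matching: a search for 'medieval (period)' collapses to 'medieval(period)' and is blocked along with the real attempts.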
