
SANS ISC InfoSec Handlers Diary Blog



SQL Injection: Wordpress 3.0.2 released

Published: 2010-12-02
Last Updated: 2010-12-02 17:25:16 UTC
by Kevin Johnson (Version: 1)
1 comment(s)

Wordpress has released a new version, 3.0.2, to fix a SQL injection flaw. According to reports, this flaw is present in all previous versions of the codebase, which means that if you are running Wordpress, you must update. Exploitation requires author-level permissions, but personally I would not depend on that to protect myself. More information is available here.


ProFTPD distribution servers compromised

Published: 2010-12-02
Last Updated: 2010-12-02 14:36:49 UTC
by Kevin Johnson (Version: 1)
2 comment(s)

It was announced that the source for ProFTPD was compromised and a back door was inserted. The attacker compromised the main ftp.proftpd.org site on November 28, 2010. This site is also the main rsync server, which means that anybody who downloaded ProFTPD between then and December 1, 2010 is potentially running a version with the backdoor code. According to reports, this compromise was performed through an unpatched vulnerability within ProFTPD itself, so even if you did not install the backdoored version, you may be running vulnerable software.

More information is available here.

Kevin Johnson

Secure Ideas


Robert Hansen and our happiness

Published: 2010-12-02
Last Updated: 2010-12-02 03:15:44 UTC
by Kevin Johnson (Version: 1)
8 comment(s)

So as it’s my first shift as handler of the day, I was worried whether I would be able to live up to the bar the handlers have set in diaries and days past. This started a train of thought that was accelerated by Robert “RSnake” Hansen’s 1000th and final post on http://ha.ckers.org today. I am sure that everyone reading this is aware of who Robert is, but in case you have been under a rock for the last many years or are just not involved in web application security: Robert is one of the giants upon whose shoulders we all stand. Robert has helped XSS, SQLi and XSRF become terms that the business people we deal with understand. He has also fostered an environment where people share tips and tricks and encourage each other to become better.

In his last blog post on the site, Robert discusses how he needs to follow his happiness and that this is the main reason he is stepping out of the limelight. (Yes, this blog post does continue shining the light on him a bit, but I think it’s OK this once.) He brings up a point that I have discussed with many people. What happens when this isn’t fun anymore? While I am sure that rooting boxes and yanking data through a web application will cause me to giggle for years into the future, how do we ensure that the people we have managing and monitoring our security are still enjoying what they do?

It’s also funny that this comes up at the same time that the mainstream news outlets are discussing browsing history attacks using JavaScript and CSS. This is an attack we have discussed for a long while now, but since it’s been found in the wild being used by advertising and adult sites, maybe we will see some more movement on fixing it.

Thoughts?

Kevin Johnson