lucumr

Finally I’ve made the Matura :D I got a “Guter Erfolg”, I would have got a “Ausgezeichneter Erfolg” if there wasn’t the huge amout of spelling mistakes I made in my written German exam. But I’m happy nevertheless.

Especially the oral Matura was just awesome. Because I wrote a so called “Fachbereitsarbeit” in computer science i had one written exam less than normal. So I only had English, Maths and German as written subjects and Religion, English and computer science as oral subjects. So as you can see darn simple matura, especially because in Austria you can choose one out of two general questions and a special question out of your special subject you worked out the weeks before the Matura.

My topic for the computer science “Fachbereichsarbeit” was security in web applications and apparently my presentation was that impressive that I got some applause which was a very, very cool experience. I had one of the last exams and usually the teachers and the examiner are already so bored that nobody listens to your ten-minute talk. It’s a really cool feeling that you were able to somehow impress the persons in the room.

I still don’t know the final results but I know that I got a “Guter Erfolg” which is the second best result you can get.

Plans for the next two weeks: Off to Ios with friends :-) and relaxing. So basically off from Sunday the first till Friday the 13th :-)

Georg Brandl with whom I work together at various open source projects hosted on pocoo.org now runs a blog at pyside.blogspot.com. He’s currently working on the new python documentation, and also the lead developer of the pygments source highlighter. Cool stuff!

Happy blogging Georg :-)

Looks like the Ruby XMLRPC implementation still has a vulnerability:

#!/usr/bin/env ruby
require 'xmlrpc/server'

class TestHandler
  def foo
    42
  end
end

if __FILE__ == $0
  srv = XMLRPC::Server.new(5000)
  srv.add_handler('test', TestHandler.new)
  srv.serve
end

Connecting to it with the python shell now does this:

>>> from xmlrpclib import ServerProxy
>>> p = ServerProxy("http://localhost:5000/")
>>> p.test.send('foo')
42
>>> p.test.send('`', 'echo "Shit"')
'Shit\n'

And something tells me there is no way to avoid this problem, so better just not use add_handler with a class. Explicit is better than implicit.

Update after some googeling i found someone that discovered the same: Ruby, Python, and an XML-RPC Server Arbitrary Shell Command Execution Flaw.

Today they released a new Wordpress version and there are a few security fixes in. Because I don’t feel like upgrading I patched the holes myself, here what you should fix if you use wordpress:

Look for that in wp-includes/class-phpmailer.php:

$sendmail = sprintf("%s -oi -f %s -t", $this->Sendmail, $this->Sender);

Those **** forgot to escape shell commands, they forward it to popen a few lines later. How stupid…? Here’s however is the fix:

$sendmail = sprintf("%s -oi -f %s -t",
    $this->Sendmail, escapeshellarg($this->Sender));

Then once again the xmlrpc.php file. Either delete it or make a cron that downloads the the most recent one automatically. They upgrade more escaping bugs then they actually announce…

And in the kubrick theme (if you use it or a derived theme) there is an XSS whole, they don’t escape REQUEST_URI, just replace

<?php echo $_SERVER['REQUEST_URI']; ?>

with

<?php echo htmlspecialchars($_SERVER['REQUEST_URI']); ?>

And the most interesting part about this update: security updates are marked as “minor”, a missing “<em>” is marked as major…

Update: they just inverted the colors… my fault