XSS Exploits in Wordpress Themes

June 21st, 2009

I found a family of Cross-site Scripting (XSS) Vulnerabilities while checking out Wordpress themes.

An XSS vulnerability is where a site allows a hacker to spit back JavaScript of the hacker’s choosing to some innocent third-party, typically by way of some type of sneaky JavaScript injection that the site isn’t coded to protect against. The third-party’s browser executes the JavaScript as if it came from the site, which lets the injected script have access to any cookies that the third-party has with the site. The hacker stealthily retrieves the cookies, and it’s all downhill from there. Lost cookies can lead to lost passwords.

One of my longer-overdue tasks has been to get this site off of the default Wordpress theme. So I’ve slowly been checking out themes, taking notes of what I like, and kicking a few of them around on a private WP install on my laptop. Quite a few themes are fodder for XSS attacks, by way of incorrectly sanitized search pages.

Here’s how to tell if the theme you’re looking at (or using!) is vulnerable to the XSS exploit. Type this into the search box:

<script>alert('xss');</script>

If you get a pop-up dialog that says ‘xss’, you’ve found a vulnerable theme. Repair the vulnerability before using the theme, or find a safer one.

To pick on one theme in particular (because it’s a nice theme, and the author hasn’t fixed the exploit or responded to my email), try this on the DePo Clean theme. Scroll to the bottom to get to the search box.

Fortunately, repairing the vulnerability is straightforward. Find and open search.php in the editor of your choice, then replace

<?php echo $s; ?>

with

<?php echo strip_tags($s); ?>

This prevents a script entered via search from being echoed back to the user.
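To show what the fix does and where its limit is, here is an added example (not code from the DePo Clean theme or from WordPress) that renders the search term the three ways a theme’s search.php might, in the two places themes usually echo it: the results heading and the search box’s value attribute. The function names and sample inputs are mine.

```php
<?php
// Added example, not code from the DePo Clean theme or from WordPress:
// the search term $s rendered raw, with strip_tags(), and HTML-encoded,
// in the two contexts a theme usually echoes it into. Function names
// and sample inputs are constructed for this example.

function enc(string $s): string {
    // Encode for HTML: < > & " ' all become entities, so the string is
    // shown as text whether it lands in element content or in a quoted
    // attribute, and is never parsed as markup.
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Text context: the "Search results for: ..." heading.
function heading_raw(string $s): string   { return "<h2>Search results for: $s</h2>"; }
function heading_strip(string $s): string { return "<h2>Search results for: " . strip_tags($s) . "</h2>"; }
function heading_enc(string $s): string   { return "<h2>Search results for: " . enc($s) . "</h2>"; }

// Attribute context: the search box pre-filled with the last query.
function input_strip(string $s): string { return '<input type="text" name="s" value="' . strip_tags($s) . '">'; }
function input_enc(string $s): string   { return '<input type="text" name="s" value="' . enc($s) . '">'; }

$probe  = "<script>alert('xss');</script>";   // the probe from the post
$quoted = 'foo" bar';                         // no tag to strip, but a quote

echo heading_raw($probe),   "\n";  // <h2>Search results for: <script>alert('xss');</script></h2>  -- browser runs it
echo heading_strip($probe), "\n";  // <h2>Search results for: alert('xss');</h2>                   -- tag removed
echo heading_enc($probe),   "\n";  // <h2>Search results for: &lt;script&gt;alert(&#039;xss&#039;);&lt;/script&gt;</h2>
echo input_strip($quoted),  "\n";  // <input type="text" name="s" value="foo" bar">  -- the value ends at foo
echo input_enc($quoted),    "\n";  // <input type="text" name="s" value="foo&quot; bar">
```

strip_tags() removes the <script> tag in the heading, which is the case the post tests for, but it leaves quotes alone, so if the theme also echoes $s into the search box’s value attribute, prefer htmlspecialchars() with ENT_QUOTES (or WordPress’s own esc_html() and esc_attr() helpers in newer versions) for every place the term is printed.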

And consider sending a note to the theme’s author. Fixing a problem at the source is usually best.

And no, no new theme here yet. Working on it.

A Word About Hospitals and Flowers

April 5th, 2009

The dread “____ is in the hospital” call came in early February. I spent parts of that month on airplanes, doing bedside duty, and taking care of things away from home. A few long weekends disappeared from the calendar, and a bunch of stuff I’d wanted to get done either went *poof* or caused cascading delays. Meanwhile, other, smaller emergencies didn’t get the memo about waiting their turn. It’s taken most of March to get back on top of things.

If you have friends and family, at some point the same might happen to you. One moment your life is chugging along, and the next you’re sitting in a hospital keeping someone company, or just being there for them while they go through a miserable, painful experience.

One lesson from this is that it’s important to have a way to quickly contact people who may be expecting things from you, so that they can know you’ll be unavailable and can make alternate plans. A quick exercise is to list all of the things you’re involved in, and who might be left hanging if you had to suddenly disappear. Do you have their contact info, or contact info for someone who can let other people know? Can you reach them if you don’t have net access?

The other lesson has to do with flowers.

The florist industry has spent a lot of advertising money conditioning us to send flowers when someone we’re close to goes into the hospital. From what I’ve seen hanging around a large hospital, that advertising paid off. Arrangements too large for one person to carry getting wheeled in; roses and daisies by the dozens; a large, heavily tattooed Yakuza wannabe carrying a dainty little arrangement in a tiny vase for his sick mother.

There are at least three problems here.

First, there’s not a lot of room in many hospital rooms. Surface space is at a premium. There’s no place for the flowers to go that doesn’t displace something else, and often that something else is medical. So expensive arrangements end up on the floor in the corner, out of the patient’s sight.

Second is the issue of pollen and smell. You’d think that people (or florists) would know not to send a mass of allergens into confined places where people might be having, say, respiratory problems. But it happens. And you don’t want the patient going into a sneezing fit when they’re hooked up to a bunch of tubes, or when they’re in traction. And we link smells to events. It isn’t nice to associate the smell of, say, roses with having an IV needle changed and being woken up at all hours for blood pressure checks.

Third is the “no flowers” policy in some wards that will leave you stuck with a bill for flowers that the florist couldn’t deliver, or which a nurse immediately redirected to a trash can outside. An expensive gesture, wasted.

So when someone you love goes into the hospital, think twice about sending flowers. If you can, coordinate and send one small, neutral arrangement. Cards are good. Send cards.

By the time you start to notice

January 31st, 2009

In a short lightning interview that Ward Cunningham did with Ron Jeffries and Chet Hendrickson, Chet has this to say about Technical Debt (emphasis mine):

“Our experience has been that by the time you start to notice that the code needs to be cleaned up, you’ve already lost a lot of time because of it, and it’s almost impossible to ever get back to where you were. We actually believe that you can never be as clean by going back a month or a week later and cleaning up than you could if you just cleaned up as you went.”

“By the time you start to notice” is a challenge. You either have to be so clean in your coding practices that you never present yourself with the need to notice problems, or you have to develop your ability to notice problems so that you can spot them sooner. I’ve never seen a team—even one doing TDD and refactoring in earnest—manage to stay completely clean, so it would seem that developing noticing skills, and helping teams develop willpower, is the way to go.

Configuration needs testing, too

January 31st, 2009

This morning Google pushed a bad configuration file used by search, and for 55 minutes all search results came back with a “this site may harm your computer” warning.

Oops.

A timely reminder that configuration needs testing, too.

The question that you need answered before you push is “will the application configured in this new way behave the way I expect it to?” The details of how you’ll test to answer that question will depend on the nature of your application and its configuration data, but will probably include some tests against possible misconfigurations. In Google’s case, where the configuration error was essentially an accidental wildcard in a blacklist, a simple “verify that there isn’t a wildcard here” test would have saved them some embarrassment.
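As an added example of the kind of pre-push check the paragraph above asks for (not code from the post or from Google’s system), here is a small PHP script that loads a URL blocklist, refuses entries that would match every URL, and confirms that a few known-good canary pages are still not flagged. The list format, the substring matcher, and the canary URLs are assumptions made for this example.

```php
<?php
// Added example, not from the post or from Google's system: a pre-push
// sanity test for a URL blocklist of the kind the post describes. The
// list format (one entry per line, matched as a substring of the URL)
// and the canary URLs are assumptions made for this example.

// Parse the blocklist text, dropping blank lines and '#' comments.
function load_blocklist(string $text): array {
    $entries = [];
    foreach (preg_split('/\R/', $text) as $line) {
        $line = trim($line);
        if ($line !== '' && $line[0] !== '#') $entries[] = $line;
    }
    return $entries;
}

// Assumed matcher: a URL is flagged when any entry occurs within it.
function url_is_flagged(string $url, array $entries): bool {
    foreach ($entries as $e) {
        if (strpos($url, $e) !== false) return true;
    }
    return false;
}

// The "verify that there isn't a wildcard here" test, in two layers: a
// structural check for entries that obviously match everything, and an
// empirical check that known-good canary pages are still not flagged,
// which catches catch-alls the structural rules did not anticipate.
// Returns the problems found; an empty list means the push may proceed.
function check_blocklist(array $entries, array $canaries): array {
    $problems = [];
    foreach ($entries as $e) {
        if (in_array($e, ['*', '/', '.', 'http://', 'https://'], true)) {
            $problems[] = "catch-all entry '$e'";
        }
    }
    foreach ($canaries as $url) {
        if (url_is_flagged($url, $entries)) {
            $problems[] = "canary page would be flagged: $url";
        }
    }
    return $problems;
}

// Constructed input: one accidental '/' among otherwise specific entries.
$text = "# known-bad URL fragments\nmalware.example/dl/\n/\nbad.example/\n";
$canaries = ['http://www.example.com/', 'https://example.org/search?q=test'];
foreach (check_blocklist(load_blocklist($text), $canaries) as $problem) {
    echo "REFUSING TO PUSH: $problem\n";
}
```

With the constructed list above the script reports the '/' entry once structurally and once per canary page, so the bad file never reaches production.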

Are there simple tests that could save you from embarrassment?

A Hardware Interlude, With Pliers

December 12th, 2008

When it came time to replace my always-on home Linux box, I settled on the Intel Atom in its dual-core flavor, and set about building a small system based on Intel’s D945GCLF2 motherboard. The idea of a system that draws 45 watts when running full out was compelling.

I also wanted quiet. Several reports noted that the fan that comes on the board is noisy. The guy at the local computer store who sold me the parts confirmed the problem, and handed me a Zalman ZM-NBF47 fanless northbridge cooler as a replacement.

When I put the system together, it looked like the Zalman wouldn’t fit. The CPU heatsink blocks one orientation, and RAM blocks the other. So I left the stock heatsink/fan in place. Big mistake. Lots of noise.

After a bit of head scratching and some Googling, I found the trick.

First, mount the clips on the Zalman and bring them out on a diagonal. Then, with needle-nosed pliers, bend the hooks backwards like this:

Zalman heatsink with hooks twisted backwards

Next, remove the stock northbridge heatsink and fan, clean off the old thermal grease, and lay down a new coat from the tube that comes with the Zalman. Set the Zalman down diagonally, and attach it through the back side of the hooks on the motherboard, like this:

Zalman heatsink hooked onto Motherboard

It’s a tight fit. There’s less than 1/8″ clearance between the Zalman and the RAM stick, and I bent a few of the fins up so that they wouldn’t touch the CPU heatsink. The Zalman is quite warm to touch, so you’ll want a case with good ventilation.

The result, with the board in a case with a fanless quiet power supply, is a very quiet system. If I listen, I can hear the disk spinning, but that’s it. Bliss.

I’m sure that replacing the stock heatsink/fan voided the warranty on the board, but if you insist on quiet, it’s worth the risk.

The D945GCLF2 with 2GB seems to run Ubuntu 8.10 without any problems. The onboard video drives a 1600×1200 LCD reasonably well, though there’s no mistaking it for a gaming box. I haven’t tried audio yet. One pleasant surprise was checking /proc/cpuinfo and finding four processors listed instead of the two I expected. Each core is hyper-threaded.

Addenda: There’s a good discussion on quieting this board at silentpcreview.com. Note in particular concerns about how hot the chipset runs, and assumptions about the fan providing cooling for the passive heatsink next door. Taking a closer look at the power supply in my box, I found that it had a very quiet fan that provided airflow over the southbridge heatsink. If you don’t have airflow, the ZM-NBF47 might not be what you want.

A discussion on the Ubuntu forums has instructions for enabling lm-sensors so that you can see the chip temperatures.

The Bedside Reading Pile Revisited

November 24th, 2008

It’s been a year and a half since the last snapshot of what I’ve been reading. Since the pile is threatening to fall over again, now is a good time for an update.

Bedside Books 11/08

The only active book in the pile is Algorithms in a Nutshell. It’s a good refresher on how to analyze algorithms, but isn’t a broad survey.

Lea’s Concurrent Programming in Java and Bloch’s Effective Java (second edition) came off the shelf a few nights ago so that I could refresh myself on multi-threaded programming in Java. (I’ve since ordered the second edition of Lea’s book, since a few useful things like java.util.concurrent have happened since the first edition.)

Poppendieck’s Lean Software Development: An Agile Toolkit came off the shelf last week for a reference check on Value Stream Mapping. If you’re an Agilist who hasn’t yet read any Lean literature, this is a good place to start.

The only book in the pile that I have any issue with is jQuery in Action. There’s a trend in technology reference books toward lighthearted prose. In this case, I thought that wit and humor got in the way of clear, unambiguous writing. Still, it’s a good introduction to an awesome JavaScript framework.

Michael Feathers’ Working Effectively with Legacy Code has been cycled in and out of the bedside pile several times. I highly recommend it if your life takes you near large piles of code that you didn’t have a hand in creating.

Tom Vanderbilt’s Traffic: Why We Drive the Way We Do was an insightful read, with interesting parallels to software development. I’ll have more to say about that later.

Crockford’s JavaScript: The Good Parts is worthwhile if you do any work in the browser and find yourself swearing at JavaScript. Crockford sketches out a safe subset of the language. You’ve got to love a book that has appendices named “Awful Parts” and “Bad Parts”. And if you’re doing web work and don’t know about the various cross-site scripting vulnerabilities, stop now and get a copy of Foundations of Security: What Every Programmer Needs to Know. It’ll give you a good scare.

As evidence that I actually do read fiction, there’s Terry Pratchett’s Making Money, a fun read that explores the philosophy of the Gold Standard as it evolves into something else on Discworld. That one goes near the bottom of my top ten favorite Pratchetts.

Near the top right are several lateral thinking and math puzzle books that I got to keep the family occupied during some long plane flights this summer.

There are two management books in the pile, even though I’m not managing right now. It’s a hard habit to shake off.

The only unread book in the pile is Peter Walsh’s It’s All Too Much: An Easy Plan for Living a Rich Life With Less Stuff. Recommended by several friends. I’m kind of worried that my “stuff” includes way too many books.