JavaScript eval() is EVIL

The blogosphere is full of mentions of the worm that is attacking old versions of the WordPress blog platform, and of the attack on the popular Scobleizer blog. I was reading about it over the weekend, particularly how the worm works, what it does, how to prevent it and how to recover from it.

As Matt Mullenweg, creator of WordPress, puts it: “This particular worm, like many before it, is clever”. One of the things it does is changing the links of the blog to something like this:

/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/

and this in turn causes the evaluated string to be executed as code. eval is evil, huh? Although it's nothing new, it is still quite cunning. The eval() function evaluates a string and executes it as if it were script code. This means that when a user clicks the link on the affected blog, arbitrary JavaScript code will run in the user's browser. Not good.

http://wordpress.org/development/2009/09/keep-wordpress-secure/

http://lorelle.wordpress.com/2009/09/04/old-wordpress-versions-under-attack/
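As an added illustration (not code from the post or from WordPress), here is a small JavaScript scanner that flags permalinks carrying the eval()/base64_decode() pattern quoted above. It percent-decodes each link repeatedly, so double-encoded variants are caught too; the sample link list and the signature names are constructed for this example.

```javascript
// Added example: flag blog links that carry an eval()/base64_decode() payload
// like the one the WordPress worm injected. Not the worm's code and not WordPress code.
const SIGNATURES = [
  { name: "eval-call", re: /\beval\s*\(/i },
  { name: "base64-decode", re: /\bbase64_decode\s*\(/i },
  { name: "server-superglobal", re: /\$_SERVER\b/ },
];

// Decode only well-formed %XX sequences. decodeURIComponent() would throw on
// the worm link ("%&(" is not a valid escape), so we decode byte by byte instead.
// Non-ASCII bytes come back as Latin-1 characters, which is fine for matching.
function tolerantDecode(s) {
  return s.replace(/%([0-9A-Fa-f]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// Keep decoding until the string stops changing (bounded, to cover double encoding).
function fullyDecode(s, maxRounds = 5) {
  let current = s;
  for (let i = 0; i < maxRounds; i++) {
    const next = tolerantDecode(current);
    if (next === current) break;
    current = next;
  }
  return current;
}

// Returns the names of the signatures that match the decoded link.
function scanLink(url) {
  const decoded = fullyDecode(url);
  return SIGNATURES.filter(s => s.re.test(decoded)).map(s => s.name);
}

// Constructed sample: one clean permalink, the pattern from the post,
// and a double-encoded variant where "eval" itself is hidden as %2565%2576%2561%256C.
const SAMPLE_LINKS = [
  "/2009/09/keep-wordpress-secure/",
  "/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/",
  "/post-title/%2565%2576%2561%256C(base64_decode($_SERVER%255BHTTP_REFERER%255D))/",
];

// Report every link that matched at least one signature.
function findInfectedLinks(links) {
  return links.map(url => ({ url, hits: scanLink(url) })).filter(r => r.hits.length > 0);
}

console.log(findInfectedLinks(SAMPLE_LINKS)); // two of the three sample links are flagged
```

Running this over a dump of a blog's permalinks (or the request URIs in the web server log) is a quick way to tell whether a site has been hit.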

Apple product announcements

Last night came the new Apple product announcements. During the keynote, several web sites had live feeds, among them MacRumors. They got hacked, and this is how it started:

[Image: goofed-up MacWorld live feed, marked up]

Hehe, damn pirates!

Among the announcements I like the idea of organizing photos in iPhoto by face (using face detection). That’s just cool.

Some of the announcements are described here.

DA-Op3n CTF contest

I was happy to know my team finished 9th in the DA-Op3n CTF contest. It’s not on the top three but there were some nice teams out there :)

I think the contest was very well organized. We had a status page to check how teams were doing in keeping their services up. We had a script to report vulnerabilities in the services and a public list of advisories reported. Besides this we had graphs in nearly real-time displaying the number of captured flags per service or the current team ranking. Some of the undiscovered holes are now documented.

These graphs are plotted from data in a database that is fed by the scoring bot, which periodically checks all services and awards points to a team if its services are running or if it has cracked another team's services.


Secure Virtual Machine Images of XP and Vista (by NIST)

Via the DDJ’s Portal Blog, it seems that the National Institute of Standards and Technology (NIST) is providing “virtual machine images” of secure configurations of Windows XP and Vista.

The images contain pre-configured security settings for agencies to use when testing and evaluating their applications to ensure they function effectively and securely during migration to these new operating systems.