Centaur - a Four-wheeled Segway
Mr. Protocol writes "Segway, the folks who brought you the two-wheeled wonder called the IT, have a new concept vehicle up on their website. Called Centaur, it's a four-wheeled version of the IT that pulls stable wheelies by acting like a two-wheeled IT. The movie (Windows Media or Quicktime) shows someone having far too much fun riding one."
God is great
Yorkle!
Nah, probably not.
Date discovered: 10 Oct. 2004
Severity: Critical
Synopsis
The popular "Last Measure" PHP script, commonly used by trolls and script kiddies, contains unique features including the logging of referer information (for both URLs and the username of the poster), the IP address of the victim, and the victim's clipboard contents (the code only works with versions of Internet Explorer running on Windows XP or earlier without Service Pack 2, even though there are similar ways to get clipboard information from Mozilla-based browsers).
One part of the script, a database browser for victims' clipboard contents, contains hastily written code (authored by Rucas) that can be exploited to execute arbitrary MySQL commands via modification of the variables passed in an HTTP GET request.
Proof of Concept
A normal GET request to look at a specific database entry looks like this:
A stray "%0a" is interpreted literally as a command separator, which allows other commands to take place (an error message may result for the command that is supposed to run, but all other commands will run).
Solution
It is highly recommended that the "Last Measure" script be disabled completely (or that the database functionality be disabled) until a patch is released. Contact the developers at lastmeasure.com if you have any concerns.
(vulnerability found by the people here)
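A defender-side check for the request pattern the comment above describes, as an added example that is not part of the original comment or of the script it discusses: it scans web access logs for GET parameters that carry an encoded newline (`%0a`) or a non-numeric entry selector. The log lines are constructed, and the path `/browse.php` and the parameter name `id` are hypothetical, since the comment does not give them.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (combined log format). The path and the
# "id" parameter name are hypothetical; the comment does not give them.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2004:13:55:36 +0000] "GET /browse.php?id=42 HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Oct/2004:13:56:02 +0000] "GET /browse.php?id=42%0aSELECT+1 HTTP/1.1" 200 87',
    '203.0.113.9 - - [10/Oct/2004:13:56:40 +0000] "GET /browse.php?id=7%0A HTTP/1.1" 200 87',
    '203.0.113.7 - - [10/Oct/2004:13:57:11 +0000] "GET /index.php?page=about HTTP/1.1" 200 900',
]

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|HEAD) (\S+) HTTP/[\d.]+"')
ENCODED_NEWLINE_RE = re.compile(r'%0[ad]', re.IGNORECASE)
NUMERIC_PARAMS = {"id"}  # parameters expected to hold a bare integer (assumption)


def inspect_line(line):
    """Return a list of (client, param, reason) findings for one log line."""
    m = REQUEST_RE.match(line)
    if not m:
        return []
    client, target = m.groups()
    raw_query = urlsplit(target).query
    findings = []
    # Look at the raw, still percent-encoded value so %0a / %0d is visible.
    for pair in raw_query.split("&"):
        name, _, raw_value = pair.partition("=")
        if ENCODED_NEWLINE_RE.search(raw_value):
            findings.append((client, name, "encoded newline in value"))
    # Decoded check: an entry selector should consist of digits only.
    for name, value in parse_qsl(raw_query, keep_blank_values=True):
        if name in NUMERIC_PARAMS and not value.isdigit():
            findings.append((client, name, "non-numeric value"))
    return findings


def scan(lines):
    """Collect findings across all log lines, in order."""
    return [finding for line in lines for finding in inspect_line(line)]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The same digits-only rule is what the server side should enforce before the value reaches a query, together with bound parameters rather than string concatenation.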
Off topic. But, you missed Talk like a Pirate Day! by a few weeks.