SQL injection doesn't have anything to do with PHP. You can create query ("DELETE FROM "+user_supplied_var) and run it in any language - PHP, ASP, ASP.NET, perl, etc. If you want to shoot yourself in the leg, noone will stop you. PHP was just easy and very popular. Usually unexperienced developers create security problems, not the language itself.
Oh - I'm sure, that in the darkness of interwebs, there is some forgotten script, that includes file which name consists of one of GET attributes + ".asp". Yes - some web developers are that clueless. If I understand description correctly, exploit depends only on the name of included script. I suppose that's why it's marked "remote" by Secunia.
Anyone got IIS6 to try? Ahh... I forgot, it's slashdot:)
Maybe it's like that because we like to read subtitles and hear the original voice? Subs are MUCH better than dubbing. Most eng. speakers won't know what I'm talking about, because only 1% of movies you've seen were not in English (it was anime probably). Dubbing works for cartoons (some of them), but normal movies dubbing sucks.
Only place where I see this applicable is:
- take picture of a movie box in shop
- upload tag to torrent search site
- download results
- profit!
No need for... even.
RotT... nice memories...
On-topic:
In RotT you could bind left leg kick to some key and then switch main weapon to right leg kick - that made some good screenshot material when used at the same time:) Probably easter egg.
Should anything be improved about RPM at all?
It's good as it is. Especially with possibility to depend on library version instead of package (if used wisely by packager). It's fast as hell and packages are easier to make than.debs (been there, done that).
But I won't be ever using rpm based distro if I can. I've seen lately CentOS 4 and basically it looks like my old RH5. Every time I need some package, I have to look for yet another repository / single package on google, because official ones don't think it's nice to include stable mysql5, dar, jabberd, or any other package you want.
I don't see any problems with rpms as files. But as system packages? NO! I'd rather wait 3 times longer every run, until apt-get updates it's database, or just schedule packages info update for midnight for emerge.
Stats that do say something:
3 day old CentOS - 2 custom packages and 5 new repos for basic system - and it's not complete yet
2 year old ubuntu - 1 repo for author's own testing versions of 1 package
Hmm... browsing through it, I see, they list RH and Suse separately and Generic Linux somewhere at the bottom... For me it seems, that they added specific names and forgot to take down Generic thing. Some kind of editing mistake probably. We'll see about it in a couple of days, when they react in some way.
The real problem?
"MySQL Quietly Drops Support..." ?
Ok - so what should they do? Place posters all around your city saying "WE DROP SUPPORT FOR DEBIAN USERS!!!"? Yeah - that would be a great marketing move. Get real - they don't want to go on with Debian support dept., then it's their choice. They're creating a place for a new company, that will do support for those who want it.
With original lightbulbs, there must come original fingerprints...
Wait for big comeback of Edison in your local bank;) (btw: wasn't using Elvis' fingerprints when committing crime in movies an overused idea?)
Inferno (http://www.vitanuova.com/inferno/) is direct remake of Plan9 and seems just on time for VM systems wars. It has _really_ big adventage so far though... (as in - it works;), but also works as native OS, or from VM in any system, or IE browser even)
There's a difference between being narcissistic and being popular by showind what you're doing. Google shows its beta products and takes them down if they're not working out. Microsoft will or will not publish Singularity for the next 5 years probably. I haven't heard of other projects listed.
Meanwhile, I've seen google groups beta, I've used beta of picassa to publish pictures and used tons of others google products before they reached production-ready state and when they were really poor in features. Now I'm testing google code projects even though they're can be described as alpha stage, not beta. Google also wrote some articles and explained what are they doing and what is planned.
Singularity? We've seen some ideas, some graphs, but where is the development now? What is planned release date (even if missed by +4 years). Do you know anything about Singularity? http://research.microsoft.com/os/singularity/ here are the same informations provided in articles over and over again - nothing new - only that it's managed and will improve access rights and is based on microkernel - NOW THAT'S SURPRISING!
Now imagine, that you're hard as a piece of wood (stop thinking what I'm thinking), have no suspension (legs) and that you weight 300 pounds (not that I have any idea how much that is in your strange system - grow up people - start measuring weight in stones, like the rest of us in Drakalor Chain).
Now throw your imagination on the stairs from about 1,5m (that's 4,92125984 feet for SI impaired) - I'm sure there was a big chance, that your imagined stairs either were destroyed (wooden), or some chips fell off (stone).
No idea what system are you using, but if it's Linux, then try F-Spot (http://f-spot.org/Main_Page). It's basically Picasa, but:
uses labels (normal text ones) AND tags with tag hierarchy, so you can tag it with "My room" and it will also get parent tags "Home", "My city", "My country" and "Place". Any number of tags allowed, along with complex searches (("Grandma foo" OR "Grandma bar") AND EXCLUDE "My room" is possible)
has less "effects", but
has more sliders in color / contrast correction + histogram
supports camera and folder import
And yes - it has Picasaweb export!
Additionally it's a new project and is actively developed. Tags are kept in database, so network sharing will probably work with good configuration. Changes are kept like in Picasa - it always keeps the original file without modifications.
It's strange for me, that nobody mentioned.hack//SIGN, or Tad William's "Otherland" yet. We just need some comatose kids in front of screens...:)
Hmm... anyone seen a bracelet around?:)
Microsoft is banning 360 firmware modders Posted in Xbox 360, Hardware, Xbox Live by Curry on October 29th, 2006 at 18:13
After several months of silence it was more or less accepted that Microsoft wasn't going to do anything about the firmware hacks that allow Xbox 360s to play backups. Rather surprising, considering the 'inventor' of the hack confirmed in March already that the mods are easily detectable, and the reports that piracy is running rampant in countries like China. It appears that Microsoft is finally taking action against them though, although they may be hitting the wrong persons.
This thread on the official Xbox.com forums was started by Furydog, who posts with a completely empty gamer profile:
I have two xbox 360's and since Friday October 13 2006 I have not been able to connect with my two 360's. According to MS customer support my status codes indicate that I have MODDED 360's which I don't. I have contacted several different people and I only one person (GreenJohnny) has responded to me but he was not able to assist me. Although, he did confirm that the status codes I received indicate that my systems Mac addresses are banned because their supposedly MODDED.
Xbox Support stating there are status codes that indicate a machine was banned for modding? That's a new one. To further confirm the story ILBCNU from Xbox Support Staff responds to his post stating they are investigating the issue and apologizing for the problem. So yep, your modded Xbox 360 is now officially in risk of getting banned from Live or worse.
The fundamental problem with the firmware hack is that it's a so-called Man in the Middle attack on the system's security. Imagine a phone call between 2 English speaking people, and you've got control over the line in between. By cutting in at the right moments, you can make it appear to one of the participants that the other one is saying something to him, but it's actually you saying something else and making him believe that it's a valid response. That's a simplified explanation of how the hacked firmware works: it lies to the 360 kernel about what the disc is saying about its authenticity. Now imagine if both the speakers on that phone line suspected you were in the middle, and switched to speaking a slightly modified dialect. If you're still breaking in with the original dialect, it's easily detectable that you're trying to fool around. Back to the 360, since Microsoft still has absolute control over disc contents and the kernel code, they can simply change the dialect on both sides and thus detect firmware hacks. If they wish, they can take any action they want upon detection, ranging from the simple Xbox Live ban to even bricking your 360 or disabling it to run any newly released games.
There is something slightly fishy about the report though, being that it says the 360 is banned based on MAC address. Those of us familiar with the OSI model and common network implementations will immediately know this is not true, because MAC addresses are part of the Ethernet protocol and live on Layer 2, and never get routed over the internet. In simple terms: your 360s MAC address is not remotely identifiable. An option could be that the Xbox Live login code sends the MAC address itself to the Live servers to be able to uniquely identify the 360, but that would be plain silly since MAC addresses are known not to be unique: they only need to be unique within their physical subnet. A far more obvious solution on Microsoft's part would be to use the console serial number for this, which is embedded in the system anyway and truly unique.
Drowning firmware chips in epoxy didn't stop the modders...
Whatever the details, we can consider it a fact that MS is currently acting against modded Xbox 360s, and you should start worrying if you've got a firmware replacement in your concave box: the Empire is Striking Back.
Slashdot Mirror
SQL injection doesn't have anything to do with PHP. You can create query ("DELETE FROM "+user_supplied_var) and run it in any language - PHP, ASP, ASP.NET, perl, etc. If you want to shoot yourself in the leg, noone will stop you.
PHP was just easy and very popular. Usually unexperienced developers create security problems, not the language itself.
Oh - I'm sure, that in the darkness of interwebs, there is some forgotten script, that includes file which name consists of one of GET attributes + ".asp". Yes - some web developers are that clueless. If I understand description correctly, exploit depends only on the name of included script.
:)
I suppose that's why it's marked "remote" by Secunia.
Anyone got IIS6 to try?
Ahh... I forgot, it's slashdot
> IIS 6 hasn't had a public remotely exploitable bug in it. Ever.
;)
"Microsoft Internet Information Services ASP Code Buffer Overflow"
http://secunia.com/advisories/21006/
Software:
- Microsoft Internet Information Services (IIS) 5.x
- Microsoft Internet Information Services (IIS) 6
Impact:
- System access
- Security Bypass
Where:
- From remote
"hasn't had a public remotely exploitable bug"? Ever? Yes, of course - ever
Maybe it's like that because we like to read subtitles and hear the original voice?
Subs are MUCH better than dubbing. Most eng. speakers won't know what I'm talking about, because only 1% of movies you've seen were not in English (it was anime probably). Dubbing works for cartoons (some of them), but normal movies dubbing sucks.
Seems it's not server problem (not for all at least):
Citing board post
"[...]This is a nasty ICQ6 bug, but it is fixed with a complete uninstall of all user data and reinstall.[...]"
Some other users also say that it helped. Maybe it's an organized hoax, but whatever. You may want to backup your data and try.
We'll never know for sure... you can't kill Christopher Reeve twice.
Oh yeah... ...
- check preview before posting
-
- profit
Only place where I see this applicable is: - take picture of a movie box in shop - upload tag to torrent search site - download results - profit! No need for ... even.
In Soviet Russia overlord welcomes you!
RotT... nice memories... On-topic: In RotT you could bind left leg kick to some key and then switch main weapon to right leg kick - that made some good screenshot material when used at the same time :) Probably easter egg.
If AAC has license fees, why does http://www.audiocoding.com/ give faac & faad for free?
"PHP is not a real language" flame war starts in: 5, 4, 3, 2...
Mod parent funny, damn it!
It deserves Zaphod's name! They both do... (tagged: zaphod)
Anyway - what are the chances, that it fell from sky, when the improbability shields weren't up?
It's good as it is. Especially with possibility to depend on library version instead of package (if used wisely by packager). It's fast as hell and packages are easier to make than
But I won't be ever using rpm based distro if I can. I've seen lately CentOS 4 and basically it looks like my old RH5. Every time I need some package, I have to look for yet another repository / single package on google, because official ones don't think it's nice to include stable mysql5, dar, jabberd, or any other package you want.
I don't see any problems with rpms as files. But as system packages? NO! I'd rather wait 3 times longer every run, until apt-get updates it's database, or just schedule packages info update for midnight for emerge.
Stats that do say something:
Hmm... browsing through it, I see, they list RH and Suse separately and Generic Linux somewhere at the bottom... For me it seems, that they added specific names and forgot to take down Generic thing.
Some kind of editing mistake probably. We'll see about it in a couple of days, when they react in some way.
The real problem?
"MySQL Quietly Drops Support..." ?
Ok - so what should they do? Place posters all around your city saying "WE DROP SUPPORT FOR DEBIAN USERS!!!"? Yeah - that would be a great marketing move. Get real - they don't want to go on with Debian support dept., then it's their choice. They're creating a place for a new company, that will do support for those who want it.
With original lightbulbs, there must come original fingerprints... ;) (btw: wasn't using Elvis' fingerprints when committing crime in movies an overused idea?)
Wait for big comeback of Edison in your local bank
Inferno (http://www.vitanuova.com/inferno/) is direct remake of Plan9 and seems just on time for VM systems wars. It has _really_ big adventage so far though... (as in - it works ;), but also works as native OS, or from VM in any system, or IE browser even)
There's a difference between being narcissistic and being popular by showind what you're doing. Google shows its beta products and takes them down if they're not working out. Microsoft will or will not publish Singularity for the next 5 years probably. I haven't heard of other projects listed.
Meanwhile, I've seen google groups beta, I've used beta of picassa to publish pictures and used tons of others google products before they reached production-ready state and when they were really poor in features. Now I'm testing google code projects even though they're can be described as alpha stage, not beta. Google also wrote some articles and explained what are they doing and what is planned.
Singularity? We've seen some ideas, some graphs, but where is the development now? What is planned release date (even if missed by +4 years). Do you know anything about Singularity? http://research.microsoft.com/os/singularity/ here are the same informations provided in articles over and over again - nothing new - only that it's managed and will improve access rights and is based on microkernel - NOW THAT'S SURPRISING!
So what's the situation here? Did Asus get licence for embedding skype technology in hardware? Or did they just learn how to use it?
Then they've got another 372183628 of them on the production line, ready for cheap shipping to every major US and EU reseller...
Now imagine, that you're hard as a piece of wood (stop thinking what I'm thinking), have no suspension (legs) and that you weight 300 pounds (not that I have any idea how much that is in your strange system - grow up people - start measuring weight in stones, like the rest of us in Drakalor Chain).
Now throw your imagination on the stairs from about 1,5m (that's 4,92125984 feet for SI impaired) - I'm sure there was a big chance, that your imagined stairs either were destroyed (wooden), or some chips fell off (stone).
And yes - it has Picasaweb export!
Additionally it's a new project and is actively developed. Tags are kept in database, so network sharing will probably work with good configuration. Changes are kept like in Picasa - it always keeps the original file without modifications.
It's strange for me, that nobody mentioned .hack//SIGN, or Tad William's "Otherland" yet. We just need some comatose kids in front of screens... :)
Hmm... anyone seen a bracelet around? :)
Microsoft is banning 360 firmware modders
Posted in Xbox 360, Hardware, Xbox Live by Curry on October 29th, 2006 at 18:13
After several months of silence it was more or less accepted that Microsoft wasn't going to do anything about the firmware hacks that allow Xbox 360s to play backups. Rather surprising, considering the 'inventor' of the hack confirmed in March already that the mods are easily detectable, and the reports that piracy is running rampant in countries like China. It appears that Microsoft is finally taking action against them though, although they may be hitting the wrong persons.
This thread on the official Xbox.com forums was started by Furydog, who posts with a completely empty gamer profile:
I have two xbox 360's and since Friday October 13 2006 I have not been able to connect with my two 360's. According to MS customer support my status codes indicate that I have MODDED 360's which I don't. I have contacted several different people and I only one person (GreenJohnny) has responded to me but he was not able to assist me. Although, he did confirm that the status codes I received indicate that my systems Mac addresses are banned because their supposedly MODDED.
Xbox Support stating there are status codes that indicate a machine was banned for modding? That's a new one. To further confirm the story ILBCNU from Xbox Support Staff responds to his post stating they are investigating the issue and apologizing for the problem. So yep, your modded Xbox 360 is now officially in risk of getting banned from Live or worse.
The fundamental problem with the firmware hack is that it's a so-called Man in the Middle attack on the system's security. Imagine a phone call between 2 English speaking people, and you've got control over the line in between. By cutting in at the right moments, you can make it appear to one of the participants that the other one is saying something to him, but it's actually you saying something else and making him believe that it's a valid response. That's a simplified explanation of how the hacked firmware works: it lies to the 360 kernel about what the disc is saying about its authenticity. Now imagine if both the speakers on that phone line suspected you were in the middle, and switched to speaking a slightly modified dialect. If you're still breaking in with the original dialect, it's easily detectable that you're trying to fool around. Back to the 360, since Microsoft still has absolute control over disc contents and the kernel code, they can simply change the dialect on both sides and thus detect firmware hacks. If they wish, they can take any action they want upon detection, ranging from the simple Xbox Live ban to even bricking your 360 or disabling it to run any newly released games.
There is something slightly fishy about the report though, being that it says the 360 is banned based on MAC address. Those of us familiar with the OSI model and common network implementations will immediately know this is not true, because MAC addresses are part of the Ethernet protocol and live on Layer 2, and never get routed over the internet. In simple terms: your 360s MAC address is not remotely identifiable. An option could be that the Xbox Live login code sends the MAC address itself to the Live servers to be able to uniquely identify the 360, but that would be plain silly since MAC addresses are known not to be unique: they only need to be unique within their physical subnet. A far more obvious solution on Microsoft's part would be to use the console serial number for this, which is embedded in the system anyway and truly unique.
Drowning firmware chips in epoxy didn't stop the modders...
Whatever the details, we can consider it a fact that MS is currently acting against modded Xbox 360s, and you should start worrying if you've got a firmware replacement in your concave box: the Empire is Striking Back.
Many thanks to Puma81 for the link!