  1. Fixed a simple security hole in , uncovered unintentionally by an attack mounted ≈5hrs ago — intent appeared to be to create new user accounts, unintended result was the creation of a new, empty article.

    Hundreds of requests were made against URLs similar to these:

    • /articles/do.php
    • /articles/modules.php?app=user_reg
    • /articles/index.php?app=home&mod=public&act=register
    • /action/sign_up
    • /articles/sign_up.html
    • /articles/?page=login&cmd=register
    • /articles/tiki-register.php
    • /articles/index.php?page=register&action=register
    • /index.php?page=item&action=item_add
    • /articles/index.php?user/create_form/
    • /articles/join.php
    • /articles/index.php?dll=register
    • /articles/index.php?option=com_community&view=register
    • /articles/register.php
    • /articles/signup.php

    Presumably these URLs are compromised on other systems — needless to say they are far too ugly to exist in ! I’m unsure exactly why /articles was used as the base URL for the attack in all cases apart from two.

    As these URLs don’t exist, and will never exist, it should be safe enough to add server- or application-level filters immediately closing any requests which include them.
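An added example of such a filter, not code from the site described in the note: it recognises the probe URLs listed above under any path prefix (a slight generalisation of the list) and tallies them per client address from access-log lines. The regex, the log lines and the addresses are constructed here for illustration.

```python
import re
from collections import Counter

# Built from the probe URLs listed in the note: a registration-style filename under any
# prefix, a query parameter naming a register/signup action, or the odd "?user/create_form/".
PROBE_RE = re.compile(
    r"/(?:do|join|register|signup|sign_up|tiki-register)\.(?:php|html)(?:\?|$)"
    r"|/action/sign_up(?:\?|$)"
    r"|[?&](?:app=user_reg|act=register|action=(?:register|item_add)|cmd=register"
    r"|dll=register|view=register)(?:&|$)"
    r"|\?user/create_form/"
)

# Common-log-format prefix: client address, then the request line's method and target.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def is_probe(target):
    """True if a request target (path plus query) matches one of the known probe URLs."""
    return bool(PROBE_RE.search(target))


def probe_hits(log_lines):
    """Count probe requests per client address; a burst from one address is the pattern seen here."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and is_probe(m.group(2)):
            hits[m.group(1)] += 1
    return hits


# Constructed sample log (documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2013:10:00:01 +0000] "GET /articles/register.php HTTP/1.1" 404 169
203.0.113.7 - - [01/Jan/2013:10:00:02 +0000] "POST /articles/index.php?app=home&mod=public&act=register HTTP/1.1" 200 512
198.51.100.4 - - [01/Jan/2013:10:00:03 +0000] "GET /articles/some-real-article HTTP/1.1" 200 4096
203.0.113.7 - - [01/Jan/2013:10:00:04 +0000] "GET /articles/index.php?user/create_form/ HTTP/1.1" 404 169
""".splitlines()

if __name__ == "__main__":
    for addr, n in probe_hits(SAMPLE_LOG).items():
        print(f"{addr}: {n} probe requests")
```

In a request handler the same `is_probe` check can return 404 (or 403) before any application code runs, which is what closes the hole described above.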

  2. Prepping an old machine for demoing crypto tech at the cryptoparty tonight, windows being a complete pain. I have a feeling I’m going to be spending most of the evening apologising for other people’s bad UI decisions.

  3. Micah N Gorrell: @BarnabyWalters Those would work as well but would limit its use to an actual browser. What is wrong with an HTTP header for this?

    @_minego links with the rel semantic can be used both in human-visible markup for improved back-compatibility and quick error-spotting (as well as layering on top of an existing solution) and also in HTTP headers for machine-only use

  4. Barnaby Walters: #idea: a microformat for download signatures/checksums, allowing browsers to automatically verify files without people having to go into the terminal and use shasum or gpg --verify

    Of course the more significant thing is UI considerations: how to offer this info to the downloader, how to explain what the various possible outcomes mean and what action the user should take as a result of them