(Re: )?(H(e|a)llo|Hi|(P|p)ic(ture)?s)

Hello! I am (bored|tired) tonight. I am (nice|23 yo) girl that would like to chat with you. Email me at [A-Za-z0-9]+@[A-Za-z0-9]+\.info only. (You will see some of my private pics|Don’t miss my naughty pictures|I would like to share some of my pics).

Is anybody else getting a lot of email consisting of just this? For the past week or two, my spam folder, thankfully not my inbox, has been filling up with these emails. They all follow the same template, with none straying from the others. It’s always bored or tired, nice or 23 yo, and it’s always a .info domain for the email. Maybe I’m weird, but it just seems weird. They aren’t trying to make me buy some stock, click their referral/ad link, steal my credentials from wherever, make my p3n15 huge or have a rich, dead uncle in some random country. They want me to send an email to a different address than the one it was sent from (it’s usually a Yahoo address, and it actually looks to be sent by Yahoo). I just don’t see the usefulness in it.

You’re In My Server, Looking At My Plugins

Apparently, people realized that if they have their folders indexable, they could be indexed. OMG! And that you can view your plugins directory via Google. Holy crap!

First off, their Google dork isn’t even right. Index of /wp-content/plugins should clearly be intitle:"Index of /wp-content/plugins", because without intitle: the query matches any page that merely mentions those words, so I’d get yours and this shitty post in the results.

But even that isn’t very good. It only catches people with their blog hosted in the root directory, because the exact phrase has to appear in the title. If you have it in the blog/ directory, the title is Index of /blog/wp-content/plugins, and you don’t get hit.

So the query should be intitle:"Index of"+intitle:"/wp-content/plugins", which matches the path wherever it sits. This returns about 50k more results.

But what about the usefulness of this?

Let’s say there is a vulnerability in the “Share This” plugin.

We can try the directory way that’s supposedly so vulnerable: intitle:"Index of /wp-content/plugins" share-this.php. 40 hits.

Or a better method. We know that the plugin adds a link called “Share This” to every post. Don’t believe me? Scroll down a bit and you’ll see it. So we can search for “Share This” on pages containing the word wordpress, since that’s usually in the footer, excluding pages that use the word plugin, since those are probably talking about the plugin itself, and excluding pages with wordpress or Share This in the title, since those are likely to be about the plugin too: wordpress+"Share This" -plugin -intitle:"wordpress" -intitle:"Share This". 3.3 million hits.

Sure, there will be false positives, but there’s a much greater chance of having a much bigger impact. Who cares about the false positives? If it doesn’t work, it doesn’t work. Just move on. You could start it at night and have tried all the sites before even waking up, well, maybe, probably not, but you’ll have a lot more than 40.

I’m thinking the severity of the whole directory being exposed is a little dramatic. Yeah, it’s probably better if it wasn’t indexed, but it’s not killing anyone. What it does hand out is an exact list of plugin names, plus any leftover archives, which saves an attacker the fingerprinting step. Now, if you have a password in there, that’s a different case.
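To make the dork discussion concrete, here is an added example (mine, not from the post) that takes an Apache-style directory listing and pulls out what an attacker actually learns from it: the plugin directory names, any leftover archives, and loose PHP files. The listing HTML is constructed to resemble mod_autoindex output, reusing entry names from the directory listing further down; plugin_index_path() also shows why the exact-phrase intitle: query misses a blog hosted under /blog/.

```python
"""Added example (not from the post): what an exposed wp-content/plugins
directory index gives away, parsed offline from an Apache-style listing.
The HTML below is constructed to look like mod_autoindex output; the entry
names are borrowed from the listing shown later in the post."""
from html.parser import HTMLParser
import re

# Constructed sample: an Apache autoindex page for a blog living under /blog/.
SAMPLE_INDEX = """<html><head><title>Index of /blog/wp-content/plugins</title></head>
<body><h1>Index of /blog/wp-content/plugins</h1>
<pre><a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a> <a href="?C=S;O=A">Size</a><hr>
<a href="/blog/wp-content/">Parent Directory</a>
<a href="akismet/">akismet/</a>                 2007-04-21 16:03    -
<a href="share-this/">share-this/</a>              2007-05-08 18:40    -
<a href="share-this.tar.gz">share-this.tar.gz</a>       2007-05-08 18:35   14K
<a href="wp-db-backup.php">wp-db-backup.php</a>        2006-07-26 00:00   30K
<hr></pre></body></html>"""

ARCHIVE_SUFFIXES = (".zip", ".tar", ".tar.gz", ".tgz", ".bak", ".old")


class _LinkCollector(HTMLParser):
    """Collects the <title> text and every href in the listing."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.hrefs = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def plugin_index_path(title):
    """Return the listed path if the page title is an autoindex of a
    wp-content/plugins directory at any depth, else None. This is the
    distinction between the two intitle: queries: the exact phrase
    "Index of /wp-content/plugins" misses /blog/wp-content/plugins."""
    m = re.match(r"\s*Index of (\S+)", title)
    if not m:
        return None
    path = m.group(1).rstrip("/")
    return path if path.endswith("/wp-content/plugins") else None


def summarize_listing(html):
    """Split the listing into plugin directories, leftover archives and
    loose PHP files; the sort links and the parent link are dropped."""
    p = _LinkCollector()
    p.feed(html)
    entries = [h for h in p.hrefs if not h.startswith(("?", "/", "http"))]
    plugins = sorted(e.rstrip("/") for e in entries if e.endswith("/"))
    archives = sorted(e for e in entries if e.lower().endswith(ARCHIVE_SUFFIXES))
    loose_php = sorted(e for e in entries if e.lower().endswith(".php"))
    return {
        "path": plugin_index_path(p.title),
        "plugins": plugins,
        "archives": archives,
        "loose_php": loose_php,
    }


if __name__ == "__main__":
    print(summarize_listing(SAMPLE_INDEX))
```

The dictionary it prints is the same information every hit on the refined query hands out: which plugins are installed, by directory name, and which archives were left behind next to them.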

In fact, here is my plugin directory. (I have indexes off by default, mainly because netfirms doesn’t use Apache’s indexing thing)

% ls -lA wp-content/plugins
total 1400
drwxr-xr-x  2 2701791  552     512 May  8 18:41 404-notifier
-rw-r--r--  1 2701791  552    4667 May  8 18:41 404-notifier.tar.gz
drwxr-xr-x  3 2701791  552     512 May  7 22:18 PostToTwitter
-rw-r--r--  1 2701791  552    2134 May  7 22:16 PostToTwitter.tar.gz
drwxr-xr-x  2 2701791  552     512 Apr 21 16:03 akismet
drwxr-xr-x  2 2701791  552     512 May  8 18:41 comment-relish
-rw-r--r--  1 2701791  552    3536 May  8 18:35 comment-relish.tar.gz
drwxr-xr-x  2 2701791  552     512 May  7 22:18 easy-auctionads
-rw-r--r--  1 2701791  552    7542 May  7 22:16 easy-auctionads.tar.gz
-rw-r--r--  1 2701791  552   54904 Apr 21 15:20 goog.tar.gz
drwxr-xr-x  2 2701791  552    1024 Apr 21 16:20 google-sitemap-generator
drwxr-xr-x  5 2701791  552     512 Apr 21 16:49 gregarious
-rw-r--r--  1 2701791  552  109199 Apr 21 15:49 gregarious.tar.gz
-rwxr-xr-x  1 2701791  552    2025 Oct 25  2006 hello.php
-rw-r--r--  1 2701791  552    5152 Nov 16  2006 ol_feedburner.php
-rw-r--r--  1 2701791  552    1861 Jul 24  2006 sem-unfancy-quote.php
drwxr-xr-x  2 2701791  552     512 May  8 18:40 share-this
-rw-r--r--  1 2701791  552   14032 May  8 18:35 share-this.tar.gz
drwxr-xr-x  2 2701791  552     512 May  7 22:17 stats
-rw-r--r--  1 2701791  552    5213 May  7 22:16 stats.tar.gz
drwxr-xr-x  3 2701791  552     512 May  8 18:41 subscribe-to-comments
-rw-r--r--  1 2701791  552   16017 May  8 18:36 subscribe-to-comments.tar.gz
drwxr-xr-x  2 2701791  552     512 May  8 18:40 twitter-tools
-rw-r--r--  1 2701791  552   17148 May  8 18:36 twitter-tools.tar.gz
drwxr-xr-x  4 2701791  552     512 Apr 21 21:47 widgets
-rw-r--r--  1 2701791  552   26579 Apr 21 20:48 widgets.tar.gz
drwxr-xr-x  2 2701791  552     512 Apr 21 16:20 wp-cache
-rw-r--r--  1 2701791  552   47104 Apr 21 15:21 wp-cache.tar
-rw-r--r--  1 2701791  552   31091 Jul 26  2006 wp-db-backup.php
drwxr-xr-x  4 2701791  552     512 Apr 25 12:54 wp-syntax
-rw-r--r--  1 2701791  552  309747 Apr 25 12:56 wp-syntax.tar.gz

Yes, I download the zips then convert them to tarballs, that’s why all of my widgets are available in both formats.

But it also raises another question, how many of those do I have enabled?

404Notifier? No. PostToTwitter? No. akismet? Yes. Comment-relish? No. Easy-auctionads? Hell no. Google Sitemaps? Yes. Gregarious? No. Hello Dolly? Fuck no. Feedburner? Yes. Unfancy quote? Hell yes. Share this? Yup. Stats? Yes. Twitter tools? I had to check, but yes apparently. WP Cache? Yes, Wordpress is too slow without it. DB Backup? Yup. WP Syntax? Yes, I likes me fancy highlighting.

10 out of 16 enabled. Does it mean that they can’t be exploited without being enabled? Not necessarily, but to an extent, yes. If you request a plugin file directly, WordPress isn’t loaded, so the script should die with a fatal error as soon as it reaches an add_action call, because that function isn’t defined. That only holds if nothing exploitable runs before add_action, though: a plugin that executes other PHP code or includes other files at the top of the file, before registering its hooks, can be hit whether or not it’s enabled. They shouldn’t do that in the first place; include($_GET['file']); comes to mind. The usual guard is to bail out at the top of the file if WordPress’s ABSPATH constant isn’t defined.

And if anyone is wondering where all the scripts are, I’ll have a couple of widgets soon and another couple of python scripts.

Brightcove Is Horrible

Brightcove. Why the fuck do they even exist?

First, the embedding is horrible. It takes a while for the video player to load. Even if you had just had that page open before, it’s still going to take about 10 seconds to come up. How long does YouTube take? Next to none. I don’t ever have to see some ugly loading cube-like thing every time I want to see something. Or see it the whole time in Konqueror, and I’ll assume Safari, since the video player never even loads. Good show.

And if I want to link to it or embed it somewhere else, the code comes up inside of the Flash player. I guess working with text in Flash is just about as annoying as having bees sting your eyes. Copy code. Wait, it didn’t copy. Copy code. I think it worked, no wait, it didn’t. Copy. Ok it worked, wait, fuck, it’s code for the other movie. WTF?

Also, instead of calling RSS RSS, they call it “Takeout.” It even has an RSS logo on a Chinese takeout box. Yup, it’s just as much fun as ordering Chinese takeout. And it makes you feel just as bad after using it. They think it’s a good plan to put the number of uploaded videos in the title of the feed. Why? Who the fuck knows. Maybe they want to let people know the count of videos from the feed, but were too stupid to put it in another XML attribute. Here’s what the feed says in Google Reader:

“Brightcove - The Pbstar Channel - 17 Uploaded Videos” has no unread items.

Yup, I guess the 17 uploaded videos will never change, and I’ll never have any more videos to see.

And what’s even worse is that they only show you a thumbnail of the video. WTF? Do you think your really shitty business model (see: none) won’t last without people always viewing your site? Screw you guys, I’m going home, errr, back to YouTube, and they don’t even have RSS. I’ll gladly wait until someone uploads your video over there in order to bypass your crap.

But I guess since it’s beta, it can be complete crap. And businesses actually use them? I guess they don’t care as long as they get a cut of the ad revenue!!! OMG, Moneys!!! I like money. And what better way to be somewhere in the third to fifth in line to get your cut. That completely makes up for the horribleness that it is.

I’m Done With Partial Content Feeds

Done. No more. If you don’t provide a full content feed, I’m not reading it. That’s it. The only exception might be comics, and that’s only if it’s really good.

Be like Gawker, and put ads in them for all I care. I’m not going to see them, but I’m not going to see them on your site anyways. Or put a link at the bottom of every post, like techcrunch or engadget. I’ll actually see those. I’m not going to click them, and can easily ignore them, but some people might not.

But don’t, just don’t, only provide a partial content feed. It’s been shown that full content feeds get just as many click-throughs as partial content feeds, so you’re not gaining anything. In fact, you’re losing some, because I’m not going to read it. The whole offline support of Google Reader doesn’t really work. I guess I could star some to read later when I’m online, but that’s stupid. I want to read stuff when I’m offline with nothing better to do, not star things to read when I’m online with better things to do.

I tried to subscribe to about 5 blogs yesterday, only to immediately unsubscribe after seeing the horrible […]. If I wanted to go to your blog to read the post, I would just go to your blog in the first place and cut out the middleman.

I also went through to remove all partial content feed that somehow managed to slip through or decided to change, which resulted in about 15 feeds being removed. Like ArsTechnica, most news feeds, and GNUCITIZEN. GNUCITIZEN, not sure why the change of heart with your feed, but it’s a shame, I really liked your blog. If you change it back, I’ll continue reading, but until then, you’re not on my subscription list.

I also removed any sites that force you to go to their site for anything else. I’m looking at you, digg. Reddit, keep up the good work. I don’t want to have to jump through hoops just to try to get to the content. But digg, you’re pretty much pointless anyways. Going to that site maybe once a week and viewing the top content is more than most people need.

If you make the content accessible to your readers, you’ll do better than forcing people to your site. People want the content to come to them how they want it. And if they have their own sites or whatever, they will be more likely to link to you, and then people will view your site. Or just let search engines do their work. People still use those, and they’ll view your site. But to loyal people who just want to read what you have to say, give them what they want. And if someone wants a partial content feed, offer it to them, but don’t remove support for the full content feed.

I Hate “Micro Receivers”

I recently bought an MX610 mouse. It looked pretty neat with its 2 notification lights that even work on Linux. It even used a freakin’ laser. Awesome, I thought. It’ll be a great replacement for my old worn out Microsoft mouse.

The first thing I noticed was the tiny little micro receiver it had. I didn’t think too much of it, since I plugged it in, and it worked fine. I had to plug it into the back, since I didn’t have any open ports in the front at the time. This makes a distance of about 5 feet from the mouse to the receiver. This worked fine for the first couple of days, but then I would notice some lagging here and there. So, I reconfigured my USB connections, and moved it to the front, which now has a 3 foot distance (yes, I measured). Good enough, I thought.

A few days ago, the lagging started coming back. Now, the mouse is less than 2 weeks old. Much too early for me having to replace the batteries. So, I tried moving the mouse closer to the receiver, and it works flawlessly, move it back down, it’ll work fine, then will have some random lagging, then fine, then lag, and so on. It becomes really annoying. And it’s all to blame on that stupid micro receiver.

New mouse - 3 feet - 1 inch = 3 feet = Poor connection:
logitech mouse

Old mouse - 3 feet - 4 feet = -1 feet = Perfect reception:
microsoft mouse

With my last mouse, it had a receiver on a decent sized wire, which you could then position to be close to the mouse, not having to worry about where your PC was. With the stupid micro receiver, that usefulness is thrown out the window. If you want the reception to be better, you need to move the PC closer to the mouse or spend $10-20 on a stupid USB extender cable. If I want to spend an extra $20, I’ll buy a nicer mouse, which doesn’t have some shitty micro receiver.

My new plan, rig up the old receiver to work with the new one, probably just in the sense of being a USB extender.

Adsense makes you rich!

It sure does.

I put an ad at the bottom of each post when viewing a single post (it has since been removed), and check out my awesome earnings

23 cents!!!

That’s right. $0.23. I didn’t even make a quarter. I was close though.

Let’s do some math. I had these up for about 7 days, making my daily earnings about 3.6 cents a day. It’ll take 28 days for me to get to $1.00. But I need $100 before being able to get anything. Sneaky sneaky there, Google. Now, I’m up to 7.6 years. Let’s say a couple of people click an ad (the 3.6 cents a day is just from showing them), we can bring that down to an even 7 years. Luckily, after a year of using Adsense on other sites, I already have $30 in my account. We can cut that down to 5 years. Or if we want to count $30 / year, 2 years, but I’m not going to count that way.

I’m going to be rich.

Dear Mr. Jobs, That’s Retarded

Coming from the WWDC, Apple announced it’s going to allow third party Web 2.0 applications. Really? Are you saying that previous to this, Safari wasn’t going to support even JavaScript? Why thank you, Mr. Jobs, for now allowing the basics that most browsers have had for years.

And how are Web 2.0 applications supposed to be iPhone applications? Last time I checked, you can’t use any of that multi-touch shit that’s so ‘revolutionary’ with JavaScript and HTML. Or that Web 2.0 apps haven’t existed for phones previous to this. What about Twitter? That’s Web 2.0 and I can totally use that on my phone.

And what about games? I haven’t seen anything about games on the iPhone. I sure as hell can’t make a good game solely with JavaScript and HTML. I could try, but I don’t think it would be anywhere near as good as a native Java version. But really, why aren’t there any games? I guess you’ll be too busy using Google Maps to be busy playing games.

This is like if Nintendo said, hey, if people want to make games for the Wii, do it from the Opera web browser. We don’t need that whole disk and game thing anymore. Everything is done with AJAX now. But instead, Nintendo has a $2000 SDK so more people could make games.

But hey, I should be glad, since now I can make applications that ’seamlessly access the iPhone services’. Great, I can now visit a site and not only worry about it trying to give me malware, I now have to worry about it making calls to Russia on my behalf.

But, I’m sure they secured it so that won’t be possible. Let’s just ignore that 1 day after Safari for Windows was released, multiple vulnerabilities were found. I’m sure the iPhone’s Safari will be so much more secure. Probably only 2 vulnerabilities will be found the first day, and that’s only because only a few can afford or get the damn thing.

Here’s about how far I see this going. Google Reader for the iPhone. They already have a Wii version, so an iPhone one is right up their alley. Probably some company will get millions in financing to build a solely iPhone web app, only to realize that only 5% will know about it, and of that 5, only 0.1% might use it. And when that 0.1% is out of half a million, you’re looking at 500 users. And if it isn’t free, which probably is the only way to make money from it, drop that user count to 50.

Sorry Jobs. I don’t buy the hype. Have fun selling all those slightly fancy iPods for ridiculous amounts of money.

New Paintball Blog

Eh. A little self promotion never hurt anyone.

I’ve launched a new paintball blog on the grounds that all others suck. (Paintball Journal, you aren’t that bad, just the site itself sucks. If you were self hosted and less ad-ridden, you would have my support).

It’s available over at PaintballHeadlines.com, or you can subscribe to the feed.

It’s not too much now, but hopefully it’ll grow into something more.

If you want to write for it, you can. You need to have some knowledge about paintball, or at least some interest in it. Just tell me some info about you, make an account over there, and I’ll promote you to an author. Currently, there’s no monetary incentive. If I do happen to put ads on it and make a profit, it’ll be split between everyone.

Yay, Another WordPress Vulnerability

A WordPress 2.2 vulnerability was posted on milw0rm recently, which allows SQL injection via the wp.suggestCategories method in xmlrpc.php.

Here is the vulnerable function

function wp_suggestCategories($args) {
    global $wpdb;

    $this->escape($args);

    $blog_id     = (int) $args[0];
    $username    = $args[1];
    $password    = $args[2];
    $category    = $args[3];
    $max_results = $args[4];

    if(!$this->login_pass_ok($username, $password)) {
        return($this->error);
    }

    // Only set a limit if one was provided.
    $limit = "";
    if(!empty($max_results)) {
        $limit = "LIMIT {$max_results}";
    }

    $category_suggestions = $wpdb->get_results("
        SELECT cat_ID category_id,
            cat_name category_name
        FROM {$wpdb->categories}
        WHERE cat_name LIKE '{$category}%'
        {$limit}
    ");

    return($category_suggestions);
}

Namely this part

if(!empty($max_results)) {
     $limit = "LIMIT {$max_results}";
}

Way to not sanitize or check whether the variable is valid. That’s some pretty poor programming practice right there. $max_results lands in the LIMIT clause outside any quotes, so the $this->escape() call at the top, which only adds slashes to the strings, does nothing for it.

It took the whole of 2 seconds to fix it.

if(!empty($max_results) && is_int($max_results)) {
     $limit = "LIMIT {$max_results}";
}

This was fixed in the trac by typecasting the variable to an int. Whatever. Both ways work, though not identically: is_int() only accepts a value the XML-RPC layer decoded as an <int>, so a client that sends the limit as a string silently gets no LIMIT at all, while the cast reduces any string to its leading digits. Either way the attacker’s text never reaches the query.

$max_results = (int) $args[4];

The issue was posted in the trac on May 28, and instead of issuing an update or informing people, nothing has been mentioned. Just let it get disclosed, have people try to exploit.

It does, however, not look to be too bad. You have to know a user’s username and password to exploit it, though I’m not sure what user level is needed for this (I was too lazy to get the exploit working without C#). If it’s subscriber, shit. If it’s anything other than admin, it’s still not very good.
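Added example, not WordPress code and not the milw0rm exploit: it builds a wp.suggestCategories request with Python’s xmlrpc.client, decodes it server-side the way xmlrpc.php would, and runs the decoded max_results through the three LIMIT handlers discussed above (the original splice, the is_int() check, and the (int) cast). The table name wp_categories stands in for {$wpdb->categories}, the credentials are made up, and the payload string is just text chosen to be visibly foreign to a LIMIT clause.

```python
"""Added example (not WordPress code): how the max_results argument of
wp.suggestCategories travels from an XML-RPC request into the LIMIT clause
under the three versions discussed in the post: the original unchecked
splice, the is_int() check and the (int) cast. The query builder mirrors
the PHP above; the table name wp_categories and the payload are assumed."""
import re
import xmlrpc.client

# Illustrative attacker-controlled text. PROCEDURE ANALYSE() is a clause the
# MySQL grammar allows after LIMIT; the point here is only that the string is
# spliced into the statement verbatim, not what it then does.
PAYLOAD = "1 PROCEDURE ANALYSE()"


def build_request(username, password, category, max_results):
    """Serialize a wp.suggestCategories call as an XML-RPC client would.
    Python marshals int as <int> and str as <string>, which is exactly the
    typing a PHP is_int() check on the decoded value sees."""
    params = (1, username, password, category, max_results)  # blog_id first
    return xmlrpc.client.dumps(params, methodname="wp.suggestCategories")


def decode_args(request_xml):
    """Server side: decode the call into the positional $args array."""
    params, _method = xmlrpc.client.loads(request_xml)
    return list(params)


def php_empty(value):
    """PHP empty() for the values XML-RPC can deliver here."""
    return value in (None, "", "0", 0, 0.0, False)


def php_int_cast(value):
    """PHP (int) cast: ints pass through, strings keep their leading digits
    ("1 PROCEDURE ANALYSE()" becomes 1), anything else becomes 0."""
    if isinstance(value, bool):
        return int(value)
    if isinstance(value, int):
        return value
    if isinstance(value, str):
        m = re.match(r"\s*[+-]?\d+", value)
        return int(m.group()) if m else 0
    return 0


def limit_original(max_results):
    """if(!empty($max_results)) $limit = "LIMIT {$max_results}";"""
    return "" if php_empty(max_results) else f"LIMIT {max_results}"


def limit_is_int(max_results):
    """if(!empty($max_results) && is_int($max_results)) ..."""
    if php_empty(max_results) or not isinstance(max_results, int) or isinstance(max_results, bool):
        return ""
    return f"LIMIT {max_results}"


def limit_cast(max_results):
    """$max_results = (int) $args[4]; followed by the original empty() test."""
    n = php_int_cast(max_results)
    return "" if php_empty(n) else f"LIMIT {n}"


def build_query(category, limit):
    """The SELECT from wp_suggestCategories with the limit clause appended.
    $this->escape() only addslashes() the strings, which does nothing for a
    value placed outside quotes, so it is left out here."""
    sql = (f"SELECT cat_ID category_id, cat_name category_name "
           f"FROM wp_categories WHERE cat_name LIKE '{category}%' {limit}")
    return sql.strip()


def query_for(request_xml, limiter):
    """Decode a request and build the query with the given LIMIT handler."""
    args = decode_args(request_xml)
    return build_query(args[3], limiter(args[4]))


if __name__ == "__main__":
    req = build_request("editor", "hunter2", "news", PAYLOAD)
    for name, fn in (("original", limit_original), ("is_int", limit_is_int), ("cast", limit_cast)):
        print(f"{name:9} {query_for(req, fn)}")
```

The interesting case is the string-typed argument: the original code splices it in verbatim, is_int() rejects it because the XML-RPC layer decoded it as a string, and the cast keeps only the leading 1. Send the limit as an <int> and all three handlers agree.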

WordPress Reddit Widget

Number 8 in Widget-A-Day is a reddit widget.

It’ll display your latest liked items on reddit.com. You can edit the display, count, and username.

Not much of a widget (it can kinda be done via the RSS widget), but it’ll be the closer in Widget-A-Day. I might have one on Saturday, but there’s no guarantee. It’s been fun. Hopefully someone has found these useful. I’ll do it again sometime. If you have any problems, suggestions, or whatever, let me know.

Download reddit.zip

SVN Checkout
svn co http://svn.wp-plugins.org/reddit-widget/trunk

Default display:
reddit1cropped.png

Admin panel:
reddit2cropped.png

Requirements

Installation

  1. Download reddit.zip
  2. Extract and upload reddit.php to the plugins/ directory
  3. Enable reddit Widget in the Plugin admin panel
  4. In widget admin panel, place reddit in the sidebar, and edit it to enter your username

Features

  • Displays your latest liked items (on reddit.com)
  • Completely customizable display
  • Caching for large traffic sites

Formatting

There are 3 parts needed to format the output.

The first part, called items start in the admin panel, is the first part of the widget after the title. For the default formatting, this is just <ul>.

The second part, called items end, is the ending of the widget. By default, this is:
</ul>
<a href="%profile%" style="float:right;">%username%</a>


The third part is what is called for each item. By default, this is:
<li style="list-style-type: none;"><a href="%link%">%title%</a> (<a href="%more%">more</a>)</li>

The parts are output in this order:

  1. start
  2. item
  3. item
  4. item
  5. end

The formatting for items is:

  • %title% - Title of the item
  • %link% - Link to the item
  • %desc% - Description of the item - Just [link] [more] links
  • %date% - Date the item was submitted (ISO)
  • %more% - More link - The link to the comments
  • %number% - The number of the current item

The formatting for start and end is:

  • %username% - Your username
  • %profile% - Link to your profile
  • %rss% - Link to your profile’s RSS feed
  • %count% - Number of items shown
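As an added example (not the widget’s code), here is the start / item / end rendering the section above describes, using the placeholder names listed, the defaults quoted in this section, and a couple of constructed items standing in for the reddit feed. Escaping the substituted values is this example’s own choice, not something the page says the widget does; titles and links come from reddit, not from you, so they should not reach your sidebar unescaped.

```python
"""Added example (not the widget's own code): the start / item / end
rendering described in the Formatting section, with the placeholder names
from its lists. The reddit items are constructed inline rather than fetched.
Escaping the substituted fields is this example's own choice."""
import re
from html import escape

# Defaults quoted in the Formatting section.
DEFAULT_START = "<ul>"
DEFAULT_END = '</ul>\n<a href="%profile%" style="float:right;">%username%</a>'
DEFAULT_ITEM = ('<li style="list-style-type: none;"><a href="%link%">%title%</a> '
                '(<a href="%more%">more</a>)</li>')

# Constructed sample of what "latest liked items" might decode to.
SAMPLE_ITEMS = [
    {"title": "WordPress 2.2 xmlrpc.php SQL injection", "link": "http://example.org/post1",
     "desc": "[link] [more]", "date": "2007-06-10T12:00:00Z",
     "more": "http://reddit.com/info/abc/comments"},
    {"title": "Dorks & <script>alert(1)</script>", "link": "http://example.org/post2",
     "desc": "[link] [more]", "date": "2007-06-11T08:30:00Z",
     "more": "http://reddit.com/info/def/comments"},
]

PLACEHOLDER = re.compile(r"%([a-z]+)%")


def substitute(template, values):
    """Replace every %name% in template with the HTML-escaped value in one
    pass, so text inside a value is never re-scanned for placeholders.
    Unknown placeholders are left as written so a typo stays visible."""
    def repl(m):
        name = m.group(1)
        if name not in values:
            return m.group(0)
        return escape(str(values[name]), quote=True)
    return PLACEHOLDER.sub(repl, template)


def render_widget(items, username, profile, rss, start=DEFAULT_START,
                  item_tpl=DEFAULT_ITEM, end=DEFAULT_END, count=None):
    """Emit start, then item_tpl once per item (with %number% counting from
    1), then end, with %username%, %profile%, %rss% and %count% available
    to start and end. count caps how many items are shown."""
    shown = items[:count] if count else items
    common = {"username": username, "profile": profile, "rss": rss, "count": len(shown)}
    parts = [substitute(start, common)]
    for number, item in enumerate(shown, start=1):
        parts.append(substitute(item_tpl, {**item, "number": number}))
    parts.append(substitute(end, common))
    return "\n".join(parts)


if __name__ == "__main__":
    print(render_widget(SAMPLE_ITEMS, "someuser", "http://reddit.com/user/someuser",
                        "http://reddit.com/user/someuser/liked/.rss", count=5))
```

With the second constructed item the script tag in the title comes out as &lt;script&gt;, which is the difference between a sidebar that lists a link and one that runs whatever somebody managed to get into a reddit title.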
