• Huge Vulnerability in WordPress 4.8

    Anthony Ferrara discovered a significant security vulnerability and an even more fundamental security flaw in WordPress.

    The correct fix is to ditch this whole prepare mechanism (which returns a string SQL query). Do what basically everyone else does and return a statement/query object or execute the query directly. That way you can’t double-prepare a string.

    It’s worth saying that this would be a major breaking change for WP. One that many other platforms have done successfully (PHPBB did this exact thing, and went from having massive SQL Injection vulnerabilities to almost none).

    WordPress has made great strides in modernizing and hardening core. I really had no idea WPDB was still in the dark ages! For shame!

    Read his post for all the gory details.
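
    To illustrate the design point above, here is a toy Python model (added here; not WordPress code and not from Anthony Ferrara's post): a prepare() that returns SQL text can be fed its own output, so a value that merely looks like a format specifier is re-parsed as one on the second pass, while a prepare() that returns a query object keeps the template and its parameters apart until execution and refuses anything but plain SQL text as input. The positional `%1$s` specifier is assumed to mirror vsprintf-style formatting; `wp_postmeta`, `PreparedQuery` and `unquoted_text` are illustrative names.

```python
import re

def esc_sql(value):
    """Toy escaping as a string-building DB layer does it: single quotes are
    doubled, but '%' is left untouched, so data can still look like a placeholder."""
    return str(value).replace("'", "''")

def prepare_string(template, *args):
    """String-returning prepare(): each %s (or positional %1$s, vsprintf-style)
    becomes a quoted, escaped argument. The result is plain SQL text, so nothing
    stops a caller from feeding it back into prepare() a second time."""
    sequential = iter(range(len(args)))
    def fill(m):
        idx = int(m.group(1)[:-1]) - 1 if m.group(1) else next(sequential)
        return "'" + esc_sql(args[idx]) + "'"
    return re.sub(r"%(\d+\$)?s", fill, template)

class PreparedQuery:
    """Object-returning prepare(): template and parameters stay separate until
    execution, so text produced from earlier data is never re-scanned."""
    def __init__(self, template, args):
        if not isinstance(template, str):
            raise TypeError("prepare() takes SQL text, not an already prepared query")
        if template.count("%s") != len(args):
            raise ValueError("placeholder/argument count mismatch")
        self.template, self.args = template, tuple(args)
    def and_where(self, clause, *args):
        # Composition extends the template and the parameter list; bound
        # parameters are never turned back into text that could be re-prepared.
        return PreparedQuery(self.template + " AND " + clause, self.args + args)
    def render(self):
        # Parameters are bound exactly once, at execution time.
        return prepare_string(self.template, *self.args)

def unquoted_text(sql):
    """Replace every '...' literal with ? to show what a parser treats as syntax."""
    return re.sub(r"'(?:[^']|'')*'", "?", sql)

KEY, VALUE = "%1$s", "x"   # constructed request input; the key only looks like a specifier

def build_with_strings(key, value):
    once = prepare_string("SELECT * FROM wp_postmeta WHERE meta_key = %s", key)
    # A second layer re-prepares the text it was handed: the %1$s that arrived as
    # data is now parsed as a placeholder and the query's quoting shifts around it.
    return prepare_string(once + " AND meta_value = %s", value)

def build_with_objects(key, value):
    q = PreparedQuery("SELECT * FROM wp_postmeta WHERE meta_key = %s", (key,))
    return q.and_where("meta_value = %s", value).render()
```

    Running `unquoted_text` over both results shows the user-supplied value sitting outside any string literal in the string-built query, while the object-built query keeps every value quoted.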


  • Good Morning 2002

    Why not spend your morning engrossed in the sounds of a giant PC tower next to your head, like it’s 2002:

    Thanks, Hacker Noon.


  • Mr. Shodan

    Mr. Robot season 3 is off to a great start. As per usual, the episode features tonnes of Easter eggs for hacker nerds.

    But I have to admit I was a little surprised to see a shodan.io cameo. Shodan is a search engine for things connected to the web that aren't web servers: webcams, network equipment, industrial control systems and other hardware that relies heavily on security through obscurity.

    Here’s a fun video from Defcon 20 demonstrating what fun can be had.


    Bonus: the search Mr. Robot performs, org:"Evil Corp" product:"Apache Tomcat", returns real results with show-relevant data.


    Bonus Part 2:

    The domain in question has an open SNMP (file sharing port).

    No guest account unfortunately. If only I could remember some of the logins from the show.

    The rabbit hole goes deep this season! Hack the planet.