WordPress plugin: password hint
2008-08-11 Since I couldn't sleep anyway, I quickly wrote a very simple WordPress plugin that adds a password hint to password-protected posts. Previously, whenever I tried to publish a password-protected post, I had to give the hint in a separate post, which was rather inconvenient. I had wanted to write this plugin for a long time but never got round to it; with this bit of spare time I wrote it and put it up on my own site. Anyone interested can take a look: it is easy to use and needs no configuration.
One very important factor that can turn mobile blogging into a painful experience is the quality of the input method. Without an input method the locals are used to, or with an awkward input method interface, people will not only refuse to spend time moblogging, they will even send fewer SMS messages, and the product becomes a failure. I am currently trying out on my own phone just how (in)convenient it is; fortunately this phone has both Cangjie and handwriting input, so even though the Cangjie keyboard is not very comfortable to use, handwriting comes to the rescue, and its Chinese recognition rate is quite high (English is hopeless, though), which feels acceptable.
Of course there is another equally important factor: the quality of the blogging program itself. On the one hand it has to be lean, on the other hand it must not lack too many features; the freeware I am testing with right now is not that great, barely passable at best. Setup is fairly easy, but there is no cut and paste, and to add a link or an image you have to key in the whole URL character by character, so adding anything at all to a post is a miserable business. It seems any offline blogging program is only suited for writing drafts. Just now I still wanted to add a link inside the program, but in the end I had to fall back on the browser.
Most WordPress users have probably written something they don't want to share at all, using the feature called private posts. However, that feature has some usability problems. I often find it inconvenient to search for my own private posts: they are only visible inside the admin page, or else you have to browse tens or hundreds of pages, one by one, to find them.
Out of my own need, I coded a plugin to fix the situation; now I can see my own private posts inside the calendar and the monthly archive list. It may well be useful for others too, so the plugin is available here.
It has been a long time since I last felt I had found a kindred spirit. Although most of the content is sarcastic or cynical in tone, it really does voice what many Linux users feel. I had thought about writing something like this myself (in fact I wrote two pieces for LinuxPilot, though from a different angle), but I could never work up enough pent-up anger to write it, and even if I had, I could not have produced such biting English sentences.
Finding someone of like mind is entirely thanks to Planet GNOME (I mean this post). Normally I would have laughed it off and never looked at it again, but yesterday I lost my composure and gave that kind of "developer", who treats users like lower animals, a thorough scolding. My patience has been getting worse year by year. In the end that "developer" half-apologetically explained that he did not hate that blog; although I could not see any trace of irony in it (it read more like the self-anointed god-developers trampling on users), I let it go.
But one thing is clear: those fundamentalists who tell users to go back to Windows are definitely one of the cancers behind Linux's failure, even though that kind of cancer can never be fully excised.
Come to think of it, it is about time I posted those LinuxPilot articles.
2008-06-21 edit: that line “ungzip my pants and suck my tarballs” is a true classic!
Here we take a glimpse of the WordPress fanboys' mindset. Why is WordPress more secure than SSH? Because SSH is vulnerable to username guessing (more formal term: enumeration), while WordPress isn't! But why?
As promised in the previous post (in Chinese, sorry), here is the full advisory of the WordPress SQL injection vulnerability I mentioned. Excerpt below:
It is found that the search function provided within WordPress fails to sanitize input based on different character sets. So if WordPress tries to query MySQL database using certain specific character sets, WordPress search function is exploitable using charset-based SQL injection.
Currently known exploitable character sets include: Big5 and GBK. All of them may use the backslash (`\`) as part of a multibyte character. WordPress with a MySQL database created in any other character set having this property may also be exploitable.
Executing this attack alone results in exposure of all database content through the web interface without any need for authentication. However, combined with other exploits (such as the cookie authentication vulnerability disclosed earlier), any remote user can obtain WordPress admin privileges, resulting in server compromise.
Actually, I had long suspected this was exploitable, though the real effort to verify the claim did not happen until a few days ago. Given the security track record of WordPress, such a thing is entirely to be expected.
Chinese sites stubborn enough to keep using Big5 or GBK encoding in the database are in jeopardy; otherwise most sites should be fairly safe from this exploit (as most should be using UTF-8). Nor is the latin1 character set vulnerable (as used in most earlier default WordPress installations). But contrary to common belief, it looks like mysql_real_escape_string() doesn't fix the problem at all. Can anybody confirm or deny this?
2007-12-10 20:55 update: GB18030 is not vulnerable. MySQL 5.0.x doesn't support this character set at all; I don't know about the 5.1 series.
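The mechanism the advisory describes (a backslash that is also the trailing byte of a Big5 or GBK character) is easy to see at the byte level. The following is an added example, not code from the advisory or from WordPress: it contrasts byte-oriented escaping in the style of addslashes() with escaping done after decoding with the connection character set, and includes a check that reports whether a quote survives unescaped once the server interprets the bytes. Python codec names ("big5", "gbk", "latin-1", "utf-8") stand in for the MySQL connection character sets, the probe inputs are constructed, and the use of errors="replace" for undecodable bytes is my own choice. The practical caveat for the author's question: mysql_real_escape_string() escapes according to the character set the client library believes the connection uses, so it only helps when that character set was set through the client API (mysql_set_charset()) rather than by a `SET NAMES` query the client library never sees; prepared statements with bound parameters avoid the problem entirely.

```python
from typing import Dict

# Added example, not the advisory's code. Python codec names stand in for the
# MySQL connection character sets; probe inputs below are constructed.

QUOTE = 0x27      # '
DQUOTE = 0x22     # "
BACKSLASH = 0x5C  # \


def naive_escape(raw: bytes) -> bytes:
    """Byte-oriented escaping in the style of PHP's addslashes(): put a
    backslash before every quote and backslash, without knowing which
    character set the bytes will later be interpreted in."""
    out = bytearray()
    for b in raw:
        if b in (QUOTE, DQUOTE, BACKSLASH):
            out.append(BACKSLASH)
        out.append(b)
    return bytes(out)


def charset_aware_escape(raw: bytes, charset: str) -> bytes:
    """Decode with the connection charset first, escape at the character
    level, then re-encode. A trailing byte can no longer be mistaken for
    the escaping backslash because escaping happens on characters, not
    bytes. Undecodable bytes are replaced (assumption of this example)
    rather than passed through. A parameterised query is still the
    preferred fix."""
    text = raw.decode(charset, errors="replace")
    # Escape the backslash first so the backslashes we add are not doubled.
    escaped = text.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')
    return escaped.encode(charset, errors="replace")


def quote_still_escaped(escaped: bytes, charset: str) -> bool:
    """Interpret the escaped bytes the way a MySQL connection using
    `charset` would, and report whether every single quote is still
    preceded by a backslash. Returns False when a multibyte character
    whose trailing byte is 0x5C has swallowed the backslash."""
    text = escaped.decode(charset, errors="replace")
    for i, ch in enumerate(text):
        if ch == "'" and (i == 0 or text[i - 1] != "\\"):
            return False
    return True


def compare_escapers(charset: str, lead_byte: int) -> Dict[str, bool]:
    """Constructed probe: one lead byte followed by a single quote, the
    input shape the advisory describes. Returns whether each escaping
    strategy keeps the quote escaped under the given charset."""
    probe = bytes([lead_byte]) + b"'"
    return {
        "naive_safe": quote_still_escaped(naive_escape(probe), charset),
        "aware_safe": quote_still_escaped(charset_aware_escape(probe, charset), charset),
    }


if __name__ == "__main__":
    # 0xB3 is the lead byte of Big5 許 (B35C); 0xBF is a lead byte in the
    # GBK/4 range, where 0x5C is a valid trailing byte. For latin1 and
    # UTF-8 no multibyte character can end in 0x5C, so the backslash stays.
    for cs, lead in (("big5", 0xB3), ("gbk", 0xBF), ("latin-1", 0xBF), ("utf-8", 0xBF)):
        print(cs, compare_escapers(cs, lead))
```

Running the block shows naive escaping failing only for big5 and gbk, exactly the character sets the advisory names, while latin1 and UTF-8 keep the backslash in front of the quote; the charset-aware variant keeps it in all four cases. The same quote_still_escaped() check can be pointed at the output of any escaping routine to verify it against the character set the database connection actually uses.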