Nearly 1% of websites built with a content management system (like WordPress or Joomla) are unknowingly exposing their database password to anyone who knows where to look.
TL;DR — Summary of the Problem
Using a text editor to modify content management system (CMS) configuration files (like wp-config.php) could expose your database password to the world. Several popular text editors like Vim and Emacs automatically create backup copies of the files you edit, giving them names like “wp-config.php~” and “#wp-config.php#”. If the text editor crashes or the SSH connection drops during editing, then the temporary backup files may not be cleaned up correctly. This means that the CMS config file (which contains the database password) could accidentally be made public to anyone who knows where to look.
Most servers, including the ubiquitous Apache, will happily serve the plaintext of .php~ and .php# files without passing them through the PHP preprocessor first, since they don’t have the .php file extension. Thus, your sensitive database credentials are just one GET request away from being accessed by a malicious party.
I wrote an automatic program, which I call CMSploit, to test for the prevalence of this issue across the wider web. I tested the top 200,000 websites (as ranked by Quantcast) and found that 0.11% of websites are vulnerable. If we eliminate non-CMS sites, and just look at CMS-powered websites, then we find that 0.77% of websites running a CMS have publicly-visible config files.
If you want all the gory details, then keep reading.
People keep asking me to share how I handled the viral traffic rush to YouTube Instant — 1 million visitors in 10 days — and which VPS hosting provider I recommend.
The answer to the latter question is, without doubt, Linode.
Linode VPS Hosting Review
I’ve been using Linode to host my websites for the past 2+ years and I’m thoroughly impressed by the service. I can’t recommend them enough — it is easily the best web hosting service I’ve used to date.
If you’re coming from the shared hosting world, then let me tell you: a virtual private server (VPS) is a whole new world. A VPS means freedom, power, and total flexibility. You get access to everything from root, the kernel, and on up. All managed from the command line and, occasionally, the simple Linode control panel. Your Linode is completely and totally your machine.
Update 10/19/2011:CNET says that Adobe is working on a fix and it could be ready by end of week. Adobe also emailed me and said “our product team is wrapping up their investigation and is now working on a fix, which should not require a Flash Player update”.
Update 10/20/2011: Whoa, this story is everywhere!
Update 10/20/2011: Adobe says they just posted a fix to the Settings Manager that should resolve the issue. I just tested it out, and indeed the issue appears to be fixed now. Congrats, Adobe, for the quick fix!
I discovered a vulnerability in Adobe Flash that allows any website to turn on your webcam and microphone without your knowledge or consent to spy on you.
It works in all versions of Adobe Flash that I tested.I’ve confirmed that it works in the Firefox and Safari for Mac browsers. Use one of those if you check out the live demo. There’s a weird CSS opacity bug in most other browsers (Chrome for Mac and most browsers on Windows/Linux).
This attack works by using a neat variation of the normal clickjacking technique that spammers and other bad people are using in the wild right now. For the uninitiated:
Clickjacking is a malicious technique of tricking Web users into revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.
— Wikipedia
I just watched a talk by Eric Ries (IMVU founder and investor) that he gave to Stanford ETL. He goes over stuff that’s mostly taken for granted at startups in the valley, these days. (I picked up most of these lessons from working at Facebook and Quora over the past two summers.)
But, I’ve never heard these startup ideas articulated this clearly before. This is an excellent talk.
I’ve been asked this question a lot lately, especially after I built YouTube Instant. So, here’s the answer, once and for all, for those who are interested.
In short:
I learned how to program by building lots of websites.
The full story:
I learned how to program by working on lots of different website projects starting from a pretty young age. What follows is a full account of all the major websites I’ve built, back to the very first site I made when I was 11 years old. What I hope the reader takes away from this full retelling is the importance of doing lots of side projects if you want to learn to program well.
The best way to learn a new skill is to practice, practice, practice. All the best programmers that I know sincerely enjoy programming — it’s something that makes them absurdly happy to do. And, so they do it a lot. Often, an unhealthy amount. Learning how to program — and how to do it well — doesn’t take superhuman ability. It just takes a willingness to get your hands dirty and build stuff.
Hi, this is Feross. I'm a computer science student at Stanford University. I'm interested in Internet technology, web development, and computer security. I like hacking on cool software projects, running, basketball, retro video games, and shiny gadgets.
You Should Follow Me