Re: [LUAU] Non-IE bug?
As far as I know you're safe until you install an extension. Hopefully a patch for a permanent fix will be out soon!

Rodney

[EMAIL PROTECTED] wrote:

> - Original Message -
> From: Rodney Kanno <[EMAIL PROTECTED]>
>
> > You can find instructions for a "temporary" fix here:
> >
> > http://users.tns.net/~skingery/weblog/2005/02/permanent-fix-for-shmoo-group-exploit.html
>
> Thanks Rodney,
>
> Instructions are for XP, but I found the file on my OS X box and edited it. The exploit no longer works, weee!
>
> However, your link also states
>
> UPDATE 2/8/05 8:02 AM PST
> In the comments reader lionfire mentions that this fix isn't quite permanent because compreg.dat gets updated when you install an extension. I have just confirmed this. I'm looking further into how to make this permanent. Stay tuned!
>
> So as long as I don't install any Firefox extensions, I'm safe? Sorry, I'm a teacher, not a techie.
>
> --Peter

___
LUAU@lists.hosef.org mailing list
http://lists.hosef.org/cgi-bin/mailman/listinfo/luau
Re: [LUAU] Non-IE bug?
- Original Message -
From: Rodney Kanno <[EMAIL PROTECTED]>

> You can find instructions for a "temporary" fix here:
>
> http://users.tns.net/~skingery/weblog/2005/02/permanent-fix-for-shmoo-group-exploit.html

Thanks Rodney,

Instructions are for XP, but I found the file on my OS X box and edited it. The exploit no longer works, weee!

However, your link also states

UPDATE 2/8/05 8:02 AM PST
In the comments reader lionfire mentions that this fix isn't quite permanent because compreg.dat gets updated when you install an extension. I have just confirmed this. I'm looking further into how to make this permanent. Stay tuned!

So as long as I don't install any Firefox extensions, I'm safe? Sorry, I'm a teacher, not a techie.

--Peter
Re: [LUAU] Non-IE bug?
You can find instructions for a "temporary" fix here:

http://users.tns.net/~skingery/weblog/2005/02/permanent-fix-for-shmoo-group-exploit.html

Rodney

[EMAIL PROTECTED] wrote:

> This scares me. What are the chances of this being fixed anytime soon?
>
> --Peter
>
> A new phishing/scam threat using International Domain Names (IDN) can be used to steal your identity and money. See following for details:
>
> http://www.infoworld.com/article/05/02/08/HNdomainnamethreat_1.html
>
> Go to following for a demo of this phishing attack and description:
>
> http://www.shmoo.com/idn
>
> Click on the links for www.paypal.com, you will get a bogus site with the word "meeow" which could be made to look like the real site to steal your information. Both the regular html and SSL (https) links can be forged.
>
> Currently, this exploit affects only non-Microsoft IE browsers. Since IE has not yet implemented IDN in its browser it is not vulnerable.
[LUAU] Non-IE bug?
This scares me. What are the chances of this being fixed anytime soon?

--Peter

A new phishing/scam threat using International Domain Names (IDN) can be used to steal your identity and money. See following for details:

http://www.infoworld.com/article/05/02/08/HNdomainnamethreat_1.html

Go to following for a demo of this phishing attack and description:

http://www.shmoo.com/idn

Click on the links for www.paypal.com, you will get a bogus site with the word "meeow" which could be made to look like the real site to steal your information. Both the regular html and SSL (https) links can be forged.

Currently, this exploit affects only non-Microsoft IE browsers. Since IE has not yet implemented IDN in its browser it is not vulnerable.
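Added example, not part of the thread: a defender-side check for the IDN spoofing described above, which shows a hostname in both its Unicode and ASCII (`xn--`) forms and flags labels that mix scripts. The function names and the constructed sample hostname are assumptions made for illustration; the encoding uses Python's built-in IDNA 2003 codec.

```python
import unicodedata

def label_scripts(label):
    """Scripts used by the letters of one label (first word of each Unicode name)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def to_unicode(label):
    """Decode an xn-- (Punycode) label; return other labels unchanged."""
    if label.startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label  # malformed ACE label: leave it visible as typed
    return label

def audit_host(host):
    """Return the ASCII and Unicode forms of a hostname plus two flags."""
    labels = [to_unicode(l) for l in host.strip().rstrip(".").lower().split(".")]
    unicode_form = ".".join(labels)
    return {
        # What is actually looked up in DNS.
        "ascii": unicode_form.encode("idna").decode("ascii"),
        # What an IDN-aware browser may display.
        "unicode": unicode_form,
        # Any label containing non-ASCII characters.
        "idn": any(not l.isascii() for l in labels),
        # Letters from more than one script inside a single label.
        "mixed_script": any(len(label_scripts(l)) > 1 for l in labels),
    }

# Constructed sample: "paypal" with U+0430 (Cyrillic a) replacing the first Latin "a".
SPOOF = "www.p\u0430ypal.com"

if __name__ == "__main__":
    for host in ("www.paypal.com", SPOOF, audit_host(SPOOF)["ascii"]):
        print(audit_host(host))
```

A label such as `bücher` is reported as IDN but not mixed-script, so the second flag is the one that singles out look-alike substitutions inside an otherwise Latin name.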
RE: [LUAU] apache security question
And Rightfully so...Being Paranoid that is... You may want to use something a little stronger for authorization such as mysqlauth or almost any other authentication Scheme/Module...Also you may want to include nobots.txt in any directory you do not want a search engine to probe.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Gordon
Sent: Tuesday, February 08, 2005 12:05 PM
To: LUAU
Subject: Re: [LUAU] apache security question

Charles Lockhart wrote:

> So, we have a script or something that every time you create a
> directory in that secure directory, the script adds an .htaccess file,
> and the .htaccess file is used to enforce privacy, requiring a
> username and password to log in. I'm told that this should be secure
> enough to keep people from accessing the private area, and to prevent
> information from turning up on Google + etc.
>
> So my question is, is that correct? I have no webmaster experience,
> and very limited privacy/security experience, so I'm not setting that
> up, our network admin is, but I figured I'd get a second (third,
> fourth, fifth...) opinion.
>

HTTP Auth should be enough for a wiki. I don't know anything about your particular wiki, so consider the flaw of HTTP Auth for yourself. The session is handled entirely on the client-side (no specification for "logging off"). And the authentication can be passed in the URI/REFERER strings. A funky browser behavior could, in turn, send this kind of info to a foreign entity (google, etc).

But I may just be paranoid.

Tom
Re: [LUAU] apache security question
Charles Lockhart wrote:

> So, we have a script or something that every time you create a directory in that secure directory, the script adds an .htaccess file, and the .htaccess file is used to enforce privacy, requiring a username and password to log in. I'm told that this should be secure enough to keep people from accessing the private area, and to prevent information from turning up on Google + etc.
>
> So my question is, is that correct? I have no webmaster experience, and very limited privacy/security experience, so I'm not setting that up, our network admin is, but I figured I'd get a second (third, fourth, fifth...) opinion.

HTTP Auth should be enough for a wiki. I don't know anything about your particular wiki, so consider the flaw of HTTP Auth for yourself. The session is handled entirely on the client-side (no specification for "logging off"). And the authentication can be passed in the URI/REFERER strings. A funky browser behavior could, in turn, send this kind of info to a foreign entity (google, etc).

But I may just be paranoid.

Tom
[LUAU] apache security question
We've got a web server running FC2 and Apache 2. I was asked to set up a private wiki area on that server, one that provided both username/password security for the wiki, and the same level of access for the directory.

So, we have a script or something that every time you create a directory in that secure directory, the script adds an .htaccess file, and the .htaccess file is used to enforce privacy, requiring a username and password to log in. I'm told that this should be secure enough to keep people from accessing the private area, and to prevent information from turning up on Google + etc.

So my question is, is that correct? I have no webmaster experience, and very limited privacy/security experience, so I'm not setting that up, our network admin is, but I figured I'd get a second (third, fourth, fifth...) opinion.

Thanks in advance,
-Charles
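Added example, not part of the thread: one way to audit the setup described above is to walk the private area and list every directory that has no login requirement, either in its own .htaccess or inherited from a parent directory's. The directory names, the AuthUserFile path and the sample tree are constructed for illustration, and the check assumes the server configuration honours .htaccess authentication directives (AllowOverride AuthConfig).

```python
import os
import re
import tempfile

AUTH_RE = re.compile(r"^\s*AuthType\s+\S+", re.I | re.M)
REQUIRE_RE = re.compile(r"^\s*Require\s+(valid-user|user|group)\b", re.I | re.M)

def requires_login(path):
    """True if the .htaccess at path sets AuthType and Require (comments ignored)."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            lines = [l for l in fh if not l.lstrip().startswith("#")]
    except OSError:
        return False
    text = "".join(lines)
    return bool(AUTH_RE.search(text) and REQUIRE_RE.search(text))

def unprotected_dirs(root):
    """Directories under root with no login rule of their own or inherited."""
    root = os.path.abspath(root)
    protected, exposed = {}, []
    for dirpath, _dirs, files in os.walk(root):  # top-down: parents come first
        own = ".htaccess" in files and requires_login(os.path.join(dirpath, ".htaccess"))
        # Apache applies a parent's .htaccess to every directory below it
        # (assumes AllowOverride AuthConfig is in effect for this tree).
        protected[dirpath] = own or protected.get(os.path.dirname(dirpath), False)
        if not protected[dirpath]:
            exposed.append(os.path.relpath(dirpath, root))
    return sorted(exposed)

def build_sample_tree():
    """Constructed sample tree (hypothetical names) in a temporary directory."""
    root = tempfile.mkdtemp()
    rule = ("AuthType Basic\nAuthName wiki\n"
            "AuthUserFile /etc/httpd/wiki.htpasswd\nRequire valid-user\n")
    for d in ("wiki/pages", "uploads", "drafts"):
        os.makedirs(os.path.join(root, d))
    with open(os.path.join(root, "wiki", ".htaccess"), "w") as fh:
        fh.write(rule)
    with open(os.path.join(root, "drafts", ".htaccess"), "w") as fh:
        fh.write("# AuthType Basic\n# Require valid-user\n")  # commented out
    return root

if __name__ == "__main__":
    print(unprotected_dirs(build_sample_tree()))
```

In the sample tree, wiki/pages is covered by the .htaccess in wiki, while the root, uploads and drafts (whose directives are commented out) are reported as exposed.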
Re: [LUAU] VMWare & SuSE 9.2
Thanks Michael,

I did the following last night,

cd /usr/src/linux
make clean
make mrproper
make cloneconfig
make prepare-all

and vmware could build the Kernel and works!

Rodney

Michael Bishop wrote:

> On Sun, 06 Feb 2005 20:55:31 -1000, "Rodney Kanno" <[EMAIL PROTECTED]> said:
>
> > Has anyone been successful in getting VMWare workstation 4.5.2 to work on a default installation of SuSE 9.2? I have installed the vmware rpm as well as make and gcc, but during the vmware-config.pl process, I get the following error message:
> >
> > make: Entering directory `/tmp/vmware-config1/vmmon-only'
> > make -C /usr/src/linux/include/.. SUBDIRS=$PWD SRCROOT=$PWD/. modules
> > make[1]: Entering directory `/usr/src/linux-2.6.8-24.10'
> > WARNING: Symbol version dump /usr/src/linux-2.6.8-24.10/Module.symvers is missing, modules will have CONFIG_MODVERSIONS disabled.
> > CC [M] /tmp/vmware-config1/vmmon-only/linux/driver.o
> > make[1]: Leaving directory `/usr/src/linux-2.6.8-24.10'
> > make: Leaving directory `/tmp/vmware-config1/vmmon-only'
> > Unable to build the vmmon module.
> >
> > Does anyone have an idea of what I am doing wrong and/or missing? Thanks!
>
> A quick search on google for "Symbol version dump" vmware, the 3rd link is to the Novell forum. Try the fixes in this thread...
>
> http://forums.novell.com/group/novell.support.suse.linux.enterprise-server/readerNoFrame.tpt/@[EMAIL PROTECTED]@[EMAIL PROTECTED]@S-,[EMAIL PROTECTED]/@[EMAIL PROTECTED]
>
> Good luck.
>
> Michael