Archive for June, 2008

I'm a very lazy geek, of the funny kind who tries to automate each and every repetitive task, usually ending up spending more time coding the automation script than doing the job manually :)

However, today I wanted to install a Thunderbird add-on called Clippings for managing semi-canned responses (such as "Please read FAQ x.y" or "Thank you for your report, I'll investigate this issue and let you know ASAP") to the tons of always welcome support email inquiries I get.

Now, according to AMO, installing a Thunderbird add-on is quite a daunting task in my eyes:

How to Install in Thunderbird

  1. Right-click the link below and choose "Save Link As..." to download and save the file to your hard disk.
  2. In Mozilla Thunderbird, open Add-ons from the Tools menu.
  3. Click the Install button, and locate/select the file you downloaded and click "OK".

I don't know your tastes, but searching my filesystem(s) for a file I've just saved from a different application (especially when the file browser lacks auto-completion features) is one of the most tedious activities for me. I'd also hate leaving random XPI files here and there on my hard disk...

So I just rebelled and tried something slightly different:

  1. In Mozilla Thunderbird, open Add-ons from the Tools menu.
  2. From Mozilla Firefox, drag the "Download Now" link and drop it onto Mozilla Thunderbird's "Add-ons" window.

You know what? It worked just fine, with no filesystem round-trips!

As a bonus, something you may or may not know about installing Firefox add-ons from sites which are not on your installation whitelist (i.e. every site except AMO, by default).
When you try, you get a yellow warning saying installation is prevented, and a button to override the block.
But rather than clicking and being warned, you can just drag the install link and drop it onto your location awesome bar: this entirely skips the warning.
Quick, clean and safer* :)

* Notice: Firefox 3 features a significant improvement over Firefox 2: the notification bar contains an "Allow" button to permit just the current one-shot installation, rather than the old "Edit options" button to modify your whitelist permanently.

The mass SQL injection attacks we talked about in several posts, being mainly targeted at ASP sites running on Microsoft IIS and backed by Microsoft SQL Server, earned Microsoft lots of (quite undeserved) bad press.
Therefore the Microsoft Security Response Center felt the need to do something more than saying "blame developers for their poor coding practice", and asked the HP Web Security Research Group (formerly SPI Labs) to create a tool to help site owners identify their SQL injection holes.
So now, after one month of development, HP is announcing Scrawlr, the "SQL Injector and Crawler".

Scrawlr will crawl a website while simultaneously analyzing the parameters of each individual web page for SQL Injection vulnerabilities. [...] It can even provide proof positive results by displaying the type of backend database in use and a list of available table names. There is no denying you have SQL Injection when I can show you table names!

Scrawlr can be thought of as a free version of the professional scanners in HP's product portfolio, with some limitations that make it suitable for self-diagnosis of your site in the specific context of this kind of non-targeted mass attack, which usually injects URL query parameters from links rather than POST requests from forms. In fact, it

  • Will only crawl up to 1500 pages
  • Does not support sites requiring authentication
  • Does not perform Blind SQL injection
  • Cannot retrieve database contents
  • Does not support JavaScript or flash parsing
  • Will not test forms for SQL Injection (POST Parameters)

Scrawlr can be downloaded here.
Of course, once you've found your site is vulnerable (and if you're in doubt, it's 99% likely to be) you still need to plug your holes.
If you've got the budget for a professional code review and cleanup service, just ask :)
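To make concrete what such a scan is looking for and what "plugging the hole" means, here is an added example (not code from this post, from HP or from Scrawlr): a lookup keyed on a URL query parameter, first with the parameter concatenated into the SQL text, then with type validation plus a bound parameter. SQLite stands in for the SQL Server backend the post refers to, and the catalogue rows and test links are constructed.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed sample data: a product catalogue with one unpublished row
# that a visitor should never see.
PRODUCTS = [(1, "Widget", 1), (2, "Gadget", 1), (3, "Secret prototype", 0)]


def make_db():
    """Build an in-memory SQLite catalogue (stands in for the SQL Server
    backend behind the ASP sites the post refers to)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, published INTEGER)"
    )
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    return conn


def id_param(url):
    """Pull the 'id' query parameter out of a link, the way a crawler sees it."""
    return parse_qs(urlsplit(url).query).get("id", [""])[0]


def lookup_vulnerable(conn, url):
    """The hole a Scrawlr-style scan reports: the query parameter is pasted
    straight into the SQL text, so it can change the statement's logic."""
    sql = "SELECT name FROM products WHERE published = 1 AND id = " + id_param(url)
    return [row[0] for row in conn.execute(sql)]


def lookup_fixed(conn, url):
    """The plugged version: validate the type, then bind the value as a
    parameter so it is only ever compared, never parsed as SQL."""
    pid = id_param(url)
    if not pid.isdigit():
        return []  # reject anything that is not a plain integer id
    rows = conn.execute(
        "SELECT name FROM products WHERE published = 1 AND id = ?", (int(pid),)
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    normal = "http://shop.example/item.asp?id=1"
    crafted = "http://shop.example/item.asp?id=1%20OR%201=1"  # constructed test link
    print(lookup_vulnerable(db, normal))   # ['Widget']
    print(lookup_vulnerable(db, crafted))  # all three rows, unpublished one included
    print(lookup_fixed(db, crafted))       # []
```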

For xB Browser, for users running XeroBank, we've removed noscript and replaced it with SPP. That allows users to protect against cross-site scripting, and false certificates, without dealing with NoScript issues.

Does anybody know what this XeroBank guy is talking about?

SPP obviously can't stand for Site Pecurity Policy. It wouldn't make sense (spelling and grammar aside) because SSP is not meant to, and is not going to, replace NoScript anytime soon. The SSP we know does not allow "users to protect against" anything; it just allows compliant web sites to protect their own users (which is great, anyway).

So, any hint about this SPP supposed NoScript killer?

Although all the source code of Firefox is public and can be scrutinized during development at any time, a Tipping Point Security Advisory was announced right in the middle of the Firefox 3 download day.
An unlucky coincidence, of course: only a conspiracy theorist could suspect that the timing had been chosen in order to maximize the hype effect for the Zero Day Initiative.

However, Mozilla developers are working around the clock, and there's already a patch being privately tested. All the information publicly available so far is that this vulnerability allows a malicious web page to trigger the execution of arbitrary code on the client side, and affects Firefox 2, 3 and likely all the products based on the same rendering engine. Technical details and proof-of-concept exploits are being kept private by Tipping Point as well until the patch is shipped, therefore Mozilla users should be relatively safe: after all we can be 99.99% sure every browser out there is vulnerable to something; we just hope that the bad guys don't know the details yet.

I can add that, even in this case, NoScript users are the safest.
