
Sunday, September 28, 2014

Shellshock, Exploiting Bash Vulnerability Through Apache CGI

You may have read about it elsewhere already, yet I insist on tackling this one head on.
The story: a Bash vulnerability has been reported as CVE-2014-6271 and later as CVE-2014-7169 (the first fix being incomplete). It allows arbitrary code execution when the content of an environment variable is parsed by Bash, which happens routinely in shell scripts. If the content of the variable comes from user input, this gives the user a way to execute arbitrary code with the local rights of the process running the script.

One way this can be exploited is via Apache CGI (or nginx CGI). Exploitation of these in the wild has been confirmed, so this is no unnecessary crying wolf. CGI exports request headers such as Host or User-Agent as environment variables; when the CGI script is Bash (or invokes it), Bash parses them, and a crafted header yields arbitrary code execution with the rights of the web server daemon itself. I succeeded in exploiting it for audit purposes, which shows there is no need to be a lifelong expert to proceed.

Although exploits of this vulnerability have reportedly been spotted only through Apache/nginx CGI, there could very well be other exploits against any server that uses Bash to parse user input, which means virtually any server under Unix/Linux (think: Apache without CGI, cups, postfix, databases...).

The following command, run from a Bash shell on the server, lets you know whether the server is vulnerable: if it prints the word "vulnerable", the patch is missing. Unless you did something specific in the last few days, it is highly unlikely that your server is not vulnerable.

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

So, I strongly recommend patching Bash itself. If you cannot patch or must delay the patch, making sure no CGI scripts are exposed, or disabling CGI altogether, is a temporary workaround.
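Since CGI hands request headers to Bash as environment variables, the tell-tale sign of an attempt is the exported-function prefix "() {" inside a header field of the access log. As an added example (not from the original post), here is a small POSIX shell check that runs over Apache combined-format log lines; the log lines, addresses and payloads are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed sample of Apache "combined" log lines (not real traffic).
# Fields: client - - [date] "request" status bytes "Referer" "User-Agent"
SAMPLE_LOG='192.0.2.10 - - [28/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.11 - - [28/Sep/2014:10:01:05 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "() { :;}; echo scanned"
192.0.2.12 - - [28/Sep/2014:10:01:09 +0000] "GET /index.html HTTP/1.1" 200 4096 "(){ :;}; /bin/true" "curl/7.30"
192.0.2.13 - - [28/Sep/2014:10:02:00 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 404 200 "-" "Wget/1.15"'

# Basic regex for the Bash exported-function prefix: "()" followed by
# optional whitespace and "{". Referer and User-Agent become the
# HTTP_REFERER and HTTP_USER_AGENT variables once a CGI request reaches Bash,
# so the prefix in either field is what the vulnerable parser would act on.
SHELLSHOCK_RE='()[[:space:]]*{'

# Print every log line (read from stdin) whose header fields carry the prefix.
shellshock_hits() {
    grep -e "$SHELLSHOCK_RE"
}

# Count matching lines; prints 0 when the input is clean
# (grep -c exits 1 with no match, hence the "|| true").
shellshock_count() {
    n=$(grep -c -e "$SHELLSHOCK_RE" || true)
    echo "${n:-0}"
}

# Distinct client addresses that sent such requests, one per line.
shellshock_sources() {
    shellshock_hits | awk '{print $1}' | sort -u
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | shellshock_sources
```

On a real server, pipe the access log in instead of the sample (for instance `shellshock_sources < /var/log/apache2/access.log`); a non-zero count after the patch date is still worth reviewing, since it shows who is probing.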

Friday, August 30, 2013

Spending Time on Klout Increases Your Klout Score!

Observation: the more time I spend on Klout, the more my score rises.
No miracle recipe: it is not because I spend time on Klout that my score goes up; the observation nonetheless holds. The more time I spend on Klout, the more my score rises, for two reasons that apply equally to all social networks (online or not, for that matter):
  1. If I take an interest in it and invest my time in it, the investment ends up paying off. By frequenting the network, I eventually come to understand what works well there. Put another way, the network is an investment; one cannot expect a return without contributing. (Correlation does not imply causation, yet it does mean correlation.)
  2. For Klout as for the other social networks, you have to establish a discipline. A small investment of time every week pays more than one big one-off event. Likewise, the Klout score rises more through gradual investment than through spectacular actions.

Tuesday, October 9, 2012

Free Dynamic DNS Providers

A friend sent me a comparative list of free Dynamic DNS providers. As a reminder, dynamic DNS is the mechanism that allows someone with a dynamic IP (virtually everyone at home) to get a domain name that always points at the current IP.
This list compares the common Dynamic DNS providers like no-ip.com or dyndns.com and many others.

Wednesday, October 3, 2012

Please Don't Break Tabbed Browsing and Browsing History!

Tabbed browsing, the ability to browse websites in multiple tabs at the same time, is now taken for granted. Yet it can be broken when ill-designed websites try to mess with it.

Basically, when you click a link, the address of the link gets copied into the address bar of the browser and you access that address. If you open the link in a new tab (middle button on the mouse, usually), the address gets copied to the address bar of the new tab. Pretty simple, huh?

But some sites add scripts that tell your browser where to go when the link is clicked, instead of letting the browser follow the link normally. So they interfere with the regular work of the browser. Three kinds of bugs can then be encountered:
  1. The link opens both in the current tab and the new tab.
  2. The new tab opens but the linked page doesn't show in it.
  3. The browsing history gets broken, preventing you from correctly returning to the previous page.
So, here is my point:

STOP MESSING WITH LINKS!
STOP MESSING WITH BROWSING HISTORIES!
Just let users open what they want where they see fit.

Example:
Viadeo, a French LinkedIn-like network, is doing it. If you middle-click a link, it opens both in the current tab and in the new tab. Thank you developers! Let me add that this is particularly inadvisable for a social network, where the most valuable users are very experienced and open dozens of tabs at once.