Posted on 31 May 2010 by Demian Turner
- While You Slept, They Hacked #tcdisrupt – Watch the video, some interesting hacking projects
- Google i/o 2010 – GWT + Spring – This is one of the more impressive videos from this year's Google I/O event, here you can see how VMware (of all people) organised an effort to combine the predominant backend Java framework, Spring, with the leading frontend framework, GWT, and came up with quite a harmonious result – recommended watching
Posted on 25 January 2008 by Demian Turner
Well the title says it all, but I don’t think this is a reason for anyone to have a heart attack, aside from me but I’m recovered now 😉
Please download Seagull 0.6.4 which includes the small fix required to solve the file disclosure problem. 0.6.3 is no longer available.
As the release has only been out <24 hours I doubt there are many production sites running on the vulnerable code, but if you were svn updating a live site, a very bad practice by the way, then svn up again 😉
The problem: very simple, some recent code we introduced to merge, compress and cache CSS and js files was accepting arbitrary paths from GET – ouch. The checking is now much more stringent.
Thanks to the gentleman over at milw0rm.com who posted the flaw less than 24hrs after the release went out. While he didn’t inform me or anyone I know of, Google alerts notified me of his announcement. In my view this is open source (with a little help from Google) working at its best.
Finally, please note that the title of the exploit article is inaccurate, it claims versions <= 0.6.3 are affected, this is not true, the affected optimizer.php file was only introduced in 0.6.3.