Archive for the ‘Security’ Category

Zero day vulnerability in many WordPress themes

Mark Maunder announced a zero day vulnerability in many WordPress themes yesterday here on his blog.

If you use any third party WordPress themes, you should check your server for the presence of timthumb.php or thumb.php. It is reported that several theme marketplace websites host common legitimate themes that utilize this library.

The fix is to remove any allowed sites from the thumb.php or timthumb.php files as recommended below.

BEFORE:

$allowedSites = array (
	'flickr.com',
	'picasa.com',
	'blogger.com',
	'wordpress.com',
	'img.youtube.com',
	'upload.wikimedia.org',
	'photobucket.com',
);

AFTER:

$allowedSites = array ();

Please read the full technical details at Mark’s blog in the link above.
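One way to carry out the check above across a whole web root, as an added example that is neither TimThumb's code nor from Mark's advisory: it finds every timthumb.php / thumb.php and reports whether its $allowedSites array has been emptied. The function names and the sample theme files it builds are constructed for this illustration.

```shell
# Added example, not code from TimThumb or the advisory. audit_timthumb ROOT
# lists every timthumb.php / thumb.php under ROOT with EMPTY (fix applied),
# NONEMPTY (fix still needed) or UNKNOWN (no $allowedSites assignment found).
audit_timthumb() {
    find "$1" -type f \( -name timthumb.php -o -name thumb.php \) |
    while IFS= read -r f; do
        # From "$allowedSites = array" through the line holding ");" (may be one line).
        block=$(awk '/\$allowedSites[[:space:]]*=[[:space:]]*array/ {inblk=1}
                     inblk {print}
                     inblk && /\)[[:space:]]*;/ {exit}' "$f")
        if [ -z "$block" ]; then
            state=UNKNOWN
        # Any quoted string inside the parentheses means a site is still listed
        # (a quoted string in a comment trips this too, erring toward flagging).
        elif printf '%s\n' "$block" | grep -q "['\"][^'\"]*['\"]"; then
            state=NONEMPTY
        else
            state=EMPTY
        fi
        printf '%s %s\n' "$f" "$state"
    done
}

# Exit status 0 when at least one copy still carries an allow list.
timthumb_needs_fix() {
    audit_timthumb "$1" | grep -q ' NONEMPTY$'
}

# Constructed sample web root (not real theme files): one stale copy with the
# BEFORE array, one fixed copy with the AFTER array, one unrelated PHP file.
make_sample_webroot() {
    root=$(mktemp -d)
    mkdir -p "$root/themes/stale" "$root/themes/fixed" "$root/themes/other"
    cat > "$root/themes/stale/timthumb.php" <<'EOF'
<?php
$allowedSites = array (
    'flickr.com',
    'img.youtube.com',
);
EOF
    printf '<?php\n$allowedSites = array ();\n$cache = "./cache";\n' > "$root/themes/fixed/thumb.php"
    printf '<?php\n// not a TimThumb copy\n' > "$root/themes/other/index.php"
    printf '%s\n' "$root"
}

sample=$(make_sample_webroot)
audit_timthumb "$sample"
timthumb_needs_fix "$sample" && echo "stale TimThumb copies found under $sample"
rm -rf "$sample"
```

On a real server, point audit_timthumb at the document root (for example the wp-content/themes directory) and inspect every UNKNOWN line by hand, since a renamed or modified copy will not match the patterns here.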

Interesting post regarding password change frequency

In doing some research on Password Recovery in 6.5.x, I came across this comment on the Notes/Domino 6 and 7 Discussion forum.

“Most security experts now agree that forcing periodic password changes doesn’t increase security – it just makes users more likely to forget or write down their passwords. Unfortunately, most corporate IT departments haven’t caught on yet. ;)”

This was posted by Dave Kern on 26.Apr.06 at 02:31 PM.

Then someone asked him about that very statement in the next post, and here is his response.

Salted Hash, finally

Finally, after suggesting it be done months ago, I was able to implement salted hash for the Internet password field in our directory.

Check this technote for details and other related technotes:

http://www-1.ibm.com/support/docview.wss?rs=899&uid=swg21255244

This is configured in the Directory Profile (open the NAB, select Actions, Edit Directory Profile).
Set “Use More Secure Internet Passwords” to Yes.

This will be effective for any Internet passwords that are saved in the directory from that point forward.

You should also select each person document in the NAB and select Actions\Upgrade to more secure Internet Password.

Don’t ask why it took so long to enable this.
