Picasa is really nice, but it has a limit of 100 Mb which is really small.

Gallery 2, last time i checked, was a lot-of-stuff-in-one-place-with-difficult-and-crappy-code-inside kind of project. I’ll take a look if it got better recently.

P.S. Perl/php/c/c++ prefered. Java/Ruby/python isn’t prefered either (could be the client part, but not the server part).

It’s a MacBook! Yes, yes, a MacBook.

It’s a white 13″, 2.4 GHz Core 2 Duo with 2 GB of RAM, 160 GB SATA 5.4k rpm’s, a 8x superdrive and Intel GMA x3100 144 MB video card.

Almost everybody who i’ve told that i bought a Mac asked me what OS will i be using…

Mostly, i use FreeBSD (yes, on desktop/laptop), but this time i’m trying to stick to Mac OS. It’s quite nice, stable, and almost usable… although there are still some little things i have to get used to.

If i won’t like it, i’ll try get back to FreeBSD, but so far i’m liking it.

Oh, and also, now when i have a new laptop – maybe i’ll be writing more posts to my blog (famous last words).

Ok, ok, just joking. But the banner is really funny.

Today they had a major bug on their website – the webmaster must have done a s/t//g over the main website, resulting in all t‘s disappearing on the website, which resulted in css and javascript not displaying at all.

They fixed it in about 2 hours. Quite long for _such_ a company. But hey, shit happens to everybody! So i’m not blaming them…

And now, the same day, security advisory for Cisco with 12 (yes, TWELVE!!!!) security vulnerabilities for cisco IOS’es.

WHAT THE ******?!

I mean, really… Cisco, what happened with you?!

In the morning, when she asked me to look when her bus leaves, i have powered up my notebook…and…. nothing…

What the f*ck?!?!!

I can hear the hard drive do some stuff, i can hear the fans, i can feel the heat coming, but there’s nothing on the display.

After a minute or two i hear BIOS screaming BEEEEEEEEEEEEEEEEEEEP, BEEP BEEP….. Woops … something IS wrong.

I’ve taken my girlfriend to the bus station, and went to google for BIOS beep codes. The first match told me – 1 long beep and 2 short beeps is video/monitor problem, in the second place is the dram problem, third place – motherboard problem.

Fuck. I don’t have any tools to open up my notebook at home, but even if i had, i don’t know what i can do with it as it is 99% a hardware problem, and i suck at hardware.

Now i have to use my workstation which i don’t usually use as i don’t have a comfortable table and chair.

I’ll try taking the notebook to my work on monday to see if the local guys can help me out somehow, but if not …. uff… R.I.P my sweet notebook

P.S. Maybe anyone has any ideas about this problem and how i can fix it?

A few days ago, some guy in #wordpress @freenode mentioned a WordPress Automatic Upgrade plugin – so i thought i’ll give it a try and update my blog using it.

Downloading and installing the plugin was easy ( as it always is ). The plugin offered me to upgrade my wordpress install from 2.6.0 to 2.6.1 – i’ve agreed.

WPAU (WordPress Automatic Upgrade) backuped the files and database, and offered me to download it – good.

Then it downloaded the update, put the website into maintenance mode, disabled all plugins, upgraded the install, and re-activated the plugins.

The update went smooth. Everything works! WPAU also offered to remove the backups – and, from my personal experience, i know that not everybody chooses to remove the backups. That’s where the problem starts…

WPAU generates a random file name for backups in wpau-backup directory – that’s fine. But if you have directory indexing turned on ( default in most of the places ) – everyone who will go to your blog’s wpau-backup directory will see the backup files, and will be able to download them! That’s bad.

Now, what’s in the backups ? Backups have your blog’s root directory with all kind of stuff, but most interesting is wp-config.php … which has your MySQL’s database password inside …

As most sites have phpMyAdmin available for maintenance – you can use that stuff to create new wordpress user with admin privileges, change the admins password/email, change the content of the blog – in other words, almost anything.

If the site doesn’t have phpMyAdmin or remote MySQL access – you will get the database backup, with all the useful information inside, all the password-protected posts and etc.

Next thing, if you do have directory indexes OFF – then there’s another problem – WPAU leaves a file behind it with lots of useful information, and the file is accessible to everybody. Filename won’t be published here, but it’s not a big deal to find out which file it is.

That file has plenty of nice useful information:

• file system paths to your blog installation
• file list in your blog directory
• ful list of enabled WordPress plugins
• path to the random file name having your WordPress backups!

So, even if You have indexing turned off – full url to your backups is available to everybody.

So, the minimum information disclosure WPAU does is paths to your blog installation, maximum – full access to your database or even ftp account.

So, for a PoC let’s see what information does WPAU authors home page give out.

So, the full path to the blog is: /home/.anubis/keithdsouza/techie-buzz.com

The full list of activated plugins follows:

404-notifier/404-notifier.php
MyAvatars/myavatars.php
ST_AddRelated2Feed.php
adsense-injection.php
akismet/akismet.php
all-in-one-seo-pack/all_in_one_seo_pack.php
better-comments-manager/better-comments-manager.php
better-tags-manager/better-tags-manager.php
brianslatestcomments.php
briansthreadedcomments.php
cforms/cforms.php
comment-relish.php
diggthis1.1.3.php
download-counter.php
easygravatars/easygravatars.php
feedburner_feedsmith_plugin_2.2/FeedBurner_FeedSmith_Plugin.php
full-text-feed/full_feed.php
future_calendar.php
google-analyticator/google-analyticator.php
google-sitemap-generator/sitemap.php
increase-sociability/increase-sociability.php
kb-robotstxt/kb-robots-txt.php
kontera/kontera.php
live-comment-preview/live-comment-preview.php
loginlockdown/loginlockdown.php
math-comment-spam-protection/math-comment-spam-protection.php
mydashboard/mydashboard.php
no-self-ping/no-self-pings.php
notify-unconfirmed-subscribers/notify-unconfirmed-subscribers.php
ozh-better-feed/wp_ozh_betterfeed.php
plugin-central/plugin-central.php
pmetrics-wordpress.php
popularity-contest/popularity-contest.php
psychic-search/psychic-search.php
recent-posts/recent-posts.php
related-posts.php
runPHP/runPHP.php
seo-title-tag/seo-title-tag.php
show_top_commentators.php
simple-forum/sf-control.php
sitemap-generator/sitemap-generator.php
srg_clean_archives.php
stats/stats.php
subscribe-to-comments/subscribe-to-comments.php
subscriber-gadget.php
techie-social/techie-social.php
technorati-rank/technorati-rank.php
top10.php
tpbc.php
what_would_seth_godin_do.php
wp-admin-fluency/wp-admin-fluency.php
wp-cache/wp-cache.php
wp-contact-form/wp-contactform.php
wp-db-backup/wp-db-backup.php
wp-page-numbers/wp-page-numbers.php
wp-reinvigorate.php
wp-subscribed.php

The random filename for database backup is: wpau-db-backupHmttozkA.zip

The random filename for files backup is: wpau-files-bak-wfxtiEGj.zip

Although, the file doesn’t exist (it was cleaned up), but if it would  exist and directory indexing would be off – you could download the database backup directly.

Tried to use this stuff on a few blogs and 30% of them didn’t have the backup files removed, and i could download them using the random file name i’ve got from wpau’s leftover files.

The author of the plugin was informed about this on 2008-08-18.

This was fixed on 2008-08-21 with WordPress Automatic Upgrade 1.2.2

So, I want to congratulate all the geeks on the internet and wish you a good sysadmin day!

For everybody else – if you have a sysadmin friend – congratulate him! Even better, buy him a gift, a beer, a new 23″ LCD display or anything like that!

If not sysadmins, then you wouldn’t be reading this blog at all, if not sysadmins – you couldn’t make a phone call, if not sysadmins – you wouldn’t be able to do most of the things that “just work” for you.

If not sysadmins – there wouldn’t be any internet or any network at all!

So, go run to the nearest shop, buy a six-pack and go congratulate your sysadmin

Oh, and by the way, the lithuanian sysadmin day contest is over, and the winner is already known (but it’s not published yet), but i want to congratulate him and thank all the other sysadmins who took a part in this contest – it was a pleasure to look how you guys dealt with all the tasks, and was a bit sad to know that 3 or 4 out of 16 tasks weren’t completed at all

Those tasks were really hard, though. So, that’s not a big problem that nobody completed them, don’t cry!

The tasks where just uploaded to the website and people can already view it here.

I’m one of the guys who get the answers to all the tasks and rate them, so i’m very interested in how will people do them! The tasks are really interesting, and i really wouldn’t like if somebody would cheat. It’s all about the process, not about the result!

So, anyway, have a nice game guys!

Hostex, one of Lithuania’s biggest hosting and data-center companies, announced the already annual sysadminday contest (3rd year in a row).

System administrators all over Lithuania are welcome to join this contest. It will start on Wednesday (July 23th), at 10:00 am. The tasks and questions will be published on the website (sysadminday.lt). People will have 34 hours to complete the tasks.

Each task gives some points, and only the first submitted answer is correct. The first person who submits an answer for some of the tasks gets more points. So, you have to be correct and fast too!

The winner of the contest is a person who gets most points and will get a 2500 litas worth trip to any country he wishes. There will be prizes for some specific tasks too, but that information isn’t published yet.

Also, everyone who will register for the event (and atleast try to solve some tasks) will be invited to a party which will take place on Friday, July 25th ( the sysadminday itself ) in some local Vilnius club. I wonder if beer will be free out there?

Also, i am one of the few guys who creates the tasks. And, what can i say – few of them i like very much, few of them i don’t, but it still will be really great. If you’re a sysadmin, a dba, a network admin or any other admin from Lithuania – register for event, it’ll be great (and you won’t loose anything if you won’t solve any tasks)!

P.S. you can find tasks from the last sysadminday 2007 contest here just to get an idea of how it looks.

In time period of one week ( since July 9th till July 15th ) anyone could try and hack pigu.lt, and wouldn’t be sued for that (if he won’t make any real damage).

For anyone who could successfully exploit their website, pigu.lt team would give you 1024 piguLitas ( about 500$ ) discount in their e-shop.

Sadly enough, i only got to know about this on July 15th night ;(

Because the time period was over already, i only tried to look at their web page ‘softly’. After a hour or so of browsing i’ve found a few non-critical bugs. When i contacted their team in the morning, the bugs were already fixed! They checked the logs and saw my actions and fixed them, great job guys!

Anyway, the biggest hole which was found was a 3rd party support app. Staff has left the installation files in the default place, and the attacker used them to re-install the app again (but used his own database). That way, their support page was compromised, but clients information wasn’t leaked.

The winner of the contest was DI security, some local lithuanian team (never heard of them). You can read about the contest results more here (lt).

Oh, and by the way, pigu.lt team gave me a 100 piguLitas discount for the non-critical bugs i found, thanks guys!