
Latest Security and FUD

Filed under
Security
  • Userdir URLs like https://example.org/~username/ are dangerous

    I would like to point out a security problem with a classic variant of web space hosting. While this issue should be obvious to anyone who knows basic web security, I have never seen it discussed publicly.

    Some server operators allow every user on the system to have a personal web space: users place files in a directory (often ~/public_html) and the files appear on the host under a URL consisting of a tilde and their username (e.g. https://example.org/~username/). The Apache web server provides this function in the mod_userdir module. While the concept is rather old, it is still in use, often at universities and Linux distributions.

    From a web security perspective there is a very obvious problem with such setups, and it stems from the same-origin policy, a core principle of JavaScript security. While there are many subtleties to it, the key principle is that a piece of JavaScript running on one web host is isolated from other web hosts.

    To put this into a practical example: if you read your email in a web interface on example.com, a script running on example.org should not be able to read your mail, change your password or interfere in any other way with the application running on that different host. However, if an attacker can place a script on example.com, which is called a Cross-Site Scripting or XSS vulnerability, the attacker may be able to do all of that.

  • FOSSID and BearingPoint Enter Strategic Partnership Around Open Source Software Governance

    FOSSID, a leader in open source software compliance and security, and BearingPoint, a leader in open source management services, today announced their strategic partnership around free and open source software governance. After successfully cooperating in selected projects for more than two years, BearingPoint decided to choose FOSSID as its strategic provider of open source analysis tools. FOSSID’s technology provides high performance and accuracy in the code analysis services performed by BearingPoint.

    [...]

    BearingPoint’s modular FOSS services provide companies with streamlined processes and infrastructure to deploy, manage, and govern their software throughout the product lifecycle, helping them to manage open source compliance and security. BearingPoint’s FOSS analysis services provide a timely and confidential analysis of the customers’ code base, including comprehensive compliance and security reports for their business decisions.

  • 5 ways to secure your applications from open-source vulnerabilities [Ed: Interesting. Proprietary software programs/code have no vulnerabilities? This is only an Open Source thing?]
  • How to make open source success less of a crapshoot [Ed: Typical Asay]
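The userdir item above turns on one detail of the same-origin policy: an origin is scheme, host and port, and the path plays no part in it. The following script is an added example, not code from the original post or from Tux Machines; it groups a set of constructed URLs by origin to show that every ~username directory on one host, and any other application served from that host, land in the same origin, whereas a per-user hostname (the alice.users.example.org name below is a hypothetical illustration) does not.

```javascript
// Added example: how the same-origin policy groups URLs.
// An origin is scheme + host + port; the URL path is ignored, so all
// userdirs under one host share one origin with each other and with
// anything else served from that host.

// Origin of a URL as a browser computes it (default ports are omitted).
function originOf(urlString) {
  return new URL(urlString).origin; // e.g. "https://example.org"
}

// True when scripts at `a` and `b` run in the same origin, i.e. when the
// same-origin policy provides no isolation between them.
function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Group a list of URLs by origin; each group is one isolation boundary.
function groupByOrigin(urls) {
  const groups = {};
  for (const u of urls) {
    const o = originOf(u);
    if (!groups[o]) groups[o] = [];
    groups[o].push(u);
  }
  return groups;
}

// Constructed sample URLs (not from the original post).
const SAMPLE = {
  aliceUserdir:   "https://example.org/~alice/index.html",
  bobUserdir:     "https://example.org/~bob/app/",
  webmail:        "https://example.org/webmail/",        // another app, same host
  aliceSubdomain: "https://alice.users.example.org/",    // hypothetical per-user host
  otherHost:      "https://example.com/",
};

// Runs stand-alone under Node or in a browser console.
if (typeof require !== "undefined" && require.main === module) {
  console.log(groupByOrigin(Object.values(SAMPLE)));
  console.log("alice vs bob userdir, same origin:",
              sameOrigin(SAMPLE.aliceUserdir, SAMPLE.bobUserdir));
  console.log("alice userdir vs per-user host, same origin:",
              sameOrigin(SAMPLE.aliceUserdir, SAMPLE.aliceSubdomain));
}
```

The grouping is what makes the problem concrete: the two userdirs and the webmail path collapse into the single origin https://example.org, so a script placed in one user's directory runs with the same origin as everything else on that host, while URLs on distinct hostnames each form their own group. The URL class also normalises an explicit default port, so https://example.org:443/~alice/ is the same origin as https://example.org/~alice/.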

Container environments targeted by Kinsing malware attacks

  • Container environments targeted by Kinsing malware attacks

    Cybersecurity researchers at Aqua Security have identified a malware campaign that targets misconfigured open Docker Daemon API ports with thousands of attempts taking place daily. The researchers warn, “These are the highest numbers we’ve seen in some time, far exceeding what we have witnessed to date.”


More in Tux Machines

Qt Creator 4.12.2 released

We are happy to announce the release of Qt Creator 4.12.2! This release of Qt Creator supports Qt for MCUs 1.2 and fixes various smaller issues. The open source version is available on the Qt download page under "Qt Creator", and you find commercially licensed packages on the Qt Account Portal. Qt Creator 4.12.2 is also available as an update in the online installer. Please post issues in our bug tracker. You can also find us on IRC on #qt-creator on chat.freenode.net, and on the Qt Creator mailing list.

Ardour 6.0 Information

Our friends at Ardour have released Version 6.0, and we would like to offer them a huge congratulations! While the source code and their own builds were available on release day, many of you have been waiting for Ardour 6.0 to come to Ubuntu’s repositories. Today, that day came. Ardour 6.0 has landed in Ubuntu Groovy Gorilla (future 20.10) and will be on Ubuntu Studio’s daily spins of Groovy Gorilla within 24 hours of this writing. Unfortunately, it is not possible to backport Ardour 6.0 into Ubuntu 20.04 LTS, nor would we want to. This is because if we do, we might disrupt the workflow of people who are currently working with projects in 5.12 that are relying on its functionality and sound. Ardour 6.0 has an all-new Digital Sound Processor (DSP), and as such it may sound somewhat different.

Android Leftovers

Raspberry Pi 4: Chronicling the Desktop Experience – Dear Diary – Week 32

This is a weekly blog about the Raspberry Pi 4 (“RPI4”), the latest product in the popular Raspberry Pi range of computers. Before kicking off this week’s blog, there are a few recent interesting developments that caught my eye. The first one is merely a cosmetic change. The Raspberry Pi Foundation has decided to rename Raspbian to Raspberry Pi OS. Forgive me if I accidentally forget the name change. The real news is that a new model of the RPI4 has been launched. The major improvement offered by the new model: 8GB of RAM, wow! That’s an impressive chunk of memory on a tiny computer. This development doesn’t render the 32-bit operating system obsolete. After all, the 32-bit system allows multiple processes to share all 8GB of memory, subject to the restriction that no single process can use more than 3GB. But advanced users who need to map all 8GB into the address space of a single process need a 64-bit userland. Step forward the second exciting development — a new 64-bit Raspberry Pi OS. Unsurprisingly, it’s currently in beta.