A vulnerability in the TRUSTe seal verification service was demonstrated last week, showing how the service could have been exploited to make it look as though an unauthorised site had a valid TRUSTe seal.
A security researcher using the pseudonym "Antani Tapioco" discovered the problem, which stemmed from insufficient input validation on the TRUSTe seal validation page. Netcraft has reported the problem to TRUSTe and it has since been fixed.
Tapioco demonstrated how JavaScript could be injected into the page, causing a popup dialog box to display the message "Verified by haxors, LOL". Tapioco was further critical of the ease with which the flaw was found, saying that companies should spend money on code reviews and penetration tests to discover such problems before they become an issue.
Tapioco was able to execute JavaScript on the page by injecting an img tag with an invalid src parameter; because the image fails to load, the browser runs the JavaScript payload supplied in the tag's onerror handler. A flaw of this kind on a seal verification page has the potential to be very harmful: being able to inject arbitrary JavaScript lets an attacker remove all existing content from the page and replace it with their own, including a fabricated "verified" result for a site that holds no seal.
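The following is an added example, not TRUSTe's code or the researcher's payload. It models a seal-check page that reflects the requested site name into its HTML, shows an img/onerror payload of the kind described above taking effect in the unescaped version, and then two fixes a reviewer would expect: output encoding of the reflected value and an allowlist check on the input (which the page is said to have lacked). The page template, the payload string and the hostname rule are assumptions made for the example.

```javascript
// Added example: a reflected-XSS model of a seal-validation page (not TRUSTe's code).

// Constructed payload in the style the article describes: a broken image whose
// onerror handler runs attacker-supplied script.
const PAYLOAD = "<img src=x onerror=\"alert('Verified by haxors, LOL')\">";

// Vulnerable: the untrusted value is concatenated straight into the markup.
function renderSealPageVulnerable(site) {
  return `<html><body><p>Seal status for ${site}</p></body></html>`;
}

// Fix 1: HTML-escape the five significant characters before reflecting.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderSealPageSafe(site) {
  return `<html><body><p>Seal status for ${escapeHtml(site)}</p></body></html>`;
}

// Fix 2: reject anything that is not a plausible hostname before it is used at all.
// Assumed rule: dotted labels of letters, digits and hyphens, no leading/trailing hyphen.
function isValidHostname(s) {
  return /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)+$/i.test(s);
}

// Crude check used here to show the difference: does the output contain a tag
// carrying an on* event-handler attribute?
function containsEventHandlerTag(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

function demo() {
  return {
    vulnerableInjected: containsEventHandlerTag(renderSealPageVulnerable(PAYLOAD)), // true
    safeInjected: containsEventHandlerTag(renderSealPageSafe(PAYLOAD)),             // false
    payloadAccepted: isValidHostname(PAYLOAD),                                      // false
  };
}

console.log(demo());
```

Both fixes are needed: the allowlist stops the obvious payload, while the encoding protects against any value that slips through a later change to the validation rule.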
The explosion of spam blogs on Google's Blogspot hosting service is drawing a chorus of condemnation from prominent bloggers, and has led at least one blog search service to stop indexing posts on Blogspot. The growth of spam blogs has accelerated in recent months, fueled by automated tools that can create blogs on Blogspot and some similar services and populate them with keyword-optimized posts and Google AdSense advertisements.
About 39,000 fake blogs have been created on the web in the past two weeks, according to an analysis by Technorati, or about 4.6 percent of the 805,000 new weblogs created in that period. FightSplog, which has been monitoring new blogs at Blogspot, recently documented 2,763 porn splogs created by a single "splogger." Blogspot-based spam blogs recently began featuring names of prominent bloggers in posts, boosting the splogs' visibility in searches at web-based RSS aggregators like Feedster, PubSub and Bloglines.
The move prompted IceRocket to stop indexing new posts from Blogspot.com, according to a blunt post from Mark Cuban, a major investor in IceRocket. Cuban says Blogspot indexing will resume once filters are adjusted, but warned Google to fix the problem or face a permanent ban. Bloggers are also focusing their fire on Google, which has stepped up its splog-squashing efforts in recent weeks but still can't keep pace with the automated instasplogs. "If your motto truly is to do no evil, then you need to start putting some resources behind an effort to curb this train wreck," LockerGnome's Chris Pirillo advised Google.
www.georgewbush.com switches to self-hosted FreeBSD server, www.sun.com upgrades to Solaris 9, not 10
While response times have improved since the move to FreeBSD, www.georgewbush.com now simply redirects visitors to the Republican National Committee web site at www.gop.com. The redirect is tied to name-based virtual hosting, however: an HTTP 1.0 request, which carries no Host header, falls through to the server's default virtual host and is served the stock "Test Page for Apache Installation" instead of the redirect to www.gop.com.
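As an added illustration of that behaviour (example code, not the site's configuration or Netcraft's tooling), the dispatcher below routes a raw HTTP request on its Host header the way a name-based Apache setup does: a matching Host gets the redirect, a Host-less HTTP/1.0 request lands on the default virtual host and gets the test page, and a Host-less HTTP/1.1 request is refused outright, as the protocol requires. The hostnames, responses and probe strings are constructed for the example.

```javascript
// Added example: name-based virtual-host routing on a raw HTTP request (not the site's code).

const REDIRECT_TARGET = "http://www.gop.com/"; // assumed redirect target

// Parse the request line and headers of a raw HTTP request.
function parseRequest(raw) {
  const [head] = raw.split("\r\n\r\n");
  const lines = head.split("\r\n");
  const [method, target, version] = lines[0].split(" ");
  const headers = {};
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(":");
    if (idx > 0) headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return { method, target, version, headers };
}

// Virtual hosts keyed by hostname. "_default_" plays the role of the first
// configured vhost, which Apache serves when no Host header matches.
const VHOSTS = {
  "_default_": () => ({ status: 200, body: "Test Page for Apache Installation" }),
  "www.georgewbush.com": () => ({ status: 302, location: REDIRECT_TARGET, body: "" }),
};

function routeRequest(raw) {
  const req = parseRequest(raw);
  const host = req.headers["host"];
  // HTTP/1.1 requires Host; a missing one is a client error, not a fall-through.
  if (req.version === "HTTP/1.1" && host === undefined) {
    return { status: 400, body: "Bad Request: missing Host header" };
  }
  // Strip an explicit port (Host: example.com:80) and normalise case before matching.
  const name = host ? host.split(":")[0].toLowerCase() : null;
  const handler = (name && VHOSTS[name]) || VHOSTS["_default_"];
  return handler();
}

// The two probes: what a browser sends, and the Host-less HTTP/1.0 request the
// article describes. Constructed here, not captured from the real site.
const PROBE_HTTP11 = "GET / HTTP/1.1\r\nHost: www.georgewbush.com\r\n\r\n";
const PROBE_HTTP10 = "GET / HTTP/1.0\r\n\r\n";

console.log(routeRequest(PROBE_HTTP11)); // { status: 302, location: 'http://www.gop.com/', body: '' }
console.log(routeRequest(PROBE_HTTP10)); // { status: 200, body: 'Test Page for Apache Installation' }
```

The same probe against a live server is `curl --http1.0 -H 'Host:' http://<server>/`; the empty `Host:` value tells curl to omit the header rather than send its default. Whatever the default virtual host answers with is what every Host-less request sees, which is why a forgotten test page or an unrelated internal site on the same address is a common finding.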
www.georgewbush.com continues to block access based on geographical location. A dynamically updating chart of site performance for www.georgewbush.com is available here
Another notable change was observed on Sun Microsystems' web site at www.sun.com, which was upgraded from Solaris 8 to Solaris 9 on Nov 30. Sun's tardy approach to running the latest version of Solaris on www.sun.com (Solaris 10 was recently released) is in sharp contrast to Microsoft, which ran www.microsoft.com on Windows 2003 for months ahead of its launch.
Linux enthusiasts are not alone in finding their "World" running on Microsoft software, as the Mac World Expo is also hosted on Windows Server 2003.