For me, responsible open security practises should mean that as well as providing a quick response to security issues you provide enough detail about the issue to your users to allow them to make a judgement call about how important the upgrade is to them.  Do they need to do the upgrade immediately because the issue is easy to exploit or can it wait till the weekend when they have more time to ensure they have a backup and a plan for when the upgrade goes wrong.

The WordPress project tries to provide this information and we provide clear security release announcements on the development blog which is syndicated into everyones dashboard.  The habari project however seems to be happy with a release announcement which basically says – “Hey, you blog is vulnerable to some critical security issue but we fixed it for you upgrade now!“.

For example in the WordPress 2.6.2 announcement we have:

Stefan Esser recently warned developers of the dangers of SQL Column Truncation and the weakness of mt_rand().  With his help we worked around these problems and are now releasing WordPress 2.6.2.  If you allow open registration on your blog, you should definitely upgrade.  With open registration enabled, it is possible in WordPress versions 2.6.1 and earlier to craft a username such that it will allow resetting another user’s password to a randomly generated password.  The randomly generated password is not disclosed to the attacker, so this problem by itself is annoying but not a security exploit.  However, this attack coupled with a weakness in the random number seeding in mt_rand() could be used to predict the randomly generated password.  Stefan Esser will release details of the complete attack shortly.  The attack is difficult to accomplish,  but its mere possibility means we recommend upgrading to 2.6.2.

Comparing this to the recent habari annoucement:

The Habari Community announces the release of version 0.5.2. This version is a critical security update; all users of any version prior to 0.5.2 should upgrade at once. Additionally users of HEAD should also update to the latest revision.

Thanks are due to the entire community for identifying and patching this bug in a timely manner.

This isn’t very detailed and leaves me wondering – What was the issue? How serious was it? Is the issue such a bad example of security aware development that they don’t want to highlight how wrong they got things?

Don’t get me wrong, I am please that security matters for the habari project and I know the difficulties involved in developing secure software, I just feel that you need to be open with your issues to build trust with your users.

Update:  There is now a much clearer release announcement for habari v0.5.2.

Here is how to prepare:

1. Install Firefox (if you don’t have it already!)
2. Install firebug. This is the web debugging tool of choice.
3. Load up the relevant WordPress admin page that is not working for you.

Now to collect the information. First load up firebug for the current page by clicking on the icon in the status bar or using the Tools menu to select “Tools>Firebug>Open Firebug”.

Next you need to fill in the form that is causing you problems:

Now you can click on the form submission button and see the activity in the firebug console:

Next you can switch between the tabs to display the other information:

You can then copy this data out of the firebug windows by right clicking and selecting the appropriate copy option.

This information can then be provided either via the wp-testers mailing list or in the trac ticket you have created for your issue.

You can read the first one here: http://westi.wordpress.com/2007/09/30/wordpress-weekly-digest-24th-september-to-30th-september-2007/

Well it was about time to start running the my own code.

One of the new features that really sticks out after upgrade is the Plugin update notification – it lets you know when updates to plugins which are downloadable from http://wordpress.org/extend/plugins/ are available and includes a link to the plugin entry for you to download the update.

In his review he talks about the RSS feed support in IE7 beta 1:

One of the big things talked about in Internet Explorer 7 is its support for RSS feeds. Indeed, I found a couple already in the Favorites menu. So I decided to check out the IE Blog, and this is what I got. Obviously the RSS feed support still needs a lot of work, or at least a stylesheet. Hopefully this will develop further before release, or it will be pretty useless.

From: http://www.ioerror.us/2005/08/02/windows-vista-beta-1-review-and-screenshots-part-1/

In the screenshot he has on his site we see Internet Explorer displaying it’s standard pretty view of an XML file but not the nice view of the RSS we expected. I was suprised to see this as the test I had run of this feature against my sites RSS feed had worked ok as can be seen in the following screenshot.

Looking at the feed returned by the IE blog that ioerror tested with all looks well and so it seems that the detection algorithm is not quite perfected yet – you would have thought however that the IE team would have tested it against there own blog!

First impressions are that the new user interface is clean and with the introduction of tabs a great improvement. However it seems that they have thrown a few of the UI design rules out the window – for example normal Windows UI design has the menu bar at the top of the window – not two levels down beneath the address and tab bars.

Interestingly browsing to a new website brings up the “Microsoft Phishing Filter” which offers to check all the websites you visit to see if they are impersonating a trusted website. Also middle click to open in new tab is supported – working the same way as Firefox. .

Things are looking good for IE7 Beta 1 or Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; .NET CLR 1.1.4322)).

Since then I have investigated, discovered and fixed the problem.

Symptoms:

• All the SK2 plugins that use DNS in one form or another give positive karma to comments / trackbacks that are spam.
• When you look at the karma report the IP address returned by the RBL looks familiar – Its the IP address of your web server!
• Trackback checks find links to your site in the referrer but a manual check finds that the site doesn’t exist

Looking at what was going on, I was a tad confused – it seemed that the dns server was returning the local ip address if it couldn’t get a result – very strange – to start with I thought that maybe the dns proxy I was using was screwed so I disabled that but the problem still existed. Dragging out my favourite network analyser, tethereal, I watched what was going on when the dns lookups occurred and noticed the following:

1. The first dns request looked ok and got a failed response.
2. The second dns request had the localdomain name tacked on the end and got an successful response.

This got me thinking and I went and looked at the dns setup at my host – looking through the zone file I found and interesting entry that I didn’t remember adding:

* IN A 217.155.152.65

This catch-all dns entry meant that any lookup under ftwr.co.uk was going to resolve to the web servers IP address!

There are a number of ways to fix this issue, which in order of preference are:

1. Fix the code so that all dns lookups are specified with a “.” on the end, this means that the resolving library will not try adding the local domain on the end (I believe so anyway).
2. Remove the catch-all entry from your dns – whether or not you want to do this or not depends on why its there in the first place and whether you have control over it.

Ajax isn’t a technology. It’s really several technologies, each flourishing in its own right, coming together in powerful new ways. Ajax incorporates:

• standards-based presentation using XHTML and CSS;
• dynamic display and interaction using the Document Object Model;
• data interchange and manipulation using XML and XSLT;
• asynchronous data retrieval using XMLHttpRequest;
• and JavaScript binding everything together.

None of this is new technology, but rather the application of existing technology to provide a much better user experience to the user of a web application. Web applications are often see as poor second cousins to desktop applications in terms of user experience because of the continual slow round tripping to the web server to progress to the next step. “Ajax” as used by sites like Google’s gmail removes this poor user experience as the data for the next page is downloaded in the background while the user reads the current page.

This is a good approach for enhancing the user experience. However, the web developer must remember that a portion of his/her audience will come in with a browser that doesn’t support JavaScript or has JavaScript disabled and a JavaScript free site must be available for the end-user to get some use out of the site. The developer must also ensure that this new “Ajax enabled” site is also fully accessible so as to cater for all types of user.

“Ajax” enabling also leads to possible security issues as the new “Ajax enabled” pages will require a number of public accessible webservices to be written, these services may already exist and be being used by the current technology, for example PHP, ASP or Java , that is generating the plain XHTML+CSS pages. At present these webservices exist in a protected network zone and so may not have been written in as secure a manner – these services will now need reviewing for security problems and also the possibility that advanced users may try and access them directly to build there own pages – it is likely that direct access to the webservices is not expected and as such it may be wise to lock them down.

Another technology which springs to mind that is missing from the “Ajax” hit list is JSON (JavaScript Object Notation) which is a technology for describing the data passed between the JavaScript code in the browser and the webservice that is called using the XMLHttpRequest object. The major benefit of using JSON as the format for the request-response exchange over this link is that at the browser end the JavaScript code can just eval() it to get the objects as the message is JavaScript.