There is a (relatively minor) stored XSS vulnerability in WP Photo Album Plus (WPPA) 5.4.5. WPPA maintains its own error log. When this error log is viewed through the web interface, its output is not sanitized. Regular users that have the ability to upload files to photo galleries can cause arbitrary data to be written to the log file. An easy way to demonstrate this is to upload a zip file containing a file named:
<img src="ff" onerror="alert('xss');">
When you try to import the contents of the zip file, it produces an error containing the malicious file name that is logged. Things aren’t escaped properly on the upload/import pages either, resulting in the js running after the import attempt. The lack of proper sanitization on these pages results in a reflected XSS vulnerability as well, but with double and single quotes escaped with backslashes, so you may need to fiddle with it a bit to get it to do something useful.
http://wptestbox1.dev/wordpress/wp-admin/admin.php?page=wppa_import_photos&zip=<img src="ff" onerror=alert(0);>.zip
If you want to manually start or stop a RAID consistency check in Linux it’s quite simple.
Starting a check on md0:
[email protected]:~# echo check > /sys/block/md0/md/sync_action
Stopping a check on md0:
[email protected]:~# echo idle > /sys/block/md0/md/sync_action
If you’re using Debian (or a Debian based distro, e.g. Ubuntu), there is a script to do this.
Just a real quick post on how to get progress updates from dd.
The dd command normally doesn’t display any progress updates when you run it.
In order to get dd to print out its current progress, send the USR1 signal to the dd process.
Step 1: Start dd.
[email protected]:~$ dd if=/dev/random of=outfile
Step 2: Get the PID (Process ID) of dd.
[email protected]:~$ ps a PID TTY STAT TIME COMMAND -- snip -- 9158 pts/30 S+ 0:00 dd if=/dev/random of=outfile 9187 pts/31 R+ 0:00 ps a
If you’ve ever tried to set up your own mail server, you know it can be a pain in the ass.
A lot of hosting companies offer free email forwarding and this may work fine for you, but if you want a separate mailbox (or several) you either need your own mail server or you need to get someone else to host it for you. Google used to offer free email hosting (i.e. gmail, but with your own domain name), but stopped offering this for free in 2012. Outlook (from Microsoft) stopped allowing new sign ups with your own domain name too.
Fortunately, Zoho offers free email hosting (and paid plans, of course). As of the time of writing, they offer free email hosting for 10 users, 5GB per user.
Have you ever wanted to mess around with a copy of Windows Server 2012, Exchange Server, SQL Server, or some other Microsoft product targeted at businesses?
You can download fully functional copies of Windows Server, Windows 7, Windows 8, Exchange, SQL Server, Office, and a shitload more for free from Microsoft’s own website.