Archive for the ‘mysql’ Category

Updates to Twiike (v.0.2) – Twitter your Nike+ runs!

October 7, 2008

Just pushed an update to Twiike (figured why not make an update the same time Twitter was doing theirs).

Enhancements in this release:

  • Made signup 1-step using your Nike+ login.  This removes the need to use the “Share with friend” link from within Nike+.
  • Added pulldown menu to set default distance metric (km/mi) on your Twitter settings. This is now used for any runs published.  It’s initially set based on your Nike+ user preferences.
  • Added the user tweets to the Twiike timeline to drive additional traffic for Twiike users
  • Added retrieve your password (which is set to your Nike+ password when you sign up).
  • Added ajax progress bars to all functions that require the server to respond so users don’t think the site is not doing anything

Please keep it coming with the suggestions.  I received a ton today and would love to know how to keep making it better for users.

Post your Nike+ Runs on Twitter (Nike Plus)

October 4, 2008

Over the last couple weeks I’ve been getting more and more into running again.  While I don’t have the gumption to go run on streets since breaking my foot, I have been hoofing it on the treadmill at least 3-4 times a week.  The challenge has been that I love to update my Twitter and Facebook pages with my status and wanted a simple way to NOT have to update my runs by hand.  So today I’m releasing a VERY alpha version of what I’m calling Twiike (Twitter+Nike).  What it does is watch for me to sync my iPod after runs and posts those runs to Twitter (which I also have wired to update my Facebook status via the Twitter Facebook app).

It’s SUPER easy to use.  Basically login to your Nike+ account, click ‘Share with Friends’ in the upper right corner of the run, click ‘Send to a friend,’ enter ‘nikeplus@twiike.com’ in the email address field and click the ‘Send it’ button.  You’ll get a welcome mail that will link you to login and enter your Twitter account (or set one up if you don’t have one yet) and VOILA!  Twiike will auto post to Twitter every time you sync after a run.

I’d love feedback on what people like, what people think sucks, and where it can be improved or enhanced.

Click here to try it out.

Here’s what it looks like on Twitter

Right-click menus for redesigned Facebook using Firefox!

August 13, 2008

With the recent redesign of Facebook, I’ve been getting questions regarding whether the add-on for Firefox is compatible with the newly redesigned version of Facebook.  After confirming over the last couple weeks with some of the ~500 daily users and the 2,000+ downloaders who have shared emails, the current version of UltimateFacebook is not only fully compatible with Firefox 3 (and naturally Firefox 2), but also with the newly redesigned version of Facebook.  Install it by clicking here.

The add-on enables you to right-click any Facebook user and:

  • write on their wall
  • send them a message
  • poke them
  • add them to your friends
  • view their friends
  • see a thumbnail of them by rolling over their name in a news feed, photo gallery, etc
  • see how you connect to them
  • tag them
  • bookmark them – a.k.a ‘save them as a crush’ (invisibly — kept private)

UltimateFacebook added to Softpedia and certified 100% Clean of Spyware, Adware and Viruses!

August 5, 2008

Woot!  Got an email from the folks at Softpedia!  They’ve just added and reviewed UltimateFacebook, the Mozilla Firefox add-on that makes using Facebook easier and more fun.  It’s been certified to be 100% Clean of spyware, adware and viruses.  Very cool.  With several thousand people now using the add-on, it’s cool to see the social graph grow from my graph of 200 or so friends in May to nearly 900,000 Facebook users in the graph today.

Here are the links

http://mac.softpedia.com/get/Internet-Utilities/UltimateFacebook.shtml

http://mac.softpedia.com/progClean/UltimateFacebook-Clean-38864.html

http://apps.new.facebook.com/ultimatefacebook/

Injection attack vulnerability in phpMyAdmin w/ fix

November 12, 2007


Over the last several weeks Jason Lidow of DigiTrust Group and I have been chatting back-and-forth about a number of vulnerabilities he and his team have been finding in open-source packages using MySQL and PHP. In particular, his DigiTrust Group guys have been uncovering a gaggle of exposures in phpMyAdmin, the most widely used control panel for managing MySQL from virtual hosts (I use it on more than a couple of my web apps).

Over the weekend, Jason sent over an issue that piqued my interest. It details potential injection attacks in phpMyAdmin. I hate these things. They’re dirty, and I don’t mean in the good way. The attack described would let normal users take over administrators’ accounts.

This one in particular is more evil than others I’ve come across as it’s a one-time action with an evergreen effect.

The phpMyAdmin folks have developed a patch/fix for the exposure, which is now available at http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2007-7.

The super-geeky report of the vulnerability is available here:
http://www.digitrustgroup.com/advisories/tdg-advisory071108a.html.

To read more about Jason’s crack team go here http://www.digitrustgroup.com. These guys are probably the best I’ve seen at what they do (they actually scare me a little). DigiTrust Group has, over the last several years, turned from a few wunderkind genius hacker types to a serious consulting org that works for everyone from Fortune 1000s to small and medium-sized companies as they grow and need help finding potential IP and infrastructure exposures.

What’s an injection attack?

The kind of XSS vulnerability at issue here, type 2, is also referred to as a stored, persistent or second-order vulnerability, and it allows the most powerful kinds of attacks. It is frequently referred to as HTML injection. A type 2 XSS vulnerability exists when data provided to a web application by a user is first stored persistently on the server (in a database, filesystem, or other location), and later displayed to users in a web page without being encoded using HTML entities. A classic example of this is with online message boards, where users are allowed to post HTML-formatted messages for other users to read.

These vulnerabilities are usually more significant than other types because an attacker only needs to inject the script once. A single stored payload could potentially hit a large number of other users with little need for social engineering, or the web application could even be infected by a cross-site scripting virus.

The methods of injection can vary a great deal, and an attacker may not need to use the web application itself to exploit such a hole. Any data received by the web application (via email, system logs, etc.) that can be controlled by an attacker must be encoded prior to re-display in a dynamic page; otherwise an XSS vulnerability of this type could result.
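To make the message-board example concrete, here is an added illustration (my own, not phpMyAdmin’s code or anything from the DigiTrust advisory) in Python standing in for PHP: the same stored row is rendered once without encoding and once with HTML-entity encoding applied to every field at output time, whichever channel the data arrived through. The in-memory store, the message contents and the helper names are all constructed for this example.

```python
import html
from typing import Dict, List

# Constructed in-memory store standing in for the database table a message
# board would use; nothing here is taken from phpMyAdmin.
MESSAGES: List[Dict[str, str]] = []


def store_message(author: str, body: str, origin: str = "web") -> None:
    """Persist the message exactly as received. Storing it unchanged is fine;
    the defect described in the post is what happens at display time."""
    MESSAGES.append({"author": author, "body": body, "origin": origin})


def render_unsafe(msg: Dict[str, str]) -> str:
    """Vulnerable pattern: stored fields are pasted into HTML unencoded, so
    markup stored once runs for every reader of the page (the evergreen effect)."""
    return (f'<div class="post"><b>{msg["author"]}</b> '
            f'[{msg["origin"]}]: {msg["body"]}</div>')


def render_safe(msg: Dict[str, str]) -> str:
    """Hardened form: every field is HTML-entity encoded on output, whether it
    came from the web form, an email gateway or a log file."""
    esc = {k: html.escape(v, quote=True) for k, v in msg.items()}
    return (f'<div class="post"><b>{esc["author"]}</b> '
            f'[{esc["origin"]}]: {esc["body"]}</div>')


def render_board(safe: bool) -> str:
    """Render every stored message with the chosen renderer."""
    renderer = render_safe if safe else render_unsafe
    return "\n".join(renderer(m) for m in MESSAGES)


def stored_rows_with_markup() -> List[int]:
    """Retrospective check for an existing store: indexes of rows whose author
    or body already contains '<' or '>', i.e. candidates for review."""
    return [i for i, m in enumerate(MESSAGES)
            if any(c in m["author"] + m["body"] for c in "<>")]


# Constructed sample data: one ordinary post from the web form and one that
# arrived via a non-web channel, the case the post warns about.
store_message("alice", "Anyone running phpMyAdmin 2.11?")
store_message("mallory", '<script>alert("pwned")</script>', origin="email")

if __name__ == "__main__":
    print(render_board(safe=False))
    print(render_board(safe=True))
```

Running it prints the board twice: the first copy carries a live script tag for every viewer, the second shows the same text as inert entities.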