Piwigo and security

PIWIGO

Security reports:

Piwigo Blind SQL Injection Vulnerabilities

8 May. 2015

SQL injection vulnerability in the rate_picture function in include/functions_rate.inc.php in Piwigo before 2.5.5, 2.6.x before 2.6.4, and 2.7.x before 2.7.2 allows remote attackers to execute arbitrary SQL commands via the rate parameter to picture.php, related to an improper data type in a comparison of a non-numeric value that begins with a digit.

Vulnerable Systems:
* Piwigo before 2.5.5, 2.6.x before 2.6.4, and 2.7.x before 2.7.2

Immune Systems:
* Piwigo after 2.7.2

This bug was found using the portal without authentication. To exploit the vulnerability it is only necessary to use version 1.0 of the HTTP protocol to interact with the application. It is possible to inject SQL code in the variable "rate" on the page "picture.php".
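As an added example (not Piwigo's own code), the validation pattern the advisory describes: a loose in_array() check that lets a non-numeric value beginning with a digit through, beside a strict check that rejects it before the value can reach a query. The $allowed_rates list, the two function names and the PHP 7 semantics are assumptions made for the example.

```php
<?php
// Added example, not Piwigo's code. The advisory says the rate parameter was compared
// with an improper data type, so a non-numeric value that begins with a digit passed the
// check. Under PHP 7 (assumed here, the PHP line of the Piwigo 2.7 era) a loose comparison
// such as "2 extra" == 2 is true, because the string is reduced to its leading number.

// Allowed rating values; constructed to resemble a gallery's rate_items setting.
$allowed_rates = [0, 1, 2, 3, 4, 5];

// Weak check: in_array() without the strict flag compares with ==, so any string whose
// leading digits equal an allowed value is accepted, whatever follows the digits. If
// $rate is then interpolated into SQL, the trailing text reaches the database.
function rate_is_valid_loose($rate, array $allowed): bool
{
    return in_array($rate, $allowed);
}

// Hardened check: accept only an unsigned integer string, cast it once, and compare
// with strict typing. Any input containing non-digit characters is rejected.
function rate_is_valid_strict($rate, array $allowed): bool
{
    if (is_int($rate)) {
        return in_array($rate, $allowed, true);
    }
    // ctype_digit() is only meaningful for strings: "2" passes, "2 extra" and "2.0" do not.
    if (!is_string($rate) || !ctype_digit($rate)) {
        return false;
    }
    return in_array((int) $rate, $allowed, true);
}

// Constructed inputs: a legitimate rating and a non-numeric value that begins with a digit.
foreach (['2', '2 extra'] as $input) {
    printf("%-10s loose=%s strict=%s\n",
        var_export($input, true),
        rate_is_valid_loose($input, $allowed_rates) ? 'accepted' : 'rejected',
        rate_is_valid_strict($input, $allowed_rates) ? 'accepted' : 'rejected');
}
// PHP 8 changed loose comparison so that "2 extra" == 2 is false; the strict check
// does not rely on that change and is the right fix on any version.
```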

CVE Information:
CVE-2014-9115

Disclosure Timeline:
Original release date: 12/23/2014
Last revised: 12/23/2014

http://www.securiteam.com/securitynews/5PP2V2AFQA.html


Piwigo LocalFiles Editor Plug-in Cross-Site Request Forgery Vulnerability

https://tools.cisco.com/security/center/viewAlert.x?alertId=31407

Version Summary: Piwigo LocalFiles Editor plug-in contains a vulnerability that could allow an unauthenticated, remote attacker to conduct cross-site request forgery attacks on a targeted system. Updates are unavailable.
Description
A vulnerability in the LocalFiles Editor plug-in of Piwigo versions prior to 2.4.7 could allow an unauthenticated, remote attacker to conduct cross-site request forgery (CSRF) attacks.

The vulnerability is due to improper validation of certain user-supplied HTTP requests by the /admin.php script. An attacker could exploit this vulnerability by convincing an authenticated administrative user to follow a malicious URL. When processed, the URL could allow the attacker to hijack the authentication of the administrator and could create arbitrary PHP files on the remote server. Successful exploitation could allow the attacker to conduct further attacks.

Proof-of-concept code that demonstrates an exploit of this vulnerability is publicly available.

Administrators are advised to implement an intrusion prevention system (IPS) or intrusion detection system (IDS) to help detect and prevent attacks that attempt to exploit this vulnerability.

For additional information about CSRF attacks and potential mitigation methods, see the Cisco Applied Mitigation Bulletin Understanding Cross-Site Request Forgery Threat Vectors.

Piwigo has released a bug report at the following link: Bug ID 0002844

Piwigo has released updated software at the following link: Piwigo 2.4.7


———-

Linux + Wacom

How to set the relative-mode parameter for the tablet when there is no control panel or graphical interface.

If xserver-xorg-input-wacom is installed there is a command called xsetwacom for setting the parameters from the command line.

xsetwacom -v --set "Wacom BambooFun 6x8 eraser" Mode "Relative"
xsetwacom -v --set "Wacom BambooFun 6x8 stylus" Mode "Relative"
xsetwacom -v --set "Wacom BambooFun 6x8 cursor" Mode "Relative"

You need to run

xsetwacom -s --list devices

so that it lists the devices and their names, which are what goes in "Wacom BambooFun 6x8 …".


Book design

The 20 best graphic design books of 2014 so far

Tablet Publishing with InDesign Digital Publishing Suite (350)

http://tjpa.com/350

https://www.quora.com/Is-there-an-InDesign-app-for-the-iPad-Or-a-similar-tablet-publishing-app-not-including-MS-Word?share=1

https://layergloss.com/

http://www.quark.com/Products/DesignPad/

http://www.opensourcealternative.org/alternatives/graphic-editors/open-source-alternative-to-indesign/

https://www.lucidpress.com/users/registerLevel?t13=A&t4=A&t5=H&t9=A&tP=1&t3=D&t6=A&t7=A&t10=A&t8=A&t12=C&t11=A

https://es.wikipedia.org/wiki/Scribus

http://www.scribus.net/downloads/stable-branch/

https://github.com/jmoenig/Snap–Build-Your-Own-Blocks

Encrypted GIT

First approach to the topic:

http://stackoverflow.com/questions/2456954/git-encrypt-decrypt-remote-repository-files-while-push-pull

http://stackoverflow.com/questions/2154948/how-can-i-track-system-specific-config-files-in-a-repo-project/2155355#2155355

git-scm.com/docs/gitattributes

https://github.com/shadowhand/git-encrypt

http://git.661346.n2.nabble.com/Transparently-encrypt-repository-contents-with-GPG-td2470145.html

Second review of the topic

Apparently there are several ways, and some of them have certain controversies that I don't fully understand.

In the Stack Overflow question "git encrypt/decrypt remote repository files while push/pull" the same approach is mentioned in other forums (July 2009: thread.gmane.org/gmane.comp.version-control.git/123466/…)

And a method included in GIT:

smudge/clean attribute filter driver

Python on Android

https://duckduckgo.com/?q=run+python+on+android&t=trisquel&ia=qa

https://play.google.com/store/apps/details?id=com.hipipal.qpyplus

http://geeknizer.com/install-run-python-apps-scripts-on-android/

http://stackoverflow.com/questions/101754/is-there-a-way-to-run-python-on-android

http://kivy.org/#download

https://code.google.com/p/python-for-android/

http://python-for-android.readthedocs.org/en/latest/toolchain/

https://github.com/ctso/python-android