Squidoo XSS Exploit Leads to Wordpress Spam Deluge
I’ve been getting a lot of Wordpress comment / trackback spam pointing to Squidoo these days, because it doesn’t validate the HTML markup users can enter into their pages. This makes it easy for spammers to put in an iframe with an external src that basically redirects the browser to their spam (usually porn) page. If the javascript were written nicely, it would look like this:
window.onload = function() {
    // as soon as the page has loaded, send the visitor to the spam landing page
    window.location = "http://wpi.biz/in.cgi?5&parameter=porn";
}
The page you get redirected to looks like a bunch of adult-themed Youtube videos–they’re just images, actually, which I’ve censored–that prompt you to download something that’s probably spyware. I didn’t really investigate this further; it’s obviously very evil:

The code actually sitting on Squidoo’s servers looks like this:

And the comments left on my blogs are of the form:
New trackback on your post #1852 "Coding Horror: Hot Tech Blog"
Website: hot ebony men (IP: 190.72.74.193 , 190-72-74-193.dyn.dsl.cantv.net)
URI : www.squidoo.com/some-nasty-url/
Excerpt: hot ebony men...
I’ve sent email to both the Akismet team and the Squidoo team about this, hopefully they will:
- Implement kses-based filtering on their html input *immediately*
- Add some spam-weight to the squidoo domain until this is fixed
There’s no excuse for an XSS attack of this simplicity to exist. Javascript, iframes, etc. should be disallowed. Just let basic markup through, and strip out the rest! For now, I also recommend adding the word “squidoo” to your blacklist in the Wordpress discussion options.
Update: According to the Squidoo blog, iframes will be banned as of July 12th. I can’t think of anything you can do with an iframe that you can’t do with regular HTML except untrusted stuff, like redirects or arbitrary JS.
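What “let basic markup through, and strip out the rest” looks like in practice, as an added example (this is not Squidoo’s code or the kses library, just an allowlist sanitizer written here in Python 3 with the standard library). It rebuilds the output from a fixed allowlist of tags and attributes, drops script/style/iframe/object along with their contents, refuses javascript: and similar URL schemes in href, and re-escapes all text. The sample inputs are constructed; spam.example is a placeholder host.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlist of tags and, per tag, the attributes allowed to survive.
# Anything not listed here (iframe, script, style, on* handlers, ...) is gone.
ALLOWED = {
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(),
    "strong": set(), "ul": set(), "ol": set(), "li": set(),
    "blockquote": set(), "code": set(), "a": {"href", "title"},
}
VOID = {"br"}                                            # tags that never get a closing tag
DROP_CONTENT = {"script", "style", "iframe", "object"}  # drop the tag AND what is inside it
SAFE_SCHEMES = {"http", "https", "mailto"}


def safe_url(value):
    """True for relative URLs and absolute http(s)/mailto URLs; False for javascript:, data:, ..."""
    scheme = urlsplit(value.strip()).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the document from scratch so only allowlisted markup reaches the output."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # output fragments
        self.open_tags = []    # allowed tags we have opened and not yet closed
        self.drop_depth = 0    # > 0 while inside script/style/iframe/object

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED:
            return             # unknown tag: strip the tag itself, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue       # event handlers, style, src, ... never survive
            if name == "href" and not safe_url(value):
                continue       # javascript: and friends are dropped
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if tag in self.open_tags:
            # Close everything opened after the matching tag so the result stays well-formed.
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))   # text is re-escaped, never passed through raw

    # Comments, <!DOCTYPE> and <?pi?> hit the base-class no-op handlers, i.e. they are dropped.

    def result(self):
        self.close()
        while self.open_tags:                 # close anything the author left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(html):
    """Return html with only the allowlisted markup left in it."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    return parser.result()


# Constructed samples (spam.example is a placeholder, not a real host).
SAMPLES = [
    '<p>My lens</p><iframe src="http://spam.example/in.cgi"></iframe>',
    '<b onmouseover="alert(1)">bold</b><script>window.location="http://spam.example/"</script>',
    '<a href="javascript:alert(1)" title="x">click</a> <a href="https://example.com/">ok</a>',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sanitize(sample))
```

The point of the allowlist is that nothing needs to be anticipated: a new tag or attribute the spammer thinks of is dropped by default. An unterminated <iframe> or <script> fails closed (the rest of the input is discarded), which is the right direction for a sanitizer to fail in.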
Top 7 Free Wordpress Themes
Good Wordpress themes are hard to find now that the market is deluged with sponsored-link bearing crap. A search for “wordpress themes” in Google brings up advertisements to the max, most of which seem to be created by color-blind SEOs looking to get link-love and a buck with Google. Still, there are truly great new themes being made, you just have to be able to separate them from the noise.
Why? I want to add something to the WP Theme Community, which is my selection of the best themes. This post is intended to cut down on the noise.
Theme #1) Andreas 1.12
It looks like what Wordpress’ default theme should have looked like. Simple, with three columns, nice blue colors, and big text. It’s also got the Kubrick inspired top header image for your customization or monetization delight.
Theme #2) Presscut 1.0
The thing that got me about this one is the brilliant use of the left and right column whitespace to put up a patterned background / extra-wide border.
Theme #3) Iceburgg
Iceburgg, dogg. The one thing that can be said about this cute, blue, cold, colorful theme is that it suits–and only suits–a winter season. If you were to use this as your general theme, you should probably customize and genericize all the graphics to taste.
Theme #4) Gridlock 1.4
The only thing I don’t like about gridlock is the large, grey right hand column, which seems out of place with the rest of the theme. Overall it has a very magazine-style text-based approach that works well.
Theme #5) Deep Red
Unique, this theme is thick. It’s got Web 2.0 written all over it, with big regions of text and color. The innovation is in the massive right-sidebar and header which wrap the content with text, rather than widgets or images.
Theme #6) Beautiful Day
Yep, it’s the same theme directory again, but this one gets a nod for its well-done colorspace and menu bar. The image overlay hovers are beautiful, and the blue colors make it look as good as Windows Aero.
Theme #7) Dark Theme
Bartelme, again, shows us how it’s done. I thought I’d end this list with BIG BANG, and here it is. This is the theme that powered his site until he recently redesigned it into a sleeker, sharper look. If you like wide, you can’t get wider than this. And, it’s professional–this guy’s a web designer by trade!
Wordpress Spam Rate Limiting
I just had a brilliant idea to really slow down the spammers. First, go install mod_limitipconn. Then, add something like this to your Apache configuration (a <Location> block belongs in httpd.conf or a virtual host; Apache rejects it inside .htaccess) to limit the number of simultaneous comment posts per IP:
<IfModule mod_limitipconn.c>
    # WordPress posts comments to wp-comments-post.php: allow one in-flight request per client IP
    <Location /wp/wp-comments-post.php>
        MaxConnPerIP 1
    </Location>
</IfModule>
This will prevent them from firing off requests in parallel, essentially denying them the ability to post multiple times at once. This is good, because it means that you have turned spammers from parallel into sequential machines!
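To make the “parallel to sequential” effect concrete, here is an added example (not mod_limitipconn itself, just a Python 3 model of what MaxConnPerIP does for one location): a per-IP cap on in-flight requests, a burst of five simultaneous posts from one address run against it, and the same five posts sent one after another. mod_limitipconn answers a refused request with 503 Service Unavailable, which is the status used below; the IP address is a constructed sample.

```python
import threading

HTTP_OK = 200
HTTP_SERVICE_UNAVAILABLE = 503   # the status mod_limitipconn returns when the cap is hit


class PerIPConnectionLimiter:
    """Caps in-flight requests per client IP, the way MaxConnPerIP does for one Location."""

    def __init__(self, max_conn_per_ip):
        self.limit = max_conn_per_ip
        self.active = {}                 # ip -> requests currently being served
        self.lock = threading.Lock()

    def begin(self, ip):
        """Admit the request (True) or refuse it because the IP is already at its cap (False)."""
        with self.lock:
            if self.active.get(ip, 0) >= self.limit:
                return False
            self.active[ip] = self.active.get(ip, 0) + 1
            return True

    def end(self, ip):
        """Release the slot when the request has finished."""
        with self.lock:
            remaining = self.active.get(ip, 0) - 1
            if remaining <= 0:
                self.active.pop(ip, None)
            else:
                self.active[ip] = remaining


def burst(limiter, ip, n):
    """n requests from one IP that are all in flight at the same moment (the spammer's parallel post).

    Returns the sorted list of status codes the clients would see."""
    statuses = []
    gate = threading.Barrier(n)      # nobody finishes until everybody has tried to start

    def request():
        admitted = limiter.begin(ip)
        gate.wait()
        statuses.append(HTTP_OK if admitted else HTTP_SERVICE_UNAVAILABLE)
        if admitted:
            limiter.end(ip)

    threads = [threading.Thread(target=request) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sorted(statuses)


def sequential(limiter, ip, n):
    """The same n requests one after another: each one finds a free slot and is admitted."""
    statuses = []
    for _ in range(n):
        admitted = limiter.begin(ip)
        statuses.append(HTTP_OK if admitted else HTTP_SERVICE_UNAVAILABLE)
        if admitted:
            limiter.end(ip)
    return statuses


if __name__ == "__main__":
    limiter = PerIPConnectionLimiter(max_conn_per_ip=1)            # MaxConnPerIP 1
    print("parallel burst of 5:", burst(limiter, "203.0.113.7", 5))   # [200, 503, 503, 503, 503]
    print("sequential 5:", sequential(limiter, "203.0.113.7", 5))     # [200, 200, 200, 200, 200]
```

Note that this caps concurrency, not rate: a spammer who waits for each response before sending the next post is not slowed at all, which is exactly the sequential behaviour the post is aiming for.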