Magpie Vulnerability

October 27th, 2005

In (hopefully) unrelated news, I was just notified that there is a security vulnerability in Snoopy, and hence Magpie. Apparently there is an attack that leverages the fact that Snoopy passes unfiltered arguments to curl that allows for arbitrary code execution. Here is a note I just sent to the mailing list:

If you’re running Magpie in a context where you allow people to submit unreviewed URLs, and you have PHP compiled with cURL SSL support, then this vulnerability affects you.

Given a specially crafted (and very simple) URL, an attacker can execute arbitrary code in the web server context. There is no escalation possible with this vulnerability, though potentially it could be combined with other attacks to allow some sort of permissions escalation.

I’ll release a patch, and a new version, this evening unless someone beats me to it. (Unfortunately we haven’t been given a grace period here.)

It’s a variation on the traditional PHP null terminated string attack. (Does make me wish I had made it to Chris’ talk when he was here a few weeks ago, rather than being 1 of 3000 people turned away from the Murakami talk at MIT.)

update 2005-10-28T15:33Z: I’ve got a patch out, waiting for a few people to sanity check it, before rolling out a new release.
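
As an added illustration of the class of fix (this is not the Snoopy or Magpie patch, and not code from either project): a submitted feed URL is validated and shell-quoted before it reaches an external curl binary. The helper names, the curl path and the sample URLs are assumptions made for the example.

```php
<?php
// Added example; both helper functions are hypothetical, not Snoopy/Magpie code.

// Return the URL unchanged if it is acceptable to fetch, otherwise null.
function validate_feed_url(string $url): ?string
{
    // NUL, other control bytes and whitespace never belong in a URL;
    // rejecting them first closes off null-terminated string tricks.
    if ($url === '' || preg_match('/[\x00-\x20\x7f]/', $url)) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // Only fetch over the schemes a feed reader needs.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // Conservative host check: letters, digits, dots and hyphens only.
    if (!preg_match('/^[A-Za-z0-9.-]+$/', $parts['host'])) {
        return null;
    }
    return $url;
}

// Build the command line for an external curl binary (path is an assumption).
// Every variable piece goes through escapeshellarg(), so the shell sees one
// literal argument; the scheme check also means it cannot start with "-".
function build_fetch_command(string $url, string $curl = '/usr/bin/curl'): ?string
{
    $safe = validate_feed_url($url);
    if ($safe === null) {
        return null;
    }
    return escapeshellarg($curl) . ' --silent --max-time 10 ' . escapeshellarg($safe);
}

// Constructed sample inputs, not the URL used in the reported attack.
$samples = [
    'https://example.org/feed.xml',        // accepted
    "https://example.org/feed.xml\0.txt",  // NUL byte: rejected
    'https://example.org/a b',             // whitespace: rejected
    'ftp://example.org/feed.xml',          // scheme not allowed: rejected
];
foreach ($samples as $s) {
    $cmd = build_fetch_command($s);
    echo json_encode($s), ' => ', $cmd ?? 'REJECTED', "\n";
}
```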

WordPress Vulnerability? Paypal Vulnerability?

October 27th, 2005

Someone seems to have successfully modified the content of a post on the WordPress-powered Magpie blog to insert link spam into the content of an existing post. Is there a known vulnerability that allows this? I admit I’ve been remiss in following WordPress security advisories.

Interestingly only one post has been altered, and that post has the distinction of being the post with an embedded Paypal donation button.

I’ve yanked the blog down for now until I have time to figure out what happened. (and I just got LM back online)

Excerpted from Developing Feeds with RSS and Atom

June 5th, 2005

Ben Hammersley on Magpie

The most popular parser in PHP, and arguably the most popular in use on the Web right now, is Kellan Elliott-McCrea’s MagpieRSS. As I write this, it stands at version 0.7, a low number indicative of modesty rather than product immaturity. MagpieRSS is a very refined product indeed.

Thanks Ben!

Status Update: XML::RSS, Magpie, cvs2rss, wp-agg, etc

May 28th, 2005

Dan from GeekUprising is now the official maintainer of XML::RSS. I imagine his first major change will be to incorporate the patch he sent me last Fall splitting the RSS creation logic from the RSS parsing logic (while still being transparent to people who don’t want that kind of thing). Congratulations, and welcome.

cvs2rss has been missing since the last server move, but a well-placed nudge from Phil got me to dig up the archives today, so voila, as they.

My aggregator for WordPress, affectionately known as wp-agg, is officially superseded by FeedWordPress. Charles has done a great job growing the idea to something useful to someone other than me, and polished it off by actively maintaining it. Nice work. I’ll be switching the Magpie blog as soon as I get a chance.

Sourceforge stats after a 6 month hiatus (or was it 18 months? now I’m forgetting), are finally back, now with largely useless graphs. I had a hunch that usage had continued to grow and it has, with 5,000 page views a day, and 6,000 downloads a month. Wow. Really need to revive the website to handle the enlarged community. Need a good domain name first.

You know, now that I’m a contractor again, if someone wanted to hire me for 20-25 hours of work I’ve got a list of features that I’d love to have time to roll out as MagpieRSS version 0.8.

PHP 5.0.4 is out

April 1st, 2005

PHP 5.0.4 came out this morning. If you’re using XML and PHP5 you need this upgrade right away. (for example if you’re using a little script to parse RSS). If you’re an ISP offering PHP5 believe me you want this upgrade or spend all your time killing zombie processes.

March 17th, 2005

One of the keys to any decent social software project is making it useful enough to the individual that they generate the data that makes the network useful. FeedTagger seems poised to do this.

The idea is simple. FeedTagger is a web based aggregator that allows you to browse not only by feeds and folders like existing aggregators but also by tags, tags you assign on a per feed, or per item basis.

Right now the emergent social knowledge community is just a flicker of potential, but in the meantime it’s a very interesting re-thinking of the aggregator.

And Chris is blogging about his experience building it, including using Magpie to run smack into PHP5’s XML parsing bugs. (fixed in the PHP5 nightlies)

update: this bug

WordPress 1.5 and Magpie

February 15th, 2005

Haven’t seen the official announcement yet, but WordPress 1.5 has officially been released. If you’re still using a 1.2.x release then expect to be wowed. Of course the most important new feature (for certain idiosyncratic definitions of important) is that Magpie is now included in the core. It’s a version of 0.6.x (which means no multiple charset support) that has been cleverly modified to cache to the database. (removing one of Magpie’s major support burdens)

update: the official announcement

Boston PHP

January 3rd, 2005

I’ll be attending the BostonPHP user group/Boston PHP meetup this Thursday (Jan 6th), at 7:30pm, at Neptune Web (in Davis Sq.). (and I’ll try to play nice with the Red Hat users who apparently will also be attending)

p.s. note that the topic, “customizing phpBB” isn’t the most fascinating ever, I’m going for the meetup aspects.

