Foxnews to become wikinews?

has taken an unsuspected turn and become an open wiki site. For more info see

Summary:

While browsing around the Fox News website, I found that directory indexes are turned on. So, I started following the tree up, until I got to /admin. Eventually, I found my way into /admin/xml_parser/zdnet/, in which there is a shell script. Seeing as it’s a shell script, and I use Linux, I took a peek. Inside is a username and password to an FTP. So, of course, I tried to log in. The result? Epic fail on Fox’s part. And seriously, what kind of password is T1me Out? This is just pathetic.

And here’s something just too funny, something I hope will turn up on

Raptor porn

(originally located at, this is a mirrored copy)
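The two failures in the post above are a web-reachable admin directory that lists its contents and a script in it carrying FTP credentials. As an added example (not code from the original post), here is a small pre-deploy audit in Python that flags scripts under a document root and the lines in any file that look like hardcoded credentials. The regexes, the sample script and the paths are constructed for this example; the `/admin/xml_parser/zdnet/` path is the one the post names, placed under an assumed document root of `/var/www/html`.

```python
import re
from typing import Dict, List, Tuple

# Constructed patterns for this example; each names the kind of secret it catches.
CREDENTIAL_PATTERNS = {
    # VAR=value where the variable name suggests a password (quoted values may contain spaces)
    "password assignment": re.compile(
        r"""^[ \t]*(?:export[ \t]+)?\w*(?:PASS(?:WORD|WD)?|SECRET)\w*[ \t]*=[ \t]*(?:"[^"]*"|'[^']*'|\S+)""",
        re.IGNORECASE | re.MULTILINE),
    # credentials embedded in a URL, e.g. ftp://user:pass@host
    "credential in URL": re.compile(r"""\b\w+://[^:/\s]+:[^@\s]+@""", re.IGNORECASE),
    # a 'user NAME PASSWORD' line fed to an ftp(1) session through a heredoc
    "ftp user command": re.compile(
        r"""^[ \t]*user[ \t]+\S+[ \t]+(?:"[^"]*"|'[^']*'|\S+)[ \t]*$""",
        re.IGNORECASE | re.MULTILINE),
}

SCRIPT_SUFFIXES = (".sh", ".bash", ".pl", ".py")


def find_hardcoded_credentials(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, kind) for every line that looks like a hardcoded credential."""
    hits = set()
    for kind, pattern in CREDENTIAL_PATTERNS.items():
        for match in pattern.finditer(text):
            line_no = text.count("\n", 0, match.start()) + 1
            hits.add((line_no, kind))
    return sorted(hits)


def audit_files(files: Dict[str, str], webroot: str = "/var/www/html") -> List[str]:
    """Report web-reachable scripts and credential-bearing lines in every file.

    `files` maps an absolute path to its content (an in-memory stand-in for a
    walk of the deployment tree, so the example runs offline).
    """
    findings = []
    prefix = webroot.rstrip("/") + "/"
    for path, content in sorted(files.items()):
        if path.startswith(prefix) and path.endswith(SCRIPT_SUFFIXES):
            findings.append(f"{path}: script sits under the document root; a directory index would list it")
        for line_no, kind in find_hardcoded_credentials(content):
            findings.append(f"{path}:{line_no}: {kind}")
    return findings


# Constructed sample: a feed-fetch script with its FTP login written inline.
SAMPLE_SCRIPT = """#!/bin/sh
# constructed example of a fetch script with its FTP login inlined
FTP_PASS="example pass"
ftp -n ftp.example.invalid <<EOF
user feeduser "$FTP_PASS"
get zdnet.xml
quit
EOF
"""

SAMPLE_FILES = {
    "/var/www/html/admin/xml_parser/zdnet/fetch.sh": SAMPLE_SCRIPT,  # web-reachable copy
    "/home/ops/fetch.sh": SAMPLE_SCRIPT,                              # outside the document root
}

if __name__ == "__main__":
    for finding in audit_files(SAMPLE_FILES):
        print(finding)
```

The credential check is deliberately loose (a variable such as `COMPASS_ROUTE` would also trip the first pattern), which is the right trade-off for a pre-deploy gate where a human reviews each hit. The listing problem itself is fixed in the server configuration rather than in code: `Options -Indexes` in Apache or `autoindex off;` in nginx stops the server from rendering a directory without an index file, and the fetch script belongs outside the document root regardless.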

Happy birthday securiteam blogs

As other recent posts have mentioned, these blogs have just turned 2 years old. In order to celebrate the event I wanted to look back at the archives and find a post that stood out. This is hard when you’re talking about a blog of this high calibre. I started reading various popular posts; they were all very well written, technically and linguistically, so I had a hard time choosing. I decided to take an alternate route: I decided to read the posts that were made around the time I joined the site, the ones that convinced me as to the greatness of this blog.

I went back to January 2006 and one post in particular jumped right out at me: Interview: Ilfak Guilfanov. This was a great post addressing what at the time was a major issue and something that made me realise just what type of people make up this blog. I suggest you have a read of that post and other similar great posts; they make great reading for a Monday morning/early afternoon.
Happy birthday blogs, may your next 2 years be even greater.

Burp Proxy open for orders

I’m writing this purely to pass on a message. If you’ve ever used Burp Suite and have a comment about the software, now is the time to let the developers know. If you haven’t tried it yet, give it a go; you won’t regret it.

This is just to let you know that work is underway on the next release of Burp Suite, which should be available later this year. This will be a major upgrade with lots of new features in all of the tools.

At this point, it would be good to hear any other feature requests that you may have, however large or small. Please reply to me directly or join the discussion here:

and I’ll address as many as I can.

I’d be grateful if you would pass this email on to anyone else in your team who uses Burp Suite.

Firefox 3 to support HttpOnly cookies

HttpOnly cookies are a mechanism Microsoft developed for IE6 SP1 to add some security to cookies. The web developer sets a cookie (for instance the session cookie) as HttpOnly (both ASP and PHP support setting HttpOnly cookies), and the browser will then only ever use that cookie when sending HTTP requests, not when client-side scripting asks to read it. This means that if there is a cross-site scripting flaw on the website, the injected JS cannot read the cookie. The solution isn’t perfect, but it does what it’s meant to do and doesn’t harm anyone.

Support for this is already in the Firefox 3 alphas, if you are inclined to use them; otherwise you’ll have to wait until November or so for the first official Firefox 3 release.

If you are a web developer I suggest you start updating your code to use HttpOnly where applicable.
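To make the "where applicable" concrete, here is an added Python example (not code from the original post) that does two things: it builds a session-cookie `Set-Cookie` header with the HttpOnly attribute using the standard library's `http.cookies.SimpleCookie`, and it audits a list of response headers for session cookies that lack the attribute. The default session-cookie names (`PHPSESSID` for PHP, `ASP.NET_SessionId` for ASP.NET, `JSESSIONID` for Java servlet containers) and the sample headers are assumptions constructed for the example.

```python
from http.cookies import SimpleCookie
from typing import Dict, Iterable, List, Sequence, Tuple

# Default session-cookie names of common platforms (assumed list for this example).
SESSION_COOKIE_NAMES = ("PHPSESSID", "ASP.NET_SessionId", "JSESSIONID")


def build_session_cookie(name: str, value: str, httponly: bool = True, secure: bool = False) -> str:
    """Return a Set-Cookie header value for a session cookie.

    With httponly=True the browser withholds the cookie from client-side
    script (document.cookie) while still attaching it to HTTP requests.
    """
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = "/"
    morsel["httponly"] = httponly   # emitted as the bare 'HttpOnly' attribute when True
    morsel["secure"] = secure       # 'Secure' keeps the cookie off plain HTTP; off by default here
    return morsel.OutputString()


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split a Set-Cookie value into the cookie pair and its attributes.

    Attribute names are case-insensitive, so they are lower-cased; flag
    attributes without a value (HttpOnly, Secure) are stored as True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_response_cookies(headers: Iterable[Tuple[str, str]],
                           session_names: Sequence[str] = SESSION_COOKIE_NAMES) -> List[str]:
    """Return the names of session cookies set without HttpOnly.

    `headers` is a sequence of (name, value) pairs as a server would send them;
    only Set-Cookie headers whose cookie name is a known session cookie are checked.
    """
    missing = []
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(hvalue)
        if cookie["name"] in session_names and "httponly" not in cookie["attrs"]:
            missing.append(str(cookie["name"]))
    return missing


if __name__ == "__main__":
    # Constructed response headers: one hardened session cookie, one that is not.
    sample_headers = [
        ("Content-Type", "text/html"),
        ("Set-Cookie", build_session_cookie("PHPSESSID", "abc123")),
        ("Set-Cookie", "JSESSIONID=zzz; Path=/"),
        ("Set-Cookie", "prefs=dark; Path=/"),
    ]
    print("session cookies missing HttpOnly:", audit_response_cookies(sample_headers))
```

The audit only looks at session cookies on purpose: a preferences cookie that script legitimately reads should not be flagged, and the value of HttpOnly is precisely that it costs nothing for cookies the page's own scripts never need.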

Accidental backdoor by ISP [updated x2]

Now I have full access to FTP into their routers even if they have changed their passwords; I have full read and write access to things from DNS details to DMZ settings, from Wifi passwords to VPN keys. I can then upload the new file back to their router, log into its telnet daemon and load the new settings file.
