23rd August 2005, 10:24 am
Here in Buchs, Aargau there’s no water in sight but all over the south and western parts of Switzerland they have all the water they need — and then some…

This morning Stéphanie told me that the Thun sea is 70 cm over the “damage level”, and that she wouldn’t be able to go the direct way by train from Brig to Berne (and from there on to Aarau). I assume that the “damage level” is the highest level it can reach before flowing into the surrounding areas?
There is an alternative (about two hours longer) route going over Lausanne but the SBB are urging people to stay put and not travel around the country unless necessary. So she’ll wait in Wallis for now. It’s good that she’s going by train and not by car — just look at this image:

22nd August 2005, 03:10 pm
Flooding is an almost unknown concept for us Danes, but the Swiss are not so fortunate: parts of Berne as well as large areas around Lucerne are flooded! As far as I’ve understood it, it started at some point last night when some of the rivers in central Switzerland could no longer handle the heavy rain we’ve been having the last couple of days. The rain will go East in the next days, but until it’s gone people are still fighting the water.

I’ve taken some screenshots from my tv-card — it’s incredible how much debris the water can pull along on its way. The first picture below is from Berne. It’s very strange for me to see the streets in Berne like that, for I’ve been on some of them…

Stéphanie is down in Wallis right now with her parents, and she has to stay there for an unknown while since the trains no longer run between Brig and Aarau. I wonder how long it will take before the water is gone and the trains can resume? And if the tracks still are where they were before?

18th August 2005, 02:05 pm
Lately my site has seen a bunch of spam comments about Phentermine, Alprazolam, and other drugs… luckily they have all been caught by the builtin spam filters in WordPress. But what are all those drugs about anyway, and will people really buy drugs from some website (usually with a not so trustworthy name…) found via a link buried deep in a discussion about PHP Shell?!
A quick search on Google explains that Phentermine is used for losing weight by lowering the appetite, and Alprazolam is used to relieve anxiety, nervousness, and tension. But is there really such a big market for such drugs?
I guess so, just as there has to be a market for all the stuff email spam tries to sell us. You know, those appliances and drugs that promise to enlarge various body parts in no time! :-)

17th August 2005, 05:46 pm
Another computer related thing needing attention when I got home was WordPress… version 1.5.2 has just been released to fix yet another security hole, although their announcement has no specifics (as usual).
They write “We’re happy to announce that a new version of WordPress is now available for download.” How can they be happy that a security hole has been found in their “extremely stable 1.5 series” once again?! They have released version 1.5.1 (May 9th, renamed to version 1.5.1.1), 1.5.1.2 (May 27th), 1.5.1.3 (June 29th), and now 1.5.2 (August 14th) in response to security holes being found.
I think that’s a bit too much for me to call this thing “extremely stable” (I obviously believe that security is an important feature of a “stable” application.) It’s good that they react to the security holes and they try to fix them fast, but I don’t like the way they just write that they have “addressed all the security issues that have been circulating the past few days”. Some questions immediately spring to mind:
- How many security holes were there?
- What was the nature of the hole(s)?
- Could they “just” change the database? If so, which parts of it?
- Could they upload files to my server? If so, could they overwrite my previous files?
- How can I see in my log files if I’ve been exploited?
Instead of being vague I would like to see specific information about the problems. Browsing through the changesets doesn’t really help either, for the WordPress developers seem to make a point out of obscuring their fixes.
Take this changeset (revision 2779) for example, which was committed on the 1.5 branch two days before the announcement of version 1.5.2 with the innocent message of “Move above”. Some lines are really moved up a little further in `wp-settings.php` — they deal with undoing the work of the infamous `register_globals` setting in PHP.
But the lines are not just moved, an extra check is added to ensure that the variable `$table_prefix` isn’t unset. Why? Is this one of the security problems they’re talking about? Given the extreme lack of comments we can only guess…
Or maybe the fix was smuggled in with revision 2780, together with fixes for seven small bugs and feature requests? The change to `wp-admin/users.php` in that changeset involves replacing `$id = $_GET['id'];` with `$id = (int) $_GET['id'];` and to my eyes this could be the fix they’re talking about. Especially since `$id` is used in an SQL query next… So if this analysis is correct then WordPress 1.5.2 was sent out to guard against an SQL injection attack. If anybody else has information about this then I would of course be interested!
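
On the log-file question raised above: if the guess about `$id` in `wp-admin/users.php` is right, an access log from before the upgrade can be checked for requests to that script whose `id` query parameter is not a plain integer. This is an added example, not code from the original post or from WordPress; the Apache combined log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Aug/2005:09:14:02 +0200] "GET /wp-admin/users.php?action=edit&id=3 HTTP/1.1" 200 5120 "-" "-"
192.0.2.44 - - [12/Aug/2005:09:20:41 +0200] "GET /wp-admin/users.php?action=edit&id=3%27 HTTP/1.1" 200 5120 "-" "-"
192.0.2.44 - - [12/Aug/2005:09:21:05 +0200] "GET /blog/wp-admin/users.php?id%5B%5D=1 HTTP/1.1" 200 312 "-" "-"
192.0.2.10 - - [12/Aug/2005:09:30:00 +0200] "GET /index.php?id=abc HTTP/1.1" 200 900 "-" "-"
"""

# client, timestamp, method, request target, status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
PLAIN_INT = re.compile(r"[0-9]+")


def suspicious_requests(log_text, script="/wp-admin/users.php"):
    """Return (client, time, key, value, status) for every request to
    `script` whose `id` parameter is not a plain decimal integer.

    Only the query string is visible in an access log, which matches the
    $_GET['id'] read quoted in the post; POST bodies are not covered.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        client, when, _method, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.endswith(script):
            continue
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            # PHP turns id[]=... into an array, so treat that form as an
            # `id` parameter too; it is never a plain integer.
            if key == "id" and PLAIN_INT.fullmatch(value):
                continue
            if key == "id" or key.startswith("id["):
                hits.append((client, when, key, value, int(status)))
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

A hit only shows that someone sent a non-integer `id`; whether the request did any damage still has to be checked against the database and the response size or status.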

17th August 2005, 05:43 pm
I’m back again — I arrived at Zürich yesterday afternoon. The last two weeks have passed by with an incredible speed, I’ve been visiting lots and lots of people back home. It was good.
Today I’ve tried to regain some sense of control over my inbox and all the other mailboxes I have. It’s a bit daunting at first when Gnus presents you with 500 or more unread messages, but with the right use of the `k` key on my keyboard (bound to the `gnus-summary-kill-same-subject-and-select` function) I was quickly able to cut my way through it. And thanks to adaptive scoring Gnus will automatically kill new articles in those boring threads in the future. The manual describes it as “artificial stupidity”, but I find it very useful nonetheless :-)