<< May 10, 2007 | Home | May 12, 2007 >>

About

Links

RSS | Atom | E-mail

Navigate

Tags | Advanced Search

Tags

Recent Blog Entries

Real World Browser Performance
We are currently building a web application for the financial services sector that is highly depending on client side JavaScript and DOM manipulation. Each time the user changes an input parameter the following steps are executed: the data is collected ...
IntelliJ IDEA 8.0
JetBrains has released IDEA 8.0. It has support for a few new frameworks like JBoss Seam, Struts 2, GWT 1.5, RESTful webservices and updated support for Spring like Spring 2.5, Spring Webflow, Spring MVC and Spring Dynamic Modules. Templates languages ...
Openfire Server Multiple Vulnerabilities
Andreas Kurtz has published a security advisory regarding multiple critical security vulnerabilities in Openfire's admin console. There is also a posting to full-disclosure. The issues allow a remote attacker to circumvent authentication and run arbitray ...
Spring's New Maintenance Policy
SpringSource, the company behind the popular Spring Framework has announced a new maintenance policy: SpringSource Enterprise Maintenance Policy, effective September 2008. After a lot of discussion in the community they have now added a Frequently Asked ...
mvn deploy:deploy-file with WebDAV
Though most of the Java libraries are already in the official Maven repository you will from time to time encounter artifacts that are not available there. Reasons for this include licensing issues (e.g. Oracle JDBC drivers and some Sun Java APIs) and a ...
Estonia
Estonia is a small country in the north east of Europe in the Baltic region. As a former Soviet republic it became independant in 1991 and is a member of NATO and the European Union since 2004. Estonia has a strong information technology sector and ...
Book: Openfire Administration
Packt has released a new book on Openfire a Java based Instant Messaging server. Openfire Administration by Mayank Sharma is a step-by-step guide for everybody who wants to setup an internal IM server for private or corporate use. It walks you through ...
Kuschelworkshop
Wenn ich von meiner Teilnahme am diesjährigen MinD Camp berichte, taucht eine Frage immer wieder auf: Was hat man sich eigentlich unter dem Programmpunkt "Kuschelworkshop" vorzustellen?Read more...Tags : life mhn
Using Namespaces in XSLT and XPath
You can use namespaces in XSLT and XPath like xsl:value-of select="//a:account/...
Dear Sir, Please Advise!
Those emails to mailing lists come even from well-known consulting companies like Accenture. Three emails with almost the same question within a few hours each time including the full 25 lines long company disclaimer. I wonder if it is known to the ...

Recent Responses

Re: Empty Windows in Swing Applications on Ubuntu 7.10
The export AWT_TOOLKIT=MToolkit trick also worked for me for some other java applets. Thanks for the tip.
Re: Using OpenOffice.org from Java Applications
Hi. Your HowTo is very interesting. I am also developing a web-application for creating reportfiles with open-office. But I have a problem with multiuser-mode. Every time I tried to create a reportfile with two clients at same time I get a ...
Re: Spring MVC: Null or an Empty String?
thnx for the info :)
Re: Open Archive 1.0.1 for Openfire 3.3.2 released
Does open archive store non-standard message stanzas? One problem we are having with Openfire's stock archiving is that our messages that have data not in the "body" tag, are not being stored. Any suggestions would be most helpful. Thanks, ...
Re: Spring's New Maintenance Policy
Good news! http://blog.springso...

Summary of blogs

reucon blogs

Stefan Reuter - My personal blog

Asterisk-Java - The free Java library for Asterisk PBX integration.

Christian Kienle

Why the C preprocessor is a bad thing

Christian has posted a follow-up to a discussion on the good old C preprocessor a few years ago. My opinion was (and still is) the C preprocessor is a "feature" hacked into the language to overcome its shortage and is ugly by design.

Nevertheless, as one comment notes it all sums up to "use the right tool for the job". Replacing inline functions and C++ templates by preprocessor macros does not qualify in most cases though there may be situations in which there is no easy to use alternative. One of these situations is making sure a header file is only included once:

#ifndef _STDIO_H
# define _STDIO_H       1
...

#endif /* !_STDIO_H */

This is a common pattern for which I am not aware of a suitable alternative in C land. Fortunately all modern programming languages have introduced other means to solve the problem.

Christian finishes with a link to this very "cool" macro - nothing to add to this one ;)

Tags : c

Responses[2]

Posted by Stefan Reuter on May 11, 2007 2:10:00 AM CEST #

Openfire 3.3.1 fixes critical Security Issue

Ignite Realtime has released Openfire 3.3.1 which fixes a critical security issue in all versions prior to 3.3.1. I had reported the issue last week, so thanks to the Openfire guys for the quick fix.

The security issue allows malicious people to remotely upload code to Openfire via the built-in admin console. The code is executed with the permissions of the user running Openfire. It is highly recommended that users upgrade their server instances to fix this security issue.

As a workaround access to the admin console port (9090 by default) can be limited via firewall rules.

The full changelog is available here.

Update June 27, 2007:

Now over a month later that users had enough time to upgrade I can release a few more details about the issue:

Basically the problem was a missing filter mapping in web.xml which caused the beans used to install plugins which are exposed through DWR to be available without authentication.

Openfire Plugin Management

So you could easily open http://somehost:9090/dwr/test/downloader and upload a malicious plugin that would run with the privileges of Openfire and with full access to the Openfire database.

References: Secunia Advisory: SA25427, CVE-2007-2975, JM-1049

Tags : openfire security

Add a comment

Posted by Stefan Reuter on May 11, 2007 1:16:00 AM CEST #

May 2007
Sun	Mon	Tue	Wed	Thu	Fri	Sat
		1	2	3	4	5
6	7	8	9	10	11	12
13	14	15	16	17	18	19
20	21	22	23	24	25	26
27	28	29	30	31
Apr \| Today \| Jun

Username
Password