Latest Security and FUD

  • Userdir URLs like https://example.org/~username/ are dangerous

    I would like to point out a security problem with a classic variant of web space hosting. While this issue should be obvious to anyone knowing basic web security, I have never seen it being discussed publicly.

    Some server operators allow every user on the system to have a personal web space where they can place files in a directory (often ~/public_html) and they will appear on the host under a URL with a tilde and their username (e.g. https://example.org/~username/). The Apache web server provides such a function in the mod_userdir module. While this concept is rather old, it is still used by some and is often used by universities and Linux distributions.

    From a web security perspective there is a very obvious problem with such setups that stems from the same origin policy, which is a core principle of Javascript security. While there are many subtleties about it, the key principle is that a piece of Javascript running on one web host is isolated from other web hosts.

    To put this into a practical example: If you read your emails on a web interface on example.com, then a script running on example.org should not be able to read your mails, change your password or mess in any other way with the application running on a different host. However, if an attacker can place a script on example.com, which is called a Cross Site Scripting or XSS vulnerability, the attacker may be able to do all that.
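    The excerpt above turns on what the same-origin policy actually compares: scheme, host and port, never the path. The following is an added illustration (not code from the original article) that computes that origin triple and flags which userdir URLs would share an origin with a web application on the same host; the hostnames are the example.org / example.com placeholders from the text.

```python
from urllib.parse import urlsplit

# Default ports per scheme: an omitted port counts as the scheme's default,
# so https://example.org/ and https://example.org:443/ are the same origin.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) triple the same-origin policy compares.

    Path, query and fragment are deliberately ignored: they never form part
    of the origin, which is exactly why /~alice/ and /webmail/ on one host
    are not isolated from each other.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    if not scheme or not host or port is None:
        raise ValueError("not an http(s) URL: %r" % url)
    return (scheme, host, port)


def same_origin(a, b):
    """True when scripts loaded from a and b run with the same origin."""
    return origin(a) == origin(b)


def userdir_conflicts(app_url, userdir_urls):
    """Return the userdir URLs whose scripts would share the origin of app_url.

    A user who can place HTML under any of these URLs can run script in the
    origin of app_url, i.e. the application has an XSS problem by design.
    """
    return [u for u in userdir_urls if same_origin(app_url, u)]


if __name__ == "__main__":
    # Constructed sample: a webmail app on example.org next to user directories.
    app = "https://example.org/webmail/"
    candidates = [
        "https://example.org/~alice/",
        "https://example.org:443/~bob/page.html",   # explicit default port
        "http://example.org/~carol/",               # different scheme
        "https://example.com/~dave/",               # different host
    ]
    for u in userdir_conflicts(app, candidates):
        print("shares origin with", app, "->", u)
```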

  • FOSSID and BearingPoint Enter Strategic Partnership Around Open Source Software Governance

    FOSSID, a leader in open source software compliance and security, and BearingPoint, a leader in open source management services, today announced their strategic partnership around free and open source software governance. After successfully cooperating in selected projects for more than two years, BearingPoint decided to choose FOSSID as its strategic provider of open source analysis tools. FOSSID’s technology provides high performance and accuracy in the code analysis services performed by BearingPoint.

    [...]

    BearingPoint’s modular FOSS services provide companies with streamlined processes and infrastructure to deploy, manage, and govern their software throughout the product lifecycle, helping them to manage open source compliance and security. BearingPoint’s FOSS analysis services provide a timely and confidential analysis of the customers’ code base, including comprehensive compliance and security reports for their business decisions.

  • 5 ways to secure your applications from open-source vulnerabilities [Ed: Interesting, Proprietary software programs/code have no vulnerabilities? This is only an Open Source thing?]
  • How to make open source success less of a crapshoot [Ed: Typical Asay]

Container environments targeted by Kinsing malware attacks

  • Container environments targeted by Kinsing malware attacks

    Cybersecurity researchers at Aqua Security have identified a malware campaign that targets misconfigured open Docker Daemon API ports with thousands of attempts taking place daily. The researchers warn, “These are the highest numbers we’ve seen in some time, far exceeding what we have witnessed to date.”

More in Tux Machines

F(x)tec Pro1-X Announced – with physical keyboard, Lineage OS and Ubuntu Touch support but dated Snapdragon 835

Today, F(x)tec has re-launched their Pro1 smartphone, but renamed as Pro1-X and running LineageOS out of the box combined with compatibility with Ubuntu Touch OS. The phone has been developed in partnership with XDA, hence the name. The hardware remains the same, which includes the dated Qualcomm Snapdragon 835 chipset; however, this phone isn't about raw power, it is a productivity tool with a strong focus on privacy. It will then combine the chipset with 8GB of RAM, a 5.99-inch FHD+ AMOLED display, an 8MP front-facing camera, and a 12MP camera at the rear.

Announcing NetBSD 9.1

The NetBSD Project is pleased to announce NetBSD 9.1, the first update of the NetBSD 9 release branch. It represents a selected subset of fixes deemed important for security or stability reasons, as well as new features and enhancements.

Also: NetBSD 9.1 Released With Parallelized Disk Encryption, Better ZFS, X11 Improvements

today's howtos

  • Btrfs on CentOS: Living with Loopback | Linux Journal

    The btrfs filesystem has taunted the Linux community for years, offering a stunning array of features and capability, but never earning universal acclaim. Btrfs is perhaps more deserving of patience, as its promised capabilities dwarf all peers, earning it vocal proponents with great influence. Still, none can argue that btrfs is unfinished, many features are very new, and stability concerns remain for common functions. Most of the intended goals of btrfs have been met. However, Red Hat famously cut continued btrfs support from their 7.4 release, and has allowed the code to stagnate in their backported kernel since that time. The Fedora project announced their intention to adopt btrfs as the default filesystem for variants of their distribution, in a seeming juxtaposition. SUSE has maintained btrfs support for their own distribution and the greater community for many years.

    For users, the most desirable features of btrfs are transparent compression and snapshots; these features are stable, and relatively easy to add as a veneer to stock CentOS (and its peers). Administrators are further compelled by adjustable checksums, scrubs, and the ability to enlarge as well as (surprisingly) shrink filesystem images, while some advanced btrfs topics (i.e. deduplication, RAID, ext4 conversion) aren't really germane for minimal loopback usage. The systemd init package also has dependencies upon btrfs, among them machinectl and systemd-nspawn.

    Despite these features, there are many usage patterns that are not directly appropriate for use with btrfs. It is hostile to most databases and many other programs with incompatible I/O, and should be approached with some care.

  • How To List Filesystems In Linux Using Lfs - OSTechNix

    Lfs is a command-line tool used to list filesystems in a Linux system. Lfs is a slightly better alternative to the "df -H" command.

  • How to Install Debian Linux 10.5 with MATE Desktop + VMware Tools on VMware Workstation - SysAdmin

    This video tutorial shows how to install Debian Linux 10.5 with MATE Desktop on VMware Workstation step by step.

  • How to Install Mageia Linux 7.1 + VMware Tools on VMware Workstation - SysAdmin

    This video tutorial shows how to install Mageia Linux 7.1 on VMware Workstation step by step.

  • How to install Krita 4.3.0 on Deepin 20 - YouTube

    In this video, we are looking at how to install Krita 4.3.0 on Deepin 20.

  • How to install PHP 7.4 in Ubuntu 20.04? | LibreByte

    PHP-FPM is used together with a web server like Apache or NGINX; PHP-FPM serves dynamic content, while the web server serves static content.

  • How to install the Blizzard Battle.net on a Chromebook

    Today we are looking at how to install the Blizzard Battle.net on a Chromebook. Please follow the video/audio guide as a tutorial where we explain the process step by step and use the commands below.

  • How to install the MGT GTK theme on Linux

    MGT is a modern theme that is based on the Materia GTK theme. It comes in 4 different colors (Grey, Semi-Dark, Light, and Dark) and brings the Google Material Design look that many Linux users love. In this guide, we’ll show you how to install the MGT GTK theme on Linux.

  • How to install the RavenDB NoSQL database on Ubuntu 20.04 - TechRepublic

    If you're looking to deploy a powerful NoSQL database on Linux, let Jack Wallen walk you through the process of installing RavenDB.

  • Implementing a self-signed certificate on an Ubuntu Server > Tux-Techie

    In this tutorial, we will show you how to create a self-signed certificate with OpenSSL on an Ubuntu 20.04 server and discuss its use cases.