Ian Dunn

Cross Site Scripting Vulnerability in Subscribe2 Plugin

Ian — Fri, 18 May 2012 18:10:19 +0000

News of the XSS bug in Subscribe2 didn’t show up in any of my RSS feeds or mailing lists, even though it’s a fairly popular plugin, so I wanted to make a note of it in case anyone else missed it. Version 8.2 has a fix for it.

Creating Admin Notices From a WordPress Plugin

Ian — Tue, 15 May 2012 20:53:56 +0000

I just threw a couple small PHP classes up on GitHub that I use in almost every WordPress plugin I write. The first is IDAdminNotices, which is a clean and easy way for plugins and themes to send messages/errors to the user within the Administration Panels. The second is IDDescribeVar, which will outputs the type, length and contents of a variable in a readable format, and send it to wp_die(), die(), return, set_transient(), or an IDAdminNotice.

Virtual Workspaces for Windows

Ian — Mon, 14 May 2012 22:26:16 +0000

I’ve been using Linux since high school — which is longer ago than I care to admit ;) — and one of my favorite features of *nix window managers has always been the concept of workspaces, but for some reason it never occurred to me until today to search for a Windows tool that would create them. A few minutes on Google revealed several options:

VirtuaWin - This one is my favorite. It’s pretty much perfect.
- It even has an extra option to preserve the dynamic order of applications on the taskbar, so it’ll work with Taskbar Shuffle.
- When I first started it I got an error that the hotkeys couldn’t be registered, but I just had to disable the corresponding hotkeys in Winamp and the Intel Graphics control panel to avoid conflicts.
PowerToys Virtual Desktop Manager – This works pretty well, but there was some flickering for me when transitioning between desktops, and it takes up way too much room on the taskbar.
Dexpot – This works well, but the interface is kind of clunky.

This is pretty huge for someone as neurotic about organization as I am.

Why Short URLs are Evil and You Should Never Use Them

Ian — Fri, 11 May 2012 17:07:06 +0000

Ok, so maybe that title was a bit of a hyperbole, but this is one of my biggest pet peeves on the Web right now. Joshua Schachter has a comprehensive analysis of the concept of Short URLs and the myriad problems associated with it, but the biggest one for me is the fact that the true URL is hidden from the user. As a user, if you want me to go somewhere on the Web, you better damn well tell me where that is first, instead of expecting me to blindly trust you. Another primary reason short URLs should (almost) never be used is their potential as a massive attack vector for hackers.

In order to get around the “opaqueness” problem, there are several browser extensions that will automatically expand the short URL — my favorite is Explode – which goes a long way toward mitigating the negative impact on user experience, but doesn’t solve the fundamental design flaws or security concerns.

Preventing Callback Functions From Executing Multiple Times

Ian — Thu, 19 Apr 2012 17:52:33 +0000

Many actions in WordPress will fire multiple times, which can lead to performance drags and undesired/intuitiveness results. Pippin Williamson points out that you can check how many times an action has already run, and modify your code to respond accordingly.

Connecting to a PPTP VPN from an OpenVZ CentOS VPS

Ian — Wed, 18 Apr 2012 17:25:08 +0000

When setting up the PPTP and PPP packages on an OpenVZ VPS in order to connect to a VPN, there are a few extra steps you need to take that you don’t have to do with a non-virtualized box.

First, you have to load the following kernel modules on the hardware node and/or set them to automatically start during the boot up process:


modprobe ppp_mppe
modprobe ppp_deflate
modprobe zlib_deflate
modprobe ppp_async
modprobe ppp_generic
modprobe slhc
modprobe crc_ccitt

After doing that you should see something similiar to this when running lsmod


[root@me ~]# lsmod | grep ppp
ppp_mppe 39816 0
ppp_deflate 39168 0
zlib_deflate 52760 1 ppp_deflate
ppp_async 45056 0
ppp_generic 63632 4 ppp_mppe,ppp_deflate,ppp_async
slhc 39680 1 ppp_generic
crc_ccitt 35200 1 ppp_async

Second, you have to tweak the VPS’s conf file:


vzctl stop [VEnumber]
vzctl set [VEnumber] --features ppp:on --save
vzctl start [VEnumber]
vzctl set [VEnumber] --devices c:108:0:rw --save
vzctl exec [VEnumber] mknod /dev/ppp c 108 0
vzctl exec [VEnumber] chmod 600 /dev/ppp

Once that’s done, you can follow the normal instructions.

After that, you might need to uncomment the require-mppe-128 or mppe required,stateless line in /etc/ppp/options.pptp (depending on the VPN server). You may also need to manually create a static route to the network, with route add -net 10.1.1.0 netmask 255.255.255.0 ppp0.

You can check /var/log/messages for details about negotiation errors.

Discouraging Trolls

Ian — Wed, 18 Apr 2012 16:17:53 +0000

Jeff Atwood wrote a fascinating article on different methods to use to discourage trolling on social websites, including some discussion of their ethical merits. I wasn’t aware of slowbanning and hellbanning before, but I think they’re very clever ideas.

Principles to Apply When Preventing Brute Force Attacks

Ian — Wed, 18 Apr 2012 16:10:55 +0000

I just read a good article by Bryan Rite about the security principles involved in preventing dictionary attacks . He makes a good point about offloading the work to a service like OpenID if possible, and has some other tips to use if you have to implement it yourself. Some of it challenges the conventional wisdom, but I think he does... [more]

$( this ).attr( … ) Is Often Unnecessary

Ian — Mon, 09 Apr 2012 22:32:03 +0000

It’s often much more efficient to access DOM properties directly, rather than using jQuery. The downside to that approach is that there are differences between the various browsers, so in some cases it introduces bigger problems than the extra performance overhead.

Registering jQuery Event Handlers Before the Elements Exist

Ian — Mon, 09 Apr 2012 21:27:32 +0000

Dave Ward wrote an article Don’t let jQuery’s $(document).ready() slow you down that shows a few situations where execute the contents of a JavaScript file immediately, rather than wrapping it all inside jQuery( document ).ready(). The .live() method has been deprecated since he wrote the article, though; .on() is its replacement.