MacMegasite Archive

To reduce the database size and server load, all articles from 2004 or earlier are archived here.

Tue, 25 Feb 2003

Apple Security Update 2003-02-25 Mac OS X 10.2.4 Server

Mac OS X 10.2.4 Server Software Update is now available. It contains fixes for the following potential security issues:

  • QuickTime Streaming Server: Fixes CAN-2003-0050, QTSS arbitrary command execution. The QuickTime Streaming Administration Server relies on the parse_xml.cgi application to authenticate and interface with the user. This CGI can pass unvalidated input, which could allow a remote attacker to execute arbitrary code on the server and to gain root privileges. Credit to Dave G. from @stake, Inc. for finding this vulnerability.

  • QuickTime Streaming Server: Fixes CAN-2003-0051, QTSS physical path revelation. The QuickTime Streaming Administration Server relies on the parse_xml.cgi application to authenticate and interface with the user. This CGI could be used to reveal the physical path under which the Darwin/QuickTime Administration Servers are installed. Credit to @stake, Inc. for finding this vulnerability.

  • QuickTime Streaming Server: Fixes CAN-2003-0052, QTSS directory listings. The QuickTime Streaming Administration Server relies on the parse_xml.cgi application to authenticate and interface with the user. This CGI could be used to reveal arbitrary directory listings due to the lack of user input validation within the application. Credit to Ollie Whitehouse from @stake, Inc. for finding this vulnerability.

  • QuickTime Streaming Server: Fixes CAN-2003-0053, QTSS login credentials. The QuickTime Streaming Administration Server relies on the parse_xml.cgi application to authenticate and interface with the user. A vulnerability in the handling of error messages from this CGI could be used in a cross-site scripting attack to gain valid login credentials. Credit to Ollie Whitehouse from @stake, Inc. for finding this vulnerability.

  • QuickTime Streaming Server: Fixes CAN-2003-0054, arbitrary command execution when viewing QTSS logs. If an unauthenticated user of QuickTime Streaming Server makes a request to the streaming port, the request is then written to the log file. It is possible to craft the request such that arbitrary code can be executed when the logs are viewed by the system administrator via a browser. Credit to Ollie Whitehouse from @stake, Inc. for finding this vulnerability.

  • QuickTime Streaming Server: Fixes CAN-2003-0055, buffer overflow in the MP3 Broadcasting application. There is a buffer overflow in the stand-alone MP3Broadcaster application. An MP3 file which has a filename of over 256 bytes will cause a buffer overflow to occur. This could be used by local or FTP users to obtain elevated privileges. Credit to Ollie Whitehouse from @stake, Inc. for finding this vulnerability.

  • Sendmail: Fixes CAN-2002-0906: a buffer overflow in Sendmail before 8.12.5, when configured to use a custom DNS map to query TXT records, could permit a denial of service attack and possibly allow execution of arbitrary code. Mac OS X 10.2.4 contains Sendmail 8.12.6 with the SMRSH fix applied to also address CAN-2002-1165.

  • AFP: Fixes CAN-2003-0049, "AFP login permissions for the system administrator". Provides an option whereby a system administrator may or may not be allowed to log in as a user, authenticating via their admin password. Previously, administrators could always log in as a user, authenticating via their own admin password.

  • Classic: Fixes CAN-2003-0088, where an attacker may change an environment variable to create arbitrary files or overwrite existing files, which could lead to obtaining elevated privileges. Credit to Dave G. from @stake, Inc. for discovering this issue.

  • Samba: Previous releases of Mac OS X are not vulnerable to CAN-2002-1318, an issue in Samba's length checking for encrypted password changes. Mac OS X currently uses Directory Services for authentication, and does not call the vulnerable Samba function. However, to prevent a potential future exploit via this function, the patch from Samba 2.2.7 was applied, although the version of Samba was not changed for this update release. Further information is available from: http://samba.org/samba/whatsnew/samba-2.2.7.html

  • Integrated WebDAV Digest Authentication: The mod_digest_apple Apache module has been added to more easily enable digest authentication for an existing WebDAV realm. This eliminates the need to maintain a separate digest file containing the list of authorized users, passwords, and realms. mod_digest_apple works in coordination with Open Directory for user authentication. For further details, open the Help Viewer after installing Mac OS X Server version 10.2.4, select Mac OS X Server Help in the drawer, and search for "New: Enabling Integrated WebDAV Digest Authentication."
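The CAN-2003-0054 item above describes the pattern behind a whole class of bugs: text an unauthenticated client sent over the network is written to a log, and a browser-based viewer later renders that log as HTML without encoding it. The fix belongs in the viewer, not the logger. Below is an added example (written for this archive page, not Apple's or QTSS's code) of how a log viewer should render lines: every field that originated on the wire goes through one sanitizing function that strips control characters and HTML-escapes the rest, and lines that do not fit the expected layout are still shown, but only as escaped text. The log layout and the sample lines are constructed for the example. The same output-encoding discipline is what closes the error-message cross-site scripting issue in CAN-2003-0053.

```python
import html
import re

# Constructed sample log lines in a common access-log layout; they are not
# real QuickTime Streaming Server output. The second request field carries
# markup, the kind of unauthenticated input the advisory says ends up in
# the log and must not be interpreted when an administrator views it.
SAMPLE_LOG_LINES = [
    '192.0.2.10 - - [25/Feb/2003:10:00:00 +0000] "DESCRIBE rtsp://example.net/movie.mov RTSP/1.0" 200 512',
    '192.0.2.11 - - [25/Feb/2003:10:00:05 +0000] "DESCRIBE rtsp://example.net/<script>alert(1)</script> RTSP/1.0" 404 0',
    'garbage line that does not match the expected layout',
]

# Layout assumed for the constructed lines: client, two '-' fields,
# bracketed timestamp, quoted request line, status code, byte count.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]*)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+)$'
)

# ASCII control characters other than tab. They have no business in a
# rendered log and can be used to forge line breaks in line-oriented tools.
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def sanitize_field(value):
    """Make one log field safe to place in HTML element content or in a quoted
    attribute: drop control characters, then escape & < > " and '."""
    return html.escape(CONTROL_CHARS.sub("", value), quote=True)


def parse_log_line(line):
    """Return the line's fields as a dict, or None if it does not fit the layout."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def render_log_html(lines):
    """Render log lines as HTML table rows. Only the markup written in this
    function is emitted as markup; everything from the log goes through
    sanitize_field(), including lines we could not parse."""
    rows = []
    for line in lines:
        fields = parse_log_line(line)
        if fields is None:
            rows.append('<tr class="unparsed"><td colspan="5">%s</td></tr>'
                        % sanitize_field(line))
            continue
        cells = "".join("<td>%s</td>" % sanitize_field(fields[key])
                        for key in ("client", "when", "request", "status", "bytes"))
        rows.append("<tr>%s</tr>" % cells)
    return "<table>\n%s\n</table>" % "\n".join(rows)


def only_viewer_markup(rendered):
    """Self-check: after removing the viewer's own table/tr/td tags, no angle
    bracket may remain, i.e. nothing from the log survived as markup."""
    viewer_tags = re.compile(r"</?(table|tr|td)(\s[^<>]*)?>")
    stripped = viewer_tags.sub("", rendered)
    return "<" not in stripped and ">" not in stripped


if __name__ == "__main__":
    page = render_log_html(SAMPLE_LOG_LINES)
    print(page)
    print("log content rendered only as text:", only_viewer_markup(page))
```

The detail worth noticing is that escaping happens at the point of output, per field, with `quote=True`, so the same function is safe whether a value lands between tags or inside an attribute. Stripping control characters is a separate concern from HTML escaping; log viewers that feed text to terminals or other line-based tools need it even when no browser is involved.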



Mac OS X 10.2.4 Server Software Update may be obtained from:

  • Software Update pane in System Preferences

    - OR -

  • Apple's Software Downloads web site:

    Updating from Mac OS X Server 10.2.3:
    http://www.info.apple.com/kbnum/n70171
    The download file is named: "MacOSXServerUpdate10.2.4.dmg"
    Its SHA-1 digest is: 65d6411dbe5855e894c5406ac35228f568240f26

    Updating from Mac OS X Server 10.2, 10.2.1, or 10.2.2:
    http://www.info.apple.com/kbnum/n70172
    The download file is named: "MacOSXSrvrUpdCombo10.2.4.dmg"
    Its SHA-1 digest is: 41e441d737165ed0ed5166691dc39caba5e1dbce

Information is also posted to the Apple Support web site:
http://docs.info.apple.com/article.html?artnum=61798
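The advisory publishes a SHA-1 digest for each download so that the image can be checked before it is installed. Here is an added example of that check (written for this page, not an Apple tool) which hashes the .dmg in chunks, normalizes the digest however it was pasted (upper case, spaces, or the `SHA1(file)= ...` form that `openssl sha1` prints), and compares in constant time. The two digests in the table are the ones printed above; the SHA-1 test vector for the string "abc" used in the self-test is the FIPS 180 example value.

```python
import hashlib
import hmac
import os
import sys

# Digests exactly as printed in the advisory above, keyed by the file name it gives.
PUBLISHED_SHA1 = {
    "MacOSXServerUpdate10.2.4.dmg": "65d6411dbe5855e894c5406ac35228f568240f26",
    "MacOSXSrvrUpdCombo10.2.4.dmg": "41e441d737165ed0ed5166691dc39caba5e1dbce",
}

HEX_DIGITS = set("0123456789abcdef")


def normalize_digest(text):
    """Accept a SHA-1 digest as it tends to be pasted: any case, embedded
    whitespace, or the 'SHA1(file)= hex' line from `openssl sha1`. Anything
    that is not exactly 40 hex digits is rejected rather than compared."""
    text = text.strip()
    if "=" in text:
        text = text.rsplit("=", 1)[1]
    text = "".join(text.split()).lower()
    if len(text) != 40 or not set(text) <= HEX_DIGITS:
        raise ValueError("not a 40-hex-digit SHA-1 digest: %r" % text)
    return text


def sha1_of_stream(fileobj, chunk_size=1 << 20):
    """Hash a stream in 1 MiB chunks so a large .dmg is never read into memory whole."""
    h = hashlib.sha1()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def digest_matches(actual_hex, published_hex):
    """Constant-time comparison of the computed digest with the published one."""
    return hmac.compare_digest(actual_hex, normalize_digest(published_hex))


def verify_bytes(data, published_hex):
    """In-memory variant for small inputs and self-tests."""
    return digest_matches(hashlib.sha1(data).hexdigest(), published_hex)


def verify_file(path, published_hex=None):
    """Verify a downloaded file. Without an explicit digest, look it up by
    file name in PUBLISHED_SHA1 (KeyError for an unknown name is deliberate)."""
    if published_hex is None:
        published_hex = PUBLISHED_SHA1[os.path.basename(path)]
    with open(path, "rb") as f:
        return digest_matches(sha1_of_stream(f), published_hex)


if __name__ == "__main__":
    # Usage: python verify_update.py MacOSXServerUpdate10.2.4.dmg [expected-sha1]
    expected = sys.argv[2] if len(sys.argv) > 2 else None
    ok = verify_file(sys.argv[1], expected)
    print("OK" if ok else "MISMATCH: do not install")
    sys.exit(0 if ok else 1)
```

A published digest only tells you the file you have is the file the publisher hashed; it carries that meaning only when the digest is read from a source you trust at least as much as the download, which is why the advisory also points at the Apple Support article. SHA-1 was the norm in 2003 and is fine for this purpose against accidental corruption, but it is no longer collision resistant, and current vendor advisories publish SHA-256 or signatures instead.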


PHP-Nuke fix for Safari problem

For anyone who runs a PHP-Nuke based site, here's a patch for the Safari login problem.

Go to the Your_Account module in the Modules folder, open index.php and look for the following line in the function docookie:

setcookie("user","$info",time()+2592000);

Add "/" as the path parameter (the fourth argument) so the call looks like this:

setcookie("user","$info",time()+2592000,"/");

This will fix the problem with the cookie being set incorrectly for Safari.


Safari Login work-around

Here's a work-around for the problem Safari has with logging into PHP-Nuke based sites such as MacMegasite & MacMerc.

After you've attempted to log in to MacMegasite at least once, edit the file cookies.plist in ~/Library/WebFoundation and look for the following lines (the Expires date will vary):

<key>Domain</key>
<string>macmegasite.com</string>
<key>Expires</key>
<date>2003-03-26T22:53:47Z</date>
<key>Name</key>
<string>user</string>
<key>Path</key>
<string>/modules.php</string>

Change the path string from "/modules.php" to "/" and the next time you run Safari, you should remain logged in properly.



Thanks to Jon Gales for this fix.
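Both the PHP-Nuke patch and the cookies.plist edit above come down to the cookie's Path attribute. The setcookie() call in PHP-Nuke sent no path, Safari recorded the full "/modules.php", and a cookie scoped to "/modules.php" is not sent with requests for "/" or "/index.php", so the site saw no login cookie on most pages. Passing "/" from the server (or editing the stored path to "/") makes the cookie apply to every page on the host. The following added example (written for this archive page; it is neither PHP-Nuke's nor Safari's code) implements the default-path and path-match rules as RFC 6265 specifies them (RFC 2109, current in 2003, gave the same default: the request path up to but not including its rightmost slash), shows which pages receive the cookie under each path, and applies the manual plist edit programmatically with Python's plistlib. The plist content is a constructed sample in the layout quoted in the post.

```python
import plistlib

# Constructed sample of the Safari cookies.plist entry described above (an
# array of cookie dictionaries); it is not copied from a real machine. The
# "user" cookie sits at Path=/modules.php, the path Safari recorded when
# PHP-Nuke's setcookie() call omitted the path argument.
SAMPLE_COOKIES_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
  <dict>
    <key>Domain</key>
    <string>macmegasite.com</string>
    <key>Expires</key>
    <date>2003-03-26T22:53:47Z</date>
    <key>Name</key>
    <string>user</string>
    <key>Path</key>
    <string>/modules.php</string>
  </dict>
</array>
</plist>
"""


def default_cookie_path(request_path):
    """Default Path for a Set-Cookie header that carries none (RFC 6265 section
    5.1.4): the request path up to but not including its rightmost '/', or '/'
    when the path holds no more than one slash. For '/modules.php' that is '/'."""
    if not request_path.startswith("/") or request_path.count("/") <= 1:
        return "/"
    return request_path[:request_path.rfind("/")]


def path_matches(cookie_path, request_path):
    """RFC 6265 section 5.1.4 path-match: is a cookie stored with cookie_path
    attached to a request for request_path?"""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def pages_receiving_cookie(cookie_path, request_paths):
    """Which of the given pages would see the login cookie."""
    return [p for p in request_paths if path_matches(cookie_path, p)]


def cookie_paths(plist_bytes):
    """(Name, Path) for every cookie in a cookies.plist."""
    return [(c.get("Name"), c.get("Path")) for c in plistlib.loads(plist_bytes)]


def fix_cookie_paths(plist_bytes, domain, name, new_path="/"):
    """The manual edit from the post, done programmatically: rewrite Path on
    cookies matching domain and name. Returns (new plist bytes, cookies changed)."""
    cookies = plistlib.loads(plist_bytes)
    changed = 0
    for cookie in cookies:
        if (cookie.get("Domain") == domain and cookie.get("Name") == name
                and cookie.get("Path") != new_path):
            cookie["Path"] = new_path
            changed += 1
    return plistlib.dumps(cookies), changed


if __name__ == "__main__":
    pages = ["/", "/index.php", "/modules.php"]
    print("default path for /modules.php:", default_cookie_path("/modules.php"))
    print("pages seeing a Path=/modules.php cookie:", pages_receiving_cookie("/modules.php", pages))
    print("pages seeing a Path=/ cookie:          ", pages_receiving_cookie("/", pages))
    fixed, count = fix_cookie_paths(SAMPLE_COOKIES_PLIST, "macmegasite.com", "user")
    print("cookies rewritten:", count, "->", cookie_paths(fixed))
```

Two practical notes. The 2592000 in the PHP call is 30 days in seconds, which is consistent with the Expires date in the quoted plist entry. And Path is a convenience for scoping, not a security boundary: scripts on the same origin can read cookies regardless of their path, so widening the path to "/" here costs nothing in isolation; it simply makes the cookie available on every page that needs it.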


Bare Bones introduces TextWrangler 1.0

Bare Bones Software, the developers of BBEdit, have introduced a budget-priced text editor, TextWrangler 1.0.

TextWrangler is a...



  • General Purpose Text Editor

  • Programmer's Text Editor

  • Unix And Server Administrator's Tool

  • Powerful Text Transformer And Manipulator

  • Product Developed In The Best Traditions Of Bare Bones Software



TextWrangler features...



  • Flexible 'grep' style pattern-based search and replace based on PCRE (Perl-Compatible Regular Expression)

  • Syntax coloring and function navigation for ANSI C, C++, and Objective-C

  • Sort Lines and Process Duplicate Lines plug-ins offer grep pattern support for sorting, extracting, and handling text

  • Ability to integrate TextWrangler with Unix tools and scripts on Mac OS X, by means of the "edit" command-line tool

  • Extensive FTP support



TextWrangler sells for $50 and has many of BBEdit's features except HTML support, web site management features, additional language & scripting support, content management, and CodeWarrior integration.



For more information visit Bare Bones Software's web site.


Sony Ericsson Clicker

If you have a Bluetooth capable Mac & a Sony Ericsson phone, you'll want to get Sony Ericsson Clicker.

Sony Ericsson Clicker lets you use your phone as a remote control for Keynote, PowerPoint, iTunes, DVD Player, or any application that supports AppleScript.



It also features a proximity sensor that can pause iTunes when you leave the room and resume when you come back or trigger any AppleScript action.



Supported phones include Sony Ericsson's T39m, R520m, T68, and T68i.



For more information or to download a copy visit http://homepage.mac.com/jonassalling/Shareware/Clicker/index.html. The current preview release expires Mar. 1 but a new version should be ready before then.



I just ordered a T68i a few days ago - I can't wait for it to arrive so I can try this!


Fluid 2.0 Released

Newest version of popular screensaver offers exceptional enhancements.



February 25, 2003



Concept House released version 2.0 of their Fluid screensaver today. Fluid is a realtime fluid-dynamics model and rendering engine that uses OpenGL to create the effect of flowing liquid on your screen. The original version of Fluid has been one of the most popular screensavers for the platform and the newest version adds incredible new features such as 3D liquid surfaces that have shadows and highlights and even reflections, contour line rendering, streakline rendering, and a killer particle system.



The Fluid engine allows complete freedom to design your own unique Fluid Themes that can be saved, reloaded, traded, and even shared via Rendezvous with a Fluid Theme Server (included in the distribution). When you run a Fluid Theme Server every machine on the local network will have access to your saved Fluid Themes.



Another new feature is support for web-based background images. If you drag an image from your web-browser into Fluid's background imageWell then it will reload that image each time Fluid starts. In this way you can have your favorite webcam in the background while Fluid runs.



Fluid's performance and image quality have been enhanced too. Frame rates have been increased by about 15% over the previous version and a smoothing algorithm has been instituted for the bubbles to increase quality at lower resolutions of the model.



Fluid is "donation-ware." Concept House is not charging for Fluid but would appreciate it if you would donate to the development fund if you use Fluid on a regular basis or find it so mesmerizing that you can't stop staring at it. Months of development time have gone into Fluid so you should support the starving developers if you use it.



Fluid is available via the web at the following address:


http://www.concepthouse.com/products/
