DaveNet: Web Servers and File Systems. This is the security alert I posted early this morning. The full scope of the problem wasn't clear at the time.
Netscape's been playing with scripting in web pages. Would someone please review this, I'm working on something else. It's been a busy day!
The Motley Fool solution to the IIS hole.
Amazing! Someone just sent me a URL that gets me the password for the frequent flier mileage database of a major US airline. I'm not publishing the URL. But given what I've seen today, security is so poor at major websites, you don't have to wait until Y2K for a likely meltdown. We should all go to school on choosing passwords. Hint hint.
SoftWing claims to have a fix that closes the hole in IIS. According to Jim Roepcke, the fix works.
Bob Denny, the lead developer of O'Reilly's WebSite checks in on the last round of security holes.
WindowsSources has the story now. (10:21AM)
I'm hearing from well-intentioned people who are able to access credit card information thru this loophole on major e-commerce sites. I'm not posting the URLs. But a heads-up, if I operated a Windows-based web server with script code of any kind, I'd shut it down while I did a complete site audit.
I just got a report that Allaire's Cold Fusion has the hole too. At 8:45AM I sent a private email to ten Microsoft people I work with telling them about the hole. At 9AM you can still access source code at microsoft.com, and there's no security advisory on their site as far as I can see. A security advisory should be the top item on www.microsoft.com right now, in big red letters.
The industry press is asleep at the wheel on this one. Here's a list of the sites I watch. None of them is carrying a security alert. Why?
AspCodeLock might help.
Allaire posted a security advisory on 6/29.
W3C: Security FAQ.
A pricing update for Frontier 5.1 with a new discount for server developers and a discount for orders of five or more licenses.
There was a lot of confusion created by our first customer mailing almost two weeks ago. We're getting a new one ready. We've learned a lot in the last few weeks. And re-learned a lot too! Thanks everyone for your patience and support.
Three new releases in the Frontier community this morning. Josh Lucas released a Java toolkit that allows applet code to talk XML-RPC. John Delacour's Mimi suite connects Frontier systems via email. And Alan Baer's TableLogic suite enhances Frontier's ability to generate HTML tables.
On a lighter note, another company bites the bullet and assumes the 'portal look'. There's gold in them thar hills?
© Copyright 1997-2005 Dave Winer. The picture at the top of the page may change from time to time. Previous graphics are archived.