r3ck0rd’s Blog

One XSS from WP-Statpress, where you can put XSS in the referrer by modifying the referrer with a program like Achilles (not available to download anymore, but you can search for it, or use a Firefox Plugin). Take a look at here:

1146: $referrer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '');
1147: $userAgent = (isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '');

Which means, it is vulnerable if someone modifies the referrer through Achilles (I’ll show you how sometime), and put an xss script (something like: http://abc.de/’>”><script>alert(/xss/)</script>), and modify the user agent and put an XSS script. As you know, this can be used for stealing cookies.

Affected Version: 1.2.9
The author has released the patch, update your plugin now from your plugins tab.

Original Post:
http://blog.rogeriopvl.com/archives/statpress-plugin-xss-vulnerability-disclosure - by c0nde

Read more:
http://wordpress.org/support/topic/184321 - WP.org support topic
http://chrispederick.com/work/user-agent-switcher/ - for the user agent modifying.
http://zoiz.web.id/xss-corner/wp-statpress-xss.html - quickly explained by Zoiz.
http://zoiz.web.id/xss-corner/useragent-xss.html - XSS from user agent
https://addons.mozilla.org/en-US/firefox/search?q=HTTP+Headers - Firefox Add-on search page

Yesh! Titled Puzzle Part 1 (level 50) has been completed! If you reach that level, contact me

BTW, don’t forget to check out the walkthrough blog too if you need help

Hey there! I finally got home! Well actually at Saturday. But at Saturday, I was really tired. Sunday, I have work to do. Monday, too lazy to do this. Heh-heh.

Last Sunday after I went off from church, and after I had lunch at Taman Anggrek, I went to shop books at Gramedia Bookstore. I took two magazines, they’re the newest edition of Indonesian CHIP magazine and the economic edition of InfoLINUX. Then I went to the computer books sections. OK, it’s been a long time since I last visit a bookstore this before. And guess what? I found more useless books! Starting from “How to crack Passwords” (most techniques have already out of date), “How to download music files”, all by Dominikus Juju and Matamaya Studio, and they’re on the highlight shelf. And, “Gaul Ala Friendster” (don’t know the exact English for “Gaul”). And saw two groups of teenagers reading it, and one of them took it. Oh man. Then I saw an old man, is reading the “how to crack passwords” book. Glad he put it down again. You can find more in there.

Sure, there is nothing I can buy except “Tips and Trick: Monetizing from Google” (you know, I can find that on the internet too, I’m just too lazy right now). Jubilee Enterprise’s books now I found not interesting for me anymore. Well then I see a group of teenagers were seeing those useless books too. Hah… OK so then I left.

I was walking to the comics section, that was where I see my PCS leader, ko” Willy and friends there (PCS leaders and members too), ha-ha what a co-incidence (co, incident? stop playing words ha-ha). Seems to be they just arrived from the same church :). After they left (don’t know where), I saw one good book. It is titled “Slandering Jesus” (Indonesian: Memfitnah Yesus), by a pastor from Moody Church, Dr. Erwin Lutzer (you can find him at our beloved Wikipedia). It’s a one good book. And an eye catching title and cover. Recommend you to buy one. Hehe.

So that’s my Sunday at Gramedia Bookstore TA.

Hello again! It’s been a long time since I wrote a tutorial about Windows Registry. Well today I’m not going to write about Windows Registry, because I haven’t found something fresher. And I’m busy working on my Titled Puzzle. And tommorow, RPK (Remaja Pantekosta Ketapang) have a youth camp until Saturday, so I can’t write for two days (yes I hope I can write about the youth camp Saturday night). Can’t wait until tomorrow, to see more souls saved!

So this is my last post today, I hope I don’t faint when I’m home Saturday night. Enjoy today’s nicknacks!

BTW, just an info for BackTrack lovers, Remote Exploit has released BackTrack 3 Final! Check out their site!

Read more »

Hey there buddies! Now the game “Titled Puzzle” has its own official hints blog! It’s located in here:

Titled Puzzle Official Blog

Now, if you want to ask for more hints, ask there!

Hey there guyz, our game Titled Puzzle has reached its first checkpoint (lvl 25)! Now the game is under progress of level 28! If you haven’t know Titled Puzzle, just play it: here.

General Changes in Titled Puzzle as of Monday, June 23rd 2008

• The main start page has been edited.
  • Added how.to.play.
  • Added rule.of.play.
  • Added hit counter.
  • Hall Of Fame information added.
  • Modified the copyright text.
• Completed level 27. Enjoy playing

Thanks,

r3ck0rd

Hi there fellas! Do you know that me and my friend, yamiza, has planned to build a riddle game, web-based. Like tktQ+, thisisnotporn. In fact, it has been published. Pay a visit! Currently, I’ve finished the level 15 (not actual, ok).

Titled Puzzle

Enjoy playing

UPDATE June 20: You can find the “Hall Of Fame” page in the sidebar.

Howdy fellas, glad you come to read my new post. This is about Friendster. Friendster again? Am I not bored? Of course I do, it’s my fun! Hacking is for fun, don’t you think so? Of course you don’t if you have already made hacking as a job. It’s no fun anymore, isn’t it? It’s about work. Or if someone still say it’s fun whether it’s a job or not, glad to hear that!

OK to the point. Monday when I have a trip to Tanah Lot in Bali, my friend ymm0t called me and send me his advisory. It’s about Friendster’s log out problem. Well, I found it earlier than him, but never thought of writing this.

Read more »

Hello there readers,

Now is Tuesday, 9.55 am, Bali time (WITA). Yes, I’m posting this in a hotel’s cafe in Bali using my dad’s iPhone. I’m using no GPRS and I didn’t turn on WiFi. I see no internet connection setting here. Well, I already nullified the EDGE/GPRS setting, and turned off WiFi. Now, that’s strange enough. I can access the internet like this since last night. I wonder how, I saw the Safari pointing to http://hotspot.cbn.net.id/iphone-success-new.html. Does anybody know what is happening. I can’t find any CBN’s hotspot around.

Well today I’ll check out and take a plane back to Jakarta. Yipee, home sweet home. After I’m home, I’ll post an advisory from my friend, ymm0t, again, about Friendster. Stay tune to my blog, I’m gonna take a shower and ready to go home!

Kuta, June 17, 2008,

r3ck0rd :confused:

EDIT: An hour after I nullified the EDGE setting, I can’t access the Internet then. After I set the APN again to xlgprs, I can surf again. Hahahaha…………………………………. crap.

Site Update: Mon20080526

Alright, time to announce site updates again…

Playing and testing .name

I just want to play with .name, and went to freeyourid.com for a free .name for 90 days, and here is what I register:

ww.r3ck0rd.name
calvin.r3ck0rd.name

As I like ww.r3ck0rd.name so much, so I play with ww.r3ck0rd.name:

ww.r3ck0rd.name/fs redirects to my Friendster Profile Page.
e-mail: ww@r3ck0rd.name

Well that’s all, haha I’m a little lazy to post this. :oh: