Grab bag: Parties and Python

Remix culture: NASA’s bootleg Snoopy from 1969

I had read about NASA’s use of Snoopy and the Peanuts characters as unofficial mascots for Apollo 10 (it was well documented in Charlie Brown and Charlie Schulz, which sat on my Pop-Pop’s bookshelf alongside the Peanuts Treasury), but don’t remember seeing this. Courtesy Google Image Search and the LIFE archives:

As good an argument for the Commons as I’ve ever seen. The irony is, of course, that it sits in Google Images with no reasonable licensing in place. Even this bootleg image is claimed as copyright LIFE magazine.

WordPress 2.6.3 CSRF security vulnerability

No link, because I’m posting this from my iPhone. But it looks like WordPress 2.6.3, the latest version, has a cross site request forgery vulnerability. The way CSRF works, if you have your WP site open and are logged in, an attacker can use another web page that’s open at the same time to perform actions on your blog, like deleting users. No word yet that I’ve seen about a fix. I’ll post more about CSRF in a while.

Update: Here’s the official published vulnerability (CVE-2008-5113) from the National Vulnerability Database. And here’s a good description of how CSRF works from OWASP. The scary bit is that if the application isn’t patched, there’s not a lot you can do to mitigate the attack. I haven’t seen anything official from WordPress yet on this vulnerability, but there’s an interesting discussion trail on the bug. Bottom line for app developers: don’t trust user input, and yes the HTTP request needs to be considered user input.