Buca Bay - Always nice

I have a black rooster, its name is… sing it out…

so so Friday…. and a mugging

September26

Was most disturbed to see a mugging done in broad daylight.. outside the FIT hostel gates… this man was being assaulted by two Fijian youths dressed in dark clothing.. huge jackets and one with a beanie to hide his face I’m sure.. Joana, her Nau and I were on our way to town on the bus to run some errands. The bus must have startled them because they both ran off and I saw one of them with a knife… this isn’t the Fiji I know… it’s a sign of desperate times.. :( I don’t feel so safe walking home alone anymore.. this was done just down the street from where we live.

Am guest blogging on here and will be popping in now and then to ramble.. while I have my own site that has been neglected for almost a year.. this seems easier to do.. lol..

Well that’s it from me tonight… I have a long night of wow ahead of me.. wewt wewt :D


Security of Fiji’s Major Company Websites

September25

Taking a look at the largest websites on the com.fj domain (Fiji domains) I was surprised that 8 out of the 11 websites I looked at had security flaws that can be detected in about 10 seconds (literally) with just a browser.

These websites were Vodafone, Connect, Fiji White Pages, AFL, Fiji Sun, Air Fiji, Fiji TV, Fiji Times among others.

Those that don’t have apparent security flaws:
Airports Fiji Limited
Air Fiji
Fiji Times


Those that have apparent security flaws:

Telecom Fiji Limited
Vulnerability: XSS, XSRF
Severity: Low
Note: No user accounts to exploit

Vodafone
Vulnerability: XSS, XSRF
Severity: Critical
Note: User accounts are affected. An attacker can log in as another user with their privileges

Connect
Vulnerability: XSS, XSRF
Severity: Critical
Note: User accounts are affected. An attacker can log in as another user with their privileges

Fiji White Pages
Vulnerability: XSS
Severity: Low
Note: There are no user accounts so users are not affected

Fiji Yellow Pages
Vulnerability: XSS, Blind SQL Injection
Severity: Medium
Note: There are no user accounts so users are not affected. However, the whole database is vulnerable to reading.

Fiji Sun
Vulnerability: XSS
Severity: Low
Note: There are no user accounts so users are not affected. Attack requires social engineering.

Fiji TV
Vulnerability: XSS, XSRF, SQL Injection
Severity: Critical
Note: User accounts are affected. An attacker can log in as another user with their privileges. Direct SQL injection can retrieve all user details and possibly administrative access to the website.

South Pacific Stock Exchange
Vulnerability: Blind SQL Injection
Severity: Critical
Note: Blind SQL injection can blind read the database, and possibly gain administrative privileges.

Now this is quite disturbing. I only tested two basic exploits, XSS and SQL Injection. The XSRF vulnerabilities are implied when XSS is present and user accounts are present on the same domain: script injected into a page runs inside the victim’s logged-in session, so it can read any anti-CSRF token from the page and submit requests as that user.

No need to panic: estimates put the share of websites vulnerable to XSS at around 70%. What amazes me, however, is that these are large corporate websites; their web developers should know better.
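As an added example, not code from the original post and not taken from any of the sites named above, here is a small Python/SQLite model of the three flaw classes in the list: a search term echoed into the page (XSS), a string-built lookup (SQL injection), and the blind-read loop that turns a bare yes/no answer into the contents of the database. The table, the user names and the page parameters are hypothetical, and each flaw sits beside its fix.

```python
"""Added example (not from the original post): a hypothetical lookup page
modelled in Python/SQLite so the flaw classes in the list above can be
reproduced and fixed offline. Table, users and parameters are made up."""
import html
import sqlite3

# Constructed sample data standing in for a site's user table.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
conn.executemany("INSERT INTO users (name, password) VALUES (?, ?)",
                 [("admin", "s3cret"), ("joana", "milk")])

# --- XSS: a search term echoed back into the page ----------------------------

def render_search_vulnerable(term: str) -> str:
    # Raw interpolation: requesting ?q=<script>alert(1)</script> runs the script.
    return f"<p>Results for: {term}</p>"

def render_search_fixed(term: str) -> str:
    # Escape on output: the same payload is rendered as text, not markup.
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"

# --- SQL injection: a "does this user exist?" lookup -------------------------

def user_exists_vulnerable(name: str) -> bool:
    # String-built query: the input becomes part of the SQL grammar.
    row = conn.execute(f"SELECT 1 FROM users WHERE name = '{name}'").fetchone()
    return row is not None

def user_exists_fixed(name: str) -> bool:
    # Parameterised query: the value is bound by the driver and never parsed as SQL.
    row = conn.execute("SELECT 1 FROM users WHERE name = ?", (name,)).fetchone()
    return row is not None

# --- blind read: the page only answers yes/no, yet the row still comes out ---

def blind_read_password(lookup, target: str = "admin", max_len: int = 32) -> str:
    """Recover the target's password one character at a time using nothing but
    the boolean answer from `lookup`. This is what "blind read the database"
    means: no data is displayed, but every query leaks one bit."""
    recovered = ""
    for pos in range(1, max_len + 1):
        found = None
        for code in range(32, 127):  # printable ASCII
            # unicode(substr(...)) is NULL past the end of the string, so the
            # comparison fails for every code and the loop terminates.
            payload = (f"' OR (SELECT unicode(substr(password,{pos},1)) "
                       f"FROM users WHERE name='{target}') = {code} -- ")
            if lookup(payload):
                found = chr(code)
                break
        if found is None:
            break
        recovered += found
    return recovered

if __name__ == "__main__":
    print(render_search_vulnerable("<script>alert(1)</script>"))
    print(render_search_fixed("<script>alert(1)</script>"))
    print("injected lookup, vulnerable:", user_exists_vulnerable("' OR 1=1 -- "))
    print("injected lookup, fixed:     ", user_exists_fixed("' OR 1=1 -- "))
    print("blind read, vulnerable:", repr(blind_read_password(user_exists_vulnerable)))
    print("blind read, fixed:     ", repr(blind_read_password(user_exists_fixed)))
```

The two fixes are the ones that matter in practice: escape untrusted data at the point it is written into HTML, and bind query values instead of concatenating them. Marking the session cookie HttpOnly narrows what an injected script can steal, but it does not stop the script from acting as the user, which is why XSS on a site with accounts is rated critical above.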

Disclaimer: I am not disclosing any details on the vulnerabilities found on the mentioned websites except the fact that they exist. You’ll have to take my word on it.

Update: As requested by JJ, here’s a look at the FVB website:

FVB
Vulnerability: XSS, Blind SQL Injection
Severity: Critical
Note: XSS can be used to log in as another user, possibly gaining administrative privileges. Blind SQL injection can blind read the database, and possibly gain administrative privileges.

Pictures of Joana and the carton of Milk

September25

[Pictures: Milk 1, Milk 2, Milk 3]


The week in Vuda

September22

We spent the whole week in Vuda. What a nice break from Work and Suva.

Vara and Joana have been here since Friday last week. I came in during the week. We managed to get down to the beach and swim for a while. Vara and Robbie had taken the lead; behind them, Joana and I nearly got lost trying to find a new path to the beach. The whole time Joana was saying - it’s kokay. I’m not sure who she was trying to reassure, me or herself. I don’t blame her, she was on my shoulders and I was lost in tall grass. If there happened to be an onlooker all they would have seen is Joana floating above the grass. Would have made quite a peculiar sight.

It’s approaching mango season again and the mango trees in the compound here are heavy with mostly green mangoes. The night I got here, which was around 12PM ’cause I caught the last Viti Minibus from Suva, a mango nearly fell on my head. I had told the Minibus driver to just drop me off at the turn in, and there I was walking along with absolute nonchalance when suddenly there was a loud thud right next to me that made me jump right out of my skin. It took me half a second to realize it was a mango, but too late, the mango had already skinned me - pwned.

We made a swing for Joana in the tree at the back of the house. She loves it so much you kind of get tired of pushing her while she’s on the swing talking away, naming the objects around her - bird, tree, tractor. Yeah, tractor, they plowed the whole field by the house that Simon is developing. Joana and I took some sandwiches that Tiare and Vara had made over to the tractor drivers and Joana was quite fascinated with the burnt sugarcane, plowed earth, tractors and all. Yesterday she was asking for the tractors again.

Well, Steven probably wants to get on and play some WOW, so I’ll get off.


Thursday Afternoon

September11

Just got back from playing touch rugby down at the nearby park. My knee is a bit injured, and I’m still playing with it. Today, because of that, I injured my ankle. When will I ever learn? When you have an injury, just relax the thing ga.. damn. But then again, you can’t just work all day and no play.

I was listening to some songs on Youtube yesterday and came across this lil girl, Alexis Jordan, that can really sing.

I haven’t bought an album in a long time, but if she puts out an album, I’m definitely the first to buy it.

Someone please sign her up already, we want to buy her albums.


Review of Google Chrome

September11

Just testing out Google Chrome, which is an open source web browser developed by Google, and I must say I am very impressed. It is beyond any current browser in many ways.

The interface is awesome, very simple, and elegant. The most compelling aspect of Chrome however is how the development team designed it from the ground up to cater for today’s modern websites. The browser is designed like an operating system: each new tab has its own process, just like each application in your OS. JavaScript is executed in a JavaScript virtual machine, which means… speed!

I encountered a bug however, when opening the built in JavaScript console. Nothing serious.

A small quirk is that you can’t view the list of history pages for a single tab like in Firefox and IE. You have to view the whole browser history. Other than that, the browser rocks. (update: You can view the list of pages by clicking on the back button and holding)

Another browser also means more time debugging JavaScript (and XHTML/CSS). But I’ve just tested a few of the web based apps we’ve developed and they work fine. I’ve also heard the same news from other developers. (update: I’ve found a few bugs, some Flash apps that talk to JS don’t work - same bug I’ve seen in Safari)

That reminds me, the browser testing is actually done automatically using Google’s index of sites. They claim to be able to test new Chrome builds against thousands of sites within half an hour and I believe them. What a development edge over Mozilla - I don’t think Firefox has such a super testing process.

Now the only thing I haven’t looked into is how easy it would be to write plugins - what they have in store for plugin/extension developers.

Google Chrome even has the built in functionality of the famous Firefox Extension, Firebug, with its Chrome Inspector. Good stuff.

Update Number 1

September10

Isa, what a beautiful day today in Suva.

I was up all night (again) working on the last pieces of the initial start of a project - enjoyed it though (usually I don’t). Then suddenly it’s light, 8:30am and the sun is getting a wee bit up there. It is a bit cloudy, so it might rain - you know, the usual Suva weather, take your umbrella wherever you go no matter what the weather forecast is.

Well, I lie about working all night; actually it was all night, but I finished around 5am, then started on some fun stuff. Haha.. fun stuff, yeah… Fun stuff = more coding. It’s exactly the same thing as work, but only this time I choose what it is, so it’s… fun.

The fun stuff, was an SMTP Email Validation Class written in PHP. I had a bit of help from a dude on a PHP forum I participate on. Ok, I hear some yawns… I’m one of them - damn I need to go and sleep.

Well, in other news, I took my WOW toon to level 30 last week. Did you know you get mounts at level 30 now? Can’t wait to start pwn’ing some noobs.. Woot! ;)

Oh yeah, Vara got a new computer. A sweet, 22 inch screen and CPU frequency @ 5.6 GHz. Me like it alooot. Tried out Windows Vista on it, and I must say M$ did a really good job with Vista. I’ve heard a lot of complaints about Vista - except for my bro in Nevada, he liked Vista - and I’m thinking that maybe they are just too used to the piece of shit Windows XP to appreciate a better designed OS like Vista. I can almost compare Vista to Ubuntu, but not quite there yet.

Well well welly well, I should really get some sleep.

Beeeep…


Bula

September7

Bula Vina’a,

Welcome to my new blog. I’ve decided to start blogging again, and host my own personal blog. A chance for me to get into WordPress also.

Well, be sure to leave a comment.

Moce to’a.
