Wednesday, 8 April 2015

水 - 生命、纯洁、宁静 - 美文诗歌
















水~~它意味着生命、纯洁、宁静……

水是最普通的东西。
风霜雨雪,都是水,不同状态的水。在我们的生活中它处处皆是,我们是如此的忽视它,竟忘记了它是如此的重要……

水是生命之源。
人自呱呱坠地,直至生命的终结,没有一刻可以离开它。当你远离水的时候,就像在沙漠之中,就会对它产生渴望与幻想。
地球上有75%被水所覆盖,要在浩瀚的宇宙中找寻一个地球的扩展空间,其中的一个决定因素就是那个星球上有没有液态水!

水是污浊的荡涤。
人们起床的第一项工作往往就是清洁一下自己,刷牙、洗脸,让我们每天以清新爽朗面对生活,这是水的功劳!
墨池,王羲之练字,久而久之,一池清水竟呈墨色。一池清水奉贤了自己的洁净,成就了一位况绝古今的大书法家。

山水近高天,水也为蒙尘的心洗礼!
青山绿水,高山流水,小桥流水,清江泛舟,只有在这种远离尘嚣的清新、宁静之中,人们才会忘记尘俗的勾心斗角,揭去负累的面具,素面朝天,才有了心灵的升华。

溶霜化雪渗入泥,
清净怀远呈智霖。
花红柳绿源头是,
荡尽尘嚣有冰心。


CVE-2014-7291 Springshare LibCal XSS (Cross-Site Scripting) Security Vulnerability Weakness


CVE-2014-7291  Springshare LibCal XSS (Cross-Site Scripting) Security Vulnerability Weakness

Exploit Title: Springshare LibCal Multiple XSS (Cross-Site Scripting) Security Weakness
Product: LibCal
Vendor: Springshare
Vulnerable Versions: 2.0
Tested Version: 2.0
Advisory Publication: Nov 25, 2014
Latest Update: Nov 25, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-7291
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Solution Status: Fixed by Vendor
Credit: Wang Jing [SPMS, Nanyang Technological University (NTU), Singapore]








Recommendation Details:


(1) Vendor & Product Description:


Vendor:
Springshare


Product & Vulnerable Versions:
LibCal
2.0

Vendor URL & download:




http://springshare.com/libcal/ 


Product Introduction Overview:
“LibCal is an easy to use calendaring and event management platform for libraries. Used by 1,600+ libraries worldwide, LibCal makes it a breeze to manage online calendar of events, offer room bookings online, manage the opening hours for various locations."

    "Manage Calendar & Event Registrations
    Create custom Registration Forms
    Manage Consultation Appointments"
    Create an Online Room Booking System
    Display Library & Departmental Hours
    Share Calendar/Event Info via Widgets"





(2) Vulnerability Details:
Springshare LibCal web application has a security bug problem. It can be exploited by XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.

Several Springshare LibCal products vulnerabilities have been found by some other bug hunter researchers before. Springshare LibCal has patched some of them. The MITRE Corporation is a not-for-profit company that operates multiple federally funded research and development centers (FFRDCs), which provide innovative, practical solutions for some of our nation's most critical challenges in defense and intelligence, aviation, civil systems, homeland security, the judiciary, healthcare, and cybersecurity. It has published suggestions, advisories, solutions details related to Springshare LibCal vulnerabilities.


(2.1) The first code programming flaw  occur at “/api_events.php?” page, with “&m” and “&cid” parameters.







(3) Solutions:
2014-10-01: Report vulnerability to Vendor
2014-10-15: Vendor replied with thanks and vendor changed the source code







References:

醉清風 – 弦子 – 唯美空靈的音樂


醉清風 – 弦子 – 唯美空靈的音樂

喜歡醉清風空靈的意境,明月,清風,孤人,琴聲,把酒當歌,令人陶醉, 特制作壹視頻,以為回憶。萬事萬物,誰是誰非,誰又能說清道明


歌曲 & 歌詞

醉清風 歌手:張弦子

月色正朦朧

與清風把酒相送

太多的詩頌

醉生夢死也空

和妳醉後纏綿

妳曾記得

亂了分寸的心動

怎麼只有這首歌

會讓妳輕聲合

醉清風

夢境的虛有

琴聲壹曲相送

還有沒有情濃

風花雪月顏容

和妳醉後纏綿

妳曾記得

亂了分寸的心動

蝴蝶去向無影蹤

舉杯消愁意正濃

無人寵

是我想得太多

猶如飛蛾撲火那麼沖動

最後

還有壹盞燭火

燃盡我

曲終人散

誰無過錯

我看破

月色正朦朧 與清風把酒相送

太多的詩頌 醉生夢死夜空

和妳醉後纏綿

妳曾記得

夢境的虛有琴聲壹曲相送

還有沒有情濃風花雪月顏容

和妳醉後纏綿

妳曾記得

夢境的虛有

琴聲壹曲相送

還有沒有情濃

風花雪月顏容

和妳醉後纏綿

妳曾記得

亂了分寸的心動

蝴蝶去向無影蹤

舉杯消愁意正濃

無人寵

是我想得太多

猶如飛蛾撲火那麼沖動

最後

還有壹盞燭火

燃盡我

曲終人散

誰無過錯

我看破