Affinity Photo for iPad available now!

Professional photo editing on iPad

Developed without compromise, Affinity Photo for iPad is the first full-blown, truly professional photo editing tool to make its way onto the Apple tablet. Built from exactly the same back-end as our award-winning desktop version, and fully optimised to harness the full power of the iPad’s hardware and touch capabilities, Affinity Photo for iPad offers an incredibly fast, powerful and immersive experience whether you are at home, in the studio or on the move.

Engineered for iOS, reimagined for touch

We have been fastidious in our approach to developing the iPad version of Affinity Photo. Every tool, panel and control has been completely reimagined to optimise for touch. All rendering, adjustments and filter effects have been fully hardware accelerated. The result is an all-new way to interact with your images, with performance you will find hard to believe.

Capabilities never seen before on iPad

Multi-Touch gestures for enhanced productivity. Metal accelerated to achieve blazing-fast performance even when editing large images. Sensitive to pressure, tilt and angle, Affinity Photo harnesses the full power and precision of Apple Pencil. And full iCloud drive integration allows for seamless file management, storage and sharing.

All the details here: https://affinity.serif.com

SQL Injection Vulnerability in NextGEN Gallery for WordPress

As part of a vulnerability research project, Sucuri has been auditing multiple open source projects looking for security issues. While working on the WordPress plugin NextGEN Gallery, they discovered a severe SQL Injection vulnerability. This vulnerability allows an unauthenticated user to grab data from the victim’s website database, including sensitive user information.

This vulnerability can be exploited by attackers in at least two different scenarios:

  1. If you use a NextGEN Basic TagCloud Gallery on your site, or
  2. If you allow your users to submit posts to be reviewed (contributors).

This issue existed because NextGEN Gallery allowed improperly sanitized user input in a WordPress prepared SQL query, which is basically the same as adding user input inside a raw SQL query.

Using this attack vector, an attacker could leak hashed passwords and WordPress secret keys in certain configurations.

Technical Details

The golden rule is “never trust the input”. This leads to better security and safe customers.

In every scenario the developer must ask a few simple questions:

  • Is this input safe enough?
  • Is it sanitized?
  • Do we follow any framework-specific rules and best practices?

WordPress uses the PHP vsprintf function to prepare SQL statements in $wpdb->prepare(), which means that the SQL statement is used as a format string and the input values are passed as its arguments.

The conclusion is that it is never a good idea to supply user input in the format string, because it may not be sanitized against characters that could create valid arbitrary sprintf/printf directives.

More information can be found here: SQL Injection Vulnerability in NextGEN Gallery for WordPress
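The point above as an added PHP example (not code from Sucuri, WordPress or NextGEN Gallery): it contrasts user input glued into the format string with the same input passed as an argument. prepare_model() is a simplified stand-in for $wpdb->prepare(); the helper functions, the table and column names and the sample tag are all hypothetical.

```php
<?php
// Added example: a simplified model, not WordPress or NextGEN Gallery code.
// Table/column names and the sample tag are constructed for illustration.

// Stand-in for the vsprintf() step of $wpdb->prepare(). Assumption: the real
// method escapes each argument through the database layer, not addslashes().
function prepare_model(string $format, array $args): string
{
    $format = preg_replace('/(?<!%)%s/', "'%s'", $format); // quote bare %s
    $args = array_map(fn($a) => is_string($a) ? addslashes($a) : $a, $args);
    return vsprintf($format, $args);
}

// Number of sprintf directives in a format string; "%%" is a literal percent.
function count_directives(string $format): int
{
    return substr_count(str_replace('%%', '', $format), '%');
}

// Weak pattern: the tag is escaped for SQL but glued into the format string,
// so any "%" it carries is later read by vsprintf() as a directive.
function tag_format_weak(string $tag): string
{
    return "SELECT pid FROM pictures WHERE tag = '" . addslashes($tag)
         . "' AND hidden = %d";
}

// Hardened pattern: the format string is a constant; the tag is only data.
function tag_query_hardened(string $tag): string
{
    return prepare_model(
        'SELECT pid FROM pictures WHERE tag = %s AND hidden = %d',
        [$tag, 0]
    );
}

$tag = 'summer %s sale'; // constructed input containing a format directive

// The developer wrote one directive (%d); the weak format now holds two.
printf("weak format directives: %d (expected 1)\n",
    count_directives(tag_format_weak($tag)));

// Guard usable in review or tests: reject formats whose directive count drifts.
if (count_directives(tag_format_weak($tag)) !== 1) {
    echo "rejected: user input altered the format string\n";
}

// The "%s" inside the tag stays literal text inside the quoted value.
echo tag_query_hardened($tag), "\n";
```

SQL escaping such as addslashes() does not touch "%", which is why the weak pattern fails even though the input looks sanitized.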

The December 2016 WordPress Attack Activity Report – Wordfence

Wordfence today published an interesting report: the WordPress Attack Activity Report.

This new kind of report shows the attack data for the previous month, from the 1st to the end of the month, and provides an analysis of the attack activity targeting WordPress websites.

The report includes a table that lists the most active attack IPs for December 2016. Ukraine still owns the top spot. Ukraine absolutely dominates the report. Out of the 25 top IPs, 13 are based in Ukraine.

Enjoy the rest of the report here: https://www.wordfence.com/blog/2017/01/december-2016-wordpress-attack-activity-report/

typewolf.com

WHAT’S TRENDING IN TYPE

Typewolf is the absolute best resource available for everything related to typography on the web.

Typewolf is an independent site that features typefaces from all type foundries regardless of where the fonts can be purchased.

Critical Vulnerability in PHPMailer. Affects WP Core

A critical remote code execution vulnerability in PHPMailer has been discovered by Polish researcher Dawid Golunski.

The vulnerability was announced on legalhackers.com yesterday, but proof of concept exploit details were not included.

Unfortunately, someone posted a proof of concept to exploit-db and to GitHub demonstrating how the vulnerability can be exploited in the PHPMailer library, but not targeting any web application that is in use.

Source: https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/