Posts Tagged ‘oops’

This is how you don’t write PHP

Sunday, March 29th, 2009

A friend (and client) of mine started building a site using Jupiter CMS, so I decided to take a quick audit of it. It’s pretty much an example of how not to write code, and in my opinion the people who wrote it should take up farming or something instead.

Two years ago there was this file inclusion bug. Hey, no problem – it’s been patched. Or has it? Here’s the vulnerable code block again, with absolutely patently retarded mitigation in place:

if(isset($n))                                    // $n arrives straight from the query string (register_globals, presumably)
        if(file_exists("$n.php"))
                if(strpos($n, "../") !== false)  // the only "sanitising" step: a substring test for ../
                        header("location: $PHP_SELF?i=error");
                else include("$n.php");          // anything else that exists, absolute paths included, gets included
        elseif(!file_exists("$n.php"))           // only reachable once file_exists() has already returned false
                header("location: $PHP_SELF?i=error");

Whee! The only checks are whether the file exists once .php has been appended, and whether the string contains ../. Nothing ties $n to a directory of pages, so any absolute path is fine by it, and on a Windows host ..\ slips past the one test it does make. Delicious.

Obviously that stops this from working:

index.php?n=/../../../../../../../../../../etc/passwd%00

But what about this?

index.php?n=/etc/passwd%00

Or hey, if you could drop a file anywhere on the server in a known location, it gets executed as PHP: any absolute path that exists once .php is tacked on is fair game. The %00 in the payload above works because the PHP of the day hands the path to the C library as-is, so both file_exists() and include() stop at the null byte and the appended .php vanishes (PHP 5.3.4 and later reject paths containing NUL bytes, which closes that particular trick but does nothing about the absolute-path hole). A cursory try at remote file inclusion fails because file_exists() can’t stat an http:// URL, but there are probably other clever tricks to get around that too.

What’s up with that retarded !file_exists()? That elseif can only be reached once the outer file_exists() has already returned false, so its test is always true; it’s an else written the long way round. It’s obvious they don’t get security, but maybe they don’t grok if-then-else at all? I might just add this to a list of software people can’t run on my servers.
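To make the two points above concrete, here is an added example (my code, not anything from Jupiter CMS) that reproduces the snippet’s decision logic as a function, builds a throwaway web root under the system temp directory, and runs three page names through it next to a hardened replacement. The hardened version and its names (safe_resolve, jupiter_resolve, the pages directory layout) are assumptions for illustration. It shows the absolute-path case rather than the %00 case, because any PHP from 5.3.4 onwards rejects NUL bytes in paths; it needs PHP 7.1 or later for the nullable return type.

```php
<?php
// Added example, not code from Jupiter CMS. Reproduces the logic of the
// snippet above as a function, sets up a constructed web root under the
// temp directory, and contrasts it with an allowlist + containment check.

/** Same decision logic as the original: only "../" is rejected. */
function jupiter_resolve(string $n): string
{
    if (file_exists("$n.php")) {
        if (strpos($n, "../") !== false) {
            return "redirect:error";
        }
        return "include:$n.php";
    }
    // The original writes this branch as elseif(!file_exists("$n.php")),
    // which is always true once the outer test has failed: it is a plain else.
    return "redirect:error";
}

/**
 * Hardened replacement (assumed design, not the project's): the page name must
 * match an allowlist pattern, and the resolved file must sit inside $pagesDir.
 * Returns the absolute path to include, or null to send the caller to the error page.
 */
function safe_resolve(string $pagesDir, string $n): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $n)) {
        return null;                 // rejects ../, ..\, /, NUL and anything exotic
    }
    $base = realpath($pagesDir);
    $file = realpath($pagesDir . DIRECTORY_SEPARATOR . $n . '.php');
    if ($base === false || $file === false) {
        return null;                 // unknown page
    }
    // realpath() has resolved symlinks and '..'; require containment in $base.
    if (strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $file;
}

// --- constructed fixture: a fake web root and a fake file outside it ---
$root = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
mkdir("$root/pages", 0700, true);
mkdir("$root/outside", 0700, true);
file_put_contents("$root/pages/home.php", "<?php echo 'home';");
file_put_contents("$root/outside/secret.php", "<?php echo 'should never run';");
chdir("$root/pages");   // the original resolves "$n.php" relative to the cwd

$cases = [
    'home',                     // legitimate page
    '../outside/secret',        // caught by the strpos("../") test
    "$root/outside/secret",     // absolute path: the original happily includes it
];
foreach ($cases as $n) {
    printf("%-45s original: %-45s hardened: %s\n",
        $n, jupiter_resolve($n), safe_resolve("$root/pages", $n) ?? 'error');
}

// tidy up the fixture
foreach (["$root/pages/home.php", "$root/outside/secret.php"] as $f) {
    unlink($f);
}
foreach (["$root/pages", "$root/outside", $root] as $d) {
    rmdir($d);
}
```

The regex is the real fix: a page name that can only be letters, digits, underscore and hyphen cannot contain a separator, a dot sequence or a NUL, so there is nothing left for strpos() to miss. The realpath() containment check is defence in depth for the day someone loosens the pattern or drops a symlink into the pages directory.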

Disable Javascript in Adobe Acrobat Reader

Sunday, March 1st, 2009

If you haven’t already done so, this would be a really good idea. A “0-day” was released a few days back for Adobe Reader, which lets an attacker craft a malicious .pdf that drops a malware payload on your computer when it’s opened. Adobe have been dragging their feet in fixing this, and of course the assholes out there have to put it to work when given an opportunity.

Basically, you open a malicious .pdf, and you have malware on your PC. A site my wife went to had one in a popup, and she’s probably spending the next hour or two cleaning up the mess. The solution is pretty simple:

  1. Open Adobe Reader in standalone mode (from the Start Menu).
  2. Under the Edit menu, click Preferences.
  3. Find the Javascript tab or category.
  4. Uncheck “Enable Javascript in Adobe” or “Enable Acrobat JavaScript”.
  5. Click OK.

Adobe Reader 9 is supposed to get its update on the 11th, and versions 7 and 8 get theirs on the 18th.

Curse you, Thunderbird!

Thursday, February 12th, 2009

In order to more effectively manage problems that arise at Sabrienix, I started looking for a ticketing system. We’re not a big enough operation yet to warrant spending the money on something like Kayako (even though I think we could use it, my wife gave me “that look” when I showed her the pricing options) so I was looking for something that’s free and doesn’t suck.

Let me tell you, it’s like trying to find a needle in a haystack. RT looks good, but I found it somewhat broken on FreeBSD. I’ve spent much of my time lately doing PHP, so I figured something written in PHP would be nice. Unfortunately, PHP makes it easy for anyone to be a programmer, so you’ve got a lot of really terrible software that goes along with it. After going through many, many projects and checking the vulnerability history of each, I finally came across Eventum. It’s MySQL AB’s open source issue tracking system, and I think it rocks.

Anyway, in the course of setting it up, I learned that two of the email addresses for Sabrienix had been ignored. Why? I checked those by POP3 over SSL, and Thunderbird didn’t agree with the server about the ins and outs of SSL, so it decided just to silently give up. I was able to check support just fine, because it goes through a mailing list – but I’d been ignoring sales emails for about a week now, and that looks terrible.

Whose dumbass idea was it for that behaviour? Not just when it automatically checks, no – even if you click “check email” it will still silently skip over any connections it can’t negotiate SSL with. Nothing in the error console. Of course I’ve rectified the situation and made arrangements to ensure it can’t happen again (our ticketing system sends me an SMS if I take too long to acknowledge a new request), but needless to say I’m just the tiniest bit irritated at Thunderbird.