Posts Tagged ‘security’

This is how you don’t write PHP

Sunday, March 29th, 2009

A friend (and client) of mine started building a site using Jupiter CMS, so I decided to take a quick audit of it. It’s pretty much an example of how not to write code, and in my opinion the people who wrote it should take up farming or something instead.

Two years ago there was this file inclusion bug. Hey, no problem – it’s been patched. Or has it? Here’s the vulnerable code block again, with absolutely patently retarded mitigation in place:

<?php
// Jupiter CMS page include, logic unchanged from the original; $n and $PHP_SELF
// are assumed to arrive via register_globals (the snippet never assigns them).
if (isset($n)) {
    if (file_exists("$n.php")) {
        if (strpos($n, "../") !== false) {
            header("location: $PHP_SELF?i=error");
        } else {
            include("$n.php");
        }
    } elseif (!file_exists("$n.php")) {  // this branch is just "else"
        header("location: $PHP_SELF?i=error");
    }
}

Whee! The only checks are that the file exists once .php is tacked on the end, and that the name doesn’t contain the literal string ../. Delicious.

Obviously that stops this from working:

index.php?n=/../../../../../../../../../../etc/passwd%00

But what about this?

index.php?n=/etc/passwd%00

There’s no ../ for strpos() to find, and the trailing %00 is a NUL byte: on the PHP builds of the day (the null-byte checks in the filesystem functions didn’t arrive until 5.3.4) it terminates the string, so "$n.php" becomes plain /etc/passwd for both file_exists() and include().

Or hey, since the NUL byte also drops the .php suffix, anything you can get written to a known path on the server (it doesn’t even need a .php extension) gets included and executed as PHP. A cursory try at remote file inclusion fails because file_exists() doesn’t speak http://, so a URL never passes the check, but there are probably other clever tricks to get around that too.

What’s up with that retarded !file_exists()?  It’s obvious they don’t get security, but maybe they don’t grok if-then-else at all? I might just add this to a list of software people can’t run on my servers.
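For contrast, here is the same "include the page named by ?n=" pattern written so the request can only ever select a file inside one directory of page templates. This is an added example, not Jupiter CMS code; the resolve_page() name, the temporary pages directory and the sample requests (including the two payloads from above) are my own assumptions.

```php
<?php
// Added example, not Jupiter CMS code. Demonstrates an allowlist-plus-realpath
// page include; resolve_page(), the temp directory and the requests are assumptions.
declare(strict_types=1);

// Map a request parameter to a file under $pagesDir, or return null for "error".
function resolve_page(string $n, string $pagesDir): ?string
{
    // 1. Structural allowlist on the *name*, before touching the filesystem:
    //    letters, digits, underscore and hyphen only. This rejects '/', '.',
    //    and the NUL byte, so "../", absolute paths and "%00" truncation never
    //    reach file_exists()/include(). \z (not $) so a trailing newline fails too.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\z/', $n)) {
        return null;
    }

    $base = realpath($pagesDir);
    if ($base === false) {
        return null;
    }

    // 2. Resolve the candidate and confirm it is still inside $pagesDir.
    //    realpath() returns false for a missing file, which is our 404.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $n . '.php');
    if ($candidate === false) {
        return null;
    }
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // a symlink inside the directory pointed somewhere else
    }
    return $candidate;
}

// Demo with a throwaway pages directory containing one legitimate page.
$dir = sys_get_temp_dir() . '/pages_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/home.php', "<?php echo \"home\\n\";");

$requests = [
    'home',                                              // legitimate page
    '/etc/passwd' . "\0",                                // absolute path + NUL bypass from the post
    '/../../../../../../../../../../etc/passwd' . "\0",  // the traversal the ../ check catches
    'home.php',                                          // a dot is not allowed either
];

foreach ($requests as $n) {
    $file = resolve_page($n, $dir);
    printf("%-45s => %s\n", addcslashes($n, "\0"),
           $file === null ? 'error' : 'include ' . basename($file));
    if ($file !== null) {
        include $file;
    }
}

unlink($dir . '/home.php');
rmdir($dir);
```

Only the first request is included; the other three are refused by the name check before any filesystem call is made. The realpath() prefix test is belt-and-braces for the case where someone later drops a symlink into the pages directory.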

I’m ashamed of people

Tuesday, March 24th, 2009

Seriously, do you ever have those moments where you’re just out and out ashamed of who you are, because of the actions of an unrelated third party? Like when you see some Neo-Nazi douchebag, and for just a moment you’re ashamed to be white?

I’m like that with the web hosting industry right now. For those who aren’t caught up in this mess, WebHostingTalk, a rather large webmaster/host community, got hacked – their tables dumped then dropped. Now there’s quite a few people out there with a good head on their shoulders, but there’s some people who probably shouldn’t even be qualified to operate a Windows computer.

It’s a recurring theme: people whining about their “passwords being out there on someone’s desktop”. If it’s just Mr Tom, who wanted to make an informed decision about which $10/year hosting package to buy, okay, it makes you face-palm, but maybe he hasn’t taken the time to educate himself on security.

But when you see people who seem to be web hosts making these kinds of whines, it’s time for a super-mega-face-palm, the kind where you actually hang your head and weep for the fate of humanity for a few moments before composing yourself.

So, Internet, it’s time for Password Security 101. Your password is not important. Your password is not a tiny broken fragment of you. Your password is not an insight into your very soul.

Your password is a small string of characters that provides basic authentication that you are who you say you are – it should be throwaway. You shouldn’t be using the same password for years (though I admit to having committed this cardinal sin with things that aren’t important), and you fucking well shouldn’t have the same root password on your web host machine as you do on some forum you just go on to be a pretentious asshole at times.

If you enter your password into a phishing site by accident, oh well – change your password (after authenticating it’s the correct site of course). No big deal. A site you have an account on gets hacked? No problem, change your password. You should be able to take your password and post it to Usenet without blinking, only to go change all your passwords in the next 5 minutes.

In fact you know what? e9a834c6c657. That was my gmail password up until a couple minutes ago. See how easy that was? Passwords are disposable. I did it without blinking. I’m a stone-cold password killer.

The fact these morons think their password ending up on some dox dump somewhere is a big deal is, frankly, scary.

I know we’re not all perfect – for being an arrogant asshole I damn sure commit a lot of password no-nos that I probably shouldn’t. A vast number of the websites and goofy little forums I sign up to have the same stupid password I used on WHT, and I changed the ones I could be bothered changing – if any others get owned well then it’s not a huge deal. The effort:risk ratio of changing all of them was just too high, and it’s not like it’s for anything important anyway.

So do me a favour, if you’re in the web hosting industry, the computer security industry, or the systems administration field in any sense, and your password to some forum getting exposed causes you any distress at all – start practicing the line “would you like fries with that?” because you’re unfit for your current job.

Solve this…

Sunday, March 15th, 2009

… and you solve basically all the problems with computers in the entire security world – at least the problems that aren’t directly related to user stupidity.

What I’m talking about is how to vet information which comes from remote systems that you don’t control. In this latest instance, it’s people griping about how VALVe haven’t patched out the “fake full servers” that you connect to and which redirect you to another (probably empty) server.

In the past, it’s been people griping about MMORPGs like MapleStory, in which the clients are responsible for large amounts of the game logic. The root cause of the problem is that any time you rely on information that comes from an untrusted source (what security conscious programmers sometimes refer to as “the filthy userland”), the information is always suspect.

However, there’s only so much you can do to vet this information before it becomes inefficient – that is, you reach a point where you might as well just move all the logic back to your own machines so you can ensure the integrity of the data.

In layman’s terms, look at it this way: You and I both take walkie talkies to a large building and go off in different directions, and after a certain amount of time we agree to tell each other what color the rooms are painted. If you decided it were in your best interests to lie to me, how could I tell you weren’t? The obvious answer is that I walk over there and check it myself, but how long do we do that before it becomes inefficient?

Basically, if you solve this dilemma you solve one of the biggest problems in computer security – the issue of trusting an endpoint. We have encryption (and the integrity checks that travel with it) to ensure that data doesn’t get tampered with in transit, but as I try to impress upon people all the time – encryption is a giant, mostly impenetrable tunnel through which things travel unmolested. However, if you can get to either end of the tunnel you can influence what goes through it without much effort at all.

So, having said all that, how would you solve the problem of servers lying to Valve’s master servers about player counts?