Tuesday, June 10, 2008

New Blog!

Dear readers,

This blog has been abandoned in favour of my new blog, log0.wordpress.com. Please find my new blog there. I will focus on security features, particularly web application security. I hope to share with you my findings in my quest of learning web application security.

Thank you very much for visiting!

Saturday, April 28, 2007

Internet Explorer cannot open the Internet site. Operation aborted.

Recently, I have been playing with some map technologies, which I am trying to integrate with a wiki for some fun. Nothing out yet. But upon testing, I found this rather malicious nuisance that bugged me for hours yesterday.

I am using the Virtual Earth APIs to do this job. The code basically loads the map information, then pastes a layer of pushpins onto the map. This is the piece of code:

<script>

/* a set of includes ... */

var map = null;
function AddMap()
{
map = new VEMap();
map.LoadMap();
}

function AddLayer()
{
var layer = new VELayerSpecification();
layer.Type = VELayerType.GeoRSS;
layer.ID = 'Foobar';
layer.LayerSource = 'mapdata.xml';
layer.Method = 'get';
map.AddLayer(layer);
}

function OnPageLoad()
{
AddMap();
alert('Added map');
AddLayer();
alert('Added layer');
}
</script>
<script>OnPageLoad()</script>

Well, nothing fancier than sample code. Assuming my website is "http://www.website.com", when placed inside div tags it is rumored to cause IE to throw an exception: "Internet Explorer cannot open the Internet site http://www.website.com. Operation aborted." This code works fine in Firefox, but truly not in IE. (There were some cases that worked, but this is truly a problem that exists out there.) After some googling, it seems to be caused by some quirk of the IE implementation. The suggested workaround on Ryan Grant's blog was to make it an onload script, which changes the call:

<script>OnPageLoad()</script>

to be changed into :

<script>window.onload = OnPageLoad;</script>

Sure, it works. But the code stopped its control flow after loading the map, without ever reaching alert('Added map');. I do not know how this happened, or even how to google this problem (well... "javascript" + "control flow"? Nothing really came out). This creates a real problem: it caused my layer script to stop functioning.

The workaround, using the defer-script approach:

Change

<script>window.onload = OnPageLoad;</script>

into

<script>
// IE: register each step as its own onload handler, so that if one
// handler stops, the next one still runs.
if ( window.attachEvent )
{
window.attachEvent("onload", AddMap);
window.attachEvent("onload", AddLayer);
}
else
{
// Other browsers (Firefox etc.): the standard DOM method.
window.addEventListener("load", OnPageLoad, false);
}
</script>

If the script stops, no problem: we just do it one step at a time. This code works for me even when the JavaScript has been dynamically called and embedded between some div tags. I hope this makes the frustrated feel better.

References:
http://channel9.msdn.com/wiki/default.aspx/Channel9.InternetExplorerProgrammingBugs
http://www.viavirtualearth.com/wiki/DeferScript.ashx
http://ryangrant.net/archives/internet-explorer-cannot-open-the-internet-site-operation-aborted-google-map-api

Thursday, April 12, 2007

Email Spoofing

It is something I have not done before. It came into my mind, and I decided to try it while mourning the death of my grand computer.

The poor victim happened to be my University's departmental mail server, and an automated-registration roster was what I attempted it upon.

The automated script is simple: you send an email with the subject "Registration" (without quotes) plus some lines of text (which, as I found out, are unnecessary), and your email address is appended to the roster.

Of course, it is very easy to use my own email to do it. It would be merely several clicks.

First, to state: I have VPN access. I have no computers at this moment to do any non-VPN access, though.

I attempted at first to use a program to do it, but that turned out to be more than necessary (it is quite interesting, though; anyway, there were some problems and it sadly failed, but I will check it out later). Then I resorted to raw protocol talk and succeeded.

I also built my own mail server (qmail) to test. The results are more or less the same, with some differences.

RFC 821 is a good start.

Thoughts:

1. The mail server did not check the details very much (was it because of the VPN that it assumed I was already authenticated? Possibly they put it into a list of authenticated hosts.) (It is the one used in Horde; the link is here.) I have not checked deeply into whether it is the mail server configuration or so.

2. There is a field that I did not go deeply into trying to spoof, but I will go on to test how difficult it is to spoof it well.

3. It definitely looks perfect from the outside, but there is a single field (above) that leaves traces, so no perfect lockdown; no good. (As easily verified in Ethereal.) I have got to find out how to fix that.

4. How could you spam "well" into a mail server? Again, I have not yet checked how the mail server automates spam detection.

5. How can this be extended to general spamming, and how is industrial spamming done? Mine is extremely naive. (Yes! Definitely!)

Wednesday, April 11, 2007

XSS in small places

Today I was idle, waiting for my Windows XP to install. I was writing some code, and suddenly I came across two places on the internet (one is my friend's page and one is a blog) which are vulnerable to malicious attacks. I am a pretty novice one, so please feel free to discuss should you feel interested.

The first one is a Local File Include vulnerability in a PHP script that did not sanitize the input properly (well, I am guessing that he did not do so at all). So I am free to read anything on the server. Though, magic quotes are on; how can I get around them? I tried using URL-decoding schemes but with no success. More to try soon.

The second one is an XSS vulnerability in the input fields of a profile, which are shown publicly. This allows malicious users to secretly send cookies away to a server for collection. Of course, the server is actually performing some sanitizing, using (seemingly) the default magic quotes of PHP in some places. But the place I exploited most easily seems to contain no sanitizing (nothing was escaped). I will look further into it.

OOT: I caught the attention of the administrator of the blog, and he deleted my account a few minutes after he found it so suspicious. Hah. That is bad.

Wednesday, March 28, 2007

Unknown SATA error

The error message:

[17223237.380000] ata3: command 0x25 timeout, stat 0xd0 host_stat 0x61
[17223297.380000] ata3: translated ATA stat/err 0xd0/00 to SCSI SK/ASC/ASCQ 0x47/00

Now my server stalls in such states. I have no idea what it is. If any of you happens to know, I would appreciate it. Meanwhile I will go on to find a solution to the problem.

Updated: 11 April 2007

It was a problem with the SATA controller; that is the faulty component. It is of type 3124. Look out for this defective design.

Sunday, March 25, 2007

Undefined Operations in GCC

Schedules have been tight.

Recently, a friend of mine showed me some very naive code.

#include <stdio.h>

int main()
{
int count = 0;
while ( count < 8 )
{
printf("%d %d\n",count,count++); /* count is modified and read again in one argument list */
}
return 0;
}

Simple, and I was tricked into answering:

0 0
1 1
2 4
...

Well, not quite true: it turned out it is evaluated from right to left in C (printf is a procedural call, after all). It caught me really off guard for such a problem. After researching a while, Perl seems to react the same, but not PHP. No tests for Java and JavaScript yet. All of the tests were done on an Intel x86 machine.

Now that makes me wonder what the cause of such eerie results could be. No idea. I thought it could have been compiler differences or conventions. I discussed this with a friend of mine, and interestingly we found that gcc with the -Wall option on yields this:

a.c: In function `main':
a.c:8: warning: operating on `count' may be undefined
a.c:8: warning: operating on `count' may be undefined

Well, he later gave me this link:
http://www.ddj.com/dept/cpp/184403851/

Problem solved? I guess so...? I still cannot answer what happens for Perl and PHP, though.
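The gcc warning is the whole story: printf("%d %d", count, count++) writes count and reads it again with no sequence point in between, which the C standard leaves undefined, and the order in which function arguments are evaluated is unspecified anyway. The example below is mine, added to this post and not the original code; it spells out the two orderings a compiler could pick, each with explicit sequencing so that it has exactly one legal result, and then rewrites the loop so the intent ("print the current value twice, then advance") has one side effect per statement. Compiling the original with -Wall (which enables -Wsequence-point) is the check that catches this class of bug.

```c
#include <stdio.h>

/*
 * Added example; not the original post's code.
 * printf("%d %d", count, count++) has no sequence point between the
 * write to `count` and the read of `count`, so it is undefined; the
 * evaluation order of the two arguments is unspecified as well. The two
 * functions below write out the two orderings explicitly, so each has
 * exactly one legal result. The original expression has none.
 */

typedef struct {
    int first;   /* what the first %d would print */
    int second;  /* what the second %d would print */
} Pair;

/* Reading 1: first argument evaluated before the second. */
Pair pair_left_to_right(int count)
{
    Pair p;
    p.first = count;      /* sees the value before the increment */
    p.second = count++;   /* postfix ++ yields the old value, then increments */
    return p;             /* count = 0 gives "0 0" */
}

/* Reading 2: second argument evaluated before the first. */
Pair pair_right_to_left(int count)
{
    Pair p;
    p.second = count++;   /* old value; count is now count + 1 */
    p.first = count;      /* sees the incremented value */
    return p;             /* count = 0 gives "1 0" */
}

#define LIMIT 8
Pair sequenced_output[LIMIT];   /* what the corrected loop would print */

/*
 * The post's loop rewritten with one side effect per full expression:
 * read `count` once, record it, then increment in its own statement.
 * Fills sequenced_output and returns the number of pairs produced.
 */
int collect_pairs_sequenced(void)
{
    int count = 0;
    int n = 0;
    while (count < LIMIT) {
        int current = count;                 /* read exactly once */
        sequenced_output[n].first = current;
        sequenced_output[n].second = current;
        n++;
        count++;                             /* modify after a sequence point */
    }
    return n;
}

int main(void)
{
    Pair p;
    int n, i;

    p = pair_left_to_right(0);
    printf("left-to-right reading:  %d %d\n", p.first, p.second);
    p = pair_right_to_left(0);
    printf("right-to-left reading:  %d %d\n", p.first, p.second);

    n = collect_pairs_sequenced();
    puts("sequenced loop:");
    for (i = 0; i < n; i++)
        printf("%d %d\n", sequenced_output[i].first, sequenced_output[i].second);
    return 0;
}
```

Both readings are legal for a conforming compiler, and so is anything else, because the original expression is undefined rather than merely unspecified; the sequenced loop is the only form whose output is the same everywhere.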

Saturday, February 24, 2007

Ubuntu USB device name

Due to serious hardware failures, all my computers went down. Now it is only down to a live CD... Ubuntu here.

The USB stick is my only storage after all. It, however, did not appear at /dev/sda1 but at /dev/sdd1. How did I discover it? Simple; at first:

$ sudo dmesg

However, that is not good enough.

$ sudo fdisk -l
   Device Boot      Start         End      Blocks   Id  System
/dev/sdd1   *           1        1956      500720    e  W95 FAT16 (LBA)

That's better. You can then:

$ sudo mkdir /tmp/mnt
$ sudo mount -t vfat /dev/sdd1 /tmp/mnt

You need to specify the USB stick's file system type, which I found to be vfat (by guessing only, unfortunately). And that is all.


By the way, there is an auto-mount feature.