Recently I have been playing with some map technologies, which I am trying to integrate with a wiki for fun. Nothing is out yet. But while testing I found a rather malicious nuisance that bugged me for hours yesterday.
I am using the Virtual Earth APIs to do the job. The code basically loads the map, then pastes a layer of pushpins onto it. This is the piece of code:
<script>
/* a set of includes ... */
var map = null;
function AddMap()
{
map = new VEMap();
map.LoadMap();
}
function AddLayer()
{
var layer = new VELayerSpecification();
layer.Type = VELayerType.GeoRSS;
layer.ID = 'Foobar';
layer.LayerSource = 'mapdata.xml';
layer.Method = 'get';
map.AddLayer(layer);
}
function OnPageLoad()
{
AddMap();
alert('Added map');
AddLayer();
alert('Added layer');
}
</script>
<script>OnPageLoad()</script>
Well, nothing fancier than sample code. Assuming my website is "http://www.website.com", when this is placed inside div tags IE throws an exception: "Internet Explorer cannot open the Internet site http://www.website.com . Operation aborted." The code works fine in Firefox, but truly not in IE. (Some variants worked, but this is a real problem that exists out there.) After some googling, it appears to be an IE implementation detail: IE 6 and 7 abort the page when a script running inside an element that the parser has not yet closed modifies an ancestor of that element (for example by appending new elements to document.body), so the safe moment to touch the DOM is after the page has finished loading. The suggested workaround on Ryan Grant's blog was to run it as an onload script, which changes the call:
<script>OnPageLoad()</script>
to be changed into :
<script>window.onload = OnPageLoad;</script>
Sure, it works. But the code stopped its control flow after loading the map, without ever reaching alert('Added map'). I do not know how this happened, or even how to google for it (well... "javascript" + "control flow"? nothing really came up). This creates a problem: it stopped my layer script from running at all.
The workaround, using a deferred script:
Change
<script>window.onload = OnPageLoad;</script>
into
<script>
if ( window.attachEvent )
{
    // IE: attach each step as its own onload handler, so a step that stops
    // does not prevent the next one from running.
    window.attachEvent("onload", AddMap);
    window.attachEvent("onload", AddLayer);
}
else
{
    // Standard DOM event registration for other browsers.
    window.addEventListener("load", OnPageLoad, false);
}
</script>
If one script stops, no problem: the others still run, one by one. This code works for me even when the JavaScript is dynamically inserted between div tags. One caveat: IE does not guarantee the order in which attachEvent handlers fire, so there is no promise that AddMap runs before AddLayer; if the layer ever goes missing, check whether AddLayer ran while map was still null. I hope this makes the frustrated feel better.
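As an added example (not code from this post or from the Virtual Earth SDK), here is the pattern the deferred-script workaround is reaching for: one load handler that runs the initialisation steps in a fixed order and keeps going when one of them throws, so the layer still gets added if the map step dies. To run it offline it uses a constructed stand-in for window (makeFakeWindow), including a simulated IE whose attachEvent fires handlers in reverse order of attachment; in a real page you would pass window itself and the real AddMap/AddLayer.

```javascript
// Added example, not from the original post. Runs under Node against a fake
// window so the behaviour can be checked without a browser.

// Run each step in order; a failure is recorded but does not stop later steps.
function runSteps(steps, log) {
  var results = [];
  for (var i = 0; i < steps.length; i++) {
    var step = steps[i];
    try {
      step.fn();
      results.push({ name: step.name, ok: true });
    } catch (err) {
      results.push({ name: step.name, ok: false, error: String(err) });
      if (log) { log('step "' + step.name + '" failed: ' + err); }
    }
  }
  return results;
}

// Register exactly one load handler that runs all steps. A single handler
// keeps the order under our control instead of leaving it to IE's attachEvent.
function deferUntilLoad(win, steps, log) {
  var handler = function () { return runSteps(steps, log); };
  if (win.addEventListener) {
    win.addEventListener('load', handler, false);   // W3C browsers
  } else if (win.attachEvent) {
    win.attachEvent('onload', handler);             // IE before version 9
  } else {
    var previous = win.onload;                      // last resort: chain window.onload
    win.onload = function () { if (previous) { previous(); } return handler(); };
  }
  return handler;
}

// Constructed stand-in for the browser window (hypothetical; offline runs only).
function makeFakeWindow(ieStyle) {
  var handlers = [];
  var win = {};
  if (ieStyle) {
    // Simulates IE: a handler attached later is invoked first.
    win.attachEvent = function (name, fn) { if (name === 'onload') { handlers.unshift(fn); } };
  } else {
    win.addEventListener = function (name, fn) { if (name === 'load') { handlers.push(fn); } };
  }
  win.fireLoad = function () {
    var out = [];
    for (var i = 0; i < handlers.length; i++) { out.push(handlers[i]()); }
    return out;
  };
  return win;
}

// Scenario from the post: the map step stalls (simulated here by throwing),
// and the layer step must still run.
function demo(ieStyle) {
  var win = makeFakeWindow(ieStyle);
  var calls = [];
  var steps = [
    { name: 'AddMap',   fn: function () { calls.push('AddMap'); throw new Error('map load aborted (simulated)'); } },
    { name: 'AddLayer', fn: function () { calls.push('AddLayer'); } }
  ];
  deferUntilLoad(win, steps, null);
  var results = win.fireLoad()[0];
  return { calls: calls, results: results };
}

// Counterpart to the two-handler attachEvent workaround: on the simulated IE
// the second handler fires first, so AddLayer would run before AddMap.
function demoSeparateHandlers() {
  var win = makeFakeWindow(true);
  var calls = [];
  win.attachEvent('onload', function () { calls.push('AddMap'); });
  win.attachEvent('onload', function () { calls.push('AddLayer'); });
  win.fireLoad();
  return calls;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(false)));
  console.log(JSON.stringify(demo(true)));
  console.log(JSON.stringify(demoSeparateHandlers()));
}
```

The design choice is to isolate each step with its own try/catch inside a single handler rather than to rely on separate handlers: the former gives both fault isolation and a guaranteed order, the latter only the first.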
References :
http://channel9.msdn.com/wiki/default.aspx/Channel9.InternetExplorerProgrammingBugs
http://www.viavirtualearth.com/wiki/DeferScript.ashx
http://ryangrant.net/archives/internet-explorer-cannot-open-the-internet-site-operation-aborted-google-map-api
Saturday, April 28, 2007
Thursday, April 12, 2007
Email Spoofing
It is something I had not done before. It came to mind, and I decided to try it while mourning the death of my grand computer.
The poor victim happened to be my University's departmental mail server and an automated-registration roster that I tried it on.
The automated script is simple: you send an email with the subject "Registration" (without quotes) plus some lines of text (which, I found out, are unnecessary), and your email address is appended to the roster.
Of course, it is very easy to do this with my own email; it would be merely a few clicks.
First, to state: I have VPN access. I have no computer at the moment with which to do any non-VPN access.
I first attempted to use a program for it, but that turned out to be more than necessary (it is quite interesting, though; there were some problems and it sadly failed, but I will look into it later). Then I resorted to raw protocol talk and succeeded.
I also built my own mail server (qmail) to test. The results are more or less the same, with some differences.
RFC 821 is a good start.
Thoughts:
1. The mail server did not check the details very much (was it because of the VPN that it assumed the connection was already authenticated? Possibly they put it on a list of authenticated hosts). (It is the one used with Horde.) I have not checked deeply whether it is the mail server configuration or something else.
2. There is one field that I did not try very hard to spoof, but I will test how difficult it is to spoof it well.
3. It definitely looks perfect from the outside, but that single field (above) leaves traces that allow a perfect lockdown, which is no good (as easily verified in Ethereal). I have got to find out how to fix that.
4. How could you spam a mail server "well"? Again, I have not yet checked how the mail server automates spam detection.
5. How can this be extended to general spamming, and how is industrial spamming done? Mine is extremely naive. (Yes! Definitely!)
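As an added example (not the post's own session, and not the department's server), here is the RFC 821 exchange the "raw protocol talk" above consists of, simulated in memory: a client that sets the envelope sender (MAIL FROM) and the header From: independently, and a receiving server that accepts mail for local recipients from anywhere, allows relaying only from an assumed trusted (VPN) address range, and stamps the time-stamp line RFC 821 requires (Received:) with the connecting peer's address. The post does not say which field betrayed it; this example only shows the standard server-added trace. The domain dept.example.edu, the 10.8.0.0 address range and every address are made up.

```javascript
// Added example, not code from the original post. Simulates the client and
// server halves of an SMTP session so the envelope, the headers and the
// server-added trace can be inspected offline under Node.

var LOCAL_DOMAIN = 'dept.example.edu';   // assumed domain of the departmental server
var TRUSTED_NETS = ['10.8.'];            // assumed VPN address range that may relay

function ipInTrustedNet(ip) {
  for (var i = 0; i < TRUSTED_NETS.length; i++) {
    if (ip.indexOf(TRUSTED_NETS[i]) === 0) { return true; }
  }
  return false;
}

// Minimal receiving server: consumes the client's lines in order and returns
// its replies plus the message it would have queued, if any.
function smtpServer(peerIp, clientLines) {
  var replies = ['220 ' + LOCAL_DOMAIN + ' SMTP'];
  var helo = null, mailFrom = null, rcptTo = [], inData = false, dataLines = [];
  var queued = null;
  for (var i = 0; i < clientLines.length; i++) {
    var line = clientLines[i];
    if (inData) {
      if (line === '.') {
        inData = false;
        // The server, not the client, writes this line: it records the HELO
        // name the client claimed and the address it actually connected from.
        var received = 'from ' + helo + ' (' + peerIp + ') by ' + LOCAL_DOMAIN + ' for ' + rcptTo.join(',');
        queued = { envelopeFrom: mailFrom, envelopeTo: rcptTo.slice(),
                   raw: ['Received: ' + received].concat(dataLines).join('\r\n') };
        replies.push('250 OK queued');
      } else {
        dataLines.push(line);
      }
      continue;
    }
    var m = /^(\S+)\s*(.*)$/.exec(line);
    if (!m) { replies.push('500 syntax error'); continue; }
    var verb = m[1].toUpperCase(), arg = m[2];
    if (verb === 'HELO' || verb === 'EHLO') { helo = arg; replies.push('250 ' + LOCAL_DOMAIN); }
    else if (verb === 'MAIL') { mailFrom = arg.replace(/^FROM:/i, '').trim(); replies.push('250 OK'); }
    else if (verb === 'RCPT') {
      var rcpt = arg.replace(/^TO:/i, '').trim();
      var domain = rcpt.replace(/[<>]/g, '').split('@')[1];
      // Local delivery is accepted from anywhere; relaying only from trusted nets.
      if (domain === LOCAL_DOMAIN || ipInTrustedNet(peerIp)) { rcptTo.push(rcpt); replies.push('250 OK'); }
      else { replies.push('550 relaying denied'); }
    }
    else if (verb === 'DATA') {
      if (rcptTo.length === 0) { replies.push('503 no valid recipients'); }
      else { inData = true; dataLines = []; replies.push('354 end data with <CR><LF>.<CR><LF>'); }
    }
    else if (verb === 'QUIT') { replies.push('221 bye'); }
    else { replies.push('500 unrecognised command'); }
  }
  return { replies: replies, queued: queued };
}

// The spoofing client's side: envelope sender and header From: are chosen
// independently, which is all it takes for the message to "look" like
// someone else's to a mail reader.
function spoofSession(envelopeFrom, headerFrom, rcpt, subject, body) {
  return [
    'HELO workstation.' + LOCAL_DOMAIN,
    'MAIL FROM:<' + envelopeFrom + '>',
    'RCPT TO:<' + rcpt + '>',
    'DATA',
    'From: ' + headerFrom,
    'To: ' + rcpt,
    'Subject: ' + subject,
    '',
    body,
    '.',
    'QUIT'
  ];
}

// Receiver-side check: compare the header From: with what the envelope and
// the server's own Received: stamp say. First occurrence of a header wins,
// so a Received: line the client writes itself cannot displace the server's.
function parseQueued(queued) {
  var lines = queued.raw.split('\r\n');
  var hdr = {};
  for (var i = 0; i < lines.length && lines[i] !== ''; i++) {
    var idx = lines[i].indexOf(':');
    if (idx < 0) { continue; }
    var name = lines[i].slice(0, idx).toLowerCase();
    if (!(name in hdr)) { hdr[name] = lines[i].slice(idx + 1).trim(); }
  }
  var addr = /<([^>]+)>/.exec(hdr.from || '');
  return { received: hdr.received,
           headerFrom: addr ? addr[1] : (hdr.from || ''),
           envelopeFrom: queued.envelopeFrom.replace(/[<>]/g, '') };
}

function fromMismatch(queued) {
  var p = parseQueued(queued);
  return p.headerFrom !== p.envelopeFrom;
}

function demo() {
  var roster = 'roster@' + LOCAL_DOMAIN;
  var session = spoofSession('me@' + LOCAL_DOMAIN, 'Prof Example <prof@' + LOCAL_DOMAIN + '>',
                             roster, 'Registration', 'please add me');
  var viaVpn = smtpServer('10.8.0.23', session);                       // constructed VPN address
  var relayAttempt = smtpServer('203.0.113.7',                         // constructed outside address
    spoofSession('me@' + LOCAL_DOMAIN, 'me@' + LOCAL_DOMAIN, 'someone@example.net', 'hi', 'x'));
  return { queuedLocally: viaVpn.queued !== null,
           mismatch: fromMismatch(viaVpn.queued),
           received: parseQueued(viaVpn.queued).received,
           relayReply: relayAttempt.replies[3] };                      // reply to RCPT TO
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The point of the two checks in demo is that nothing in the DATA section is trusted: the recipient can only lean on the envelope and on the Received: line the server added, which is why the peer address is recorded there.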
Wednesday, April 11, 2007
XSS in small places
Today I was idle, waiting for my Windows XP to install, writing some code, and I happened upon two places on the internet (one my friend's page and one a blog) that are vulnerable to malicious attacks. I am a pretty novice one, so please feel free to discuss should you feel interested.
The first is a Local File Include vulnerability in a PHP script that did not sanitize its input properly (well, I am guessing he did not do so at all). So I am free to read anything on the server. Though, with magic quotes on, how can I get around them? I tried URL-decoding schemes, but with no success. More to try soon.
The second is an XSS vulnerability in the input fields of a profile, which is shown publicly. This allows malicious users to secretly send cookies away to a server for collection. Of course, the server is actually performing some sanitizing, using (seemingly) PHP's default magic quotes in some places. But the place I exploited most easily seems to contain no sanitizing (nothing was escaped). I will look further into it.
OOT: I caught the attention of the blog's administrator, and he deleted my account within a few minutes of discovering that my account was so suspicious. Hah. That is bad.