PDF = Potential Death File?

Sven Vetsch has written about using a .pdf file to run arbitrary JavaScript on the site hosting the file. It seems that just by hosting PDFs you are putting your site's users at risk of all the evil doings JavaScript can perform.

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

Acunetix denying web site flaws

A long-standing thread in the sla.ckers forums has been busy posting XSS flaws of major companies. One of the many companies in this list is the aforementioned Acunetix. This thread was linked to by darkreading (who themselves have several XSS holes) and later by slashdot. Acunetix, when later contacted for a follow-up article for darkreading, denied all knowledge of any XSS holes, saying their site is not vulnerable and that they always check for flaws.

XSSing with the expect header

I know that XSS is looked down upon by a lot of people in the security sphere but I feel XSS has been severely underestimated by a lot of people. Using it to steal cookies is really only the very start of it.

That’s beside the point, though I will post links to rarely used (or maybe just up and coming) uses for XSS later in this post.

Here’s the HTTP Expect header as defined in the RFC:

The Expect request-header field is used to indicate that particular server behaviors are required by the client.

Should we kill IE?

Earlier today I stumbled across a link to explorerdestroyer.com, a site trying to convince web developers to urge their IE users to switch to Firefox. They ask web developers to employ one of a range of solutions, from showing an advert for Firefox to IE users to not allowing IE users near their pages.

To me their approach seems silly. The problem (as they see it) is that IE doesn’t support various standards and encourages proprietary features. If everyone used Firefox then what’s to stop that from being the next “IE”? Won’t it get proprietary features which will then get used? As an example (last I read) Firefox allows transparency via CSS but the W3C has no official support for transparency (IE and Opera also support this, but each in their own way).

I think there should be an even spread of browser usage. This would encourage sites being developed to the standards and more importantly would speed up browser improvements as all the various companies would have to constantly improve their browsers to maintain their user base.

I am reminded of a South Park episode where the people rebel against Walmart burning it down and instead all shop at a local shop turning it into the next Walmart, then repeating the whole process over again.

I’m all for people saying how bad one thing is and promoting another, but to me this seems too far. They go as far as saying that Firefox has to quickly gain users so that IE6 users don’t switch to IE7 and stay with it. IE7 is a good browser, it fixes a lot of issues that people hate about IE6. I think that IE6 users should switch to IE7 (when it’s released) and then leave it up to them to do whatever they want, but deliberately forcing people away from a good browser is simply not a clever idea. I’m glad that Mozilla aren’t affiliated with this site as I dislike the aggressive mannerisms, though I would enjoy reading Mozilla’s comment on it.

Oddly enough, the site I’ve linked to works perfectly fine with IE and they have no nag screens asking me to change over.

…and one giant step for PHP security

While hosts are still undecided on whether to upgrade to PHP5 or not, the people pushing the limits of possibility are busy planning PHP6. PHP6 is mainly a cleanup of code and the addition of some object oriented features (and some other little bits which probably mean more to others than to me). Nevertheless in terms of security it’s something I’m already drooling over.

Stupid people

All my life I’ve come across stupid people; I’ve come to expect people to be stupid, and I’m usually not let down by that assumption. When I find intelligent people I treasure them like Eskimos would treasure electric blankets covered in whale fat powered by a bucket-sized cold fusion reactor. Of course I use the web more than is healthy, which is one reason I always speak to stupid people; this is all fine and something I take in my stride. It’s when you come across people that aren’t meant to be stupid yet are that you lose that little faith you had left in humanity. It’s when an admin of a site which has thousands of members and has been running for 3 years doesn’t realise how bad it is that people can run HTML from PMs, signatures, usernames, forum posts or article comments.

You inform the admin about these flaws, explaining the dangers of XSS by taking the example of an attacker using JavaScript, and you let them know they should run htmlentities() on all user input. What do they do? They either totally ignore you or they add some code to replace all instances of <script> with script. Idiots.

Here’s my theory: people who had Geocities accounts when they were 10 branched into 3 paths. They either 1) got bored of the whole developer thing and started collecting Pokemon cards, 2) got good and now make efficient, secure web applications or 3) stayed at the Geocities level but got money and can afford their own domain. It is this 3rd category that now pollutes the web with its binary waste. When you don’t realise that error checking is needed to prevent anyone from deleting a PM you need to find a cliff to jump off. When told so and your counter-argument is that no one can be bothered to manually browse to /remove_pm.php?message_id=1, …id=2, …id=3, then a cliff simply won’t do the job; you’ll need to find something simpler. I suggest jumping in front of a car…. …yes, a moving one.

The lesson: I understand that people have to start at the basics of anything before they can get any better, but for the love of all that’s holy (Eskimos in their bucket-sized cold fusion reactor powered, whale fat covered, electric blankets) read articles on the web, ask people, learn from mistakes others made, experiment on your own computer or borrow books from a library before you go spending money to manage a web site. I understand that everyone makes mistakes, but learn from them and learn to accept help from people who offer it.

Saying NO to messy user agents

I’ll ask you what should be a simple question and let’s see if you know the answer. What is the user agent of the browser you’re currently using? Well… granted it’s not something people try to remember, but that almost all the user agents start with “Mozilla/x.0 (…” doesn’t help.

Here are my current user agents:
Firefox: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
IE: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Sure you can tell them apart, but what’s with all the junk? Why do they both start with Mozilla, what’s the junk at the end of IE’s UA and why does Firefox have Windows in the string twice? In case you’re interested, the reason “Mozilla” exists in just about every UA string around is mentioned here

Why not start afresh and make it properly this time around? What works well? What kind of a system should the new UA be like? Well… think about it for a minute: the UA string usually holds information such as browser name, version, OS name and OS version. In essence it’s attribute, value, attribute, value. Why not make it like an XML tag? You could immediately scrap the < and > as they’d be pointless, but otherwise taking this approach should work.

Unlike XML the attributes should be fixed. Not having them fixed means we’ll end up with the same mess we have at the moment, on the other hand it means we have to put great thought to what the attributes are. Firstly the most important one would be UAtype which could equal browser, spider, download manager or other. The last option would include such things as PHP, applets loading a page and people’s own programs which download a file (unless they are download managers of course). It could also be used to inform the server that this could be a braille browser or a screen reader, though maybe they should come under another optional attribute.

The other attributes could be Organisation which would be the organisation which made the agent, UAname, which would be the name of the software, UAversion, which would be 1.5 in the case of firefox and 6.0 in the case of IE, OSname and OSversion. This would make my firefox UA string:
UAtype="browser" Organisation="Mozilla" UAname="Firefox" UAversion="1.5" OSname="Windows" OSversion="XP Pro SP2"
This is much easier to read and understand. Obviously each attribute should be optional but you shouldn’t be able to add your own. Well… you could add your own but don’t expect it to make a difference.

Why do I want all this done? Imagine the difficulties that software developers have in creating the software that logs who visits your sites. With this it would suddenly be so very easy. If nothing else this would promote competition in that area, which is always a good thing. It would also help the web developers who write JavaScript which is browser dependent and have to parse the UA string for various bits and bobs.

The change would not have to be overnight; it could be a gradual process of acceptance (or rejection, depending on how you look at it). New browsers could have their regular user agent and a second header called XMLUA which follows the pattern described here. Obviously there would be no way for PHP or JavaScript to read this new XMLUA header until the functions/variables are built into the languages. One possibility is to wait for the functions to be created, or else the web servers could check whether an XMLUA header exists and if so replace the regular user agent with the new one. This would in fact break the existing browser detection functions in every language, so waiting for the languages to upgrade would be the ideal solution.

Eventually the regular UA string could be dropped.

Maybe you feel I missed out a crucial attribute, maybe you feel the current system works fine (why fix what ain’t broke?). Let me know.
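A parser for the XMLUA header proposed above, as an added example that is not from the original post: it accepts only the fixed attribute set, ignores attributes outside it, rejects malformed or duplicated input (a request header is attacker-controlled, so the grammar has to be strict), and falls back to the legacy User-Agent during the transition period the post describes. The 512-byte cap and the rejection of duplicate attributes are my own assumptions, not part of the proposal.

```python
import re

# Fixed attribute set from the proposal; anything else is ignored
KNOWN_ATTRS = ("UAtype", "Organisation", "UAname", "UAversion", "OSname", "OSversion")
UA_TYPES = ("browser", "spider", "download manager", "other")
MAX_HEADER_LEN = 512  # assumed cap: the header is attacker-controlled input

# One attribute="value" pair: values are double-quoted and may contain spaces
# but never quotes or line breaks
_PAIR = re.compile(r'([A-Za-z]+)="([^"\r\n]*)"')
# The whole header must consist of nothing but whitespace-separated pairs
_VALID = re.compile(r'^\s*(?:[A-Za-z]+="[^"\r\n]*"\s*)*$')


def parse_xmlua(header):
    """Parse an XMLUA header value into a dict of known attributes.

    Returns None when the header is too long, malformed, repeats an
    attribute, or carries a UAtype outside the enumerated set.
    """
    if len(header) > MAX_HEADER_LEN or not _VALID.match(header):
        return None
    attrs = {}
    for name, value in _PAIR.findall(header):
        if name not in KNOWN_ATTRS:
            continue  # unknown attribute: "don't expect it to make a difference"
        if name in attrs:
            return None  # duplicate (assumed rule): ambiguous, so reject
        attrs[name] = value
    if "UAtype" in attrs and attrs["UAtype"] not in UA_TYPES:
        return None
    return attrs


def identify_agent(headers):
    """Transition rule from the post: prefer a well-formed XMLUA header,
    otherwise fall back to the legacy User-Agent string."""
    xmlua = headers.get("XMLUA")
    if xmlua is not None:
        parsed = parse_xmlua(xmlua)
        if parsed is not None:
            return ("xmlua", parsed)
    return ("legacy", {"raw": headers.get("User-Agent", "")})


if __name__ == "__main__":
    # Constructed sample: the Firefox string from the post in XMLUA form
    sample = ('UAtype="browser" Organisation="Mozilla" UAname="Firefox" '
              'UAversion="1.5" OSname="Windows" OSversion="XP Pro SP2"')
    print(identify_agent({"XMLUA": sample}))
    print(identify_agent({"User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0)"}))
```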

Bypassing the random image anti-spam feature

A friend of mine has been playing a game which you play through the browser; some tasks can be automated, which allows the player to earn money or increase stats quickly, or while not at the computer (this particular action does not interact with other players). My friend then created a bookmarklet (?) which would automate this task. All was hunky dory until the game asked the user to read an image and copy the text down. This is done precisely to prevent these automated bots; still…. it provides an interesting problem. How could you read the image and continue the game automatically?

I couldn’t sleep the first night I was presented with this problem; I went down more dead ends than I thought existed in this kind of a problem. Eventually I decided to take a break and start again. Logically, how could JavaScript read an image? It can’t; it would need some other technologies, and these would have to reside either on a remote domain if they are web based or on the local machine. JavaScript cannot run either of these, so it seemed I came to a dead end, again. In fact, it would be impossible to solve this using JS at all; you would in fact need a separate program precisely because you need to call either a remote web site or a local program. Realising this decreased my enthusiasm, as now it was merely an experiment to see if it could be done.

I remembered a certain web service that I’d used a while back, namely WhatTheFont (WTF). This service can read an image and tries to deduce the font used from the characters it can find. I figured I could use this to read the characters in an image.
I found a random image such as Tokoy which is the kind of image the user has to copy. I tried uploading the image to the WTF site, but it failed to read the image. I noticed the sample images they provide are much larger, so I scaled up my image and submitted it again, this time WTF could read the image perfectly.

Now… if only I could get some PHP code to read an image file, scale it up, submit it to WTF and read the response.

I should say that the code I provide is very untidy, this is because it’s the result of sleepless nights and at points I hacked certain bits, then edited them later again. I explain the code just below the code itself.

function doIt()
{
    $r = rand(100000, 999999);
    // GIF if GD can decode it as one, otherwise assume PNG (JPEG and BMP are not supported)
    $ext = @imagecreatefromgif($_GET['img']) ? 'gif' : 'png';
    $file = $r . '.' . $ext;
    // Save a copy under a random name next to the script, or quit on failure
    if (!@copy($_GET['img'], $file)) {
        die('could not copy image');
    }
    $img = up_size($file, 5, $ext);
    $lines = file("http://www.myfonts.com/WhatTheFont/Upload?url=http://www.whiteacid.org/img_reader/" . $file);
    parseInput($lines);
    imagedestroy($img);
    unlink($file);  // remove the scaled-up file that up_size() wrote
}


The code initially determines what image type the image is. The script only allows PNG and GIF. BMP wouldn’t be used as no one really uses it any more and JPG wouldn’t be used as it would blur the lines making it difficult for humans to read the letters. It then saves the image to the same folder the script resides in under a random name (or quits if there’s a problem). I did this because for some reason the script seemed to work better when the image was in the same folder, or at least on the same domain. I then scale the image up (that function is below), perform the request and run parseInput (again, code coming below). Finally I remove the image (which up_size() creates).
The up_size function’s code is here:

function up_size($imageUrl, $ratio, $extension)
{
    if ($extension == 'gif') {
        $src_img = imagecreatefromgif($imageUrl);
    } else {
        $src_img = @imagecreatefrompng($imageUrl);
    }
    $origw = imagesx($src_img);
    $origh = imagesy($src_img);

    // Larger canvas, then stretch the original onto it
    $dst_img = imagecreatetruecolor($origw * $ratio, $origh * $ratio);
    imagecopyresized($dst_img, $src_img, 0, 0, 0, 0, $origw * $ratio, $origh * $ratio, $origw, $origh);

    // Always written as PNG, whatever the extension in the file name
    imagepng($dst_img, $imageUrl);
    imagedestroy($src_img);

    return $dst_img;
}


It reads the file and creates an image object, reads its width and height, makes a new image with a larger canvas and copies the old smaller image onto this canvas, stretching it to fit. That’s how it scales up images. Finally it saves this in a file.

Now that the image had been scaled up it was sent off to WTF and the response was stored in a variable ready to be parsed. Now, before I give the code for the parsing section you should know how the output HTML looks. Very simply, WTF prints out:

<input type='text' name='ch[0]' id='wtfchar0' value='T' size='2' maxlength='1' style='font-size:20; font-family:verdana; text-align:center;'>
<input type='text' name='ch[1]' id='wtfchar1' value='o' size='2' maxlength='1' style='font-size:20; font-family:verdana; text-align:center;'>
<input type='text' name='ch[2]' id='wtfchar2' value='k' size='2' maxlength='1' style='font-size:20; font-family:verdana; text-align:center;'>
<input type='text' name='ch[3]' id='wtfchar3' value='y' size='2' maxlength='1' style='font-size:20; font-family:verdana; text-align:center;'>
<input type='text' name='ch[4]' id='wtfchar4' value='o' size='2' maxlength='1' style='font-size:20; font-family:verdana; text-align:center;'>

There is more stuff and things in between those segments, but that’s what we’re after. The easiest thing to search for would be id='wtfchar$n', then parse the value field after it. We’d have to note that if a character could not be identified the value attribute would be blank, so we could return a question mark instead, to let the user know that one character remained unknown. OK, the code:

function parseInput($lines)
{
    $c = 0;  // index of the character we are looking for: wtfchar0, wtfchar1, ...
    foreach ($lines as $line_num => $line) {
        if (strpos($line, "id='wtfchar$c'") !== false) {
            $needle = "id='wtfchar$c' value='";
            $char = substr($line, strpos($line, $needle) + strlen($needle), 2);
            if ($char == "' ") {
                $char = '?';  // blank value: WTF could not identify this character
            }
            echo substr($char, 0, 1);
            $c++;
        }
    }
}

For each line of output, search for "id='wtfchar$c'" where $c is an incrementing integer which starts at 0. Essentially, if it is found (then you’re on the right line of output), parse out the value or echo a question mark.

One more line of code is also required, you need to run doIt(), then you’re done.

That’s about it: using that code you can parse text from an image. This allows you to complete some forms automatically. This obviously could be used for spamming purposes, which is why instead of using images like the ones I’ve used, people should use ones like Hotmail and Gmail:

Hotmail random image

To see the script in action I’ve made one script which allows you to create images of text and the other one as described here. I used to host examples of this code in action but my new host doesn’t allow file-access from a URL.
