So I did.

And it worked, moderately well:

The best part though: It also works on my iPod! Plain ‘ol Safari and JavaScript.  I thought that was pretty cool.  I guess Google, in building Google Chrome to handle the next generation of applications, wasn’t too far off the path.

K'nex, RC servos, a Phidget, and if you look closely, me!

Codename: TelePlaymutte.  ‘Cause I wanna play games remotely.  VOIP, CheckersOIP, DNDOIP, etc.

My garage this past Halloween

Last year I did something similar, but simpler.  This year was a bit more complex.

It seemed simple enough a task for the trick-or-treater: walk in, enjoy the spooky ambiance (and random lasers stabbing thorough the upper level of fog), grab a reward from the yellow glowing pumpkin, and move on to the next house.

Right?

Looking up as you walk in

Not with me around.  (Haha – trick or treak? Trick!)  With the help of my sister, we ushered all the, um, victims into the cage (a repurposed dog “kennel”).  Once the kids were sure the smiling Goth-dressed-female wasn’t going to bite them, and that everyone was clear of the door, the lights would suddenly drop out.  An enormous thunder and lightning strike from directly in front of them would illuminate a monster, arms outstretched and ready to grab them!  Before anyone could but turn around, the door to the chain-link cage would swing shut, chains clanking loudly against the metal.  You were trapped!

Though you could get away without a trick? Didja?

And then . . . we let them go.  We didn’t scare the really litl’ ones.

Here’s an AVI movie, I’ll have to get me a flash player setup sometime.  The microphone normalises stuff too much so you can’t really hear things.

By the end we had fog, black light, strobes, lasers, subs, amps, a laptop . . . so pretty much an instant rave party afterwards.

Behind the scenes

Thanks to the fam for helping get things setup!

My music toys

Mmmm.  Audiodelicious.

MY new keyboard, the one on the bottom, is full-size, complete with weighted (scaled hammer) keys.  Very nice to play.

Because the option is named very, very poorly.

As is pointed out here, the name of the option you are looking for that will change the window behavoir back to how it used to be in previouse versions is hidden under Edit -> Preferences -> Window Management -> “Window Manager Hints”.  Yeah that’s right.  Poorly named to anyone but the developer that made it.  Under that change the Hint for toolbox/other docks options to “Normal Window” instead of “Utility Window”.

Restart and there you go!

Pictured: Foreground: my new (used) car.  Background: my old (beaten) car.

You don’t have to login to get into the admin.

I’ve tried it personally on versions 1.2.6 and 1.3.7, and to my knowledge, it works almost every other version.

I haven’t tested it myself, but I’ve looked through the files, and it looks like the most current version you can download from their website (1.3.8a) is also just as vulnerable. (edit: I tried it, fortunately it’s not vulnerable.)

Most security holes require a little bit of knowledge of web technologies to exploit, but this one’s so bad, just about anyone can do it.  Here’s how stupid it is:

1. Find your Zen Cart, say it’s http:/example.com/store
2. Find your admin.  Usually it’s /admin/
3. Choose an admin page.  How about sqlpatch.php?
4. Add /password_forgotten.php (versions 1.3) or /login.php (versions 1.2) to the end of that.
5. Visit it: http://example.com/store/admin/sqlpatch.php/password_forgotten.php
6. Bingo!  Full access without ever logging in.

This is bad.  If you have Zen Cart on your site, PATCH IT NOW, before someone kinder than me goes looking for you and uses this to take control of your hosting account.

How it works:

Most web servers stop processing the directory once they hit a (PHP) file.  This allows you to do things like example.com/index.php/some/random/pseudo/rewrite.  That’s fine.

But Zen Cart did it wrong.  When they go to check to see if you should be logged in they do this:  (code rewritten for simplicity)

if(basename($PHP_SELF) != 'index.php' &&
   basename($PHP_SELF) != 'password_forgotten.php') {
  //Send them to the login page and exit
}

Did you catch that?

They use basename() on PHP_SELF!  PHP_SELF is basically the request URI without the “search” variable on it. So, if I go to “http://example.com/store/admin/sqlpatch.php/password_forgotten.php”, PHP_SELF is “store/admin/sqlpatch.php/password_forgotten.php”

If I send that to basename (which is a string parsing function only), “sqlpatch.php” is considered part of the directory name and we get “password_forgotten.php” for the filename.  Zen Cart checks that and lo! It’s allowed!

What should have been used was $_SERVER['SCRIPT_FILENAME'] which will always give you the name of the currently executing “parent” script, not what the user typed in.

Why this is bad:

Zen Cart’s admin is great!  You can run SQL patches (SQL injection), upload files with various names (arbitrary code execution), and edit the template .php files for certain pages (XSS, arbitrary code execution,  etc.) all from the comfort of the admin!

Once someone gets in, it’s easy for a malicious user to to upload a shell script that does his/her mindless bidding, be that viral site attacking, spam bots, porn mirror, etc.

The End of Zen Cart

Of course the Zen Cart developers found out about it.  What was their advisement?  That you should have changed the path to your admin folder, but since some of you don’t think that’s security we also made a patch. (The wording is mostly mine, the font sizes, not so much.)

That’s you attitude towards something so critical as this?

I bid thee farewell Zen Cart.

I just haven’t been writing about it.

Got some good stories, including the biggest hole in Zen Cart I’ve ever seen, a house I almost bought that was falling to pieces, and also, I bought a guitar.

But right now, I’m fed up enough with Windows Crapista.  So I’m gonna nuke it and hope it can, after this, go back to performing simple tasks such as showing me the contents of a folder in less than 40 seconds.

Powered by Twitter Tools.