Ten Points Random


Camera Crane WIP

Mar.03, 2010, under Technology

Let’s see, so I bought a house, switched to Linux and now am hacking away at this:

Camera Crane

K'nex, RC servos, a Phidget, and if you look closely, me!

Codename: TelePlaymutte.  ‘Cause I wanna play games remotely.  VOIP, CheckersOIP, DNDOIP, etc. ;-)


GIMP Lives!

Sep.19, 2009, under Technology

One of the things that I’ve hated about my favorite photo editing program since they released version 2.6 was that the tool boxes jumped on top of everything (like always-on-top for just that application).  Despite my best efforts, I never found the option to change that until today.

Because the option is named very, very poorly. :-(

As is pointed out here, the option you are looking for, the one that changes the window behavior back to how it was in previous versions, is hidden under Edit -> Preferences -> Window Management -> “Window Manager Hints”.  Yeah, that’s right.  Poorly named to anyone but the developer who made it.  Under that heading, change the “Hint for toolbox/other docks” options to “Normal Window” instead of “Utility Window”.

Restart and there you go!


Zen Cart Fail

Aug.21, 2009, under Technology

On the list of stupid things to do and big security holes, one of the best (or worst) I’ve seen to date is one that was built into our beloved E-commerce solution: Zen Cart.

You don’t have to login to get into the admin.

I’ve tried it personally on versions 1.2.6 and 1.3.7, and to my knowledge it works on almost every other version.

I haven’t tested it myself, but I’ve looked through the files, and it looks like the most current version you can download from their website (1.3.8a) is also just as vulnerable. (edit: I tried it, fortunately it’s not vulnerable.)

Most security holes require a little bit of knowledge of web technologies to exploit, but this one’s so bad, just about anyone can do it.  Here’s how stupid it is:

  1. Find your Zen Cart, say it’s http://example.com/store
  2. Find your admin.  Usually it’s /admin/
  3. Choose an admin page.  How about sqlpatch.php?
  4. Add /password_forgotten.php (versions 1.3) or /login.php (versions 1.2) to the end of that.
  5. Visit it: http://example.com/store/admin/sqlpatch.php/password_forgotten.php
  6. Bingo!  Full access without ever logging in.

This is bad.  If you have Zen Cart on your site, PATCH IT NOW, before someone kinder than me goes looking for you and uses this to take control of your hosting account.

How it works:

Most web servers stop resolving the directory path once they hit a (PHP) file, and hand the rest of the path to that script (as PATH_INFO).  This allows you to do things like example.com/index.php/some/random/pseudo/rewrite.  That’s fine.

But Zen Cart did it wrong.  When they go to check to see if you should be logged in they do this:  (code rewritten for simplicity)

if(basename($PHP_SELF) != 'index.php' && 
   basename($PHP_SELF) != 'password_forgotten.php') {
  //Send them to the login page and exit
}

Did you catch that?

They use basename() on PHP_SELF!  PHP_SELF is basically the request URI without the query string.  So, if I go to “http://example.com/store/admin/sqlpatch.php/password_forgotten.php”, PHP_SELF is “store/admin/sqlpatch.php/password_forgotten.php”.

If I send that to basename (which is a string parsing function only), “sqlpatch.php” is considered part of the directory name and we get “password_forgotten.php” for the filename.  Zen Cart checks that and lo! It’s allowed!

What should have been used was $_SERVER['SCRIPT_FILENAME'], which always gives you the name of the currently executing “parent” script, not whatever the user typed into the URL.
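Here is the check as the post describes it beside the corrected one, as an added PHP example (not Zen Cart’s actual code); the $_SERVER values and filesystem paths are constructed to stand in for a real request.

```php
<?php
// Added example, not Zen Cart's code.  Pages that may be viewed without an
// admin session, as listed in the post.
const PUBLIC_PAGES = ['index.php', 'password_forgotten.php'];

// Vulnerable: basename() is pure string parsing, so whatever trailing
// segment the client appends to the URL becomes "the file name".
function isPublicVulnerable(string $phpSelf): bool
{
    return in_array(basename($phpSelf), PUBLIC_PAGES, true);
}

// Fixed: SCRIPT_FILENAME is the script the server actually executed, so
// appended PATH_INFO cannot change the answer.  A real request would read
// $_SERVER['PHP_SELF'] and $_SERVER['SCRIPT_FILENAME'] instead of arrays.
function isPublicFixed(string $scriptFilename): bool
{
    return in_array(basename($scriptFilename), PUBLIC_PAGES, true);
}

// Constructed request: the crafted URI from the post (sqlpatch.php executes,
// password_forgotten.php is only PATH_INFO).
$crafted = [
    'PHP_SELF'        => '/store/admin/sqlpatch.php/password_forgotten.php',
    'SCRIPT_FILENAME' => '/var/www/store/admin/sqlpatch.php',   // constructed path
];
// Constructed request: a legitimate visit to the forgotten-password page.
$legit = [
    'PHP_SELF'        => '/store/admin/password_forgotten.php',
    'SCRIPT_FILENAME' => '/var/www/store/admin/password_forgotten.php',
];

foreach (['crafted' => $crafted, 'legit' => $legit] as $label => $req) {
    printf(
        "%-8s vulnerable check skips login: %-5s | fixed check skips login: %s\n",
        $label,
        var_export(isPublicVulnerable($req['PHP_SELF']), true),
        var_export(isPublicFixed($req['SCRIPT_FILENAME']), true)
    );
}
```

The crafted request passes the vulnerable check but fails the fixed one, while the legitimate request passes both, which is exactly the behavior the post describes.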

Why this is bad:

Zen Cart’s admin is great!  You can run SQL patches (SQL injection), upload files with various names (arbitrary code execution), and edit the template .php files for certain pages (XSS, arbitrary code execution,  etc.) all from the comfort of the admin!

Once someone gets in, it’s easy for a malicious user to upload a shell script that does his/her mindless bidding, be that viral site attacking, spam bots, porn mirror, etc.

The End of Zen Cart

Of course the Zen Cart developers found out about it.  What was their advisement?  That you should have changed the path to your admin folder, but since some of you don’t think that’s security we also made a patch. (The wording is mostly mine, the font sizes, not so much.)

That’s your attitude towards something as critical as this?

I bid thee farewell Zen Cart.


Big and Touchy

May.29, 2009, under Interface, Technology

So I went and spent some money, (again) and got an HP TouchSmart (an IQ526 from the 22″ widescreen IQ 500 series).

Big, touchy.

Initial impressions (good):

  • Made by HP, but surprisingly, didn’t have nearly as much preinstalled junk as usual.
  • Looks pretty good.  Aesthetically.
  • The wireless mouse and keyboard work well and at a decent range.
  • Once you get used to the touchscreen responding to the center (I’m used to center of pressure, like my tablet laptop), hitting the “small” buttons on the normal programs (FireFox, Windows, etc.) isn’t very difficult (especially compared to my tablet with its tiny screen but high resolution).
  • It’s a big 22″ screen/computer/all-in-one that you can freakin’ touch for a few hundred dollars more than a regular touchscreen of the same size.  (This price comparison was my primary purchasing reason.)
  • Though nothing that comes with the computer supports it directly, and HP is shy on releasing the “drivers,” the touch hardware supports two-point multitouch.
  • The included remote works well, and you can use it to navigate up/down/left/right even outside “TV” (read: Media Center) applications.
  • The internal speakers are much better than I expected.  They aren’t tin cans and don’t sound like tin cans.

And bad:

  • The touchscreen, an IR sensor made by NextWindow, will detect a “press” even a couple millimeters from the glass.
  • The “HP TouchSmart” application it comes with, supposedly the “primary” touch application you will use, is crap.  Slow, clunky, and it doesn’t support any multitouch when they easily could have (see below).
  • No VESA wall-mounting holes.  The larger (screened) model, the IQ800 series, has an adapter bracket you can buy from HP.  If you want to wall-mount this model (IQ500), you either need to DIY something or get this compatible wall mount for it.
  • The screen beeps when you touch it.  You can turn it off in the control panel, but the beep comes back as soon as you sleep/resume.  (This can be fixed, see below.)
  • Not the cheapest computer around, but a well-integrated one.
  • For some random reason (probably crap software I haven’t removed yet…) my F3 keypresses get intercepted and instead the volume jumps up and down and mutes like a ghost is around. :-)

For the most part, I’m pretty impressed with it.  Right now it’s just sitting next to my main computer until I can get it to a more permanent home in or near kitchenspace.

Some information on the touch screen I found after much searching:

  • The touchscreen is made by NextWindow and almost fully supports two-finger multi-touch.
  • You can tweak the options and remove the annoying beep permanently by downloading their Touch+ software suite.  The TouchSmart has a USB (not Serial) interface.  When the config screen pops up and says “USB Device not connected” just wait a second.  It will detect it and then give you the options.  Change the sound “time” to zero and save it to the device’s permanent memory.
  • If you are into Windows 7 (which apparently supports multitouch), the drivers for it are here.
  • It also has an API that programmers can use to get to the multiple touches with.  I haven’t found anything that will bridge this input with TUIO, the protocol used in most of today’s multi-touch software, yet.  (Well, I did find one that might work from a commercial manufacturer, but I’m not looking to spend money on this point because:)  I will probably just build my own bridge myself later.
    [Edit: I found a program that does this.  Here’s what you want to do:

    1. Download that (TouchsmartTUIO).
    2. Google around or go some where to download TUIO-enabled (multi-touch) programs.
    3. Start TouchsmartTUIO
    4. (Optional, but needed for some TUIO applications) Go to Pen and Input Devices in your Control Panel and, under Touch, uncheck “Use your finger as an input device.”  This will prevent certain applications from interpreting mouse clicks and finger touches on the same point as two different touches.
    5. For flash-based TUIO apps that have a .swf instead of a .exe extension: Go to your Flash settings and enable exceptions for the TUIO .swf files you want to use.  Then get the projector (choose the “Flash Player 9 Projector content debugger”).  Open the .swf with this application (usually you can double-click the .swf after you install the projector).  Once it’s open, press ctrl-f to make it full screen (if it’s not), then . . .
    6. Enjoy the multi-touchiness!

    ]

And some more random information I found about multi-touch:

  • touchlib is one of the more common multi-touch libraries out there.  Out of the box it supports grabbing input from a video capture device (usually an infrared-modified USB camera) and turning the images into touch points.  From there the interpreted data is passed to a FlashOSC server that translates the data and relays it to a local (or remote) port that Flash applications can read from.  The data is sent in TUIO format, which is an extension/subset of Open Sound Control (a “descendant” of the MIDI protocol).
  • See also reacTIVision

Whee!  Big touchscreen!

I might have to build a real touchwall one of these days.


Photoshopping Faster: Using Your Feet

Mar.08, 2009, under Interface, Technology

You know what they say: Use your head.

I got a better idea: Use your feet.

I originally built my foot interface for MIDI/gaming applications but I found another great application: image editing.

I was going about filling around some lines with colors in The GIMP, and as I was working I thought, Hey, I keep switching back and forth between the paint tool and the eraser tool pretty often.  When I had to switch I either needed to skim through the giant tool palette to find my new tool, or laboriously lift my head and chin from my left hand so I could press the appropriate keyboard shortcut.  It got old, but then I thought: Hey, I’ll just use my feet.

So I fired up my AutoHotkey editing skillz and bound a couple of buttons on my foot controller to the paint and erase tools (or rather the keyboard shortcuts for them).  Voilà!  Instant speedup.

Now I can waste away my life painting away at pointless things much more quickly!

Also, I bound another couple buttons to undo/redo to help speed up fixing my mistakes.  Now I just need to figure out how to make the tools pressure sensitive using the foot pedals . . .

Edit: I also set Page Up/Page Down to buttons.  Imagine how convenient it is for me to just lean back and read something long, hands free!
