Ten Points Random

Several hundred dollars of keyboard and some PVC pipe later…

by on Oct.03, 2009 @ 12:26 pm, under General


My music toys

Mmmm.  Audiodelicious.

MY new keyboard, the one on the bottom, is full-size, complete with weighted (scaled hammer) keys.  Very nice to play.


GIMP Lives!

by on Sep.19, 2009 @ 10:29 am, under Technology

One of the things that I’ve hated about my favorite photo editing program since they released version 2.6 was that the tool boxes jumped on top of everything (like always-on-top for just the application).  Despite my best efforts, I never found the option to change that until today.

Because the option is named very, very poorly. :-(

As is pointed out here, the option that changes the window behavior back to how it was in previous versions is hidden under Edit -> Preferences -> Window Management -> “Window Manager Hints”.  Yeah, that’s right.  Poorly named to anyone but the developer that made it.  Under that, change the Hint for toolbox/other docks options to “Normal Window” instead of “Utility Window”.

Restart and there you go!


A car

by on Sep.11, 2009 @ 10:47 pm, under General


Pictured: Foreground: my new (used) car.  Background: my old (beaten) car.


Zen Cart Fail

by on Aug.21, 2009 @ 06:33 pm, under Technology

On the list of stupid things to do and big security holes, one of the best (or worst) I’ve seen to date is one that was built into our beloved E-commerce solution: Zen Cart.

You don’t have to login to get into the admin.

I’ve tried it personally on versions 1.2.6 and 1.3.7, and to my knowledge, it works on almost every other version.

I haven’t tested it myself, but I’ve looked through the files, and it looks like the most current version you can download from their website (1.3.8a) is also just as vulnerable. (edit: I tried it, fortunately it’s not vulnerable.)

Most security holes require a little bit of knowledge of web technologies to exploit, but this one’s so bad, just about anyone can do it.  Here’s how stupid it is:

  1. Find your Zen Cart, say it’s http://example.com/store
  2. Find your admin.  Usually it’s /admin/
  3. Choose an admin page.  How about sqlpatch.php?
  4. Add /password_forgotten.php (versions 1.3) or /login.php (versions 1.2) to the end of that.
  5. Visit it: http://example.com/store/admin/sqlpatch.php/password_forgotten.php
  6. Bingo!  Full access without ever logging in.

This is bad.  If you have Zen Cart on your site, PATCH IT NOW, before someone kinder than me goes looking for you and uses this to take control of your hosting account.

How it works:

Most web servers keep serving a (PHP) file even when more path segments follow it; the trailing part of the path is handed to the script (as PATH_INFO) rather than looked up on disk.  This allows you to do things like example.com/index.php/some/random/pseudo/rewrite.  That’s fine.

But Zen Cart did it wrong.  When they check whether you should be logged in, they do this:  (code rewritten for simplicity)

// Only index.php and password_forgotten.php may be viewed without a session.
// Everything else is supposed to bounce to the login page.
if (basename($PHP_SELF) != 'index.php' &&
    basename($PHP_SELF) != 'password_forgotten.php') {
  // Send them to the login page and exit
  header('Location: index.php');
  exit;
}

Did you catch that?

They use basename() on PHP_SELF!  PHP_SELF (the register_globals alias of $_SERVER['PHP_SELF']) is basically the request path as typed, without the query string.  So, if I go to “http://example.com/store/admin/sqlpatch.php/password_forgotten.php”, PHP_SELF is “store/admin/sqlpatch.php/password_forgotten.php”.

If I send that to basename() (which is a string parsing function only; it never looks at the filesystem), “sqlpatch.php” is treated as part of the directory name and “password_forgotten.php” comes back as the filename.  Zen Cart compares that against its allowed list and lo!  It’s allowed!

What should have been used was $_SERVER['SCRIPT_FILENAME'], which always gives you the filesystem path of the script that is actually executing (the “parent” script), not what the user typed in.  Anything the user appends after the script name lands in $_SERVER['PATH_INFO'] and has no bearing on which file runs.
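To make the difference concrete, here is an added example (my own illustration, not Zen Cart’s code) that puts the check as the post describes it beside a version keyed on the executing script.  The function names needsLoginVulnerable and needsLoginFixed are invented for this illustration, and the request values are constructed to mirror the URLs above:

```php
<?php
// Added example, not Zen Cart's code. The admin gate as the post describes it
// (keyed on PHP_SELF) next to a version keyed on SCRIPT_FILENAME.

// Pages reachable without a session, as in the post's simplified 1.3 check.
const EXEMPT_PAGES = ['index.php', 'password_forgotten.php'];

// Vulnerable: basename() is pure string parsing, so trailing path info
// (".../sqlpatch.php/password_forgotten.php") masquerades as the script name.
function needsLoginVulnerable(string $phpSelf): bool
{
    return !in_array(basename($phpSelf), EXEMPT_PAGES, true);
}

// Fixed: SCRIPT_FILENAME is the filesystem path of the script PHP actually
// ran, which the client cannot extend with extra path segments.
function needsLoginFixed(string $scriptFilename): bool
{
    return !in_array(basename($scriptFilename), EXEMPT_PAGES, true);
}

// Constructed requests: [PHP_SELF, SCRIPT_FILENAME] as the web server
// would set them (the /var/www prefix is an assumed document root).
$requests = [
    'password reset page'  => ['/store/admin/password_forgotten.php',
                               '/var/www/store/admin/password_forgotten.php'],
    'direct sqlpatch.php'  => ['/store/admin/sqlpatch.php',
                               '/var/www/store/admin/sqlpatch.php'],
    'path-info bypass'     => ['/store/admin/sqlpatch.php/password_forgotten.php',
                               '/var/www/store/admin/sqlpatch.php'],
];

foreach ($requests as $label => $pair) {
    $phpSelf = $pair[0];
    $scriptFilename = $pair[1];
    printf("%-20s  vulnerable check: %-12s  fixed check: %s\n",
        $label,
        needsLoginVulnerable($phpSelf) ? 'needs login' : 'OPEN',
        needsLoginFixed($scriptFilename) ? 'needs login' : 'open');
}
```

Only the third row differs between the two columns: the vulnerable check reports the sqlpatch.php request as open because basename() saw password_forgotten.php at the end of the typed path, while the fixed check sees that the script really executing is sqlpatch.php and demands a login.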

Why this is bad:

Zen Cart’s admin is great!  You can run SQL patches (SQL injection), upload files with various names (arbitrary code execution), and edit the template .php files for certain pages (XSS, arbitrary code execution,  etc.) all from the comfort of the admin!

Once someone gets in, it’s easy for a malicious user to upload a shell script that does his/her mindless bidding, be that viral site attacking, spam bots, porn mirror, etc.
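If you run Zen Cart and want to know whether anyone has already tried this against you, the request shape is easy to spot in the access log.  The following is an added example (not part of the post or of Zen Cart): it scans Apache-style log lines for requests under the admin prefix whose path routes through a .php script and then carries a further .php segment.  The function name findPhpPathInfoRequests, the /store/admin/ prefix and the log lines themselves are constructed for the illustration:

```php
<?php
// Added example, not part of the post. Flags access-log requests whose path
// contains a ".php" segment followed by more segments ending in ".php", i.e.
// the shape of the admin bypass described above. Log lines are constructed.

$accessLog = <<<'LOG'
203.0.113.5 - - [21/Aug/2009:18:01:02 -0700] "GET /store/index.php?main_page=product_info HTTP/1.1" 200 8132
203.0.113.5 - - [21/Aug/2009:18:01:09 -0700] "GET /store/admin/index.php HTTP/1.1" 302 0
198.51.100.7 - - [21/Aug/2009:18:02:41 -0700] "GET /store/admin/sqlpatch.php/password_forgotten.php HTTP/1.1" 200 14210
198.51.100.7 - - [21/Aug/2009:18:02:55 -0700] "POST /store/admin/sqlpatch.php/password_forgotten.php HTTP/1.1" 200 2210
198.51.100.7 - - [21/Aug/2009:18:03:10 -0700] "GET /store/index.php/some/pseudo/rewrite HTTP/1.1" 200 8132
LOG;

// Returns [client IP, method, path] for each line whose request path starts
// with $adminPrefix and has a non-final .php segment before a final .php one.
function findPhpPathInfoRequests(string $log, string $adminPrefix): array
{
    $hits = [];
    // Common Log Format: host ident user [time] "METHOD target HTTP/x.y" ...
    $linePattern = '~^(\S+) \S+ \S+ \[[^\]]+\] "(GET|POST|HEAD) (\S+) HTTP/\d\.\d"~';
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match($linePattern, $line, $m)) {
            continue; // not a request line we understand; skip it
        }
        $ip = $m[1];
        $method = $m[2];
        $target = $m[3];
        // Drop the query string so "?a=b.php" cannot trigger a match.
        $path = parse_url($target, PHP_URL_PATH);
        if ($path === false || $path === null) {
            $path = $target;
        }
        if (strpos($path, $adminPrefix) === 0
            && preg_match('~\.php/.*\.php$~i', $path)) {
            $hits[] = [$ip, $method, $path];
        }
    }
    return $hits;
}

foreach (findPhpPathInfoRequests($accessLog, '/store/admin/') as $hit) {
    echo implode(' ', $hit), "\n";
}
```

Only the two sqlpatch.php/password_forgotten.php requests are reported; the ordinary admin index.php hit and the public index.php/some/pseudo/rewrite request are left alone, since, as noted above, path-info style URLs on the storefront are legitimate.  Restricting the match to the admin prefix is what keeps the noise down.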

The End of Zen Cart

Of course the Zen Cart developers found out about it.  What was their advisement?  That you should have changed the path to your admin folder, but since some of you don’t think that’s security we also made a patch. (The wording is mostly mine, the font sizes, not so much.)

That’s your attitude towards something as critical as this?

I bid thee farewell Zen Cart.


Nuking and Actions

by on Aug.15, 2009 @ 07:24 pm, under General

It’s not that nothing has been happening.

I just haven’t been writing about it.

Got some good stories, including the biggest hole in Zen Cart I’ve ever seen, a house I almost bought that was falling to pieces, and also, I bought a guitar.

But right now, I’m fed up enough with Windows Crapista.  So I’m gonna nuke it and hope it can, after this, go back to performing simple tasks such as showing me the contents of a folder in less than 40 seconds.

