Ten Points Random

Tag: hacking


Dec.17, 2011, under Interface, Technology

I’ve been working on a protocol for communicating with many generic devices easily. There is much I can say about it, but it’s still a fairly early prototype. I already incorporated some work from linmctool. With it, some glue, and carefully set up systems, I have been able to write a simple thunderzipper client that functions as a basic DMX light board – controlled exclusively with a PS3 controller.

It’s still quite an early prototype – and all the settings are hardcoded – but it’s functional and an optimistic proof-of-concept of what I can do with this protocol.

I need to get to work on my main “glue” application that routes everything through thunderzipper.

In other news, I just pushed a commit that makes basic WiiMote buttons available and functional. (And without the need for a scan utility or setup.)


Too Good – Simulated MJPEG Video Streaming

Mar.21, 2010, under Technology

This was just too good.  I was playing with video codecs for real-time streaming of data off my webcam-crane-contraption and decided to try MJPEG.  I wasn’t a fan of rewriting code to put it in the proper format, so for now I thought I’d just set a JPEG to refresh frequently.

So I did.

And it worked, moderately well:

The best part though: It also works on my iPod! Plain ol’ Safari and JavaScript.  I thought that was pretty cool.  I guess Google, in building Google Chrome to handle the next generation of applications, wasn’t too far off the path.


Zen Cart Fail

Aug.21, 2009, under Technology

On the list of stupid things to do and big security holes, one of the best (or worst) I’ve seen to date is one that was built into our beloved E-commerce solution: Zen Cart.

You don’t have to login to get into the admin.

I’ve tried it personally on versions 1.2.6 and 1.3.7, and to my knowledge, it works on almost every other version.

I haven’t tested it myself, but I’ve looked through the files, and it looks like the most current version you can download from their website (1.3.8a) is also just as vulnerable. (edit: I tried it, fortunately it’s not vulnerable.)

Most security holes require a little bit of knowledge of web technologies to exploit, but this one’s so bad, just about anyone can do it.  Here’s how stupid it is:

  1. Find your Zen Cart, say it’s http://example.com/store
  2. Find your admin.  Usually it’s /admin/
  3. Choose an admin page.  How about sqlpatch.php?
  4. Add /password_forgotten.php (versions 1.3) or /login.php (versions 1.2) to the end of that.
  5. Visit it: http://example.com/store/admin/sqlpatch.php/password_forgotten.php
  6. Bingo!  Full access without ever logging in.

This is bad.  If you have Zen Cart on your site, PATCH IT NOW, before someone kinder than me goes looking for you and uses this to take control of your hosting account.

How it works:

Most web servers stop resolving the request path as soon as they reach an actual file (here, a PHP script) and hand whatever follows it to the script as extra path info.  This allows you to do things like example.com/index.php/some/random/pseudo/rewrite, where index.php runs and sees /some/random/pseudo/rewrite as its path info.  That’s fine.

But Zen Cart did it wrong.  When it checks whether the page being requested requires a login, it does this:  (code rewritten for simplicity)

if (basename($PHP_SELF) != 'index.php' &&
    basename($PHP_SELF) != 'password_forgotten.php') {
  // Not one of the pages exempt from login:
  // send them to the login page and exit
}

Did you catch that?

They use basename() on PHP_SELF!  PHP_SELF is basically the request URI without the query string, and it includes any path info that came after the script.  So, if I go to “http://example.com/store/admin/sqlpatch.php/password_forgotten.php”, the script that actually runs is sqlpatch.php, but PHP_SELF is “/store/admin/sqlpatch.php/password_forgotten.php”.

If I send that to basename() (which is a string parsing function only; it never looks at the filesystem), “sqlpatch.php” is treated as just another directory component and we get “password_forgotten.php” as the filename.  Zen Cart compares that against its list of exempt pages and lo! It’s allowed!

What should have been used was $_SERVER['SCRIPT_FILENAME'], the filesystem path of the script PHP is actually executing.  It always names the “parent” script, not what the user typed in, so basename() on it gives “sqlpatch.php” for the request above and the check fails as it should.
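To make the six-step bypass and the basename() explanation concrete, here is an added example that is not Zen Cart’s code: the broken check as the post describes it, beside the fixed one, run over three constructed requests. The $_SERVER values are written out by hand to mirror what a web server would pass for each URL (DOCUMENT_ROOT and the /store path are assumptions), so no server is needed.

```php
<?php
// Added example (not from Zen Cart): the vulnerable admin check beside the fix.
// Each $_SERVER array below is constructed by hand to mirror what Apache + PHP
// would set for that request; nothing here talks to a real server.

// The check as the post describes it: trusts PHP_SELF, which carries the
// client-supplied path info, so basename() sees the last URL segment.
function allowed_without_login_vulnerable(array $server): bool
{
    $page = basename($server['PHP_SELF']);
    return $page === 'index.php' || $page === 'password_forgotten.php';
}

// The fix the post recommends: SCRIPT_FILENAME is the script PHP actually
// executed, so trailing path info typed by the client cannot change it.
function allowed_without_login_fixed(array $server): bool
{
    $page = basename($server['SCRIPT_FILENAME']);
    return $page === 'index.php' || $page === 'password_forgotten.php';
}

// Constructed requests. $root is an assumed DOCUMENT_ROOT; the store is at /store.
$root = '/var/www/html';
$requests = [
    'legit forgotten-password page' => [
        'REQUEST_URI'     => '/store/admin/password_forgotten.php',
        'PHP_SELF'        => '/store/admin/password_forgotten.php',
        'SCRIPT_FILENAME' => "$root/store/admin/password_forgotten.php",
    ],
    'normal admin page' => [
        'REQUEST_URI'     => '/store/admin/sqlpatch.php',
        'PHP_SELF'        => '/store/admin/sqlpatch.php',
        'SCRIPT_FILENAME' => "$root/store/admin/sqlpatch.php",
    ],
    // Step 5 of the post: the extra segment becomes path info. The server still
    // runs sqlpatch.php, but PHP_SELF has the segment appended.
    'bypass from the post' => [
        'REQUEST_URI'     => '/store/admin/sqlpatch.php/password_forgotten.php',
        'PHP_SELF'        => '/store/admin/sqlpatch.php/password_forgotten.php',
        'SCRIPT_FILENAME' => "$root/store/admin/sqlpatch.php",
    ],
];

foreach ($requests as $label => $server) {
    printf(
        "%-30s vulnerable check: %-6s fixed check: %s\n",
        $label,
        allowed_without_login_vulnerable($server) ? 'open' : 'login',
        allowed_without_login_fixed($server) ? 'open' : 'login'
    );
}
```

Run it with the PHP CLI; the bypass row prints “open” for the vulnerable check and “login” for the fixed one, while the two legitimate rows agree. Whether a server passes the trailing segment through at all is a deployment setting (Apache’s AcceptPathInfo, for instance), which is why the same Zen Cart files can be exploitable on one host and not another.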

Why this is bad:

Zen Cart’s admin is great!  You can run arbitrary SQL through the SQL patch tool, upload files with names of your choosing (arbitrary code execution), and edit the template .php files for certain pages (XSS, arbitrary code execution, etc.) all from the comfort of the admin!

Once someone gets in, it’s easy for a malicious user to upload a web shell that does his/her mindless bidding, be that attacking other sites, spam bots, porn mirrors, etc.

The End of Zen Cart

Of course the Zen Cart developers found out about it.  What was their advice?  That you should have changed the path to your admin folder, but since some of you don’t think that’s security, they also made a patch. (The wording is mostly mine; the font sizes, not so much.)

That’s your attitude towards something as critical as this?

I bid thee farewell Zen Cart.
