MongoDB is vulnerable to SQL injection (in PHP at least)

July 29th, 2010

It's a misconception amongst some PHP programmers that because MongoDB doesn't use SQL (all queries are passed in as either BSON or PHP objects which have been converted into BSON) it isn't vulnerable to SQL injection. It is pretty easy to show that if you're lazy and complacent when you code you can leave yourself just as vulnerable to attack.

Let's assume we have a table of users with a username and password field. In MySQL you'd be asking for trouble if in your authentication function you did something along the lines of the following:

// Deliberately vulnerable: user input is concatenated straight into the SQL string.
$result = mysql_query("SELECT * FROM users WHERE username='" . $_GET['username'] . "' AND password='" . $_GET['password'] . "'");
if ($result && mysql_num_rows($result) > 0) {
    do_auth();
}

And someone passed in

' OR '1'='1

into your password field. If you simply checked the response and authenticated the user whenever a row came back from the MySQL database, the user would authenticate as $_GET['username'] every time. The correct approach would be to sanitize your $_GET parameters before you pass them into MySQL.

In MongoDB you might be tempted to do something like

// Deliberately vulnerable: $_GET values are passed to MongoDB without checking their type.
if ($result = $mongo->test->users->findOne(array("username" => $_GET['username'], "password" => $_GET['password']))) {
    do_login();
}

No query language, no SQL injection, right? Wrong. Epic fail. Don't forget that in PHP, when you append [] to a $_GET['variable'] it turns into an array within PHP.

http://woot.php?variable[]=hello

$_GET['variable'] is now a PHP array(0 => 'hello'). We can even assign the key of the array like this

http://woot.php?variable[$ne]=hello

Now $_GET['variable'] is a PHP array with the key '$ne': array('$ne' => 'hello'). When you pass this to MongoDB as your password parameter it evaluates to "password does not equal 'hello'", which will match every time.

What can you do? Sanitise your input. Don't allow multi-dimensional arrays to be passed as input parameters to MongoDB. Surprisingly there isn't a function built into the MongoDB PECL extension to do this. With more and more large sites turning to MongoDB it's only going to be a matter of time before a large website is found to be vulnerable to this type of attack.
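As an added example (not code from the original post), the following shows how PHP's query-string parsing turns password[$ne]=x into an array keyed by the MongoDB not-equal operator, and a type check that refuses it before the filter reaches findOne(); the $mongo connection and users collection are assumed.

```php
<?php
// Added example, not code from the original post: shows how PHP's query-string
// parsing turns password[$ne]=x into an operator document, and a check that
// refuses non-string parameters before they reach findOne().

// Constructed request: what ?username=admin&password[$ne]=x becomes in $_GET.
parse_str('username=admin&password[$ne]=x', $request);

/**
 * Return a query parameter only if it is a plain string. name[] and name[key]
 * produce arrays, which MongoDB would interpret as operator documents.
 */
function scalarParam(array $params, string $name): string
{
    if (!array_key_exists($name, $params)) {
        throw new InvalidArgumentException("missing parameter: $name");
    }
    if (!is_string($params[$name])) {
        throw new InvalidArgumentException("parameter $name must be a string");
    }
    return $params[$name];
}

// Unsafe: the array passes straight through, so the filter becomes
// {username: "admin", password: {$ne: "x"}} and matches admin's document
// whatever the real password is.
$unsafeFilter = [
    'username' => $request['username'],
    'password' => $request['password'],
];
var_export($unsafeFilter);
echo PHP_EOL;

// Safe: building the filter from scalarParam() fails fast on the array
// instead of sending it to the database.
try {
    $safeFilter = [
        'username' => scalarParam($request, 'username'),
        'password' => scalarParam($request, 'password'),
    ];
    // $result = $mongo->test->users->findOne($safeFilter); // hypothetical connection
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . PHP_EOL;
}
```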

Creating a JQuery and PHP powered chess engine

June 20th, 2010

I'm currently writing a fully functioning chess engine in PHP with a jQuery front end. It's going to support a dictionary of openings, endgame tables, pondering and use a minimax game tree with alpha-beta pruning.

Check out a screen shot below

PHPChess

Hopefully I'll have something up which people can play by the end of the week, though it might not support all the features mentioned above straight away.

Update 29th July: I got sidetracked with some other stuff. I'm still working on this; it's just going to take a while to finish off. So far I've got a basic move generator which passes perft tests. I'm still working on the board evaluation function.

The MySQL server is running with the --skip-grant-tables option so it cannot execute this statement

February 12th, 2010

So you lock yourself out of MySQL and see the following error when you try to change the password while running with the --skip-grant-tables option:

mysql> GRANT ALL PRIVILEGES ON *.* TO "w000t@%" IDENTIFIED BY 'passwordthinggy';
ERROR 1290 (HY000): The MySQL server is running with the --skip-grant-tables option so it cannot execute this statement

It's because the grant tables still have to be loaded. If you want to change the password you'll need to run

FLUSH PRIVILEGES;

before you issue your GRANT statement.

Skills shortage leaves Australian Computer Society open to attack.

January 22nd, 2010

According to the Australian Computer Society and DIAC (the Department of Immigration) there is a massive shortage in Australia of "Computing Professionals specialising in Network Security/Firewall/Internet Security".

No surprise there. What's more of a shocker is that the very people who assess the skills of would-be migrants to Australia can't even secure their own website against the most basic types of injection attacks, namely cross-site scripting (I'm guessing it's down to the skills shortage).

Security flaw

The ACS, however, don't seem to be concerned. I've emailed them twice at the beginning of the week about the fault and they've yet to reply to my email or even fix it. The carefully crafted link below will generate the above screenshot.

http://www.acs.org.au/index.cfm?action=load&temID=search&searchtxt="><h1>hello</h1><script>alert(document.cookie);</script><input type="hidden"&pageno=1&display=1&searchbtn.x=53&searchbtn.y=16

The code is not malicious; the above script will just output the current cookie to the screen. With security flaws like this, let's hope the ACS aren't "shaping our future"...

Update 27th January: It appears that someone at the ACS has fixed the issue, but only to the extent of filtering the <script></script> tags from the input string... HTML injection is still possible. Wouldn't it have been easier just to use htmlentities() or the similar ASP.NET function to sanitize the string before displaying it? HTML injection is still a big security risk.
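An added example, not code from the original post, illustrating the point of the update: stripping <script> tags from the search string (stripScriptTags, a hypothetical stand-in for the fix described) still leaves raw markup that is injected into the page, whereas output encoding with htmlspecialchars() neutralises every character that can open or close a tag or attribute.

```php
<?php
// Added example, not from the original post: why removing <script> tags is not
// sanitisation, and what output encoding does instead.

// Constructed input using the same markup as the post's search string.
$searchtxt = '"><h1>hello</h1><script>alert(document.cookie);</script><input type="hidden"';

// Hypothetical stand-in for the fix the update describes: drop script tags only.
function stripScriptTags(string $input): string
{
    return preg_replace('#</?script[^>]*>#i', '', $input);
}

// Output encoding: <, >, ", ' and & are converted to entities, so the browser
// renders them as text instead of parsing them as markup.
function encodeForHtml(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// True when the value still contains characters that would be parsed as markup
// or would terminate a quoted attribute value.
function containsRawMarkup(string $value): bool
{
    return strpbrk($value, '<>"') !== false;
}

$stripped = stripScriptTags($searchtxt);
$encoded  = encodeForHtml($searchtxt);

// The stripped version still carries <h1>hello</h1> and the "> that breaks out
// of the value="" attribute; the encoded version carries neither.
var_dump(containsRawMarkup($stripped));
var_dump(containsRawMarkup($encoded));

// Safe reflection of the search term back into the form.
echo '<input type="text" name="searchtxt" value="' . $encoded . '">' . PHP_EOL;
```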

Three.co.uk and the HUAWEI E1550 on Debian

November 12th, 2009

I've been trying to get the HUAWEI E1550 dongle working with my Debian (lenny) installation all day with little success. My first problem was that the dongle would show up as a USB drive and not a modem, and required modem-switch to be run to make it show up as a modem on /dev/ttyUSB0.

I couldn't get modem-switch to compile because it needs udev 1.45 and lenny only has 1.41. Luckily I found usb_modeswitch, which compiled easily enough and does pretty much the same job. My next issue was that the -H flag on usb_modeswitch for HUAWEI didn't work. However, I found on the web these config lines to stick in /etc/usb_modeswitch.conf which seem to work just fine and remove the need for the -H switch.

DefaultVendor = 0x12d1
DefaultProduct = 0x1446
MessageEndpoint = 0x01
MessageContent = "55534243000000000000000000000011060000000000000000000000000000"

Upon running usb_modeswitch it now switched my dongle on. I installed wvdial and used wvdialconf to configure the config file. I then adjusted the phone number in accordance with some forum entries I had read, so the config reads:

[Dialer Defaults]
Init1 = ATZ
Init2 = ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0
Stupid Mode = 1
Modem Type = Analog Modem
Phone = *99***#1
New PPPD = yes
Modem = /dev/ttyUSB0
Username = guest
Password = guest

I was getting an “invalid dial command” message every time I tried to dial out.

--> WvDial: Internet dialer version 1.60
--> Cannot get information for serial port.
--> Initializing modem.
--> Sending: ATZ
ATZ
OK
--> Sending: ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0
ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0
OK
--> Modem initialized.
--> Sending: ATDT*99***#1
--> Waiting for carrier.
ATDT*99***#1
ERROR
--> Invalid dial command.
--> Disconnecting at Thu Nov 12 11:09:27 2009

Turned out there was nothing wrong with my modem configuration; I'd just inserted the SIM card upside down. Oops. My main issue now is I don't have any 3G coverage where I am.

--> WvDial: Internet dialer version 1.60
--> Cannot get information for serial port.
--> Initializing modem.
--> Sending: ATZ
ATZ
OK
--> Sending: ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0
ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0
OK
--> Modem initialized.
--> Sending: ATDT*99#
--> Waiting for carrier.
ATDT*99#
NO CARRIER

The conclusion, though, is that the E1550 appears to work with Linux, even if it's a pain to set up. I won't know it works for sure till I can find somewhere with 3 coverage.