Darren Tarrant

Internet Explorer 32 styles bug

admin — Sat, 24 Oct 2009 23:07:21 +0000

I have found a curious bug in all versions of Internet Explorer. It is new to me and i found no reference to it on the internet, so here goes.

If you have access to a php server, insert the following code into a php file:

for($i=1;$i<=100;$i++){
?>

”>

}

This will output 100 boxes, each with a separate class reference. There is also 100 class definitions. Viewing this in IE 6,7 and 8 you will see only the first 31 boxes have style!

The workaround for bugs similar to this is to use inline styles instead of class references and this seems to work around it.

Javascript form injection

admin — Sat, 25 Oct 2008 20:53:02 +0000

Imagine a very insecure form, which emailed a password or other sensitive information to a given email address. Imagine again, if you will, that this email address was hard coded into a hidden form field called, say, ‘to’. This is incredibly insecure and here’s why;

With javascript turned on in your browser one can inject their own email address in the place of this one to get the form. All one needs to do is to look at the source code to see how many forms there are on the page. Count from zero upwards to the form you need and reference it like this:

Navigate to a page with said for in it. Let’s say it is the first form in the source code, therefore we reference it with a ’0′ (second one will be a ’1′ and so on). The form, we know from the source code, has a field called ‘to’, so we want to set it to a new value. Now type this into the browser address bar:

javascript:void(document.forms[0].to.value=”me@example.com”)

To check the value has changed type this:

javascript:alert(document.forms[0].to.value)

Now when you submit the form, it will be submitted with the ‘to’ value of me@example.com. Simple. It is easy to imagine all sorts of variations on this theme, so awareness is an important tool in protecting against it.

To protect your forms against this, you must have some sort of server side checking in the target url to check for correct email addresses. There is two ways to do this; white listing and blacklisting. Whitelisting is a list, perhaps an array or database resource, of all allowed email addresses that can be accepted into the form processing script. All other values are logically rejected by the script. This is a more secure option. A blacklist, less useful but worth mentioning, is where you allow all values, except specified ones. Blacklisting is only really useful if you know that there are only specific examples of values you wish to disalllow (for example removing rude words from a message).

I hope this article has been insightful and helpful.

Mod rewrite for 301 redirects

admin — Sat, 25 Oct 2008 20:23:55 +0000

301 redirects are essential if you port a site that ranks well to a new page address or domain. It is common on a LAMP platform to use the htaccess file and mod rewrite to acheive this. Here are some useful examples of mod rewrite rules to help you along the way.

With RewriteEngine On
and in RewriteRule
^home\.php$ # Just file itself
^home\.php(.*)$ # File plus zero or more chars
^home\.php(.{0,})$ # File plus zero or more chars
^home\.php(.{0,28})$ # File plus zero to 28 (or whatever) chars
^home\.php(.+)$ # File plus one or more chars
^home\.php(.{1,})$ # File plus one or more chars
^home\.php(.{1,28})$ # File plus one to 28 (or whatever) chars
^home\.php\?var=val$ # File with specific query string
^home\.php([\?]([a-zA-Z0-9]+)=([a-zA-Z0-9]+))$ # File with regex for basic query
^home\.php#overHere$ # File with Hash part

So for example use the following script with the above expressions:

ReWrite Engine On

Rewrite Rule ^home\.php([\?]([a-zA-Z0-9]+)=([a-zA-Z0-9]+))$ http://www.new-domain.com/$i

This will rewrite any url on the old domain of the form http://www.old-domain.com/home.php?something=value to the new url: http://www.new-domain.com/home.php?something=value

With variations on the expressions above you can acheive most of what you are after to pass on that vital link juice.

Hacking upload scripts

admin — Thu, 18 Sep 2008 19:37:59 +0000

The 1×1 JPEG hack, goes something like this…..

Many file upload forms use server side processing that checks for MIME type and filename/extension to see if a file is bonafide. These attributes of a file are always sent by the referrer, so they can be faked. You can set up a 1×1 jpeg with fake mime information and a fake extension, such as hack.jpg.php. This will both pass the MIME and file extension check of the file upload script. If a vulnerable script allows .php or any other executable file then all sorts of mayhem can occur.

To protect against this use a regular expression of the form:

$source = $_FILES['file1']['tmp_name'];
$source_name = $_FILES['file1']['name'];
$source_type = $_FILES['file1']['type'];

if(($source <> “none”) && ($source <> “”) && ((eregi(“.png$”,$source_name) && eregi(“^image/png$|^image/x-png$”,$source_type))) { //allow the file}else{ //this is an invalid file}

This example protects against both MIME type and file extension fakes and uses PHP as it’s scripting language