<?xml version="1.0" encoding="utf-8" ?>
<?xml-stylesheet href="/templates/default/atom.css" type="text/css" ?>

<feed 
   xmlns="http://www.w3.org/2005/Atom"
   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
   xmlns:dc="http://purl.org/dc/elements/1.1/"
   xmlns:admin="http://webns.net/mvcb/"
   xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
   xmlns:wfw="http://wellformedweb.org/CommentAPI/">
    <link href="http://tetraboy.com/feeds/atom10.xml" rel="self" title="TetraBlog" type="application/atom+xml" />
    <link href="http://www.tetraboy.com/"                        rel="alternate"    title="TetraBlog" type="text/html" />
    <link href="http://www.tetraboy.com/rss.php?version=2.0"     rel="alternate"    title="TetraBlog" type="application/rss+xml" />
    <title type="html">TetraBlog</title>
    <subtitle type="html">Five nines of awesome.</subtitle>
    <icon>http://www.tetraboy.com/templates/default/img/s9y_banner_small.png</icon>
    <id>http://www.tetraboy.com/</id>
    <updated>2009-03-25T03:07:39Z</updated>
    <generator uri="http://www.s9y.org/" version="1.1.2">Serendipity 1.1.2 - http://www.s9y.org/</generator>
    <dc:language>en</dc:language>

    <entry>
        <link href="http://www.tetraboy.com/archives/6-EvalDont-be-evil.html" rel="alternate" title="Eval(Don't be evil())" />
        <author>
            <name>Jeff Jones</name>
            <email>nospam@example.com</email>
        </author>
    
        <published>2009-03-25T02:27:37Z</published>
        <updated>2009-03-25T03:07:39Z</updated>
        <wfw:comment>http://www.tetraboy.com/wfwcomment.php?cid=6</wfw:comment>
    
        <slash:comments>0</slash:comments>
        <wfw:commentRss>http://www.tetraboy.com/rss.php?version=atom1.0&amp;type=comments&amp;cid=6</wfw:commentRss>
    
    
        <id>http://www.tetraboy.com/archives/6-guid.html</id>
        <title type="html">Eval(Don't be evil())</title>
        <content type="xhtml" xml:base="http://www.tetraboy.com/">
            <div xmlns="http://www.w3.org/1999/xhtml">
                <blockquote>If <a href="http://www.php.net/eval" >eval()</a> is the answer, then you are asking the wrong question.</blockquote><br />
<br />
You may have heard that quote or one like it before. The PHP eval language construct evaluates a string as PHP code. Mix in some user input, and it's easy to see why you are told to stay far away from eval(). <br />
<br />
Like any good little PHP coder would, I listen to this and will never use eval. But what if I can't figure out a better question, and the answer keeps coming up as eval()?!? Whatever shall I do? Evil() to the rescue!<br />
<br />
<b>Twitter/IM/IRC version:</b><br />
<code><br />
&lt;?php function evil($c){$f=tempnam('','');file_put_contents($f,"&lt;?php\n".$c."\n?&gt;");include($f);}evil('echo "DIE WORLD!";'); ?&gt;<br />
</code><br />
<br />
Now I can easily evil() any code I want, without using eval! 
            </div>
        </content>
        
    </entry>
    <entry>
        <link href="http://www.tetraboy.com/archives/5-Twitter-Clickjacking-Attack.html" rel="alternate" title="Twitter Clickjacking &quot;Attack&quot;" />
        <author>
            <name>Jeff Jones</name>
            <email>nospam@example.com</email>
        </author>
    
        <published>2009-02-12T20:31:19Z</published>
        <updated>2009-02-13T19:48:31Z</updated>
        <wfw:comment>http://www.tetraboy.com/wfwcomment.php?cid=5</wfw:comment>
    
        <slash:comments>1</slash:comments>
        <wfw:commentRss>http://www.tetraboy.com/rss.php?version=atom1.0&amp;type=comments&amp;cid=5</wfw:commentRss>
    
            <category scheme="http://www.tetraboy.com/categories/5-JS" label="JS" term="JS" />
    
        <id>http://www.tetraboy.com/archives/5-guid.html</id>
        <title type="html">Twitter Clickjacking &quot;Attack&quot;</title>
        <content type="xhtml" xml:base="http://www.tetraboy.com/">
            <div xmlns="http://www.w3.org/1999/xhtml">
So the interesting news today is that a Twitter worm named "Don't click" started spreading. It had no harmful payload; it merely tweeted a link to itself. However, using search.twitter.com, at peak there were multiple new hits per second for "Don't click" as it spread wider and wider. It was a simple exploit: a page with a button labelled "Don't Click" and an iframe loading Twitter.com with the status form pre-filled to post a tweet. At first look it appeared to be a classic example of Cross-Site Request Forgery, or CSRF. <br />
<br />
Thanks to <a href="http://seancoates.com/">Sean Coates</a>' keen eyes, it was discovered that the page's CSS was being used to invisibly place the Twitter.com iframe over the "Don't Click" button, such that you would actually be clicking the Twitter submit button. This was necessary because Twitter uses auth tokens to prevent CSRF attacks: a request sent in without a valid auth token is not submitted; instead the Twitter submit form is shown pre-filled with the data. Because the iframe was made invisible via CSS, a visitor would not see that they were actually submitting a pre-filled Twitter page. You can read more about the workings of this on <a href="http://shiflett.org/blog/2009/feb/twitter-dont-click-exploit">Chris Shiflett's blog post</a>.<br />
<br />
While this was clearly an exploit of Twitter, and a creative one at that, I have to wonder if it was a true attack. The author disabled the page when it began to get out of control, and they seem to be following Twitter's progress at blocking it. If I had to guess, I'm betting someone was reading about clickjacking and decided to try it out on Twitter. "Look what I can do!" They might have started off by showing it to a few friends, and then pretty soon it spread all over Twitter. While it may seem like an embarrassment for Twitter, in truth they should be thankful the vulnerability was discovered by a relatively harmless worm, rather than a malicious attack.<br />
<br />
Long term, I think this will have been a good thing for the web, as it serves as a very loud wakeup call to take clickjacking seriously. Because this was done purely with CSS, even users with JavaScript disabled are vulnerable. In fact, Twitter's quick fix of breaking out of frames will not work at all if a user has JavaScript disabled. In this rare case, noscript could actually make you less safe. <br />
<br />
Now, while Twitter has made a quick fix, there are already ways to defeat it in IE and Firefox. (See: <a href="http://shiflett.org/twitter.php">Chris Shiflett's example</a> using the frame-buster-busting JS I found.) So how can Twitter fix this vulnerability? The quickest way would be to stop pre-populating the form with data when there is no valid auth token. This would stop the simplest form of the attack, where a single click submits a pre-filled form. More complicated attacks might still be possible by tricking the user into typing into a disguised Twitter form and clicking submit, or performing whatever form actions are necessary to submit the form.<br />
<br />
My quick idea to guard against more complicated clickjacking attacks: give the form a drop-down select field like this:<br />
<br />
<form action=""><br />
<select name="uri"><br />
<option value="BAD">Submit to</option><br />
<option value="BAD">Submit to</option><br />
<option value="GOOD">www.tetraboy.com</option><br />
<option value="BAD">Submit to</option><br />
</select><br />
</form><br />
<br />
This would force the clickjacker to display the drop-down, and hopefully cue the user in to the fact that they are being clickjacked. In general, the idea is to provide an easily recognizable, site-specific form field, similar to a CAPTCHA, that the user will notice if another site tries to trick them into using it. I'm sure a more polished method can be developed. 
            </div>
        </content>
        
    </entry>
    <entry>
        <link href="http://www.tetraboy.com/archives/4-7-things-you-didnt-know,-or-want-to-know,-about-me..html" rel="alternate" title="7 things you didn't know, or want to know, about me." />
        <author>
            <name>Jeff Jones</name>
            <email>nospam@example.com</email>
        </author>
    
        <published>2009-01-03T22:30:20Z</published>
        <updated>2009-01-04T18:15:17Z</updated>
        <wfw:comment>http://www.tetraboy.com/wfwcomment.php?cid=4</wfw:comment>
    
        <slash:comments>2</slash:comments>
        <wfw:commentRss>http://www.tetraboy.com/rss.php?version=atom1.0&amp;type=comments&amp;cid=4</wfw:commentRss>
    
    
        <id>http://www.tetraboy.com/archives/4-guid.html</id>
        <title type="html">7 things you didn't know, or want to know, about me.</title>
        <content type="xhtml" xml:base="http://www.tetraboy.com/">
            <div xmlns="http://www.w3.org/1999/xhtml">
I was one of the later people to get tagged in the PHP community, likely due to my blog's low readership, as most people simply can't keep up with the quantity of blog posts I do... so many posts, so little time... Thanks to <a href="http://www.wolerized.com/blog/remi-woler/seven-things-tagged-ivo">Remi_Woler</a>, you shall now be subjected to learning 7 things about me!<ol><br />
 <li>My first use of PHP was for a game modding website, mostly for Half-Life mods. Finding hosting for this site, and offering free hosting to game mods was how I ended up getting involved in the web hosting industry. The site was pretty popular, and I coded a custom CMS to power it. While working on the site, I made my first contribution to an OSS project, a security patch for phpBB.</li><br />
 <li>I discovered Cross-site request forgery. Ok, maybe I wasn't the first one to discover it, but I discovered it before there was even a popular word for it. I remember a couple of years ago mentioning CSRF in PHPC, and it seemed like no one knew about it. Today, it's a known huge issue. Maybe in some small way I helped spread awareness of the issue.</li><br />
 <li>I have monkey toes. Seriously! The gap between my big toe and "index toe" is about 3 inches. I enjoy wearing flip-flops around the house so I can easily use my feet to pick up objects. I also like eating bananas, and hopefully if I keep banging on this keyboard long enough, I will produce the programming equivalent of Shakespeare. PS: I can type with my toes.</li><br />
 <li>I'm a lucid dreamer. Lucid dreaming is when you are asleep, but you realize you are in a dream, and you can alter the dream at will. Kind of like daydreaming, but while actually being asleep. I credit this to my brain being overly logical. If you read up on it, you'll find lots of ways to try and "learn" to be a lucid dreamer. I started lucid dreaming when I was a kid, without even knowing what it was called, or that it existed. What caused me to start lucid dreaming? I had a dream with X-men villains, and while asleep my brain logically concluded this must be a dream, as X-men are fictional. I've been a lucid dreamer ever since.</li><br />
 <li>I'm a bit of a health nut and picky eater. I rarely drink soft drinks. Usually just lots of water and coffee. I haven't eaten a hamburger or hot dog in over 5 years. I avoid anything with MSG in it, and as a rule, try not to eat too much of anything that has ingredients with names I can't even pronounce. I love fruit, and eat lots of it year round.</li><br />
 <li>I have no favorite type of music, and I own only one music CD: the Spice Girls album, which I found abandoned and ran over in a parking lot. Likely by some parent tired of hearing their teenage girl keeping "Wannabe" on loop 24/7 for a few weeks. My favorite book and movie is Jurassic Park, which I have read and watched so many times I pretty much know both by heart. I'm a sucker for anything Michael Crichton, and I was really saddened when he passed away last year.</li><br />
 <li>I am not a nerd! I'm a geek, who may sometimes be nerdy. Should you need proof, stand back, as I'm about to blow away any nerd cred I might have: I've only seen Star Wars once. I've never played MMORPGs, Dungeons &amp; Dragons or Magic: The Gathering, but I hang around enough nerds to know what they are <img src="http://www.tetraboy.com/templates/default/img/emoticons/wink.png" alt=";-)" style="display: inline; vertical-align: bottom;" class="emoticon" />. I've never worn a pocket protector, and I don't read comic books. I don't "get" anime. And, as a final nail in the geek coffin, I only know pi to 2 decimal places.</li></ol><br />
Hope you enjoyed reading this, although as evidenced by the above post, I tend to ramble on about myself ad nauseam, so if you've met me for any length of time longer than 5 minutes, this may all be old news to you. Now here comes the fun part: I get to try and find 7 people who haven't already been tagged, and get them in on the fun. Here goes:<br />
<ul> <li><a href="http://www.atlantaphp.org">Chris Spruck</a> - Because he needs to get a blog, and now he is obligated to.</li><br />
 <li><a href="http://thenazg.blogspot.com/">Chuck Burgess</a> - Because he normally does more working than talking, and we need to fix that.</li><br />
 <li><a href="http://foxydot.com/">FoxyDot</a> - Because she's our own little Bobby Tables. Corrupting DBs wherever she goes.</li><br />
 <li><a href="http://zaemis.blogspot.com/">Timothy Boronczyk</a> - For being the only person to actually care about my tuna related injury.</li><br />
 <li><a href="http://ericdavid.cc/">Eric David</a> - For being cool and using my camera to take pictures of my pikachu presentation, so I actually had some pictures of me for once.</li><br />
 <li><a href="http://jonebird.com/">Token Python Guy</a> - For totally kicking my butt at running up those stairs in Atlanta, and generally being awesome. (For a Python guy <img src="http://www.tetraboy.com/templates/default/img/emoticons/wink.png" alt=";-)" style="display: inline; vertical-align: bottom;" class="emoticon" /> )</li><br />
 <li><a href="http://www.benramsey">Ben Ramsey</a> - Just Because</li><br />
</ul>PS: Sorry about missing the 2008 blog post, I'll try and post twice in 2009.<br />
PSS: Maybe even three times.<br />
PSSS: I hate evil doors.<br />
PSSSS: Btw, BACON!!! 
            </div>
        </content>
        
    </entry>
    <entry>
        <link href="http://www.tetraboy.com/archives/3-Arrays-are-Objects-are-Functions-are-Objects.html" rel="alternate" title="Arrays are Objects are Functions are Objects?" />
        <author>
            <name>Jeff Jones</name>
            <email>nospam@example.com</email>
        </author>
    
        <published>2007-11-14T16:30:10Z</published>
        <updated>2009-01-04T18:18:43Z</updated>
        <wfw:comment>http://www.tetraboy.com/wfwcomment.php?cid=3</wfw:comment>
    
        <slash:comments>2</slash:comments>
        <wfw:commentRss>http://www.tetraboy.com/rss.php?version=atom1.0&amp;type=comments&amp;cid=3</wfw:commentRss>
    
    
        <id>http://www.tetraboy.com/archives/3-guid.html</id>
        <title type="html">Arrays are Objects are Functions are Objects?</title>
        <content type="xhtml" xml:base="http://www.tetraboy.com/">
            <div xmlns="http://www.w3.org/1999/xhtml">
                <b>Note: I should probably do a follow up post, as this was when I was first really learning javascript. Thanks to #phpc and #js on freenode, I did end up finding good JS reference material.</b><br />
<br />
<pre>
&lt;script type="text/javascript"&gt;
// Constructor function: "new form()" creates an object and runs this
// with "this" bound to it.
function form() {
  // Inner function, attached to the new object as a method below.
  function validate(s) {
    return s;
  }
  this.validate = validate;
  // Property named with a reserved word. ES3-era engines may reject
  // "this.var"; ES5 allows reserved words after a dot.
  this.var = "!";
}
// Reuses the name "form" for the instance, so the constructor is no
// longer reachable afterwards.
form = new form();
document.write(form.validate("hello world") + form["var"]);
&lt;/script&gt;
</pre><br />
Coming from PHP and C-type coding, this makes absolutely no sense. It does, however, work. It also gives me some ideas for its use.<br />
<br />
My reason for writing this post is to ask for your help. Readers of the world: do you know a website that clearly explains how one would write a "class" with methods and properties in JavaScript? Despite my googling, I had to figure this one out myself by trial and error. Perhaps I just need a good JS reference. Where is <b>the</b> JavaScript manual? 
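An added example (not the post's code) showing the constructor-function-plus-prototype pattern that JavaScript of that era used for classes, next to the post's inner-function pattern so the difference is visible, plus a whatIsIt() helper that checks the title's claim that arrays and functions are both objects. Form, LoginForm and the whitelist validation rule are assumptions chosen for illustration.<br />

```javascript
// Constructor function: calling it with "new" creates an object whose
// prototype is Form.prototype and runs the body with "this" bound to it.
// Per-instance state goes on "this".
function Form(name, pattern) {
  this.name = name;
  // Whitelist for field values (an assumption for the demo): letters,
  // digits and spaces, 1 to 40 characters. Rejecting is safer than
  // trying to strip bad characters out.
  this.pattern = pattern || /^[A-Za-z0-9 ]{1,40}$/;
  this.errors = [];
  Form.created += 1;   // a function is an object, so it can carry properties
}
Form.created = 0;

// Methods go on the prototype, so every instance shares one function.
Form.prototype.validate = function (value) {
  const ok = typeof value === 'string' ? this.pattern.test(value) : false;
  if (!ok) {
    this.errors.push(this.name + ': rejected ' + JSON.stringify(value));
  }
  return ok;
};

// The post's pattern: an inner function assigned inside the constructor.
// It works, but every instance gets its own copy of validate.
function FormWithClosure() {
  function validate(s) {
    return s;
  }
  this.validate = validate;
  this.marker = '!';   // the post used "var" here, which is a reserved word
}

// Inheritance the pre-ES6 way: call the parent constructor, chain the
// prototypes, then restore "constructor".
function LoginForm() {
  Form.call(this, 'login', /^[A-Za-z0-9]{3,16}$/);   // tighter rule: no spaces, shorter
}
LoginForm.prototype = Object.create(Form.prototype);
LoginForm.prototype.constructor = LoginForm;

// The title's question, answered by the language itself.
function whatIsIt(x) {
  return {
    type: typeof x,
    isObject: x instanceof Object,
    isFunction: typeof x === 'function',
    isArray: Array.isArray(x),
  };
}
```

Two things the post's snippet hides: instances made from a prototype share one validate function, while the inner-function version allocates a fresh closure per object; and the constructor itself is an ordinary object, which is why Form.created works and why typeof reports "function" while instanceof Object is still true.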
            </div>
        </content>
        
    </entry>
    <entry>
        <link href="http://www.tetraboy.com/archives/2-My-Halloween-Haunted-House.html" rel="alternate" title="My Halloween Haunted House" />
        <author>
            <name>Jeff Jones</name>
            <email>nospam@example.com</email>
        </author>
    
        <published>2007-11-13T20:11:19Z</published>
        <updated>2007-11-13T20:23:45Z</updated>
        <wfw:comment>http://www.tetraboy.com/wfwcomment.php?cid=2</wfw:comment>
    
        <slash:comments>0</slash:comments>
        <wfw:commentRss>http://www.tetraboy.com/rss.php?version=atom1.0&amp;type=comments&amp;cid=2</wfw:commentRss>
    
    
        <id>http://www.tetraboy.com/archives/2-guid.html</id>
        <title type="html">My Halloween Haunted House</title>
        <content type="xhtml" xml:base="http://www.tetraboy.com/">
            <div xmlns="http://www.w3.org/1999/xhtml">
                <h3 style="text-align:center"><br />
Hauntmore Estate 07</h3>Every year for the past 10 years I've done a haunted house for Halloween with the help of my family and friends. This year we continued that trend, but we went all out. We had 5 rooms, 4 actors, and 320 square feet of terror. Here are pictures and a description of the rooms.<br />
<br />
<h3 style="text-align:center">Goodies</h3><p style="text-align:center;font-size:1.1em;"><a href="http://www.tetraboy.com/gallery/Haunt07construction" >Haunt 07 Construction</a><br />
<a href="http://www.tetraboy.com/gallery/Haunt07inthedark">Haunt07 In The Dark</a><br />
<a href="http://www.tetraboy.com/gallery/Haunt07LightsOn">Haunt07 Lights On Tour</a><br />
<a href="http://www.tetraboy.com/gallery/Haunt07Video/FLVScrubber">Haunt07 Video</a><br />
<a href="http://www.tetraboy.com/gallery/halloween">Previous Years</a></p><br />
<h3 style="text-align:center">Rooms</h3><strong>Unliving Room</strong><br />
This room was lit by flicker lights until the group was in. The flicker lights went off and blacklights came on, showing lots of scary writing on the walls, etc. There were 2 dummies in chairs, one of them me, and a pair of shoes behind a curtain. An actor would stand up, scream "Get Out" and scare the group into the next room. We had several people who started into this room and then walked back out the entrance, too scared to continue.<br />
<br />
<strong>Child Deadroom</strong><br />
This room had a painted groundbreaker in a bed. The bed was supposed to shake, but that device broke at the last minute. We had a couple of spooky dolls and some rats eating a skull. After the group got in, an actor playing a werewolf would come out from behind some burlap howling and scare them into the next room.<br />
<br />
<strong>Dark Room</strong><br />
This room had no light, it was pitch black and monitored by an infrared camera. As the group entered ankle ticklers were triggered. After they started down the hallway, surround sound speakers played the sound of a chainsaw. A lot of people thought it was real, as you couldn't see anything. At the end of the hall was an air cannon. A zombie head could be lighted up at the end of the hallway if the group had trouble finding their way out.<br />
<br />
<strong>Funeral Parlor</strong><br />
This room had a fan head animatronic and a casket. We had bats hung from the ceiling, spooky pictures on the wall, and a cage with a snake hanging out of it. After the group got in, an actor playing a zombie would come out of the coffin and scare them into the next room.<br />
<br />
<strong>Shrine Room</strong><br />
This room had hockey masks hung around the room, with a painting of a skeleton wearing a hockey mask. As the group entered, the painting would drop and an actor wearing a hockey mask would come through with a glow-in-the-dark cleaver. The painting would go back up and a strobe light came on. There was a guy on the floor chopped in half, his hand still crawling for the exit. Another actor already in the room, wearing a Jason mask, would chase the group out the exit with a blood-covered machete. 
            </div>
        </content>
        
    </entry>
    <entry>
        <link href="http://www.tetraboy.com/archives/1-2007-Smokies-Vacation-pics-posted..html" rel="alternate" title="2007 Smokies Vacation pics posted." />
        <author>
            <name>Jeff Jones</name>
            <email>nospam@example.com</email>
        </author>
    
        <published>2007-07-25T22:52:31Z</published>
        <updated>2008-06-29T16:30:15Z</updated>
        <wfw:comment>http://www.tetraboy.com/wfwcomment.php?cid=1</wfw:comment>
    
        <slash:comments>0</slash:comments>
        <wfw:commentRss>http://www.tetraboy.com/rss.php?version=atom1.0&amp;type=comments&amp;cid=1</wfw:commentRss>
    
            <category scheme="http://www.tetraboy.com/categories/1-Travel" label="Travel" term="Travel" />
    
        <id>http://www.tetraboy.com/archives/1-guid.html</id>
        <title type="html">2007 Smokies Vacation pics posted.</title>
        <content type="xhtml" xml:base="http://www.tetraboy.com/">
            <div xmlns="http://www.w3.org/1999/xhtml">
                Howdy,<br />
<br />
I've uploaded the pics from my vacation to the Smoky Mountains earlier this year, during spring. On the trip I visited Asheville, NC and the Biltmore Estate; Clingmans Dome in the Great Smoky Mountains National Park; Dollywood in Pigeon Forge, TN; and the town of Gatlinburg, TN.<br />
<br />
<a href="http://www.tetraboy.com/gallery/smokies07"  title="Smokies 07">Smoky Mountains 2007 Pictures</a><br />
<br />
I'll hopefully be posting further thoughts on the trip in upcoming posts. Hope you enjoy the pictures. 
            </div>
        </content>
        
    </entry>

</feed>