Eldar Marcussen: November 2009 Archives

Photo stream

Created a photobucket account and uploaded some content that won't make it into blog posts, but might still be of interest to some. Starting albums include some street views of the Google Street View car & rig (periscope build) and beers with @cmlh and @snyff at the Eureka Belgian Beer Cafe. Check it out at http://photobucket.com/wireghoul

Pack of xss

I had some spare time last weekend and decided to go XSS hunting. Yeah I know old news, old vectors, boooring...

Unfortunately, even though XSS is old news in the security community and there are well-established techniques to mitigate it, it is still ridiculously easy to find XSS vulnerabilities in most websites today. It seems the message isn't getting through.

Get all the details after the break, or use the quick links below


Graudit version 1.4 released

This will be a short lived release, it's actually more like 1.5RC1. Anyway, there are some improvements to the PHP signatures so if you really can't wait until the start of December for version 1.5, then grab a copy from the graudit download page.

Ok, so this post might be a sell out, but since none of the Movable Type SEO advice tutorials I've seen so far do it right I thought it was time for someone (me) to do better. I assume you have done some research so I won't go through the purpose of the meta tags. In this example I will be adding author, keywords and description meta tags.

In your entry template find the line <mtsetvarblock name="html_head"> and add the following lines.
<meta name="author" content="<$MTEntryAuthor$>" />
<meta name="keywords" content="<$MTEntryKeywords encode_html="1"$>" />
<meta name="description" content="<$MTEntryExcerpt encode_html="1"$>" />
Do the same for the page template, but use the variables MTPageAuthorDisplayName, MTPageKeywords and MTPageExcerpt.

The final result should look like;

[Entry template]
<mtsetvarblock name="html_head">
<meta name="author" content="<$MTEntryAuthor$>" />
<meta name="keywords" content="<$MTEntryKeywords encode_html="1"$>" />
<meta name="description" content="<$MTEntryExcerpt encode_html="1"$>" />

[Page template]
<MTSetVarBlock name="html_head">
<meta name="author" content="<$MTPageAuthorDisplayName$>" />
<meta name="keywords" content="<$MTPageKeywords encode_html="1"$>" />
<meta name="description" content="<$MTPageExcerpt encode_html="1"$>" />

The big difference between my method and most others is that I supply the encode_html directive. This means that if your entry contains HTML tokens, such as the double quote ("), it will be encoded as &quot; inside the meta tags, rather than breaking your HTML, which a raw " would do.
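As an added example (not part of the post or of Movable Type), the difference encode_html makes, emulated in Python with html.escape and checked with the standard library's HTML parser so you can see what a browser actually reads out of the attribute; the excerpt text is constructed:

```python
import html
from html.parser import HTMLParser

# Constructed sample excerpt: a double quote and a tag, the sort of content that
# breaks an unencoded content="..." attribute.
EXCERPT = 'He said "hello" <b>world</b>'

def meta_tag_raw(excerpt):
    """Like the template without encode_html: the excerpt is inserted verbatim."""
    return '<meta name="description" content="%s" />' % excerpt

def meta_tag_encoded(excerpt):
    """Like encode_html="1": quotes, angle brackets and ampersands become entities."""
    return '<meta name="description" content="%s" />' % html.escape(excerpt, quote=True)

class _MetaContent(HTMLParser):
    """Records the content attribute of the first <meta> tag, as a browser would read it."""
    def __init__(self):
        super().__init__()
        self.content = None

    def handle_starttag(self, tag, attrs):
        if tag == "meta" and self.content is None:
            self.content = dict(attrs).get("content")

def parsed_description(markup):
    """Parse the markup and return the description the browser actually sees."""
    parser = _MetaContent()
    parser.feed(markup)
    return parser.content

if __name__ == "__main__":
    print(meta_tag_raw(EXCERPT))
    print(parsed_description(meta_tag_raw(EXCERPT)))      # cut off at the first quote
    print(meta_tag_encoded(EXCERPT))
    print(parsed_description(meta_tag_encoded(EXCERPT)))  # the full excerpt, intact
```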

For the index lists, such as the index page, archives, author entry list and so forth, I would recommend using static content for SEO. The reason for this is that the MT tags we have just used are context sensitive, so if you used the entry tags in the author list they would only display the content of the last entry for that author.

Good luck!
The changes to PackageKit which allow non-privileged users to install Fedora-signed packages without privilege escalation make me glad I'm not a Fedora user. There is just a crapton of potential for breakage and security abuse bundled in here, and since I'm a reasonable fellow I will even supply some examples

Graudit, reducing false positives

Some anon called "R" left a comment today, but it was on a page where I had accidentally left comments on, so I won't publish it. He complained about false positives in graudit, and it is not the first time I have heard this, or seen it for that matter. So I thought I would address it publicly. R's comment was;

"graudit seems to trip on things like "update_profile(", proudly highlighting "file(" :)"

This is true (I mostly see it around function names containing mail) and I would very much like to correct all the false positive matches, and avoid any false negatives too for that matter. However, this is a hobby project for me. I am not a company selling software, nor am I paid or given time off by my employer to work on graudit. Therefore my contribution to the project very much depends on my real life activities.

Graudit is meant to be a rough auditing tool. You run it against large/new projects so you can pick some starting points for your audit or even spot some low hanging fruit. It is not a complete solution and cannot validate whether what it highlights is exploitable or not. Since it uses grep it saves me from spending time on parsing engines for the supported languages, but it does make it harder to write signatures that are completely free of false positives. Regular expressions aren't that great for parsing :(

However, it is open source, so feel free to fix the issue and submit a patch; otherwise you will probably have to wait for version 1.5+ before any radical changes to the signatures happen. Until then I guess you will have to live with some false positives.
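An added example, not graudit's own code or signature files, showing why a substring signature matches R's "update_profile(" and how a boundary-aware signature avoids it; the source lines are constructed and the two pattern lists are illustrative:

```python
import re

# Constructed PHP-like source lines. The first two are real hits; the last two
# are the false positives R describes (a function name that merely ends in
# "file" or "mail").
SAMPLE = [
    '$data = file($path);',
    'mail($to, $subject, $body);',
    'update_profile($user);',
    'send_welcome_mail($user);',
]

# Illustrative substring signatures in the style of a grep -E pattern list.
NAIVE = [r'file\(', r'mail\(']
# Same signatures, but the name may not be preceded by an identifier character.
# (^|[^A-Za-z0-9_]) is portable POSIX ERE; GNU grep also accepts \b here.
TIGHT = [r'(^|[^A-Za-z0-9_])file\(', r'(^|[^A-Za-z0-9_])mail\(']

TRUE_HITS = SAMPLE[:2]

def grep(patterns, lines):
    """Return the lines matching any pattern, like `grep -E -f sigfile`."""
    return [line for line in lines if any(re.search(p, line) for p in patterns)]

def false_positives(patterns, lines, true_hits):
    """Lines a signature set flags that are not in the known-good hit list."""
    return [line for line in grep(patterns, lines) if line not in true_hits]

if __name__ == "__main__":
    print("naive false positives:", false_positives(NAIVE, SAMPLE, TRUE_HITS))
    print("tight false positives:", false_positives(TIGHT, SAMPLE, TRUE_HITS))
```

The tightened form still flags method calls such as $obj->file(, which a grep-based tool cannot tell apart from the builtin without actually parsing the language.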

Apache::LogRegex deb package

I was doing some Apache log processing from the command line and recalled using a simple Perl module for processing in the past. A quick CPAN search later and I had packaged it for Debian.

If you don't feel like running dh-make-perl you can grab a copy here;

Karmic annoyance

One of my pet hates about dist upgrades is the unknown that sits on the other side of the upgrade, especially when using binary drivers. To be honest, dist-upgrade is very usable these days. I usually only have to reconfigure X to use the binary drivers afterwards, whereas in the past it could render the system inoperable.

With my latest upgrade from jaunty jackalope to karmic koala (Ubuntu release names) I only experienced one VERY annoying issue. My speakers were constantly crackling, it was as if they were repeatedly initializing. Even when I plugged in headphones, both the speakers and the headphones were crackling. Adjusting the volume helped some as the crackling got muted, but did not stop the issue.

The solution as it turned out was to disable the power saver option for my sound card. I simply commented out the last line of /etc/modprobe.d/alsa-base.conf so it became;

# Power down HDA controllers after 10 idle seconds
#options snd-hda-intel power_save=8 power_save_controller=N

Graudit lightning talk

I will present a graudit lightning talk at the 2009 AISA Annual Seminar Day.
As a result I will aim to release new versions more often, so I can present more bells and whistles. Expect graudit to reach version 1.6 by Christmas 2009!

For the full 2009 AISA ASD agenda please see http://www.aisa.org.au/index.php?page=243

Multipacket three way handshake

Tod Beardsley over at BreakingPoint Labs has identified a rarely recognized section of RFC 793 that allows you to deviate from the normal three way handshake. Rather than doing
A ----syn-----> B
A <---synack--- B
A ----ack-----> B

Which is the "normal" way of doing the three way handshake you can instead do:
A ----syn-----> B
A <---syn------ B
A ----synack--> B
A <---ack------ B
The change in direction could allow you to bypass stateful firewalls, bypass intrusion detection or prevention devices and perhaps change the SYN flood or spoofing landscape. He has successfully tested this against the major OSes.

Read the full post, containing packet captures and more at http://www.breakingpointsystems.com/community/blog/tcp-portals-the-three-way-handshake-is-a-lie
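An added example (not from the BreakingPoint post) contrasting a connection tracker that only knows the textbook order with one that follows the RFC 793 endpoint states, including the simultaneous-open path; both traces are constructed from the two sequences above and the trackers are illustrative models, not any real firewall's logic:

```python
SYN, ACK = "SYN", "ACK"

# Constructed packet traces as (sender, receiver, flag set) triples, following
# the two sequences in the post.
NORMAL = [("A", "B", {SYN}), ("B", "A", {SYN, ACK}), ("A", "B", {ACK})]
MULTIPACKET = [("A", "B", {SYN}), ("B", "A", {SYN}),
               ("A", "B", {SYN, ACK}), ("B", "A", {ACK})]

def strict_tracker(pkts):
    """A device that only knows the textbook SYN, SYN-ACK, ACK order.
    Returns 'established' or 'unknown' for the flow."""
    expected = [("A", {SYN}), ("B", {SYN, ACK}), ("A", {ACK})]
    if len(pkts) != len(expected):
        return "unknown"
    for (src, _, flags), (exp_src, exp_flags) in zip(pkts, expected):
        if src != exp_src or flags != exp_flags:
            return "unknown"
    return "established"

def rfc793_tracker(pkts):
    """Walks each endpoint through the RFC 793 states, including simultaneous
    open (a SYN arriving while in SYN-SENT). Returns 'established' once both
    endpoints reach ESTABLISHED, otherwise 'unknown'."""
    state = {"A": "CLOSED", "B": "CLOSED"}
    for src, dst, flags in pkts:
        if flags == {SYN}:
            if state[src] == "CLOSED":
                state[src] = "SYN-SENT"          # active open
            if state[dst] in ("CLOSED", "SYN-SENT"):
                state[dst] = "SYN-RECEIVED"      # passive or simultaneous open
        elif flags == {SYN, ACK} and state[dst] in ("SYN-SENT", "SYN-RECEIVED"):
            state[dst] = "ESTABLISHED"           # our SYN has been acknowledged
        elif flags == {ACK} and state[dst] == "SYN-RECEIVED":
            state[dst] = "ESTABLISHED"
        else:
            return "unknown"                     # segment does not fit any state
    if all(s == "ESTABLISHED" for s in state.values()):
        return "established"
    return "unknown"

if __name__ == "__main__":
    for name, trace in (("normal", NORMAL), ("multipacket", MULTIPACKET)):
        print(name, "strict:", strict_tracker(trace), "rfc793:", rfc793_tracker(trace))
```

The strict model loses track of the second sequence entirely, which is the gap the post is pointing at; a tracker that models both RFC 793 paths keeps state for it.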

Old advisory

It's that time of the year, and this Christmas we're all giving away old bugs.
So here is an advisory that never made it, until now.

Vircom vopmail / modusmail information disclosure

Graudit version 1.3 released

The latest version of Graudit is here, version 1.3. The most exciting news about this release is the added support for ASP and JSP. That's right, Graudit now supports 5 languages.
There are also some new signatures and bug fixes for the existing rules.

You can obtain the latest version from the graudit download page.
This weblog is licensed under a Creative Commons License.