Electric Bike

July 23rd, 2010

Hello,

as some of you already know: I bought a hackable bike.

It’s a very nice Batavus Intermezzo Easy Deluxe. Just to answer the question of why I bought this device:

I’m about to get my driver’s license (yes, I still have to fail a test, and maybe some day pass one), but since I’m getting older I do need to keep myself a bit healthy, and riding a bike every day is a good way to do that. However, since I also have to work, I can’t afford to spend a large part of an average workday cycling for a very long time (for instance to visit hack42). And I just like cycling.


2 Bugs in a row

April 20th, 2010

1 Microsoft Office
1 Alfresco SharePoint connector.

One of our customers had decided they wanted Alfresco instead of Microsoft SharePoint (a very wise decision). However, since Alfresco speaks plain HTTP by default and not HTTPS, it would be very stupid to run it on the internet as-is, and it would probably not be in line with the contracts they sign about keeping customer data confidential. This calls for a very simple solution: run Apache in front of Tomcat, talk AJP to Tomcat and serve everything over HTTPS.

This works fine just out of the box, even if Apache runs on a separate machine. (Did I mention my general hate for Java already?) However, to make Alfresco a very good SharePoint replacement you have to talk a separate WebDAV/XML-RPC-like protocol that Office understands.

The Alfresco coders decided that it would be too much of a hassle to put this into a nice Tomcat web application that talks to the outside world via Tomcat. Instead they opted to create a:
Tomcat webapp that runs a web server of its own on a separate port.
If you haven’t had enough of this idea, please continue reading..


If you break the RFC you get less email

March 31st, 2010

The last few days I’ve been busy investigating various email problems. I would like to share a few nice ones with you.

If you start an SMTP session you get a 220 welcome message, which can be one line like:

220 Welcome at our mailserver

Or more lines like:

220-Welcome at our mailserver, we very much like to keep spam out of the door and
220 one line is really not enough to put in our crap about policies

The only thing that really matters is that every line starts with 220, that the continuation lines use 220 followed by a hyphen, and that the last line (and only the last line) uses 220 followed by a space.
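As an added illustration (not code from the original post), here is a small client-side reader for the reply format described above, with constructed greetings: a correct single-line one, a correct multi-line one, and a broken one whose first line already carries the "220 " terminator. The reader stops where RFC 5321 says the reply ends, so the broken greeting leaves its second line in the stream, where it will be read as the answer to the client's next command. That desynchronisation is why a client may give up on the session and the receiving site "gets less email".

```python
import re

# Constructed sample greetings (not captured from a real server).
SINGLE_LINE = ["220 Welcome at our mailserver"]
MULTI_LINE = [
    "220-Welcome at our mailserver, we very much like to keep spam out of the door and",
    "220 one line is really not enough to put in our crap about policies",
]
# Constructed broken greeting: the first line uses "220 " instead of "220-",
# so a standards-following client treats the greeting as finished after it.
BROKEN = [
    "220 Welcome at our mailserver, we very much like to keep spam out of the door and",
    "220 one line is really not enough to put in our crap about policies",
]

# Three-digit code, then either "-" (continuation) or " " (last line), then text.
_REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


class SmtpReplyError(ValueError):
    """Raised when a reply does not follow the RFC 5321 line format."""


def read_reply(lines):
    """Consume reply lines from an iterator the way a client does.

    Reads until a line with a space after the code ("220 ...") and returns
    (code, [text, ...]).  Anything after the terminator is left unread in the
    iterator, which is exactly how a malformed greeting desynchronises a client.
    """
    code, texts = None, []
    for line in lines:
        m = _REPLY_LINE.match(line)
        if not m:
            raise SmtpReplyError(f"not a reply line: {line!r}")
        this_code, sep, text = m.groups()
        if code is None:
            code = this_code
        elif this_code != code:
            raise SmtpReplyError(f"code changed from {code} to {this_code} inside one reply")
        texts.append(text)
        if sep == " ":
            return code, texts
    raise SmtpReplyError("stream ended before the reply was terminated")


def parse_smtp_reply(lines):
    """Strict check of a complete reply: every line must belong to it and only
    the last line may carry the "code<space>" terminator."""
    it = iter(lines)
    code, texts = read_reply(it)
    leftover = list(it)
    if leftover:
        raise SmtpReplyError(f"{len(leftover)} line(s) after the terminating line: {leftover[0]!r}")
    return code, texts


def demo_desync():
    """What a client sees with the BROKEN greeting: the greeting ends after line
    one, and the leftover line is then read as the reply to the next command."""
    stream = iter(BROKEN)
    greeting = read_reply(stream)         # only the first line
    answer_to_ehlo = read_reply(stream)   # actually the rest of the greeting
    return greeting, answer_to_ehlo


if __name__ == "__main__":
    print(parse_smtp_reply(MULTI_LINE))
    print(demo_desync())
```

The strict parser is the one to run against a server's greeting when diagnosing "we receive less mail than we used to": if it raises on the banner, the device in front of the mail server is rewriting it.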

Now enter the age of Cisco security-by-obscurity censoring devices:


Linksys SGE2000 commandline for real

October 30th, 2009

I’m the proud new user of a Linksys-by-Cisco SGE2000 switch. It turns out that this very nice switch not only has a very crappy HTML interface and a very limited telnet interface, but also a very nice CLI which almost completely resembles a real command line.

To start it, just telnet/ssh into your SGE20XX switch, log in, and after login type Control+Z. After this you will get a command-line prompt:

>

Just type

> lcli

Now login again.

Profit!

Minor note: it might also work on other Linksys-by-Cisco business switches; please let me know.

Does not match reality

October 30th, 2009

The admin interface:

[Image: Linksys switch admin interface]

Reality:

[Image: reality]

Is it dark outside?

August 28th, 2009

One of my IP cams sends a lot more traffic when it’s dark. By analyzing the data traffic you can see when it gets dark outside, when it’s sunny and when it’s a generally dark day:

[Image: IP cam traffic graph]

Welcome to the wonderful world of Motion JPEG…


Enumeration and security

August 24th, 2009

Enumeration is the first and nicest web bug these days.

First the most stupid example. Some company had put me on one of their nice ‘newsletters’. Without asking, of course. They use a self-written mailing list manager with a very simple web interface to unsubscribe:

http://www.domain.tld/pages/Unsubscribe.aspx?mid=42&uid=$number

The content of this page was:

Are you sure you want to sign out?
Your email address is: mendel@mobach.nl
[Yes]   [No]

Since I’m very allergic to people publishing my email address in this way, I started fiddling with the numbers. It turned out they start at 1 and end at 3479. Guess their number of subscribers…

A nice one-liner gave me all the addresses. After informing them, and about 4 days later, they still had not fixed it.

The bad things that can come out of this:

  1. I can unsubscribe all their members
  2. They leak their (almost) complete client and supplier list

Then the older case, but still a bit interesting.

Once upon a time some company called OV-Fiets decided that it would be nice to send people a newsletter with a nice ‘automatic login URL’. It could not be more stupid:

The URL contained an MD5 hash; after opening it you got a cookie and you were logged in automatically. But since they had already had a basic lesson, they decided to create the MD5 in a special way:

Take a secret number, XOR it with the database ID (*1). Take the result of this XOR in plain text, create an MD5 of it and use that as the hash. Since I do like hashes, I pasted it into Google and immediately got the input of the MD5 hash. Since I knew my customer ID (you have to use it as a login) I could subtract it from the XOR result and I got the secret number.

The bad things that could happen:

  1. I could see everybody’s barcode number (and create them myself)
  2. I could see (hello, unencrypted cleartext, nice website) everybody’s password
  3. I could see everybody’s PIN that goes with 1
  4. I could see all the payment information
  5. I could rent real-world bikes in someone else’s name
  6. I could not return the bikes from 5 and let other people have misery because of my laziness in returning them

And the fix? They disabled the autologin, nothing else. They still display your password in cleartext, they still store it in cleartext, they still did not require everyone to change their PIN code; they did nothing.
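Both cases above fail for the same reason: the value in the URL is derived from a sequential ID by a function anyone can run, so one known ID gives access to all the others. The added example below (not code from the post or from either company) shows how such links are normally built instead: a keyed HMAC-SHA256 over the purpose, the user ID and an expiry time, checked with a constant-time comparison. Without the server key, the token for uid 1235 cannot be computed from the one for uid 1234, Google cannot invert it, and an unsubscribe token cannot be reused as an auto-login token. The unsubscribe path is the one from the post; the key, the `exp` and `t` parameters and the 30-day lifetime are assumptions for this example.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed key for this example; a real deployment loads it from a secret
# store and rotates it. It is never combined with user ids in the clear.
SERVER_SECRET = secrets.token_bytes(32)

UNSUBSCRIBE_BASE = "https://www.domain.tld/pages/Unsubscribe.aspx"  # path from the post


def _message(purpose, uid, exp):
    # Bind the token to what it is for, whom it is for and how long it lives,
    # so an unsubscribe token can never double as an auto-login token.
    return f"{purpose}|{uid}|{exp}".encode()


def make_token(purpose, uid, exp):
    """Keyed MAC over (purpose, uid, exp). Unlike md5(secret XOR id) or a bare
    sequential uid, nothing in the token helps in computing a neighbour's token."""
    return hmac.new(SERVER_SECRET, _message(purpose, uid, exp), hashlib.sha256).hexdigest()


def verify_token(purpose, uid, exp, token, now=None):
    """True only for an unexpired token produced by make_token for the same inputs."""
    now = time.time() if now is None else now
    if exp < now:
        return False
    expected = make_token(purpose, uid, exp)
    # Constant-time comparison so the check does not leak the token byte by byte.
    return hmac.compare_digest(expected, token)


def unsubscribe_url(uid, ttl=30 * 24 * 3600, now=None):
    """Build a link that only the mail recipient for `uid` received."""
    now = time.time() if now is None else now
    exp = int(now) + ttl
    query = urlencode({"mid": 42, "uid": uid, "exp": exp,
                       "t": make_token("unsubscribe", uid, exp)})
    return f"{UNSUBSCRIBE_BASE}?{query}"


def check_unsubscribe_url(url, now=None):
    """Return the uid the request may act on, or None if the link is missing
    parameters, tampered with (different uid or exp) or expired."""
    q = parse_qs(urlparse(url).query)
    try:
        uid, exp, token = int(q["uid"][0]), int(q["exp"][0]), q["t"][0]
    except (KeyError, ValueError, IndexError):
        return None
    return uid if verify_token("unsubscribe", uid, exp, token, now) else None


if __name__ == "__main__":
    link = unsubscribe_url(1234)
    print(link)
    print(check_unsubscribe_url(link))                                   # 1234
    print(check_unsubscribe_url(link.replace("uid=1234", "uid=1235")))   # None
```

For an auto-login link the same construction applies, with two additions a practitioner would insist on: the token should be single-use (store its hash server-side and delete it on first use) and the page it lands on should not display the email address or any other account data before the token has been verified.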

Kind Regards,

Mendel Mobach - time to rent a bike

*1: everybody with a bit of a clue knows this is just secret+dbID

Note: I will write about har2009, but later.

php crc32 on crack

July 28th, 2009

If, one day, you would dream of smoking bad stuff, please don’t use the stuff the creators of PHP use:
> php -r "echo crc32('bla1234').' ';";uname -m
3766889681 x86_64
> ssh host "php -r \"echo crc32('bla1234').' ';\";uname -m"
-528077615 i686

Thanks to lucumo for pointing this known BOGUS bug out to me.
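The two numbers above are the same 32-bit pattern: 3766889681 minus 2^32 is exactly -528077615. PHP's crc32() returns a native integer, which is a signed 32-bit value on the i686 box and a 64-bit value on x86_64, so the high bit is read as a sign on one platform and not on the other. The added example below (mine, not PHP's code or anything from the post) shows the conversion both ways and a comparison that is correct regardless of which platform produced the value; this matters whenever a CRC stored by one machine is checked by another. The PHP manual's own idiom for the same problem is printing the checksum with `%u`.

```python
import zlib

MASK32 = 0xFFFFFFFF


def to_unsigned32(n):
    """View any integer as the unsigned 32-bit value with the same bit pattern."""
    return n & MASK32


def to_signed32(n):
    """View a 32-bit pattern as a two's-complement signed value, which is what
    a 32-bit PHP build hands back from crc32()."""
    n &= MASK32
    return n - (1 << 32) if n & 0x80000000 else n


def crc32_unsigned(data):
    """CRC-32 of `data` as an unsigned value, the form to store or compare.
    zlib.crc32 is already unsigned on Python 3; the mask keeps it so on older versions."""
    return zlib.crc32(data) & MASK32


def same_crc(a, b):
    """True if a and b denote the same CRC-32, whichever sign convention produced them."""
    return to_unsigned32(a) == to_unsigned32(b)


def platform_view(data, bits):
    """Hypothetical model of the behaviour seen in the post: the value a PHP-style
    crc32() would print on a 32-bit (signed) versus 64-bit platform."""
    crc = crc32_unsigned(data)
    return to_signed32(crc) if bits == 32 else crc


if __name__ == "__main__":
    print(to_signed32(3766889681))    # the i686 form of the x86_64 value from the post
    print(to_unsigned32(-528077615))  # and back
    print(platform_view(b"bla1234", 32), platform_view(b"bla1234", 64))
```

The practical rule: never compare or store a CRC in whatever integer form the runtime returns; normalise to the unsigned 32-bit value (or a fixed-width hex string) on both sides, or the same file will "fail" its checksum the moment the other end runs on a different architecture.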

Can’t resist it

July 27th, 2009

Everyone in the CC and To… it’s enough to make you sick, isn’t it?

See the disclaimer……….. I’ll be expecting the complaint.

From: Corny Vierbergen
To: 42 recipients
CC: Another 4 or 5
Subject: Safety rules Heros Sluiskil B.V.
Dear Sir or Madam,

By this means we would like to draw your attention to the fact that strict
general safety rules apply at our company.
In particular, wearing reflective work clothing on the premises is
mandatory, and it must cover the body completely. So wearing
shorts is not allowed!

Furthermore, the following safety rules also apply on our premises:

-          Safety helmet
-          Safety glasses
-          Safety shoes
-          Reflective safety vest

We kindly request that you bring the above safety rules to the
attention of your drivers once again.

Kind regards,

Corny G.M. Vierbergen

Heros Sluiskil B.V.

Postbus 1, 4540 AA  Sluiskil

Oostkade 5, 4541 HH  Sluiskil

Tel.:  +31 XXXXXXXXXXXXXX

Fax:   +31 XXXXXXXXXXXXXX

Mobile: 06 - XXXXXXXXXXXXX
Email: XXXXXXXXXXXXXXX@XXXXXXXXXXXX
____________________________________________________________________
DISCLAIMER:  This e-mail message is intended solely for the addressee
and may contain confidential information. Distribution of this e-mail
message or of the information it contains by anyone other than the
addressee is prohibited. If you have received this e-mail message by
mistake, we request that you notify the sender and destroy the
original. The companies belonging to the Heros Group are not responsible
and/or liable for any consequences and/or damage relating to the sending
and receipt or the content of this e-mail message.

NLUUG: it’s not what it used to be

July 17th, 2009

The NLUUG (Dutch (professional) Unix User Group) is not what it used to be in earlier days.

I attended one of their conferences last May, and by mistake they didn’t send the right invoice. That can happen, no blame yet. But after it was clear that I still wanted the right invoice, I asked them to email me a PDF (that should save printing, for a start).

What they did was: print out the invoice, scan it (rotated about 7 degrees clockwise), put the JPEG image in a PDF and send it by mail.

On the internet we used to make jokes about that kind of action back in 2001 or earlier. Not in 2009, from a professional Unix User Group.

Now waiting for the HTML email with invitation for their conference about text processing or so….. :)