Archive for October, 2009


21 Oct 2009

WordPress – DM Albums Version 2.0 Critical Vulnerability



The latest version of DM Albums was released on 10/21/2009 to all WordPress users and it contains a serious flaw that allows an unauthenticated attacker to remotely delete any file or directory the web server process has permission to remove. The author has been notified of the problem and I have listed a workaround below to prevent directory traversal.

After upgrading to the latest version of DM Albums I was playing with the new features and noticed the function to delete albums. I dug into the code located at wp-content/plugins/dm-albums/wp-dm-albums-ajax.php and found that the album name taken from the request is appended to the upload directory as-is, with no check for directory traversal. This means that anyone can delete files or directories outside of the upload directory simply by supplying ../ sequences.

Example:

    http://someblogsite/wp-content/plugins/dm-albums/wp-dm-albums-ajax.php?delete_album=../../../public_html

The vulnerable section that allows this to take place is:

    if(isset($_GET["delete_album"]) && !empty($_GET["delete_album"]) && strlen($_GET["delete_album"]) > 0)
    {
        // delete the album directory: the request value is concatenated
        // onto the upload directory unchanged, so "../" walks out of it
        dm_get_album_delete($DM_UPLOAD_DIRECTORY . $_GET["delete_album"]);
    }

In this code there is no validation of what the GET variable contains, and there is no login, capability or nonce check either, so you don't even need to be logged in to delete files.

Below is a quick and dirty workaround to prevent the problem; I would suspect there will be more checks to ensure that user input is sanitized in the near future. This workaround will not prevent malicious users from deleting your albums, since the handler still requires no login, but it will keep folders outside of the upload directory safe from the ../ trick shown above. Be aware of its limits: it strips only the forward slash, so on a Windows host the backslash separator passes through untouched, and a bare ".." survives the replacement and resolves to the parent of the upload directory if $DM_UPLOAD_DIRECTORY ends in a separator. A proper fix should canonicalize the final path and confirm it lies inside the upload directory, and should require a logged-in user with the right capability and a valid nonce.

    if(isset($_GET["delete_album"]) && !empty($_GET["delete_album"]) && strlen($_GET["delete_album"]) > 0)
    {
        // remove the / character from user input
        $_GET["delete_album"] = str_replace("/", "", $_GET["delete_album"]);

        // delete the album directory
        dm_get_album_delete($DM_UPLOAD_DIRECTORY . $_GET["delete_album"]);
    }
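The workaround above removes one character rather than checking where the final path actually lands. Below is an added example, not DM Albums' own code, of how the delete handler could be hardened: it whitelists the album name, canonicalizes the result with realpath() and confirms it sits inside the upload directory, and refuses anonymous, unprivileged or nonce-less requests. $DM_UPLOAD_DIRECTORY and dm_get_album_delete() are the plugin's names from the post; dm_resolve_album_path(), dm_handle_delete_album() and the nonce action 'dm_delete_album' are hypothetical, as are the assumptions that dm_get_album_delete() accepts an absolute path and that the upload directory string ends in a separator.

```php
<?php
// Added example (not DM Albums' own code): a hardened replacement for the
// delete_album handler shown in the post. $DM_UPLOAD_DIRECTORY and
// dm_get_album_delete() are the plugin's names; the two functions below
// and the nonce action 'dm_delete_album' are hypothetical.

/**
 * Map a user-supplied album name to a canonical path inside $uploadDir.
 * Returns the absolute path of an existing album directory, or false when
 * the name is malformed or resolves (via "..", "\" or a symlink) outside
 * the upload directory.
 */
function dm_resolve_album_path($uploadDir, $album)
{
    // Whitelist rather than strip: an album name is a single path component
    // that starts with a letter or digit. This rejects "/", "\", NUL bytes,
    // an empty name and the dot-only names "." and "..".
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9 _.-]{0,127}$/', $album)) {
        return false;
    }

    // Canonicalise both sides. realpath() resolves "..", doubled separators
    // and symlinks, and returns false for a path that does not exist.
    $base   = realpath($uploadDir);
    $target = realpath($uploadDir . DIRECTORY_SEPARATOR . $album);
    if ($base === false || $target === false) {
        return false;
    }

    // Containment check: $target must lie strictly below $base. The trailing
    // separator stops "uploads_evil" from matching the prefix "uploads".
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $base, strlen($base)) !== 0 || !is_dir($target)) {
        return false;
    }
    return $target;
}

/**
 * WordPress AJAX handler. Unlike the original it refuses anonymous and
 * unprivileged callers, requires a nonce, and never hands raw request data
 * to the delete routine.
 */
function dm_handle_delete_album()
{
    global $DM_UPLOAD_DIRECTORY;

    // Authorization: the original handler had none at all.
    if (!is_user_logged_in() || !current_user_can('upload_files')) {
        wp_die('Forbidden', '', array('response' => 403));
    }
    // CSRF: the delete link must carry wp_create_nonce('dm_delete_album') in
    // a "nonce" query argument; check_ajax_referer() dies if it is missing.
    check_ajax_referer('dm_delete_album', 'nonce');

    $album = (isset($_GET['delete_album']) && is_string($_GET['delete_album']))
        ? $_GET['delete_album'] : '';
    $path = dm_resolve_album_path($DM_UPLOAD_DIRECTORY, $album);
    if ($path === false) {
        wp_die('Invalid album', '', array('response' => 400));
    }
    dm_get_album_delete($path); // assumed to accept the canonical absolute path
}

// Stand-alone demonstration (php this_file.php): builds a throwaway upload
// tree and shows which album names the resolver accepts. Skipped inside
// WordPress, where add_action() exists.
if (PHP_SAPI === 'cli' && !function_exists('add_action')) {
    $tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dm_demo_' . getmypid();
    mkdir($tmp . '/uploads/holiday', 0700, true);
    mkdir($tmp . '/public_html', 0700, true);
    $uploadDir = $tmp . '/uploads/'; // trailing separator, as the plugin's concatenation implies

    $probes = array(                 // constructed sample inputs
        'holiday',                   // legitimate album
        '..',                        // survives str_replace("/", ""); would name the parent directory
        '../../public_html',         // the traversal from the post
        'holiday/../../public_html', // traversal hidden behind a real album
        "holiday\0x",                // NUL byte
    );
    foreach ($probes as $name) {
        $r = dm_resolve_album_path($uploadDir, $name);
        printf("%-32s => %s\n", json_encode($name), $r === false ? 'REJECTED' : $r);
    }
    rmdir($tmp . '/uploads/holiday');
    rmdir($tmp . '/uploads');
    rmdir($tmp . '/public_html');
    rmdir($tmp);
}
```

Run from the command line it only exercises the resolver: "holiday" resolves to the album directory and every other probe is rejected, the bare ".." included. Inside WordPress the handler would be registered with add_action('wp_ajax_dm_delete_album', 'dm_handle_delete_album') and the delete link rendered with wp_create_nonce('dm_delete_album'); the whitelist alone already blocks traversal, and the realpath() prefix check is the second layer that also catches a symlink planted inside the upload directory.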

Once I hear back from the author I will update this post to let everyone know the outcome.

Update: A new release, v2.0.1, containing the above-mentioned workaround has been published. We should also expect to see another update in the next few days that will employ more security checks and some upgrades for WordPress multi-user environments as well.

21 October, 2009 at 22:49 by safety

Tags: DM-Albums, Exploit, Hacking, Software, Vulnerability, WordPress
Posted in Computer Security, Privacy | No Comments »

15 Oct 2009

Sprint and Their Poor Customer Service – A Case Study


My previous cell phone contract was about to expire in March of this year, so I decided to renew my contract and get a new smart phone. After doing some research, I chose the BlackBerry 8330 and went with the everything data plan. I have been extremely satisfied with the phone’s abilities, features and battery life.

With a fully charged battery I was able to get anywhere from two to three days of use out of the phone before needing to be recharged. At least that was the case until about two days ago. Without warning or notice, the battery life on the phone significantly began to diminish from 2-3 days of use to 10 hours. Decreased battery life is an expected occurrence with any type of battery and I am not blind to that fact. However, after only 7 months of owning this phone, it seems to be more of a defect than something I should expect.

I decided to contact Sprint and find out what their take on the situation was. Now if you haven’t had the pleasure of calling Sprint, here is what you can expect.

  1. English/Spanish prompt.
  2. Enter your phone number prompt (Expect to give this again to everyone you speak to).
  3. A list of prompts that are supposed to route you to the correct department.
  4. A new list of prompts to route you to the correct department.
  5. A final list of prompts to route you to the correct department (Very efficient system…).
  6. If you make it here, be prepared to wait 3 minutes to ∞ to hear a real voice.
  7. In my experience, the first person you speak with will not be able to help you and will transfer you after you give them your phone number, name and pin number (in that exact order).
  8. Now here is the tricky part, you will either be disconnected during this transfer or after being placed on hold with the next person, once you again give them your phone number, name and pin number (in that exact order), while they “speak with their supervisor”.
  9. Call back, repeat steps 1-7 and get an almost believable answer.
  10. Try bogus solution and repeat steps 1-9 all over again…

Ok, enough of the fun stuff and back to the story. The first gentleman I had the pleasure of being transferred to gave me RIM’s number and told me that they would be responsible for the warranty. Without hesitation I called the number I was given and pleaded my case. The RIM employee told me that Sprint had a 1 year warranty on their devices and that they only shipped the phones to Sprint, not the batteries. This is where the run around began. I called Sprint back armed with the new information I had just received. After a “brief” hold period, while a solitary game…I mean conversation with a supervisor was initiated, I was told by Sprint that there was no warranty on batteries. So I inquired about the one year warranty and what it covered. I was then put on hold again and conveniently the phone disconnected.

Now I don’t want to bore you with all of the fuzzy details from my wonderfully productive use of time, so I will condense the remainder. It took a total of 2.5 hours and 10 phone calls including the 4 times I was disconnected, 2 bogus answers, 2 calls to RIM, 1 time of being laughed at by a Sprint employee and the final 40 minute wait while the problem was resolved.

The question I’m sure you are all wondering now is, how did you get the issue resolved? The resolution came on the 10th and final call when I listened to the prompts and chose disconnect service. I was connected to a very pleasant young lady that read the notes on my account, listened to my side of the story (see notes below), escalated the issue and arranged to have a battery sent to me at no cost.

I work for a small business owner that will sacrifice the profit of a job to make sure that he always does the right thing for the customer. This philosophy has allowed him to enjoy a great customer base, a very successful business and a staff of employees that give him the utmost respect. Now I have to ask myself, why can’t a large multi-million dollar corporation like Sprint embrace this philosophy as well?

*Notes – My side of the story consisted of simple math:

  • $140 per month for 17 remaining contract months = Sprint income of $2380
  • $200 disconnect fee minus $2380 = Sprint loss of -$2180
  • $45 battery minus $2380 = Sprint income of $2335
  • Knowing how to bypass steps 1-10 in the future, priceless
15 October, 2009 at 23:49 by safety

Tags: Service, Sprint
Posted in Uncategorized | No Comments »

13 Oct 2009

Quickly Rename Folders and Files in Windows for Free

Have you ever needed to rename a bulk quantity of files and/or folders? In my day to day life, I use template folder structures to contain various aspects of job information. Before these folders are usable, I must add a unique job name to the beginning of the folder and/or file name to make searching easier. This renaming task can quickly become very tedious and time consuming.

Thanks to Denis Kozlov over at [den4b] there is a solution that saves loads of time and effort. The program is called ReNamer, and it allows us to select a list of files and/or folders and perform various renaming operations on them.

Since the task at hand is to work on already designed folder structures, all I need to do is find a method that does the job and save the preset for the different types of folder structures. I chose to use a delete rule to remove the generic job name and then an insert rule to insert a unique job name.

After going through a few short test runs, I came up with a working solution that I was able to save, customize and slightly change to suit other needs.

If you have similar renaming needs, check out this program and I’m sure you will agree it is definitely worth your time.

13 October, 2009 at 22:55 by safety

Tags: Software, Windows, XP
Posted in Utilities, Windows | No Comments »

12 Oct 2009

Apple’s Snow Leopard Bug Deletes All User Data

A bug has been reported on the Apple discussion boards describing a condition that causes all of a user’s data to be deleted.

The bug seems to be triggered when a user logs into the guest account and then, on logging back into their own account, finds that all of their data is gone. The guest account in OS X is designed to delete the guest’s own home directory when the guest logs out; in the reported cases the owner’s home directory is wiped instead.

Apple has yet to comment on this bug and so far the only fix is to restore the information from backup.

Until this issue is addressed and resolved, the only workaround is to disable the guest account in system preferences.

If anyone is brave enough to try this out, post back and let us all know the outcome.

12 October, 2009 at 20:31 by safety

Tags: Error, Mac, OS X
Posted in Mac OS X | No Comments »

10 Oct 2009

Flash Cookies and What You Don’t Know

If you have been browsing the internet for any period of time, I’m sure you have heard of cookies. Even though you may not be entirely sure what they do, you certainly know how to delete them. Right?

Cookies are files websites save on your computer that contain information about you. There are several legitimate purposes for these files such as remembering your login information so you don’t have to sign in every time you visit a site, keeping up with cart information as you shop online and in some cases online security such as banking sites.

With the good also comes the bad. A quick search on Google for tracking cookies will return page after page of articles on this topic. A tracking cookie will monitor your movement around the internet and will phone home to let its authors know what you are doing online. With this information they will tailor their advertising on affiliate sites so that you only get ads for what they believe interests you, or they will sell this information to other advertisers.

“So what’s the big deal? My browser is set up to delete cookies at regular intervals and I don’t allow them from third party sites.”

Well here is a little fact that you may not know. The same technology that powers streaming video, online games, and animated movies has the ability to set cookies of its own. The technology I am referring to is the Flash plugin, currently developed by Adobe. These “special” cookies, known as Local Shared Objects (.sol files), are not created or treated the same way as the cookies that we have all come to know and love: they live in the Flash Player’s own storage rather than the browser’s cookie jar. In fact your browser has, on its own, no control over these cookies at all.

To illustrate this point, clear your browser cookies and then take a look in the following location(s):

  • Windows: Under your current user’s Application Data directory, click on Macromedia\Flash Player\#SharedObjects and Macromedia\Flash Player\macromedia.com\support\flashplayer\sys.
  • Mac OS X: ~/Library/Preferences/Macromedia/Flash Player/#SharedObjects/[package ID of your app]/ and ~/Library/Preferences/Macromedia/Flash Player/macromedia.com/support/flashplayer/sys/
  • GNU-Linux: ~/.macromedia

Using your browser to clear cookies had no effect whatsoever on the Flash cookies, which means that your activity can still be tracked as you surf the net. What’s more, a site can use a Flash cookie to re-create the normal cookies that your browser just deleted.

“So what can I do about these cookies? You said earlier that my browser on its own could not delete these cookies, what does that mean?”

A developer going by the name of NettiCat has developed an addon for Firefox called Better Privacy that will do the dirty work for you. This addon allows you to clear these cookies when you open or close your browser, at regular intervals, or manually.

Now feel free to go trash those stale cookies and be on the lookout for them popping up again.

10 October, 2009 at 20:48 by safety

Tags: Flash, Flash Cookies, Linux, Mac, Privacy, Windows, XP
Posted in Computer Security, Linux, Mac OS X, Privacy, Windows | 4 Comments »
