Discovered CSRF with AJAX, phpBB and Private Messaging…

A few months ago I was asked whether it was possible to forge private messages on a web forum. I said yes, of course, and explained to the mortals how it could theoretically be done with AJAX (or similar). But it's not guaranteed to work, since AJAX depends on the browser's security and on the code running on the site. In my mind it should not be a problem, however, as long as the browser doesn't leave the domain, or the communication is handled by two trusted sites.

To see if my theory really worked, I decided to test it. I chose an older version of phpBB, since this actually was a bug there (and probably still is for a lot of websites out there), fixed in newer releases, and phpBB is a forum that is easy both to install and to use. It's also free, and used by many. Continue below…


XSS at IMVU – Still unprotected

At the end of March 2007, the IMVU team announced a flaw in their system that made it possible to hijack other users' accounts with simple XSS injections. Of course, the people behind those attacks were stupidly exposed, since the hijackers were sending large amounts of credits to themselves. The XSS was stopped by simply disabling all JavaScript/HTML coding temporarily until the issue was solved.

The issue was solved. Almost. One problem seems to be that the IMVU team missed the natural way of evading such fixes. With a small change in a script that makes it possible to hijack accounts, the issue is still reachable by whoever finds out how to do this. Allowing users to enter their own HTML code on any website will always open doors to new hacking threats. The best solution against such things is to really consider disabling this completely (or disabling JavaScript in the web browser). But then IMVU would probably not be as "fun" as its users think it is now…

There are also two threads on the IMVU forum that might be interesting to refer to on this subject.

The first thread is probably the first sign of where people started to discover that something was wrong.
The second thread is where IMVU disabled scripting, and where they were supposed to fix this issue.

API module structure `php5_module' in file is garbled

Upgrade Apache 2.0.x to Apache 2.2.x together with PHP 5.2.x 

Step-by-step for complete idiots

There might be other ways to do a proper clean installation of Apache (well, an upgrade in my case), but this worked well for me.

I've been running Apache 2.0 with PHP 5.2 for a while now, and recently I decided to upgrade the server to Apache 2.2, since 2.0 is getting old. The problem was that the compilation didn't work out properly, and every time I tried to upgrade I got this stinking error message:

API module structure `php5_module' in file is garbled

I was of course very frustrated and nothing helped. When I googled the problem I saw that more people had the same problem, and everybody promised gold if you just did this or that. If there were any instructions or HOWTOs for this problem, the information wasn't enough to solve anything. People also said "install from a fresh source", which I also did. That didn't work either, of course.

Here’s the part that I missed because of the lack of documentation!

What I forgot, due to my own frustration, was that "from a fresh source" also meant "install TO a fresh destination". I wasn't thinking that way at all, so when I tried to reinstall the software, I used my old destination. I thought overwriting the old libraries should fix the problem anyway. But of course it didn't. Why?

Well. One of the reasons was that I didn't understand more than the instructions I was reading on the internet. I never thought about going one step further and THINKING!

When I was making the new version of Apache, the build still used the old apxs binary for Apache 2.0, and that is actually what people mean by "fresh source". So do NOT compile into your old location without cleaning that place up, especially the apxs part! Of course I could have chosen to install pre-compiled packages from various distributions, or the packages from Apache Friends, but realizing that I would probably get other crap installed alongside Apache too made me avoid those packages completely without even looking. I like to personalize my system, and I will do that as long as I can. This will probably cause more hair loss, but my system is at least still mine!

This is how I solved the problem without shutting anything down for my users. The solution might be very specific to me, since my web server is somewhat dependent on where all the files are stored today. No packages or cleanup would help me out here. Besides, if something goes wrong, the server may be gone for hours.

The following system is used:

Current Apache version: 2.0.59
Going to: 2.2.4
Current PHP version: 5.2.0
Going to: 5.2.2

Before I was using Apache 2.x I was (of course) using Apache 1.x, so the current path configuration is /usr/local/apache2.
Also note that the use of APR may differ a bit depending on where you have it installed.

> tar jxf httpd-2.2.4.tar.bz2
> tar jxf php-5.2.2.tar.bz2
> cd httpd-2.2.4
> ./configure --prefix=/usr/local/apache2.2 --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr
> make && make install
> cd ../php-5.2.2
> ./configure --with-apxs2=/usr/local/apache2.2/bin/apxs --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr
> make && make install

(The PHP configure line with --with-apxs2 pointing at the new apxs may be the golden key to success!)

Now, so far, so good. Running Apache from the newly installed directory should work properly. At this point I have to go back to my Apache configuration. Since I have more things to compile for the web server, I now run my full configuration… When I check the modules directory in the new installation, I also see that the PHP module is included. This means that it really went well through the first step.

> cd ../httpd-2.2.4
> # — run full configure here with above settings —
> make && make install

Now… if everything's OK, httpd should still start properly… And actually, it does!

root@predator:/usr/local/apache2.2/bin# ./httpd
(98)Address already in use: make_sock: could not bind to address [::]:80
(98)Address already in use: make_sock: could not bind to address
no listening sockets available, shutting down

But since the old web server is still running, nothing more than this happens. That's OK with me, as long as the new compilation isn't garbled!

The next step is to move all configuration to the new place. So I'm just lifting my conf dir over to the new Apache directory. To be sure not to ruin anything, I'm not moving anything, just copying… Now, it is very important to change your configuration to the right directory, since it is now reading from the old one. But instead of doing this, all I do is rename the old directory and replace it with the new one…

shell> mv apache2 apache2.0
shell> mv apache2.2 apache2

Now there's a new problem. The new Apache directory was pointed to apache2.2, and that directory doesn't exist anymore. I'm not pleased here, so to make everything look like before I now run configure for Apache one more time. This time I'm using the old prefix again (--prefix=/usr/local/apache2), but this time I also do a cleanup just to make sure that everything changes the way I want. You should also do the same for PHP 5.2.2; start with PHP (otherwise you might lose something important and nothing would work well)!

> make clean && make && make install…

And meanwhile my old server runs like nothing has happened…

If everything went OK all the way down here, the only thing you have to do now is restart your Apache server… Weiha!
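As an added example (not from the original post, and not Apache's or PHP's own code), here is a small POSIX shell pre-flight script covering the two places this procedure can go wrong: the --with-apxs2 step (is the apxs you point at really the 2.2 one?) and the directory-rename step (does the binary in /usr/local/apache2 still believe its root is /usr/local/apache2.2?). It relies on two standard options, `apxs -q INCLUDEDIR` and `httpd -V`; the cookie values are the MODULE_MAGIC_COOKIE constants from each httpd branch's include/ap_mmn.h, which is what mod_so compares when it reports the module structure as garbled. The demo input at the bottom is constructed, so the script runs without httpd installed.

```shell
#!/bin/sh
# Added example, not code from the original post: two pre-flight checks for
# the Apache 2.0 -> 2.2 upgrade, so the mismatch is caught before "make install"
# instead of from mod_so's "API module structure ... is garbled" error.
#
# 1. The apxs handed to PHP's --with-apxs2 must belong to the httpd you are
#    targeting. mod_so rejects a DSO whose module struct carries a different
#    MODULE_MAGIC_COOKIE than the running server, and that cookie comes from
#    the ap_mmn.h in apxs's include directory at build time.
# 2. After renaming the install directory, the httpd binary still carries the
#    prefix it was configured with (visible as HTTPD_ROOT in `httpd -V`), which
#    is why configure has to be re-run with the old prefix.
#
# Assumptions: `apxs -q INCLUDEDIR` and `httpd -V` are standard options; the
# cookie values below are the ones from each branch's include/ap_mmn.h.

# Expected MODULE_MAGIC_COOKIE (hex) for a given httpd branch.
cookie_for_version() {
    case "$1" in
        2.0) echo 41503230 ;;   # "AP20"
        2.2) echo 41503232 ;;   # "AP22"
        2.4) echo 41503234 ;;   # "AP24"
        *)   return 1 ;;
    esac
}

# Pull the cookie out of an ap_mmn.h
# (the line looks like: #define MODULE_MAGIC_COOKIE 0x41503232UL /* "AP22" */).
cookie_in_header() {
    sed -n 's/^#define[[:space:]][[:space:]]*MODULE_MAGIC_COOKIE[[:space:]][[:space:]]*0x\([0-9A-Fa-f]*\)UL.*/\1/p' "$1"
}

# Compare a header's cookie with the target branch. Returns 0 on match.
check_header_target() {
    header="$1"; target="$2"
    want=$(cookie_for_version "$target") || { echo "unknown target $target"; return 1; }
    have=$(cookie_in_header "$header")
    if [ "$have" = "$want" ]; then
        echo "OK: $header is Apache $target (cookie 0x$have)"
        return 0
    fi
    echo "MISMATCH: $header has cookie 0x${have:-none}, Apache $target needs 0x$want"
    return 1
}

# Resolve the header from an apxs script and run the check.
# Usage: check_apxs_target /usr/local/apache2.2/bin/apxs 2.2
check_apxs_target() {
    incdir=$("$1" -q INCLUDEDIR) || { echo "cannot query $1"; return 1; }
    check_header_target "$incdir/ap_mmn.h" "$2"
}

# Extract the compiled-in HTTPD_ROOT from `httpd -V` output fed on stdin.
httpd_root_from_v() {
    sed -n 's/^ *-D HTTPD_ROOT="\(.*\)".*/\1/p'
}

# Does the binary at $1/bin/httpd still believe its root is $1?
# Usage: check_httpd_root /usr/local/apache2
check_httpd_root() {
    root=$("$1/bin/httpd" -V | httpd_root_from_v)
    if [ "$root" = "$1" ]; then
        echo "OK: HTTPD_ROOT is $root"; return 0
    fi
    echo "MISMATCH: binary in $1 was configured with --prefix=$root; re-run configure"
    return 1
}

# Offline demo on constructed input: a 2.0 header (the one PHP was accidentally
# built against) checked for a 2.2 target, and -V output from a binary that was
# renamed from apache2.2 to apache2.
demo() {
    tmp=$(mktemp -d)
    printf '#define MODULE_MAGIC_COOKIE 0x41503230UL /* "AP20" */\n' > "$tmp/ap_mmn.h"
    check_header_target "$tmp/ap_mmn.h" 2.2 || true      # prints MISMATCH
    printf ' -D HTTPD_ROOT="/usr/local/apache2.2"\n' | httpd_root_from_v
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run `sh check_apache.sh --demo` to see the constructed mismatch, or source the file and call `check_apxs_target /usr/local/apache2.2/bin/apxs 2.2` before PHP's configure and `check_httpd_root /usr/local/apache2` after the rename; a non-zero exit from either is the signal to clean up and re-run configure rather than to install.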

Thanks to Dan Anderson for the very informative description of this, which pushed my thinking a little bit further!

This is a repost from this forum

The psychopath's musical world

Have you ever thought about how much underlying psychopathy there could actually be in certain song lyrics, how many double messages they contain if you read them a little more carefully? They are often about unhappy love, or love based on the words "I want you", and as society changes you can actually make new interpretations of the lyrics. This is especially true of dansband music… Just look: "Who is trying to catch your eye tonight, who is trying to follow every step you take?
Who is it you give your hand to, and who gets to follow you home?" Yada, yada.

Here we are talking about classic jealousy. The psychopath has spotted a girl he has started following, from the bar. The lyrics feel aggressive, and if he met her these are exactly the questions he would ask her. That assumes, though, that he can first tie her up with something, in a shed far out in the woods, so that he can find out what he wants to know undisturbed. With pliers, of course.

I want to be yours, Margareta
Just be yours, you should know.
Standing there at your door, in love like never before
But I don't dare to call.
My pulse is burning so hot,
do you feel like I do, Margareta.
The looks you gave, did you give them as an answer or not?

Here we have a discreet psychopath who, from a distance and by means of binoculars, has spotted Margareta. He sits alone at home in the evenings and explains what he feels for her in this chorus. That he doesn't dare to call is, for example, because he doesn't know her, and so it would most likely cause more problems for him than good. The looks he got were at ICA last week, at least he thought so. But in reality it was only because she was at the checkout. The question form in the chorus suggests that something is off with the guy, and sometimes he stands outside her door, which is absolutely not good since he doesn't know her….

Patrik Isaksson sings like this…

With you I am strong
With you I am wonderful
With you I have everything
There I dare to stay
When you don't see
When you don't touch me
Could you have found someone else
Tell me now how you see me
I wonder if you
Have the strength to leave
Does it weigh against staying
Dare to build on something new
I wonder if you
Have been able to give and been able to take
Been able to open up like I have
Dared to be here and now
For all I demand is an answer

This text doesn't have quite as strong psychotic traits as the ones above. It has youthful elements, and it's probably a 15-year-old who really just lacks a bit of common sense. All he demands is an answer, though, and that's exactly how it usually sounds when you're desperate. The girl doesn't see him and he wonders if she has found someone else. That's fairly likely, since once again these two don't know each other. Alternatively, the slightly darker version of this text is based on the last lines, where he starts singing about daring to stay. Is he holding her captive? Does she have the strength to leave? Well, that depends of course on how tight the ropes are….

Well well…

But maybe I've just watched too many horror movies?