Friday, June 14, 2013

Cloud file-sharing vulnerability

Picture this scenario: A "cloud" filesharing service, backed by some well-known investors and in the business for a few years, provides a service that allows clients to share files and folders with others.

UserA sends a folder to UserB with no password security (default setting). The link arrives in an email as:

https://companyXYZ.unknown-filesharing-company.com/asdf.php?folderName=20130201&fileName=asdfasdf222

UserB visits the link. The parameters for the POST following the GET for that link look like:

POST /publicPage.json HTTP/1.1
start=0&limit=1000&sort=f_name&dir=ASC&pubFolderPath=%2FShared%2FDocuments%2FSharedFolderName&userId=43211234&entryId=12ab34cd….&xsrfToken=321cba…

In a proxy, UserB changes the 'pubFolderPath=' value to '%2FPrivate' (or just %2F for a listing of the user's root directory).

UserB can now view and traverse all folders that UserA has access to (Shared and Private) without ever logging in. If UserA is an admin, UserB can now access *every* subdirectory for the given domain and files contained inside, including the data in all other users' private directories.
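The root cause here is that the listing endpoint trusts the client-supplied pubFolderPath instead of deriving the allowed subtree from the share record itself. The Python below is an added illustration, not code from the file-sharing company: the folder tree, the share table keyed by entryId, and the two request bodies are all constructed, and the field names simply mirror the POST shown above. It puts the trusting handler next to a hardened one that normalizes the requested path and only serves it when it is the shared folder or something beneath it.

```python
import posixpath
from typing import Dict, List, Optional
from urllib.parse import parse_qs

# Constructed sample data (not from the post): one tenant's folder tree and the
# public-share table that maps an entryId to the one folder UserA actually shared.
FOLDER_TREE: Dict[str, List[str]] = {
    "/": ["Shared", "Private"],
    "/Shared": ["Documents"],
    "/Shared/Documents": ["SharedFolderName"],
    "/Shared/Documents/SharedFolderName": ["quarterly-report.pdf"],
    "/Private": ["payroll.xlsx", "hr-notes.txt"],
}
PUBLIC_SHARES = {
    "12ab34cd": {"userId": "43211234", "root": "/Shared/Documents/SharedFolderName"},
}

# Constructed request bodies in the shape of the /publicPage.json POST: the one
# the emailed link produces, and the same body with pubFolderPath changed.
BODY_FROM_LINK = ("start=0&limit=1000&sort=f_name&dir=ASC"
                  "&pubFolderPath=%2FShared%2FDocuments%2FSharedFolderName"
                  "&userId=43211234&entryId=12ab34cd")
BODY_TAMPERED = BODY_FROM_LINK.replace(
    "%2FShared%2FDocuments%2FSharedFolderName", "%2FPrivate")


def list_folder_vulnerable(entry_id: str, pub_folder_path: str) -> Optional[List[str]]:
    """The pattern the post describes: the share is looked up only to confirm the
    link exists; the listing then trusts whatever pubFolderPath the client sent."""
    if entry_id not in PUBLIC_SHARES:
        return None
    return FOLDER_TREE.get(posixpath.normpath("/" + pub_folder_path.lstrip("/")))


def authorized_path(entry_id: str, pub_folder_path: str) -> Optional[str]:
    """Normalize the requested path and accept it only if it is the shared folder
    itself or lies beneath it. Everything else, including the root and /Private,
    is refused regardless of the userId the client claims."""
    share = PUBLIC_SHARES.get(entry_id)
    if share is None:
        return None
    root = share["root"]
    # normpath collapses "..", "//" and trailing slashes first, so the prefix
    # test below cannot be escaped with ".." segments or doubled separators.
    requested = posixpath.normpath("/" + pub_folder_path.lstrip("/"))
    if requested == root or requested.startswith(root + "/"):
        return requested
    return None


def list_folder_hardened(entry_id: str, pub_folder_path: str) -> Optional[List[str]]:
    """Same listing, gated on the share's own root rather than the client's path."""
    path = authorized_path(entry_id, pub_folder_path)
    return None if path is None else FOLDER_TREE.get(path)


def handle_public_page(body: str, hardened: bool = True) -> Optional[List[str]]:
    """Parse a /publicPage.json form body and serve the folder listing.
    parse_qs already URL-decodes, so %2FPrivate arrives here as /Private."""
    form = parse_qs(body)
    entry_id = form.get("entryId", [""])[0]
    folder = form.get("pubFolderPath", [""])[0]
    lister = list_folder_hardened if hardened else list_folder_vulnerable
    return lister(entry_id, folder)


if __name__ == "__main__":
    print("link as sent  :", handle_public_page(BODY_FROM_LINK))
    print("tampered, old :", handle_public_page(BODY_TAMPERED, hardened=False))
    print("tampered, new :", handle_public_page(BODY_TAMPERED))
```

The point of `authorized_path` is that the authorization decision comes from the server-side share record, never from the path or userId in the request; the normalization step is what keeps the prefix check honest against `..` and repeated separators.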

A simple Google dork digs up many similar "companyXYZ" links for other subdomains.

While the company name is fake, the scenario was very real and jeopardized client data that was entrusted to be secure.


Once reported to unknown-filesharing-company, the problem was addressed in a serious manner and a fix was rolled out later that same day. They were sure to mention that they use the services of a "3rd party penetration testing company" to keep their application secure, but as chance would have it, this public-facing piece of the app was not being tested because it was a new feature…a new feature that had been out in the wild for months.

Sunday, September 23, 2012

login.secureserver.net (GoDaddy webmail) XSS - fixed

A few weeks back, I notified Godaddy.com support about an XSS vulnerability on their webmail login page, login.secureserver.net. Turns out secureserver.net wasn't as secure as they had hoped it would be. The underlying problem was that they were allowing arbitrary parameters to be passed without sanitizing the input. They've since fixed it to HTML escape the characters in the params.
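The fix the post describes, HTML-escaping reflected parameters, is shown below as an added Python example; it is not GoDaddy's code and the login form, parameter name and probe string are constructed. It puts a page that reflects a parameter verbatim next to the escaped version, and the comment on the fixed version notes the attribute-context caveat: when a value lands inside a quoted attribute, quotes have to be escaped too, not just `<`, `>` and `&`.

```python
import html
from urllib.parse import parse_qs, quote

# Constructed probe (not from the post): harmless markup that would close the
# attribute and inject a <b> tag if it were reflected without escaping.
PROBE = '"><b>probe</b>'
SAMPLE_QUERY = "email=" + quote(PROBE, safe="")


def _params(query: str) -> dict:
    """First value of each query parameter, percent-decoded by parse_qs."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def render_login_vulnerable(query: str) -> str:
    """Reflects the parameter into the markup verbatim: the flaw class the post describes."""
    email = _params(query).get("email", "")
    return f'<input name="email" value="{email}">'


def render_login_fixed(query: str) -> str:
    """Same page with the reflected value HTML-escaped for its context.
    quote=True also converts " and ' to entities, which is what keeps a value
    from breaking out of an attribute; escaping only <, > and & is not enough there."""
    email = html.escape(_params(query).get("email", ""), quote=True)
    return f'<input name="email" value="{email}">'


def reflected_verbatim(render, query: str, probe: str) -> bool:
    """Regression check: True if the raw probe survives into the rendered page."""
    return probe in render(query)


if __name__ == "__main__":
    print(render_login_vulnerable(SAMPLE_QUERY))
    print(render_login_fixed(SAMPLE_QUERY))
```

`reflected_verbatim` is the kind of check worth keeping in a test suite for every page that echoes request data, since a new parameter added later is exactly how an escaped page regresses.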

To give credit where credit is due, I found out not long ago that http://xss.cx found the bug a few days before I did and did a better job at reporting it. They also found more bugs around this time last year.

http://xss.cx/2012/08/08/ghdb/xss-cross-site-scripting-cwe79-capec86-javascript-injection-rest-url-parameter-example-poc-report-godaddycom.html

And before that...

http://xss.cx/2011/09/16/ghdb/dork-xss-reflected-cross-site-scripting-cwe79-capec86-javascript-injection-insecure-configuration-weak-programming-http-cookie-without-secure-flag-set-injection-example-poc-report-01.html#2.12

Screenshots of my POC bugs below. Pity that I couldn't get it to work on a WebKit-based browser ;(



Tuesday, August 7, 2012

What happened when I deleted standalone/tmp/vfs/

So I was trying to clear up some disk space on one of our Liferay servers and deleted the temporary deployment files under /apps/liferay/jboss-7.0.2/standalone/tmp/vfs/. After I rm -rf'ed the crap out of that directory and started the server back up I saw that it did not want to start. Great, it's the end of the day and I've just downed a box. YAY.

boot.log spits out:

20:14:24,985 ERROR [stderr] Exception in thread "Controller Boot Thread" java.lang.RuntimeException: org.jboss.as.controller.persistence.ConfigurationPersistenceException: Failed to parse configuration
20:14:24,985 ERROR [stderr] at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:89)
20:14:24,986 ERROR [stderr] at java.lang.Thread.run(Thread.java:722)
20:14:24,987 ERROR [stderr] Caused by: org.jboss.as.controller.persistence.ConfigurationPersistenceException: Failed to parse configuration
20:14:24,987 ERROR [stderr] at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:115)
20:14:24,987 ERROR [stderr] at org.jboss.as.controller.AbstractControllerService.boot(AbstractControllerService.java:104)
20:14:24,988 ERROR [stderr] at org.jboss.as.server.ServerService.boot(ServerService.java:195)
20:14:24,988 ERROR [stderr] at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:83)
20:14:24,989 ERROR [stderr] ... 1 more
20:14:24,990 ERROR [stderr] Caused by: com.ctc.wstx.exc.WstxEOFException: Unexpected EOF in prolog
20:14:24,990 ERROR [stderr]  at [row,col {unknown-source}]: [1,0]
20:14:24,991 ERROR [stderr] at com.ctc.wstx.sr.StreamScanner.throwUnexpectedEOF(StreamScanner.java:677)
20:14:24,991 ERROR [stderr] at com.ctc.wstx.sr.BasicStreamReader.handleEOF(BasicStreamReader.java:2104)
20:14:24,991 ERROR [stderr] at com.ctc.wstx.sr.BasicStreamReader.nextFromProlog(BasicStreamReader.java:2010)
20:14:24,992 ERROR [stderr] at com.ctc.wstx.sr.BasicStreamReader.next(BasicStreamReader.java:1102)
20:14:25,003 ERROR [stderr] at com.ctc.wstx.sr.BasicStreamReader.nextTag(BasicStreamReader.java:1125)
20:14:25,003 ERROR [stderr] at org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:57)
20:14:25,004 ERROR [stderr] at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:107)
20:14:25,004 ERROR [stderr] ... 4 more

Since the first line is complaining about the configuration, I figured I'd take a look at standalone.xml. Wait a sec, why is it blank? Mystery solved.

Copied the latest backup config back to its rightful location and started it up.

cp /apps/liferay/jboss-7.0.2/standalone/configuration/standalone_xml_history/<year-month-date-timestamp>/standalone.last.xml /apps/liferay/jboss-7.0.2/standalone/configuration/standalone.xml 

Success. If I can consistently reproduce this, it may be worthwhile to file a bug report.
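The manual recovery above (notice the blank standalone.xml, copy the newest standalone.last.xml out of standalone_xml_history) is easy to script defensively, so the server never tries to boot on an empty config. The Python below is an added example, not part of the post or of JBoss: it treats a missing, zero-byte or non-parsing standalone.xml as broken (a zero-byte file is what the Woodstox "Unexpected EOF in prolog" at [1,0] in the boot log corresponds to), sets it aside, and copies in the newest history snapshot that itself parses. The directory layout and timestamp names in `demo()` are constructed in a temp dir.

```python
import shutil
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Optional, Tuple


def config_is_broken(config: Path) -> bool:
    """True when standalone.xml is missing, empty, or not well-formed XML.
    A zero-byte file is what the boot log's 'Unexpected EOF in prolog' at [1,0] describes."""
    if not config.is_file() or config.stat().st_size == 0:
        return True
    try:
        ET.parse(config)
    except ET.ParseError:
        return True
    return False


def latest_history_copy(history_dir: Path) -> Optional[Path]:
    """Newest standalone.last.xml under standalone_xml_history/<timestamp>/.
    The timestamped directory names sort lexically in date order, so the last
    one is the most recent; a snapshot is only accepted if it itself parses."""
    snapshots = sorted(history_dir.glob("*/standalone.last.xml"))
    for snap in reversed(snapshots):
        if not config_is_broken(snap):
            return snap
    return None


def restore_config(configuration_dir: Path) -> Optional[Path]:
    """Do what the post did by hand, but only when the live config is actually
    broken: set the bad file aside and copy the newest good snapshot into place.
    Returns the snapshot used, or None when nothing needed restoring."""
    config = configuration_dir / "standalone.xml"
    if not config_is_broken(config):
        return None
    snapshot = latest_history_copy(configuration_dir / "standalone_xml_history")
    if snapshot is None:
        return None
    if config.exists():
        shutil.move(str(config), str(config.with_name("standalone.xml.broken")))
    shutil.copy2(snapshot, config)
    return snapshot


def demo() -> Tuple[str, str, Optional[Path]]:
    """Constructed layout in a temp dir (not a real JBoss install): a blank
    standalone.xml plus two history snapshots with constructed timestamp names."""
    with tempfile.TemporaryDirectory() as tmp:
        conf = Path(tmp) / "configuration"
        hist = conf / "standalone_xml_history"
        for stamp, body in (("20120801-090000000", '<server name="old"/>'),
                            ("20120806-180000000", '<server name="latest"/>')):
            (hist / stamp).mkdir(parents=True)
            (hist / stamp / "standalone.last.xml").write_text(body)
        (conf / "standalone.xml").write_text("")   # the blank file from the post
        used = restore_config(conf)
        again = restore_config(conf)               # config now parses: no-op
        return (conf / "standalone.xml").read_text(), used.parent.name, again


if __name__ == "__main__":
    print(demo())
```

Run against a real install you would point `restore_config` at the configuration directory from the post (/apps/liferay/jboss-7.0.2/standalone/configuration); the broken file is kept as standalone.xml.broken rather than deleted, so there is something to look at if you do want to file that bug report.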

Monday, August 6, 2012

MySQL command-line utilities on OSX

I was looking for mysql command-line utilities on my mac and couldn't seem to find them. Admittedly, I wasn't looking all that thoroughly. I had previously installed mysql-workbench from here - http://www.mysql.com/downloads/workbench/. I like the gui and everything, but it's nice to know what commands you're running when you do an export, import, show databases, etc. 

Anyway, if you're looking for the command-line utilities, cd here:

/Applications/MySQLWorkbench.app/Contents/Resources/

To help avoid repetitive stress and be more efficient (lazy), I created a couple of aliases.

alias mysql='/Applications/MySQLWorkbench.app/Contents/Resources/mysql'
alias mysqldump='/Applications/MySQLWorkbench.app/Contents/Resources/mysqldump'

Hope this helps.

Sunday, July 22, 2012

HTML 5 guitar tuner

I got tired of trying to use the gieson tuner since it's changed sounds over time. Also, wanted to do a little mini project involving HTML5. Check it out.