Archive for August, 2007

Both the Java Evil Popups and the more recent SQL Injection Toy posts have been followed by kind requests to see the code.

Furthermore, I routinely receive inquiries about the source code of my most known Firefox extensions (NoScript and FlashGot), sometimes from people graciously accusing me of infringing the GPL which covers both.

I believe the time has come to make them all happy, but...


True hackers won't read further, because the info above is more than enough to obtain all the mentioned source code in a few seconds ;)

SQL Injection Toy

No, this title is not about the United Nations web site.

Their hole is still gaping, by the way, no matter what the U.N. staffers have said so far.
As you may recall, I did offer a little free help to fix their bugs (13 AUG), but I have not been contacted back, notwithstanding some public flattery.
At any rate, since the 5 days of "grace time" granted to them under the RFPolicy have more than expired (10 days now), you may want to stay tuned for a report about their vulnerabilities -- and, more interestingly, about the worrying ways they pretend (or, worse, believe?) to have fixed them -- as soon as I find a few minutes for this.

In the meantime, the real reason behind this post: I'm releasing a free web-based tool to help those experimenting with and studying SQL injection, called SQL Injection Toy (or just SQL IT).

Even if simple, it exhibits some interesting properties:

Today RSnake revealed a cross site scripting vulnerability affecting Google Gadgets in the domain.
This XSS hole allows anybody to store his/her own web content, including JavaScript code, anywhere, and to have it rendered and executed in the context of the domain, with no further validation of any sort.
RSnake responsibly reported his finding to Google before resorting to public disclosure, but the G guys answered that this behavior is "by design" and won't be fixed.

What does it mean?

U.N.Patched

I've been attaching some updates to my United Nations VS SQL Injections article, but this story deserves another clarification post, now.

A few hours ago I was contacted by Ronda Hauben (Telepolis/OMNI), asking if I had any news about the vulnerability and how the agency was handling it.
I answered her just as I answered the inquiry I received from Anne Broache (CNET/ yesterday:

I can confirm the vulnerability is still there.
The U.N. staff just deployed a cosmetic patch to hide the bug from the most obvious tests, but this measure cannot prevent an attack.
I reported this problem to U.N. on Monday morning (8.06 AM UTC), offering cooperation to evaluate and fix it under the provisions of the RFPolicy.

They have not come back to communicate with me yet, but on the other hand the aforementioned policy grants them 5 days to do it.
As I said, the site is still vulnerable, but I won't disclose any other technical detail until this "grace time" has expired.

Shortly after I sent Ronda my reply (around 22.00 UTC), I was about to go to bed when I decided to check again...
To my surprise, all my U.N. bookmarks landed on 404 (not found) pages, and when I tried the home page itself I was welcomed by this message:

Defaced UN Web Site

The United Nations web site [1] has been defaced this morning. (screenshot)

The speeches of the Secretary-General Ban Ki-Moon [2] have been replaced with the following lines:

Hacked By kerem125 M0sted and Gsy
That is CyberProtest Hey Ýsrail and Usa
dont kill children and other people
Peace for ever
No war

While most of us may agree with the message, many will object to the spelling, and specifically to the "dont" used instead of "don't".
There's a technical reason for the missing apostrophe, though: messing with this very character (') is part of the technique apparently used by the attackers.
