Marcin and Tyler just started a new website, which is kind of fun: sslfail.com (wall of shame of SSL certificates?)

So now, Google & co, fix your certificates :P

A morning, I woke up, and all the websites using a download system didn't work anymore. Yeah this is what I've seen. I guess I don't need to tell you that it was such a pain and that all the downloading systems on the different websites we have were not working anymore.

Such a big stress thinking that everything is broken at first, then after some time, realized that the problem is about the Content-Disposition header field which is dropped.

I wouldn't say that I would like to thank the admin that do no tell people about the modification... Anyway, I guess this is every time like that?

The Content-Disposition HTTP header field is used to explain to the browser how the data are presented. I basically use it in order to force a download system using such php script:

<?php
  // download.php
  // some checks on the $fname, variable to be sure
  // it exists and is in the allowed directories...
  header("Pragma: public");
  header("Expires: 0");
  header("Cache-Control: must-revalidate, pre-check=0");
  header("Content-Type: application/octet-stream");
  header("Content-Length: " . filesize($fname));
  header("Content-Disposition: attachment; filename=".basename($fname));
  header("Content-Description: File Transfer");
  @readfile($fname);
  exit;
?>

Now, if you cannot submit the Content-Disposition field, then the browser will download the file called "download.php". A quite simple solution, is to fool the browser by making the name of the reachable URI the same as the file it should download, using Mod_Rewrite.

RewriteEngine On
RewriteBase /mydir
RewriteRule   ^download/([^/]+)$ /mydir/download.php?file_redir=$1

And just a simple modification in the original script in order to detect the "file" GET variable. But since we don't want to modify all the (generated or not) HTML files, we need to make the redirection automatically.

<?php
// download.php
// some checks on the $fname, variable to be sure
// it exists and is in the allowed directories...
if (isset($_GET['file_redir'])) {
  $fname = $_GET['file_redir'];
  // checks for good files (careful of directory traversal etc.)
  header("Pragma: public");
  header("Expires: 0");
  header("Cache-Control: must-revalidate, pre-check=0");
  header("Content-Type: application/octet-stream");
  header("Content-Length: " . filesize($fname));
  header("Content-Description: File Transfer");
  @readfile($fname);
  exit;
}
else {
  header("Location: /mydir/download/$fname");
  exit;
}
?>

Then you don't have to change all your pages. This is of course a (not so?) temporary solution since the server will do extra work in order to go to the same state, the download of the file, but well, it does the job to fool the browser...

Sometimes I really don't understand developers.

Why the heck a table name such as a<script>foo(42)`cool could ever be allowed? What's the point of that? I know I am almost clueless with SQL but... what's the reason here? If someone has some idea, I would love to hear them!

Since yesterday, I'm working on a data-flow problem. I need to model a function and I should do all the data-flow process. Well, that's kinda long if I have to do that on all functions and especially I will never use much of the information I would generate by analyzing the tree associated to the function (local variables etc.). So what the point of doing that? None.

I was stuck at this point, didn't find a good way to model a function (entry parameters, global calls etc.) so I thought of reasoning as a crystal ball. I can see what it is, but it's kinda blurry :) I am now modeling a function as inputs and outputs, only in terms of functions and global variables interaction. By this, I should be able to see the possible interaction of the given function on the system. Hope it's gonna work well!

FROM THE DESK OF DR AZIZAN COKER BILL AND EXCHANGE MANAGER, BANK OF AFRICA, OUAGADOUGOU BUKINA-FASO.

PLANE CRASH WEB SITE...http://news.bbc.co.uk/1/hi/world/europe/859479.stm

("REMITTANCE OF $25.8 MILLION U.S.A DOLLARS (CONFIDENTIAL IS THE CASE")

Compliment Of The Day,

I am Dr Azizan Coker from burkina faso.I want to seek your assistance after my discovery during auditing in my bank as am the manager of Bill and Exchange at the Foriegn Remittance Department of BANK OF AFRICA,(B.O.A.) In my department we discovered an abandoned sum of USD$25.8million US dollars in an account that belongs to one of our foreign customers who died along with his entire family in plane Crashes 2000,

Since his death, we have been expecting his next of Kin to come over and claim his money because we can not release it unless somebody applies for it as next of Kin or relation to the deceased as indicated in our banking and financial policies but unfortunately all the efforts proved abortive.

IT is therefore upon this discovery that I decided as the head of my department to make this business proposal to you and release the money to you as the next of kin or relation to the deceased for safety and subsequent disbursement since nobody is coming for it and we don't want this money to go into the Bank treasury as unclaimed bills. Do not view this as been illegal but an opportunity for us to help enrich our hope in life instead of the bank converting this much money to the security funds.You should not nurse any atom of fear as all required arrangements have been made for the smooth transfer of this funds and your acceptance is what will crown this effort.

We will conclude this operation within 14 banking days based on the amount of coperation you will contribute.

Thank you for your understanding as i await your urgent response to enable me give you more details don't forget to give me those informations below to enable me know you very well before we can go ahead in this business,

Your International passport or ID card............ Your private telephone number........................ Your profession................................................ Your age........................................................... Your country....................................................

Your’s faithfully Dr Azizan Coker

POST SCRITUM:You have to keep everything secret as to enable the transfer to move very smoothly in to the account you will prove to the bank.

You are not an expert in CSS ? Neither I am, I often get some trouble with IE/Opera/FF compatibility...
Whatever, you can find here some 53 cool techniques to create nice CSS.

For a study I'm looking for some "famous" OpenSource web application in PHP.
The two first I have selected are two CMS:

• Dupral
• Joomla!

I also need to select some well known application, I can think of twatch, phpmyvisites etc. but I really have to make my mind of any restriction on the application I need to "test".

This afternoon I went to wikipedia and saw a SVG file. Then, I was thinking.: SVG... XML... Some minutes later, after a quick look at the spec. and especially the "Scripting" part, I had a SVG file with a XSS attack inside. Then I started to look at websites and advanced webmails for inserting my file.

Damned, I came something like one year too late... Wikipedia still does not allow to upload SVG files, Gmail does not open it hotmail itoo, and actually this thing is well known. Actually I've never seen any attack with some SVG files inside. Okay, before Firefox 2.0 (and the next browsers) there was only external plugins for reading these files, It may change now. I'll keep on trying to do some things with my file!

Okay, all this SVG things are not new, but I'm a nioob in web security, at least it's new for me ;)

• Add the different encodings attack based in Grabber
• Write a tutorial on File Inclusion attacks for the test suite application
• Release version of Grabber that are not "developer version" but really usable