Saturday, August 10, 2013

Updated Echo360 download script.

UWA seems to have modified its Echo360 configuration again.  Here are some updated scripts to allow downloading the lectures easily:

Firefox extension
Chrome Extension

Installation instructions are still as per this post.

Some notes:
1. I have received a lot of requests from various people to try to make this extension work at universities other than UWA.  While I'm happy to try and help with this, please understand that the chances of getting things working are pretty slim, and I'm unlikely to be able to help you; different universities configure their servers differently.

2. This is my last semester at UWA, and I'll keep the extension working until the end of the year (subject to how much time I have). However, if UWA makes further changes next year, I will not be able to update things (since I'll no longer have access to echo).  At some point in the future, I'll put the extension code on github or something, and post a tutorial on how to modify it when UWA's changes break things (it's not hard at all).

Sunday, June 23, 2013

fofork 1.5.0 complete!

Version 1.5.0 of fofork is finally complete!  Major changes compared to 1.0 include:

Database
  • Database layer rewritten to use PDO, instead of the deprecated mysql extension.
  • Can now be run unmodified on either MySQL or PostgreSQL (instead of just MySQL).
  • Database performance significantly improved.

Security
  • Password hashing now uses bcrypt (with adjustable effort) instead of md5, to prevent brute-forcing hashes in the event of disclosure.
  • Improved random number generation to create cryptographically secure salts
  • Improved session handling
  • Logs are no longer encrypted using the database password

Usability and Features
  • New log viewer filters log entries on the client side, making it substantially faster
  • Various tweaks to navigation, flagging of long items, etc.
  • Improved installer, allows the user to back out of installation
Plus many more minor tweaks, bug fixes, and performance improvements.
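The bcrypt change above, as an added example that is not fofork's own code: hashing with an adjustable cost, verifying, and detecting stored hashes that need upgrading (the legacy unsalted md5 case). The login-time upgrade path at the end is my own illustration of how such a migration can be done, not a description of what fofork's upgrade script does. It assumes PHP 5.6 or later (password_hash() and hash_equals()); the cost constant, function names and the callback standing in for database access are mine.

```php
<?php
// Added example, not fofork's code. Assumes PHP >= 5.6 (password_hash family, hash_equals).

// Adjustable "effort": bcrypt work grows as 2^cost, so raising it by one
// doubles the time per guess for an attacker holding a leaked hash.
const BCRYPT_COST = 12;

function hashPassword($password, $cost = BCRYPT_COST)
{
    // password_hash() draws a fresh 128-bit salt from the OS CSPRNG for every
    // call, so no application-level salt generation is needed.
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
    if ($hash === false) {
        throw new RuntimeException('bcrypt hashing failed');
    }
    return $hash;
}

function verifyPassword($password, $storedHash)
{
    // Recomputes bcrypt with the salt and cost embedded in $storedHash and
    // compares in constant time.
    return password_verify($password, $storedHash);
}

function hashNeedsUpgrade($storedHash, $cost = BCRYPT_COST)
{
    // True for anything that is not a bcrypt hash at the current cost:
    // a legacy md5 string, or a bcrypt hash made with a lower cost setting.
    return password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Login-time upgrade: verify against whatever is stored and, if the record
// still holds a legacy md5 hash that matches, replace it with bcrypt.
// $storeHash is a constructed callback standing in for a database write.
function loginAndUpgrade($password, $storedHash, callable $storeHash)
{
    if (strlen($storedHash) === 32 && ctype_xdigit($storedHash)) {
        // Constructed assumption: a 32-hex-digit value is an old unsalted md5 hash.
        if (!hash_equals($storedHash, md5($password))) {
            return false;
        }
        $storeHash(hashPassword($password));
        return true;
    }
    if (!verifyPassword($password, $storedHash)) {
        return false;
    }
    if (hashNeedsUpgrade($storedHash)) {
        $storeHash(hashPassword($password));
    }
    return true;
}

// Demonstration with constructed data
$stored = md5('hunter2'); // what a legacy user row would hold
$upgraded = null;
assert(loginAndUpgrade('hunter2', $stored, function ($h) use (&$upgraded) { $upgraded = $h; }));
assert($upgraded !== null && strpos($upgraded, '$2y$12$') === 0);
assert(verifyPassword('hunter2', $upgraded) && !verifyPassword('hunter3', $upgraded));
assert(!hashNeedsUpgrade($upgraded) && hashNeedsUpgrade($stored));
```

The cost should be tuned so that one hash takes a noticeable fraction of a second on the server; password_needs_rehash() then lets you raise it later and have hashes upgraded transparently the next time each user logs in.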

The code is available on Github:
https://github.com/robisacommonusername/fofork.git
Or as an archive:
https://github.com/robisacommonusername/fofork/tarball/master

It is possible to upgrade a fofork 1.0.x or 1.1.y installation to version 1.5.z using the included upgrade script.  However, due to the changed password hashing algorithm, you will lose any created user accounts other than the admin account.  If this is a problem, then you can upgrade your installation to version 1.1.1 (the newest in the 1.1 branch).  This release corrects several minor security issues in the 1.1 branch, but is fully backwards compatible with version 1.0.  It is available at https://github.com/robisacommonusername/fofork/archive/v1.1.1.tar.gz

Future features to be included in version 1.6 include:
  • Allowing new users to register
  • An API
  • Upgrading SimplePie
Happy newsreading!

Tuesday, March 26, 2013

fofork is now available on github

I've finally got around to creating a github account, and am starting to move some of my projects there.

The development version of fofork is now available, at https://github.com/robisacommonusername/fofork.git

Wednesday, December 5, 2012

Symbolic Jury Table Calculator

A small Python program for performing the Jury stability test.  It is analogous to the Routh-Hurwitz program presented here, but for discrete rather than continuous time systems.  As with the Routh-Hurwitz program, this script can accept algebraic expressions for the coefficients of the characteristic polynomial.

https://dl.dropbox.com/u/1614464/routhHurwitz/jury.py

Tuesday, December 4, 2012

A server side RSS aggregator, forked from Stephen Minutillo's "Feed on Feeds"

I started this project because I was looking for a simple alternative to Google Reader that I could run on a cheap shared PHP host.  Strangely enough, there wasn't a lot of choice; I initially considered TinyTinyRSS, but didn't really like it.  I also came across Feed on Feeds (fof), by Stephen Minutillo, which seemed to be exactly what I wanted - a lightweight and simple PHP feed aggregator.

Unfortunately, development on fof appears to have stalled (there have only been 5 or so code commits since 2009).  Since the code base for the project was so small, I decided to fork it and add a few features/bugfixes.  However, once I started looking at the code, it soon became apparent that the security of the software was severely lacking.

There were all sorts of nasties lurking in this code, which I've now fixed, including:
  • An arbitrary code execution vulnerability (user data passed directly to create_function)
  • Numerous privilege checking problems (for example, any user could change another user's password, or uninstall the software)
  • A vulnerability allowing an attacker to read and write arbitrary data to the database
  • A poorly designed and insecure login system (used the hash of the user's password as a token)
  • Password hashes were stored unsalted
  • Logging system leaked data - logs were publicly viewable, and contained sensitive information (session IDs, etc.)
  • No CSRF prevention
  • Two open redirect vulnerabilities
  • About 30 XSS vulnerabilities
Though interestingly, not a single SQL injection (that I could see, although there was one very close call).  These vulnerabilities have all been fixed.  I have checked the code by hand (extensively, over 6 months), and also with a static code analyser (RIPS) and a black-box scanner (w3af).  I can no longer find any glaring problems; however, there are still likely to be security issues - use this code at your own risk!
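Two of the fixes listed above in hardened form, as an added example that is not fofork's code: a per-session CSRF token that every state-changing request must echo back, and a redirect-target check that only accepts same-site paths, which is what closes an open redirect. It assumes PHP 7.0 or later (random_bytes(), hash_equals()) and a started session; the function names, the hidden-field name and the demonstration inputs are mine.

```php
<?php
// Added example, not fofork's code. Assumes PHP >= 7.0 and a started session.

function csrfToken()
{
    if (empty($_SESSION['csrf_token'])) {
        // 256 bits from the OS CSPRNG, hex-encoded so it can sit in a hidden form field.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfTokenIsValid($submitted)
{
    if (!is_string($submitted) || empty($_SESSION['csrf_token'])) {
        return false;
    }
    // hash_equals() compares in constant time, so a wrong token cannot be
    // narrowed down byte by byte through response timing.
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Every handler that changes state (change password, delete feed, uninstall)
// calls this first; GET requests must never change state.
function requireValidCsrf(array $post)
{
    if (!csrfTokenIsValid($post['csrf_token'] ?? null)) {
        throw new RuntimeException('CSRF token missing or invalid');
    }
}

function safeRedirectTarget($target, $default = '/')
{
    // Only accept a path on this site: it must start with exactly one "/".
    if (!is_string($target) || $target === '' || $target[0] !== '/') {
        return $default;
    }
    // "//host" and "/\host" are treated as protocol-relative URLs by browsers.
    if (isset($target[1]) && ($target[1] === '/' || $target[1] === '\\')) {
        return $default;
    }
    // Control characters could terminate the Location line or inject headers.
    if (preg_match('/[\x00-\x1f\x7f]/', $target)) {
        return $default;
    }
    $parts = parse_url($target);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;
    }
    return $target;
}

// Demonstration with constructed inputs ($_SESSION is faked for a CLI run)
if (!isset($_SESSION)) {
    $_SESSION = [];
}
$token = csrfToken();
assert(csrfTokenIsValid($token));
assert(!csrfTokenIsValid(substr($token, 0, -1) . 'x'));
assert(safeRedirectTarget('/items?feed=3#top') === '/items?feed=3#top');
assert(safeRedirectTarget('//attacker.example/') === '/');
assert(safeRedirectTarget('http://attacker.example/') === '/');
assert(safeRedirectTarget("/ok\r\nSet-Cookie: a=b") === '/');
assert(safeRedirectTarget('') === '/');
```

In a form, the token is emitted as a hidden input and checked with requireValidCsrf($_POST) before anything is written; for the redirect, the validated value is what goes into the Location header, never the raw query parameter.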

This project was an excellent lesson in how difficult it can be to add security features to insecurely designed software.  The only reason doing so was feasible in this case is that the code-base was so small!  It was also a good excuse to learn about all sorts of different attacks and how to prevent them.  Although it was pretty tedious hardening the code, it ended up being a pretty valuable experience.

For the future, I plan to add the following features
  • rewrite the database layer to use PDO (and hence support databases other than mysql), or else use some kind of ORM
  • allow new users to register accounts
  • add a RESTful api, and possibly also create a new user interface
  • perform a lot of code clean up and refactoring.  Optimise the javascript parts of the code.
I should probably also remark that some of the XSS problems are actually from the SimplePie library's poor escaping procedures (e.g. it uses a blacklist rather than a whitelist approach to decide which tags to strip, and doesn't remove scripts of the form <img src="whatever" onload="javascript: etc">).  So this is something to be aware of if you're using SimplePie.  I haven't really had time to study the SimplePie code in detail and track down any errors/submit bug reports, so I've just solved the problem (temporarily) by creating my own escaping routines to use in addition to SimplePie's.
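The whitelist approach described above, as an added example that is neither fofork's nor SimplePie's code: a sanitiser that keeps only listed elements and attributes, so an onload attribute on an img element is dropped without the sanitiser having to know any event-handler names, and href/src values are only kept for an allowed scheme. It assumes PHP 7.0 or later with ext/dom; the allow-lists and function names are mine and would be tuned to the markup a feed reader wants to display.

```php
<?php
// Added example, not fofork's or SimplePie's code. Assumes PHP >= 7.0 with ext/dom.
//
// Allow-list sanitiser: every element and attribute not explicitly listed is
// removed, so event-handler attributes such as onload are dropped without
// the sanitiser having to know any of their names.

const ALLOWED_TAGS = ['p', 'div', 'span', 'br', 'a', 'img', 'b', 'i', 'em', 'strong',
    'ul', 'ol', 'li', 'blockquote', 'pre', 'code', 'h1', 'h2', 'h3'];
const ALLOWED_ATTRS = ['a' => ['href', 'title'], 'img' => ['src', 'alt', 'title']];
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

function urlIsSafe($url)
{
    // Browsers ignore ASCII control characters and whitespace inside a URL,
    // so strip them before looking at the scheme ("java\tscript:" and friends).
    $probe = preg_replace('/[\x00-\x20\x7f]/', '', $url);
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $probe, $m)) {
        return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true);
    }
    return true; // relative URL
}

function sanitizeNode(DOMNode $node)
{
    // Copy the child list first: nodes are removed while walking it.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child->nodeType === XML_TEXT_NODE) {
            continue;
        }
        if ($child->nodeType !== XML_ELEMENT_NODE) {
            $node->removeChild($child); // comments, CDATA, processing instructions
            continue;
        }
        $tag = strtolower($child->nodeName);
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            // Unlisted element (script, style, iframe, object, ...) goes with its subtree.
            $node->removeChild($child);
            continue;
        }
        $allowed = ALLOWED_ATTRS[$tag] ?? [];
        foreach (iterator_to_array($child->attributes, false) as $attr) {
            $name = strtolower($attr->nodeName);
            $keep = in_array($name, $allowed, true)
                && (($name !== 'href' && $name !== 'src') || urlIsSafe($attr->nodeValue));
            if (!$keep) {
                $child->removeAttribute($attr->nodeName);
            }
        }
        sanitizeNode($child);
    }
}

function sanitizeHtml($html)
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // feed markup is rarely well-formed
    $doc->loadHTML('<?xml encoding="UTF-8"?><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    sanitizeNode($body);
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child); // text nodes are entity-escaped on output
    }
    return $out;
}

// Demonstration with constructed feed markup
$dirty = '<p>Hi <b onclick="x()">there</b></p>'
    . '<img src="whatever" onload="javascript:alert(1)">'
    . '<script>alert(2)</script>'
    . '<a href="javascript:alert(3)" title="t">link</a>'
    . '<a href="https://example.com/">ok</a>';
$clean = sanitizeHtml($dirty);
assert(stripos($clean, 'onload') === false && stripos($clean, 'onclick') === false);
assert(stripos($clean, '<script') === false && stripos($clean, 'javascript:') === false);
assert(strpos($clean, 'src="whatever"') !== false);
assert(strpos($clean, 'href="https://example.com/"') !== false);
```

Because unlisted elements are removed together with their content, anything a feed legitimately uses (tables, figures) has to be added to ALLOWED_TAGS explicitly; that is the trade-off of an allow-list, and it is the reason it fails closed when a new attribute or tag turns up that a blacklist would not have known about.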

The forked code can be downloaded here:
https://dl.dropbox.com/u/1614464/fof/fof-1.0.1.tar.gz

In the absence of a proper change log, here's the subversion commit log (so you can see what has been changed):
https://dl.dropbox.com/u/1614464/fof/svn_log_1.0.1.txt

I really should move this project (as in the code hosting and bug tracking) onto some kind of hosted service (right now I'm doing all the bug-tracking etc on my local machine).  Maybe I'll do that sometime in the future too.

Monday, June 25, 2012

Poll mod 0.1.3

Minor bug fix for punBB poll mod.

Fixes issue with "double escaping".  Poll options containing characters <, >, &, ' or " will now display correctly.

Mod is still secure against XSS to the best of my knowledge.

https://dl.dropbox.com/u/1614464/robs_poll_mod/robs_poll_mod_0.1.3.tar.gz

Sunday, April 22, 2012

wget and echoproxy work again!

Follow-up to http://98percentidle.blogspot.com.au/2012/03/uwa-changes-its-echo360-configuration.html

UWA have removed the authentication screen when viewing lectures on echo360.  Wget and echoproxy will work again (without me having to make any modifications, yay!)