Alex Concha
http://alex.buayacorp.com
Blog focused on web security, computer science and work experiences

Programming: You’re Doing it Completely Wrong
http://alex.buayacorp.com/programming-youre-doing-it-completely-wrong.html
Sat, 27 Oct 2007 16:22:08 +0000, by alex

Programming: You're Doing It Completely Wrong

Insecure Way to Upgrade to WordPress 2.3
http://alex.buayacorp.com/insecure-way-to-upgrade-to-wordpress-23.html
Tue, 25 Sep 2007 14:28:50 +0000, by alex

As you may already know, WordPress 2.3 was released yesterday and many folks around the world are sharing their upgrade experiences. The one that caught my attention was the “5 Step Failsafe upgrade for WordPress” published at BlogSecurity.

No offense intended, but I wonder why a blog dedicated to security recommends an insecure backup plugin that can allow anyone to download database backups or any file from the file system.

If you are planning to upgrade your WordPress blog, try to do the steps manually, because many backup plugins are very insecure — if you still want to use one of them, deactivate it when the upgrade process is completed.

Enable tag support on Windows Live Writer and WordPress 2.3
http://alex.buayacorp.com/enable-tag-support-on-windows-live-writer-and-wordpress-23.html
Thu, 20 Sep 2007 12:45:59 +0000, by alex

Update: Joseph Scott has made a better manifest file.

As you may already know, WordPress 2.3 will have built-in tag support, and to enable tags in Windows Live Writer you have to upload a manifest file to your blog’s root.

xml:

<manifest xmlns="http://schemas.microsoft.com/wlw/manifest/weblog">
  <options>
    <supportsKeywords>Yes</supportsKeywords>
    <supportsFileUpload>Yes</supportsFileUpload>
    <supportsExtendedEntries>Yes</supportsExtendedEntries>
    <supportsCustomDate>Yes</supportsCustomDate>
    <supportsCategories>Yes</supportsCategories>
    <supportsCategoriesInline>Yes</supportsCategoriesInline>
    <supportsMultipleCategories>Yes</supportsMultipleCategories>
    <supportsHierarchicalCategories>Yes</supportsHierarchicalCategories>
    <supportsNewCategories>Yes</supportsNewCategories>
    <supportsNewCategoriesInline>Yes</supportsNewCategoriesInline>
    <supportsCommentPolicy>Yes</supportsCommentPolicy>
    <supportsPingPolicy>Yes</supportsPingPolicy>
    <supportsAuthor>Yes</supportsAuthor>
    <supportsSlug>Yes</supportsSlug>
    <supportsPassword>Yes</supportsPassword>
    <supportsExcerpt>Yes</supportsExcerpt>
    <supportsTrackbacks>Yes</supportsTrackbacks>
    <supportsPages>Yes</supportsPages>
    <supportsPageParent>Yes</supportsPageParent>
    <supportsPageOrder>Yes</supportsPageOrder>
    <requiresXHTML>True</requiresXHTML>
    <supportsAutoUpdate>No</supportsAutoUpdate>
  </options>
  <weblog>
    <homepageLinkText>View your blog</homepageLinkText>
    <adminLinkText>Administer your blog</adminLinkText>
    <adminUrl><![CDATA[{blog-homepage-url}wp-admin]]></adminUrl>
    <postEditingUrl><![CDATA[{blog-homepage-url}wp-admin/edit.php]]></postEditingUrl>
  </weblog>
</manifest>
 
YouTube to MP3 Converter
http://alex.buayacorp.com/youtube-to-mp3-converter.html
Tue, 18 Sep 2007 02:23:11 +0000, by alex

Check out this handy Free YouTube to MP3 Converter ;)


YouTube to MP3 Converter

You can download from dvdvideosoft.

Selling exploits
http://alex.buayacorp.com/selling-exploits.html
Fri, 24 Aug 2007 14:18:39 +0000, by alex

Today I received a mail from a guy who wants to buy some exploits for WordPress.

Hi. I have seen exploits for wordpress at milw0rm uploaded by you. If you have this kind of scripts for newer versions of wordpress i can buy them.

I responded:

Actually I only have one remote exploit for WordPress <= 2.2.2, it lets you retrieve user credentials from affected blogs. How much do you offer?

Actually, I’m not interested in selling exploits because they can be used to compromise many vulnerable blogs — two years ago my Spanish blog was defaced in the same fashion, but I wonder how much WordPress exploits cost.

Let’s see what he’ll respond :)

How to drive your manager crazy in three easy steps…
http://alex.buayacorp.com/how-to-drive-your-manager-crazy-in-three-easy-steps.html
Tue, 07 Aug 2007 04:08:09 +0000, by alex

Original image: CodeComics

SQL Injection in WordPress.com Stats plugin
http://alex.buayacorp.com/sql-injection-in-wordpresscom-stats-plugin.html
Mon, 06 Aug 2007 15:09:16 +0000, by alex

Overview

WordPress.com Stats is a plugin developed by Automattic. It lets self-hosted WordPress bloggers use the same traffic metrics system that Automattic provides to WordPress.com users. It tracks post and page views, referrers, search terms, and clicks on external links.

While testing this plugin I found a critical SQL Injection vulnerability that may allow an attacker to retrieve credentials from any user of a WordPress blog — the attacker only needs to know a valid user ID.

WordPress.com Stats 1.1 and previous versions are affected.

Technical Details

The WordPress.com Stats plugin registers two new methods (wpStats.get_posts and wpStats.get_blog) on the WordPress XMLRPC server. The vulnerable method is wpStats.get_posts, which internally maps to stats_get_posts.

php:
function stats_get_posts( $args ) {
    list( $post_ids ) = $args;

    // $post_ids comes from the XMLRPC caller and is concatenated without validation
    $r = 'include=' . join(',', $post_ids);
    $posts = get_posts( $r );
    $_posts = array();

    foreach ( $post_ids as $post_id )
        $_posts[$post_id] = stats_get_post($post_id);

    return $_posts;
}

Due to the lack of validation in stats_get_posts, an attacker can craft an XMLRPC request that passes arbitrary parameters and values to the get_posts function. This is possible because get_posts can receive a query string as a parameter.

get_posts accepts the following variables (defined in the $defaults array).

php:
function get_posts($args) {
    global $wpdb;

    $defaults = array(
        'numberposts' => 5, 'offset' => 0,
        'category' => 0, 'orderby' => 'post_date',
        'order' => 'DESC', 'include' => '',
        'exclude' => '', 'meta_key' => '',
        'meta_value' =>'', 'post_type' => 'post',
        'post_status' => 'publish', 'post_parent' => 0
    );
    $r = wp_parse_args( $args, $defaults );
    extract( $r, EXTR_SKIP );

    ...
}

An attacker can prepare a special XMLRPC call to exploit the vulnerability:

code:
&meta_key=%27) SQL INJECTION HERE/*&meta_value=1
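
The parameter smuggling described above, as an added example that is not part of the original post or of the plugin's code. It assumes a simplified stand-in for wp_parse_args (the hypothetical parse_args_sketch, built on PHP's parse_str), hypothetical builder functions build_vulnerable and build_patched, and a harmless MARKER where the SQL would go; it compares what get_posts would see with and without an intval cast on the IDs.

```php
<?php
// Added illustration, not plugin or WordPress code. parse_args_sketch() is a
// hypothetical stand-in for wp_parse_args(): it parses a query string and
// merges the result over the defaults, as get_posts() does with its argument.
function parse_args_sketch( $args, $defaults ) {
    parse_str( $args, $parsed );           // URL-decodes keys and values
    return array_merge( $defaults, $parsed );
}

// Subset of the $defaults array shown above.
$defaults = array( 'include' => '', 'meta_key' => '', 'meta_value' => '' );

// Query string as built by the vulnerable stats_get_posts().
function build_vulnerable( $post_ids ) {
    return 'include=' . join( ',', $post_ids );
}

// Query string as built when every ID is cast with intval() first.
function build_patched( $post_ids ) {
    $post_ids = array_map( 'intval', (array) $post_ids );
    return 'include=' . join( ',', $post_ids );
}

// Constructed input: the second "post ID" carries the parameter string from
// the advisory, with a harmless marker in place of any SQL.
$post_ids = array( '1', '2&meta_key=%27) MARKER/*&meta_value=1' );

foreach ( array( 'build_vulnerable', 'build_patched' ) as $builder ) {
    $query = $builder( $post_ids );
    $r     = parse_args_sketch( $query, $defaults );
    printf(
        "%s\n  query:      %s\n  include:    %s\n  meta_key:   %s\n  meta_value: %s\n\n",
        $builder,
        $query,
        var_export( $r['include'], true ),
        var_export( $r['meta_key'], true ),
        var_export( $r['meta_value'], true )
    );
}
```

With the unvalidated builder, meta_key and meta_value arrive in the parsed arguments even though the caller was only supposed to control include; with the cast, the second element collapses to the integer 2 and both keys keep their empty defaults.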

Solution

Upgrade to the latest version or apply the following patch to avoid SQL Injection attacks on WordPress.com Stats plugin.

diff:
Index: stats.php
===================================================================
--- stats.php   (revision 15884)
+++ stats.php   (working copy)
@@ -233,6 +233,7 @@
function stats_get_posts( $args ) {
list( $post_ids ) = $args;

+       $post_ids = array_map( 'intval', (array) $post_ids );
$r = 'include=' . join(',', $post_ids);
$posts = get_posts( $r );
$_posts = array();
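
Review bot: the `intval` cast on the added line closes the injection, but it silently turns any non-numeric entry into 0, which is then still joined into the `include=` string; consider dropping non-positive values after the cast (for example with `array_filter`) so that only plausible post IDs reach `get_posts`. The `$r` string is also still built by concatenation on the following line, so the safety of the call depends entirely on this one cast staying in place; a short comment explaining why the cast is there would help future maintainers.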
 
The Human Brain
http://alex.buayacorp.com/the-human-brain.html
Thu, 02 Aug 2007 04:05:29 +0000, by alex

The human brain is the most awesome instrument in the world: works 24 hours a day, 365 days a year, since you are born until you fall in love.

I lost the quote’s source (it was originally written in Spanish)

Merge PDF files with iTextDotNet and .NET
http://alex.buayacorp.com/merge-pdf-files-with-itextdotnet-and-net.html
Thu, 19 Jul 2007 15:09:39 +0000, by alex

In the previous post I showed a class to merge PDF files using iText#, but it seems that there’s a better approach using iTextDotNet:

csharp:
using com.lowagie.tools;

class Program
{
    static void Main(string[] args)
    {
        string[] lista = new string[] { "Meijer.pdf", "P330.pdf", "result.pdf" };
        concat_pdf.main(lista);
    }
}

As you can see, this is a cleaner and simpler way to merge PDF files. You can download the iTextDotNet .NET Library from this blog or the official website.

Merge PDF files with iText# and .NET
http://alex.buayacorp.com/merge-pdf-files-with-itext-and-net.html
Thu, 19 Jul 2007 00:32:18 +0000, by alex

I’ve made a simple class to merge PDF files using iText#:

csharp:
using System;
using System.Collections.Generic;
using System.IO;
using iTextSharp.text;
using iTextSharp.text.pdf;

public class PdfMerge
{
    private BaseFont baseFont;
    private bool enablePagination = false;
    private readonly List<PdfReader> documents;
    private int totalPages;

    public BaseFont BaseFont
    {
        get { return baseFont; }
        set { baseFont = value; }
    }

    public bool EnablePagination
    {
        get { return enablePagination; }
        set
        {
            enablePagination = value;
            if (value && baseFont == null)
                baseFont = BaseFont.CreateFont(BaseFont.HELVETICA, BaseFont.CP1252, BaseFont.NOT_EMBEDDED);
        }
    }

    public List<PdfReader> Documents
    {
        get { return documents; }
    }

    public void AddDocument(string filename)
    {
        documents.Add(new PdfReader(filename));
    }
    public void AddDocument(Stream pdfStream)
    {
        documents.Add(new PdfReader(pdfStream));
    }
    public void AddDocument(byte[] pdfContents)
    {
        documents.Add(new PdfReader(pdfContents));
    }
    public void AddDocument(PdfReader pdfDocument)
    {
        documents.Add(pdfDocument);
    }

    public void Merge(string outputFilename)
    {
        Merge(new FileStream(outputFilename, FileMode.Create));
    }
    public void Merge(Stream outputStream)
    {
        if (outputStream == null || !outputStream.CanWrite)
            throw new Exception("OutputStream es nulo o no se puede escribir en éste.");

        Document newDocument = null;
        try
        {
            newDocument = new Document();
            PdfWriter pdfWriter = PdfWriter.GetInstance(newDocument, outputStream);

            newDocument.Open();
            PdfContentByte pdfContentByte = pdfWriter.DirectContent;

            if (EnablePagination)
                documents.ForEach(delegate(PdfReader doc)
                                  {
                                      totalPages += doc.NumberOfPages;
                                  });

            int currentPage = 1;
            foreach (PdfReader pdfReader in documents)
            {
                for (int page = 1; page <= pdfReader.NumberOfPages; page++)
                {
                    newDocument.NewPage();
                    PdfImportedPage importedPage = pdfWriter.GetImportedPage(pdfReader, page);
                    pdfContentByte.AddTemplate(importedPage, 0, 0);

                    if (EnablePagination)
                    {
                        pdfContentByte.BeginText();
                        pdfContentByte.SetFontAndSize(baseFont, 9);
                        pdfContentByte.ShowTextAligned(PdfContentByte.ALIGN_CENTER,
                            string.Format("{0} de {1}", currentPage++, totalPages), 520, 5, 0);
                        pdfContentByte.EndText();
                    }
                }
            }
        }
        finally
        {
            outputStream.Flush();
            if (newDocument != null)
                newDocument.Close();
            outputStream.Close();
        }
    }

    public PdfMerge()
    {
        documents = new List<PdfReader>();
    }
}

Usage:

csharp:
string basePath = "c:\\pdf";

PdfMerge demo = new PdfMerge();

demo.AddDocument(Path.Combine(basePath, "static-dynamic-typing-meijer.pdf"));
demo.AddDocument(Path.Combine(basePath, "composable-memory-transactions.pdf"));

demo.Merge("mergedPapers.pdf");

Console.WriteLine("Archivo generado en: {0}", Path.GetFullPath("mergedPapers.pdf"));

If you want the source code, you can download the Visual Studio 2005 solution.
