2012-07-24

Eval is Evil

Why?
Because Kizano said so...

Here are some examples I've seen in live code that just do not work (1-line each):

$success = eval('?>' . $_GET['a']);

eval("$my_obj->$key = $other_obj->$some_value");

I'm really surprised at some people. Do they not see the glaring a=<?php system("rm -Rf /"); in their URL?

Just keep things easy on yourself and use this instead:

$success = (string)$_GET['a'];

$my_obj->$key = $other_obj->$some_value;

That way - you don't give me a heart attack when I see you vulnerable to the most basic PHP exploit... Remember, PHP is smart enough to do what you want, but the real question is are you l33t enough to write it?

Eval is Evil!
EOF

Wordpress Securepress Plugin Vulnerability

http://wordpress.org/extend/plugins/securepress-plugin/
While looking around in a Wordpress install, I found this little gem:
Line 2218:
$back = isset($_POST['back']) ? $_POST['back'] : null;

Line 2349:
<input type="button" value="Cancel"
onclick="eval(\'memos.\'+\''.addcslashes($back,"'").'\')" />

$back is never properly escaped for JavaScript: addcslashes() here only escapes single quotes.
They should use json_encode() instead.

I can inject arbitrary JavaScript into a post request for the "back" parameter and have it come out in your browser.
Tested on plugin version 8.4.01.

-0xKizano
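As an added illustration of the json_encode fix recommended above (my example, not the Securepress plugin's code): the Cancel button rendered the way the plugin does it, beside a version that treats $back as data. The handler names in the allow-list, the 'list' default and the assumption that $back names a function on the client-side memos object are mine.

```php
<?php
// Added example, not code from the Securepress plugin.
// Constructed stand-in for $_POST['back']: carries the characters addcslashes($back, "'") leaves alone.
$back = "o'neil\" <tag> \\";

// As on the plugin's line 2349: only the single quote is escaped, so a double quote closes the
// onclick attribute, < and > reach the page unencoded, and whatever is left is handed to eval().
function cancel_button_unsafe($back) {
    return '<input type="button" value="Cancel" onclick="eval(\'memos.\'+\''
        . addcslashes($back, "'") . '\')" />';
}

// Hardened form. Assumes $back names a function on the client-side memos object (my assumption).
function cancel_button_safe($back, $allowed = array('list', 'view', 'edit')) {
    // 1. Treat $back as data, not code: accept only a known handler name, else fall back.
    if (!in_array($back, $allowed, true)) {
        $back = 'list';
    }
    // 2. json_encode yields a valid JS string literal (quotes and backslashes escaped); the
    //    JSON_HEX_* flags also turn < > & ' " into \uXXXX so the literal cannot end the
    //    attribute or open a tag regardless of how the browser parses the surrounding HTML.
    $literal = json_encode($back, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);
    // 3. The literal lives inside an HTML attribute, so encode for that context as well, and
    //    index into memos[] instead of building source text for eval().
    $onclick = htmlspecialchars('memos[' . $literal . ']()', ENT_QUOTES, 'UTF-8');
    return '<input type="button" value="Cancel" onclick="' . $onclick . '" />';
}

echo cancel_button_unsafe($back), "\n";
echo cancel_button_safe($back), "\n";
```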

2012-07-15

apt-get update; GPG Unverified Signature

So, you added a new thing to your /etc/apt/sources.list (or, if you're smarter than most, you created your own file in /etc/apt/sources.list.d/<new-source>.list), then you go to update Aptitude, and you get the following message:

root@localhost:~# apt-get update
...
W: GPG error: http://updates.repository.backtrack-linux.org revolution Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY AB6DA34B475A6B7F

This is all fine and dandy - I can just go to the site and look for their key and install that, right? No? They don't just give me the key?! Then your packages will always be unverified and I'll be open to an exploit that allows the install of arbitrary third-party packages! Oh noes! D: Whatever shall we do?

Never fear - there's a way to get that key and turn it into something apt-get can use, so it stops complaining about that error. Check out apt-get-key, a quick script that fetches the GPG key from the pgp.net keyserver and hands it to apt-key to install:

#!/bin/bash
# apt-get-key: fetch a GPG key from a keyserver, save it to a file, and hand it to apt-key.

if [ "$UID" != 0 ]; then
    echo -e "\033[33mERROR\033[00m: This script can only be run by root!"
    exit 1
fi

function Usage(){
    cat <<EOF
Usage: apt-get-key [key] [file]
key  - The key to request from the gpg server.
file - Where to put the key after it's been requested and generated.
EOF
    exit 8
}

KEY=$1
FILE=$2

# Show usage on -h/--help, or when either argument is missing.
if [ -n "$( echo "$1" | grep -P -- '--?h(elp)?' )" ] || [ -z "$KEY" ] || [ -z "$FILE" ]; then
    Usage
fi

if [ ! -d "$(dirname "$FILE")" ]; then
    echo -e "\033[31mERROR\033[00m: $(basename "$0"): Cannot stat \`$FILE' no such directory."
    exit 1
fi

# Fetch the key, export it ASCII-armoured into $FILE (tee also echoes it to the terminal),
# and only register it with apt if both steps succeeded.
gpg --keyserver subkeys.pgp.net --recv "$KEY" && gpg --export --armor "$KEY" | tee "$FILE" || exit 1
apt-key add "$FILE" || exit 1
echo -e "\033[32mDone.\033[00m"

As a convention, I usually place my keys in /etc/apt/keys, but you can do whatever. You could even store them in /tmp, since the key gets installed either way. With this script, you can run it like so to fetch and install the key from the error above:

apt-get-key AB6DA34B475A6B7F /etc/apt/keys/backtrack.gpg

... and BAM! You have now installed the key apt-get was complaining about earlier. Have a nice day :)

-0xKizano