The Importance of Sanitizing Input Strings

As a young programmer, it’s easy for me to forget that, unlike in the academic programming environment, it is vital that I protect my programs against any and all potential attacks. Recently I realized just how easy it is to leave a gaping hole in a program’s security. I am posting this today as both a reminder to myself and a warning to any who might run across it: sanitize your program input!

Recently I was working on a personal project: a little web app that displays the machines in the Computer Science department lab based on active OS (since they are dual-booted with Ubuntu and Windows XP, the OS will regularly change on any given machine). You can see a snapshot of an older version of the map that was released a few months ago here.

The map worked fine, but it had a lot of overhead and required root privileges to run, so I decided to rewrite the backend using netcat instead of my previous solution, which utilized nmap's OS detection. With netcat's -z flag, determining whether a machine is listening on a given port is trivial, and since the labs are all extremely homogeneous it only requires a test of port 22 to determine whether a machine is booted into Ubuntu (which will accept SSH connections), booted into Windows (which will refuse port 22 connections), or offline (in which case the connection attempt times out).

In any event, I wrote a PHP script which accepts three parameters based on the names of the lab machines, “prefix,” “start,” and “end.” If I were to call the script with the following query string: ?prefix=dog&start=1&end=62 then the script would scan the machines between dog01.cs.utsa.edu and dog62.cs.utsa.edu.

In order to make this magic happen, the program must make a shell call to netcat for each machine to be scanned. This can be completely safe, but only if you sanitize your data. Since the prefix is inserted into every shell call exactly as the user supplied it (unlike the values for “start” and “end,” which are reduced to integers), it is the obvious place for a user to inject malicious code. Before I released the script, I did one final sanity check and realized that I had not sanitized this value. Before closing the hole, I decided to play with the exploit a bit, and the following is what I did:

First, I considered how the input strings were used in my program. The following string was passed to the shell for each iteration through the machines: /bin/nc -zv -w 1 $mac 22 2>&1| /bin/cat -. The value for $mac was defined as the user-entered $prefix and the sanitized integer value somewhere between $start and $end. As a proof of concept, I decided to do an ls of the /home directory to see who was currently mounted on the web server. Obviously, a user who wanted to do more damage could conceive of much worse things, but I was not inclined to foo-bar the server for the sake of this test.

It turns out, all that was required was to insert the URL-encoded value of “;ls -l /home;” as the value for $prefix. It breaks the netcat call, but that’s OK. The output returned was the following:

total 28
drwx-----x 45 bwright students 4096 Apr 22 12:17 bwright
drwx--x--x 86 drossite students 4096 Apr 28 19:59 drossite
drwxr-xr-x 137 lmaddox students 20480 Apr 25 20:03 lmaddox
sh: 01: command not found

(That last bit about command not found is the shell trying to figure out what to do with the integer that was given after our second semicolon.)

To resolve this security hole, all that is required is a regex that strips every character a valid prefix cannot contain. In this particular instance, anything other than letters is not going to represent a valid prefix, so, after pulling the prefix from the user, I simply apply the following: $prefix = preg_replace( '/[^a-zA-Z]/s', '', $prefix ). For my specific implementation, I am also able to limit the length of the value passed in (not shown). And that’s it. The program is now secure against malicious users compromising the server through this input, at any rate.
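The command construction described above beside a hardened version, as an added example in PHP rather than the post's own script. The host domain, the $mac name and the two-digit numbering come from the post; the function names and the 16-character length cap are assumptions, and escapeshellarg() is a second layer added here on top of the post's allow-list regex.

```php
<?php
// Added example, not the post's original script: the shell command built from
// user input as the post describes, beside a hardened version. The host
// domain, the $mac name and the two-digit numbering (dog01 .. dog62) come
// from the post; the function names and the length cap are assumptions.

// Vulnerable construction: $prefix is dropped into the shell string verbatim,
// so a prefix containing ';' turns one netcat call into several commands.
function build_scan_command_unsafe(string $prefix, int $n): string
{
    $mac = sprintf('%s%02d.cs.utsa.edu', $prefix, $n);
    return "/bin/nc -zv -w 1 $mac 22 2>&1| /bin/cat -";
}

// Allow-list, as in the post: keep only ASCII letters. Added here: cap the
// length and reject an empty result instead of scanning a nonsense host.
function sanitize_prefix(string $prefix, int $maxLen = 16): ?string
{
    $clean = preg_replace('/[^a-zA-Z]/', '', $prefix);
    if ($clean === '' || strlen($clean) > $maxLen) {
        return null;
    }
    return $clean;
}

// Hardened construction: validated prefix, integer-typed counter, and
// escapeshellarg() as a second layer the post does not use, so the host
// stays a single shell argument even if the allow-list is ever loosened.
function build_scan_command_safe(string $prefix, int $n): ?string
{
    $clean = sanitize_prefix($prefix);
    if ($clean === null) {
        return null; // caller should answer HTTP 400 and run nothing
    }
    $mac = sprintf('%s%02d.cs.utsa.edu', $clean, $n);
    return '/bin/nc -zv -w 1 ' . escapeshellarg($mac) . ' 22 2>&1| /bin/cat -';
}

// Demonstration with the payload quoted in the post (constructed input); the
// strings are only printed here, never handed to the shell.
$payload = ';ls -l /home;';
printf("unsafe: %s\n", build_scan_command_unsafe($payload, 1));
printf("safe:   %s\n", build_scan_command_safe($payload, 1) ?? 'rejected');
printf("safe:   %s\n", build_scan_command_safe('dog', 62) ?? 'rejected');
```

Running it shows the unsafe string splitting into three shell commands at the semicolons, while the safe string stays a single quoted hostname.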

If you have a similar almost uh-oh, feel free to share in the comments below!

Jetpack Sharing Links Revisited

Jetpack for WordPress

A few months ago I posted about how to shorten WordPress Jetpack sharing links. Today, I would like to revisit this topic and provide a cleaner solution that I recently uncovered.

Unlike the previous solution I described, this does not require editing the source of the Jetpack plugin, and thus will persist through plugin updates.

In order to implement this quick fix, you will first need to create a functions.php file in your active theme. If you do not have a custom theme, I would strongly suggest using a child theme, as not doing so will mean losing your modifications if a newer version of your theme is released at a later date.

In short, all that you need to do is hook into the built-in filter provided within the Jetpack source. A filter is a little piece of code that plugin authors (and WordPress core authors) can include to allow users control over some inner functionality. In this case, the filter allows us to tweak what the sharing URL displayed to the end user will look like. If you would like a deeper explanation of content filters and their close cousins, action hooks, the WordPress Codex provides an excellent description of both.

In any event, the fix, shown below, simply returns the wp.me shortened URL for use in all the sharing links. Give it a try and be sure to comment if you found this useful!

NOTE: If you would like additional control over which social networks receive shortlinks and which receive the full permalink, you can use the $social_network value, which contains a string with the name of the network.
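One way to implement the hook the post describes, as an added example rather than the post's own snippet (which this excerpt does not include). It assumes Jetpack's sharing_permalink filter, whose third argument is the network name the post calls $social_network, and the per-network list is constructed for illustration.

```php
<?php
// Added example for the active (child) theme's functions.php; not the post's
// own code. Assumes Jetpack's `sharing_permalink` filter, called with the
// permalink, the post id and the service id ($social_network).

function my_jetpack_short_share_url( $permalink, $post_id, $social_network ) {
    // wp_get_shortlink() yields the wp.me link when Jetpack's Shortlinks
    // module is active; it returns an empty string when none is available,
    // in which case keep the full permalink rather than emitting a blank link.
    $short = wp_get_shortlink( $post_id );
    if ( empty( $short ) ) {
        return $permalink;
    }

    // Optional per-network control, as the NOTE above suggests: networks in
    // this constructed list keep the full permalink, everything else gets wp.me.
    $keep_full_permalink = array( 'email' );
    if ( in_array( $social_network, $keep_full_permalink, true ) ) {
        return $permalink;
    }

    return $short;
}
add_filter( 'sharing_permalink', 'my_jetpack_short_share_url', 10, 3 );
```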

Taking On Art History For My Second Major

Happy April Fools’ Day, all! As some may have guessed, I am not in fact adding a second major just a month before my graduation. As much as I do appreciate the beauty of art, I am not nearly dedicated enough to the discipline to make that kind of commitment to it 🙂

Monet's Water Lily Pond
Monet’s Water Lily Pond is one of the beautiful paintings that inspired this decision.

I love computers. They make life interesting and I could never give up working with them, but I’ve always felt that something was missing. That something is art.

After thinking long and hard about this, I have decided to pick up a second major in Art History. I feel that this additional major, in combination with the minor in Anthropology that I already picked up and my soon-to-be-complete major in Computer Science, will give me a broader appreciation of the world, both computationally and artistically.

Unfortunately I do not have as much time as I would like to discuss all my reasons for this decision, but stay tuned in the coming weeks for more information.

Shorten WordPress’ Jetpack Sharing Links (http://wp.me)

EDIT: I have since developed a more robust solution for using shortlinks in Jetpack. See this updated information in Jetpack Sharing Links Revisited.

When I first decided to use WordPress for my personal as well as professional CMS needs, one of the driving factors behind that decision was the Jetpack plugin, developed by WordPress, which allows off-site (non-blogname.wordpress.com) installations to use many of the fancy features that used to only be available on wordpress.com blogs.

The Jetpack plugin allows you to quickly and easily share to multiple social networks, get site statistics, enhance your site for smartphone viewers, and do many other convenient things. The one thing I do not like about the system is how difficult it is to retrieve the shortlinks, which are another fancy feature that Jetpack offers. Unfortunately, the links are only obtainable through the admin side, and are not used in Jetpack’s own social sharing buttons (see below). If you try clicking any one of the share buttons at the bottom of this post, you’ll notice the link is to the URL of this page, not the shorter wp.me version which is preferred for sites like Twitter, where every character is a commodity. At least, that used to be the case.

WordPress Jetpack - Sharedaddy
Example of what the Sharedaddy share links look like.

After reporting this for revision a few months ago and getting the run-around, I finally took the time today to make the necessary changes myself. I also submitted a ticket to the WordPress team which *fingers crossed* will result in the change being pushed to all Jetpack users some time in the future. EDIT: This ticket was recently rejected, but that doesn’t stop you from implementing the fix yourself!

In the meantime, anyone interested in implementing the fix themselves…


With a New Year, A New Website… Again!

Exactly a year ago, I made a post with this same title (minus the “Again”). I have learned a lot since that post. For starters, I have learned to be careful with local database backups when reinstalling my OS (this is why the first 20ish posts that were on this site no longer exist). Lesson learned.

Since that post from one year ago, I have moved from my position as Web Specialist Intern for the UTSA Honors College to Web Specialist for Startech Foundation. I have presented at two national conferences, one in Indianapolis and one in Boston. But more importantly, I have learned to take myself less seriously. I’ve learned to have fun, roll with the punches, and never be afraid to fail. And boy, have I failed!

Looking past the failure to properly back up my database, which I mentioned above, I’ve failed in numerous other things. I have loved and lost (multiple times). I have thought that I could do it all, and eventually had to concede that I needed help. I have also written enough typos to fill several volumes (thank God for browser inline spell checking). There is no doubt that I have failed plenty in this past year.

As I look forward, I have so many exciting new experiences ahead. I plan to graduate in May, after which I’ll be looking for full-time employment for the first time. Ever. I’ll also be applying to MBA programs around the country. As the end of my undergraduate career approaches, for the first time I feel like I am making decisions that will determine the rest of my life. It’s definitely a scary thought.

As I greet 2013, I have no desire to make no mistakes; that would just mean that I have not challenged myself enough. As Ms. Frizzle from The Magic School Bus says, “Take chances, make mistakes, get messy!” (Yes, I just quoted a kid’s show. Live with it.)

What I do hope to do is always look at life through an open mind, consider every opportunity that comes before me, and, most importantly, have fun! I only get this one life so why waste it being so damn serious all the time?

WordPress: Now With a Touch of America’s Favorite Yellow Family

The following witty comment was brought to you by my latest WordPress plugin, Hello Simpsons Chalkboard Gag: I was not told to do this.

Everything following the colon above was dynamically pulled from a listing of all past chalkboard gags by Bart Simpson. And no, I did not have to sit through the hundreds of episodes, painstakingly writing down each one. Thanks to The Simpsons Archive, I was able to just write a tiny Perl script that parsed their listing of gags from each episode.

Hello Simpson Chalkboard Gag
Created using the Bart Simpson Chalkboard Generator.

This plugin was inspired by two sources. The first was my love of the over-two-decade-old television show and the second was a desire to show something a little more interesting than lines from Hello Dolly in my WordPress admin area. Let me explain: by default, WordPress comes with a plugin that shows a line from Hello Dolly at the top right corner of every page on the administration side of the site (not visible to general viewers of the site).

As fantastic a musician as Louis Armstrong is, he’s just not my cup of tea. Call me uncultured or say that I’m missing out, but I much prefer Bart’s witty, moderately-crude humor. Also, there are only 28 lines in Hello Dolly, meaning only 28 possible headers in my WordPress admin area. Hello Simpsons Chalkboard Gag has 296 possible results as of publishing this, and that number will continue to grow with each new episode.

In addition to changing up the little bit of text displayed on the admin side of the site, I also added the option to include a simpsons shortcode, which is what was used at the top of this post to load one of the chalkboard gags dynamically within this post. This was really an afterthought and the only reason I decided to include it was because the necessary work was already done in handling the primary project, so adding the shortcode was trivial.


Second WordPress Plugin Goes Live

Prezi Logo
Logo © Prezi Inc. Used with permission.

It is now almost exactly 4 months since I released my first contribution to the WordPress community, the Document Gallery plugin. This new addition to my work, Prezi Embedder, was designed in order to support simple embedding of presentations designed on prezi.com in WordPress installations.

This plugin was designed out of frustration at the lack of support from the Prezi team for WordPress users. Their only official response to the issues with their embed code in WordPress installs is a link to this forum post, where users present some ways to hack together something that used to work. Recently, even the hacks mentioned in the post were disabled, making it impossible to natively embed Prezis.

After reaching this dead end, I also looked briefly for other plugins developed for this purpose. The one plugin I found only had partial support for the Prezi embed options and, in my testing of the plugin, did not handle any size other than the (tiny!) default embed size.

At this point, I gave up on any pre-existing solution and wrote the embed code into a very simple plugin and linked it to the [prezi id='<Prezi ID>'] shortcode. Though I initially wrote the plugin for my own use, I ended up submitting it for listing in the public WordPress Plugin Directory.

This release has had a slower pickup in downloads when compared to my first plugin (which hit 300 downloads in under two days), but that is to be expected given its more specific market. Even given this lower interest, it has still been downloaded 70 times in two days, which I am more than pleased with, especially given that it began as just a tool for my personal use.

(Legally) Hacking Online Defensive Driving Course

Given the tendency for society to interpret hacking as an inherently illegal activity, I must first clarify what the meaning is in this context. While thefreedictionary.com has a definition that would suggest illegality:

To use one’s skill in computer programming to gain illegal or unauthorized access to a file or network.

This is only the second definition. The first (and relevant) definition listed is far less nefarious:

To write or refine computer programs skillfully.

In any event, I’ve said all of that as a very long preamble for the true topic of this post. I recently signed up to take an online defensive driving course on GetDefensive.com. In taking the course, I found it immediately frustrating that each page required the student to remain on that page for a set amount of time before proceeding to the next page of the course. This would not have been so bad, except that the time required for each page was significantly longer than the time I needed to absorb the information.

Once I had completed reading the content on a page, I would go off to another tab in my browser to work on something else, but then I ran into the issue of not knowing when the timer had completed, since it was only visible within the course tab. After making it about halfway through the six-hour course, I had had enough. I decided to append the time remaining to the tab title so I could see how much time was remaining without needing to re-open the tab before it had finished.

GetDefensive.com Title Hack

Remembering my GreaseMonkey from when I had used Firefox, I went to see if something similar existed for Google Chrome. Apparently, Tampermonkey is the go-to for user script management in Chrome.

After playing with the new tool for a few minutes, I threw together a script that pulled the content from the existing count-down timer in the tab and had it duplicate that value in the title. You can see below for the solution I ended up with.

UPDATE (11/28/2013): I got another speeding ticket, which means I had a chance to revisit this solution and one small thing changed — the ID of the object we’re grabbing the time from. The code below is now up-to-date with this new ID.

Presenting “#OccupyFacebook” at NCHC 2012

NCHC #OccupyFacebook Presentation

This week, I had the honor of being taken to Boston, MA in order to give a presentation on social networking best practices, specifically as they relate to Honors Colleges and Honors Programs.

Though the presentation attempted to address social networking globally, without focus on any particular site, as the title suggests it was a little skewed toward Facebook, with which I am most familiar.

I submitted my abstract for the presentation after observing how poorly social networking resources tend to be utilized by various organizations around campus. Having worked for the UTSA Honors College, in part to facilitate social networking; managed social networking for various student organizations on campus; and spearheaded a social-media-heavy, campus-wide Presidential and Vice Presidential campaign for Student Government, I felt I was qualified to make some suggestions on how best to use these powerful tools.

Given the topic of conversation in this presentation, I wanted to do something unique that showed the power and versatility of social networks. I ran the session’s question and answer segment by taking questions from a live Twitter feed. Anyone with questions tweeted them with the #OccupyFacebook hashtag and at the end of the session questions were answered in the order they were tweeted.

Below is a copy of the presentation, as shown at the conference: