Yifan Lu

Google Apps User Registration Script

yifanlu — Sat, 20 Feb 2010 04:25:14 +0000

Here’s another one of my famous 3-hour-projects. I finally decided to cleanup my email. It’s too hard to “clean”, so I decided to start from scratch by making a new email account. So, I made a Google Apps account. Google Apps is a great product, but one thing missing is registration for users. (You must make an account manually for your user) So, I decided to make one myself. This PHP script acts as a proxy between you and Google Apps. It allows your users to create their own account with you and your Google Apps. It is composed of a backend and a frontend. The backend does the work of taking your admin credentials and form data from a user and creating an account for the user. The frontend hosts the GUI. I made sure to well-comment the code, so it should be easy to create your own frontend to match the style and code of your site. I’m probity won’t work on this project again, but because it’s released under GNU v3 (as all my projects), you can take it and add on to it.

Google Apps User Registration Script

Rant on Facebook

yifanlu — Fri, 12 Feb 2010 03:45:26 +0000

Ok, I still don’t really know what to do with this blog, so I’ll try, again, something new.

As a member of the iPhone religion, I don’t use the computer to browse the web often anymore. Today I went on Facebook, and WTF, everything changed. It’s like if you went on vacation for a week and came home to find the furniture rearranged. It’s not bad, but it’s pointless and doesn’t feel like your home anymore. Facebook went and fixed something that wa not broken. Why? Their Twitter-envy.

The downfall of Facebook will be similar to Caesar. Too much ambition. Every move Facebook makes to become more like Twitter results in another percentage of people who gets pissed off. Piss on them enough and they’ll leave. Some things they done: vanity URL, privacy fiasco (suddenly all your data is public), now the new design.

I like Twitter. I like Facebook. I don’t like two Twitters. Twitter is for sharing information with strangers while Facebook is for sharing information with friends. I don’t want to mix the two. Most people join Facebook for the privacy and connection-to-friend. Those same people will leave if Facebook continues to force/trick their users into publicizing their information.

tl;dr? Facebook should concentrate on their own core business and not worry about others. Don’t fix what is not broken, because you’ll only make things worse.

Also, while on the topic of Facebook: Please don’t use the link on the sidebar to my Facebook account if you don’t know me personally. As I said, I only accept requests from people I know. Follow me on Twitter if I don’t know you. If you just want to talk to me, there’s a contact form.

Site Updates + iPhone Support

yifanlu — Fri, 29 Jan 2010 00:09:29 +0000

I finally took some time from my busy schedule and made some changes to the site.

I stopped being cheap and finally bought www.yifanlu.com
Thanks to WPTouch, the site can be viewed on the iPhone & Android with ease
Added a contact form
Made tweaks here and there in the designs, fixed some typos & style errors

Also, quick update: I’m still working on that Facebook app, with all the homework and exams, I barely have any free time, however, here’s some screens on Facebook.

ColdFusion Server 8 XSS Exploit

yifanlu — Mon, 18 Jan 2010 04:28:48 +0000

This is a first (as in my first REAL blog post), I will publish an essay on a exploit I just discovered. First of all, I don’t know if it’s been discovered already, or even patched, or if it’s just on this one host, but I’ll write this to show the process of finding an exploit and exploiting it. Second, a disclaimer: I have and will not use this for anything malicious, and you should not either. The information provided is purely educational and should be used for securing your sites better.

So, a friend of mine is taking a Web Mastering class in school. He showed me the site they use to take lessons, http://www.edulaunch.com/. First of all, I have nothing against the owner of the site, or the contents, but I decided to play around and see if everything’s secure (I don’t know why, habit I guess, first thing I do when I find a new site, is do some penetration tests on it), so far so good, login form escapes data correctly, and no other form data could be found anywhere. Directories are properly secured, hidden files cannot be accessed, no anonymous access to the FTP server. Ok, good, last test, how well the server handles errors, I’ll try to induce a simple 404 error: http://www.edulaunch.com/nothere.cfm, uh-oh, what’s this:

File not found: /nothere.cfm

It seems like the file name is being printed in plain-text. I’ll try something else: /nothere.cfm, just as I suspected, the file name is now bold. Ladies and gentlemen, we have an XSS exploit. The most common security flaw on the internet. After playing around with random URLs, I’ve figured out the following: 1) The filename (in plaintext) will only print if the string contains only Windows-valid filenames, so no colon (:), question mark (?), semicolon (;), etc. 2) The filename prints in plaintext on the title, but is escaped in the paragraph below. 3) There is some security, “exploit” tags such as ’)” />.cfm

We’re done, right? The script has been loaded? Not quite yet, remember, the colon (:) breaks it. And while we’re on the subject of pesky characters, some (and by some, I mean all major) browsers automatically change a double slash (//) to a single one (/). Well, don’t give up yet, say hello to the script kiddie’s best friend, Javascript’s String.fromCharCode() function. This function converts the ASCII code of a character to a string. Colon is 58 and the backslash is 47, so instead of http://, we can do ‘http’+String.fromCharCode(58, 47, 47), using only friendly characters. So, we can now include an external Javascript file with the following URL:

http://www. edulaunch.com/

(Remember to write a new tag when including your external JS if you want to modify the body later). So, now the remote server is loading our script, the rest is easy.

What I did was I took the HTML of the original home page, changed some lines, and encoded it into Javascript. I then used innerHTML to replace the body with my new HTML file.

Original: http://www.edulaunch.com/

Bad Page: http://www.edulaunch.com/…cfm

(Link’s too long, you’re going to have to copy & paste. I can easily use a short-url service to mask the large string, and if the site is HTTPS, then the browser will show a huge green verified site logo)

So, first of all, this isn’t the web master’s fault, it’s the fault of CodeFusion’s developers at Adobe (now), and then again, it really isn’t their fault either. It’s just a simple mistake (showing in plain text a user input), but the point is that simple mistakes can have huge consequences. Again, I don’t know if this exploit works elsewhere, if it’s been patched long time ago, etc, but I know the everyone using CodeFusion from the host http://www.enterhost.com/ are vulnerable.

Again, whoever’s reading this should use this knowledge for good. The most common bug in web sites are XSS exploits. The reason they’re so popular is because web masters often neglect them. They don’t seem to be dangerous because XSS exploits won’t touch the server (unlike SQL exploits where you can delete whole databases), and are usually hard to spot. (Like this one, who would have thought you can exploit a freaking ERROR message?) But XSS is, in fact, very dangerous, if a hacker (or more likely, a script kiddie) use XSS to write a fake login page, and send the link to the site’s users, the user will try to log on, and they would have logged all their passwords. They can send a malformed link through a chat service and steal the user’s current session. They can email a fake page to a site admin, and steal their password. Write your web apps safer, filter out user input, make sure your server software is up-to-date and don’t click on links from strangers!

EDIT: It seems like this is known for a while now: http://www.adobe.com/support/security/bulletins/apsb06-14.html

It’s weird because Adobe states that it’s fixed in ColdFusion 7 while the server that was exploitable used CF8. This shows that you need to apply updates to your software!

Making a Facebook app…

yifanlu — Mon, 04 Jan 2010 03:00:49 +0000

Little to report right now, but basically I’ve started working on a Facebook app to improve my CSS and Javascript/AJAX skills. Right now, it’s still in the early stages and I have nothing to show yet, but I just have to say it looks pretty awesome and clean (like part of Facebook). Smooth ajax transactions, clean UI, and extreme ease of use are my goals. More to report later.

More information in Facebook.

First beta of Josh released

yifanlu — Sat, 07 Nov 2009 04:03:10 +0000

Not much to say, refer to my last post: http://www.yifanlu.co.cc/?p=85

Release Info http://www.yifanlu.com/p.htm?id=josh
Download http://github.com/yifanlu/Josh/downloads

Project Josh announced!

yifanlu — Fri, 06 Nov 2009 01:17:49 +0000

My first Java project. In short, my goal is to map EVERY native Windows console function listed here: http://msdn.microsoft.com/en-us/library/ms682073(VS.85).aspx to Java via a C++ DLL, JNI, and Java. So far, what I have done is: text color/highlight and title. I’ll work on this until I find something better to work on. You can follow development progress via Twitter: https://twitter.com/projectjosh and the source & binary will be released as soon as I can get a stable beta with at least half the functions.

Once this project is finished, you can easily make (Windows only) great console apps via Java. You can do advanced things like text color, background color, mouse events, cursor control, etc directly in the console.

Goodbye Habbo!

yifanlu — Sat, 17 Oct 2009 16:55:58 +0000

I love Habbo and I love retros, but again, it was always “legal unless you got caught”. Well, I got caught, and it wasn’t fun. My advice (although I doubt anyone would take it) is to stop also BEFORE you get caught. Don’t think “ah, there’s 1000 other retros, nobody is going to bother about me”. Making retros was a great experience for me and I learned alot from it, but I guess it’s best for myself if I stop. I’ll move to coding more legal stuff. Maybe a hotel from scratch (client,server,site), or maybe I’ll start making iPhone apps. I don’t know. Retros have been sucking my time away anyways, so, although it was sad, it is a load off of me now.

So now, all my projects related to Habbo and retros are retired and will not be updated any farther. PHPRetro is taken over by 0ni of Otaku, so hopefully it won’t die. I hope I can use my time for other projects that are more useful for the general public.

P.S: I’m also retiring two more projects: IPA Manager because it no longer works as Appulo.us was updated to 2.0. Maybe if I have time, I’ll recode IPA Manager from scratch with the new Appulo.us API. I’m also retiring iGradebook as it is blocked & it is useless now because the gradebook can be accessed from the iPhone.

My first iPhone app (kind-of)

yifanlu — Sun, 19 Apr 2009 15:05:14 +0000

Well, it took two days to coding, but I finally did it. I made an web-app for the iPhone. The reason I decided to do this was to familiarize myself with advanced aspects of PHP, such as classes, curl, and different sorts of weird functions. I created the KGD (KISD Gradebook Disassembler) from scratch in PHP. What it does is logs in to http://pic.katyisd.org/ (where you check grades), and gets to the gradebook page. It parshes the HTML and generates an array of infomation. This array can be sent to other pages for easy creation of stuff based on it. Some other features Idid was cacheing, so it would download the HTML every time, for maximum speed. It also requires NO connection to any database, so it’s very portable and expendable. It may also be one of the cleanest code I’ve ever written and the first one at is object-oriented (to train myself before I get to iPhone SDK programming). The first thing I did is iGradebook. It is a cool app with an slick UI that allows you to check your grades on the iPhone. Some other things I’m looking into with the KGD core is maybe writing a desktop alert app or an Facebook plugin. If you would like to try it, check out the projects page. Look forward to the KGD core being released under GNU when I’m done. (Oh yea, this only works for KISD students, as that’s the only place I have access to grades)

What I’m working on

yifanlu — Sat, 04 Apr 2009 03:59:00 +0000

Ok, here’s an update. I’ve been busy recoding HoloCMS. It is so far 90% faster, and has much less redundent code. It’ll take a while until I’m done so, follow http://twitter.com/holocms to see the progress.