Fixing “full path disclosure” issues

Whether you’re running a web service or a blog, you should always keep your software fully patched to prevent attacks and minimize your attack surface. Another smart step is to prevent full path disclosures. For example, if your blog or service throws an error like

“Warning: require(ABSPATHwp-includes/load.php) [function.require]: failed to open stream: No such file or directory in /home/horace/public_html/wp-settings.php on line 21”

then by noting the full pathname from that error, an attacker could reasonably infer that your username is “horace” and use that to try to guess your password. It’s not the end of the world if your attacker has that information, but why not make an attack as hard as possible?

For WordPress, here’s a couple ways to prevent full path disclosure vulnerabilities:
– In a php.ini file, you can add a line like “display_errors = off” (without the quotes).
– In an .htaccess file, you can add a line that says “php_flag display_errors off” (without the quotes).

It sounds like the php.ini approach might be slightly better, because some web hosts run PHP in CGI mode which might not allow php_flag or php_value directives in .htaccess files.

After you’ve made this change, PHP errors shouldn’t be shown to web clients. If you’re developing live code on a PHP installation, that can make debugging slightly less easy. But if you’re running (say) a blog, it’s probably better to turn off display errors for a little extra protection against attacking hackers.
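
To check your own pages for this kind of leak, here is an added example (not from the original post): a small Python scanner that looks for PHP's default error format in a response body and reports any absolute path it exposes, plus the account name when the path sits under a home directory. The function name, the sample responses, and the /home and /Users layouts are assumptions made for the illustration.

```python
import html
import re

# PHP's default error format: "<Level>: <message> in <file> on line <N>".
PHP_ERROR_RE = re.compile(
    r"(?P<level>Fatal error|Parse error|Warning|Notice|Deprecated)"
    r":\s+(?P<message>[^\n]*?)\s+in\s+"
    r"(?P<path>(?:/|[A-Za-z]:\\)\S+)\s+on line\s+(?P<line>\d+)"
)
# Home-directory layouts that reveal an account name (assumed common layouts).
HOME_USER_RE = re.compile(r"^/(?:home|Users)/([^/]+)/")
TAG_RE = re.compile(r"<[^>]+>")


def find_path_disclosures(body):
    """Return one finding per PHP error in `body` that exposes an absolute path."""
    # With html_errors enabled PHP wraps the level, path and line in <b> tags,
    # so strip markup and decode entities before matching.
    text = html.unescape(TAG_RE.sub("", body))
    findings = []
    for m in PHP_ERROR_RE.finditer(text):
        user = HOME_USER_RE.match(m.group("path"))
        findings.append({
            "level": m.group("level"),
            "path": m.group("path"),
            "line": int(m.group("line")),
            "user": user.group(1) if user else None,
        })
    return findings


# Constructed sample responses; the first reuses the error quoted in the post.
PLAIN = ("Warning: require(ABSPATHwp-includes/load.php) [function.require]: "
         "failed to open stream: No such file or directory in "
         "/home/horace/public_html/wp-settings.php on line 21")
HTML = ("<br />\n<b>Warning</b>:  require(ABSPATHwp-includes/load.php) "
        "[<a href='function.require'>function.require</a>]: failed to open "
        "stream: No such file or directory in "
        "<b>/home/horace/public_html/wp-settings.php</b> on line <b>21</b><br />")
CLEAN = "<html><body><h1>My blog</h1><p>Warning: long post ahead.</p></body></html>"

if __name__ == "__main__":
    for name, body in (("plain", PLAIN), ("html", HTML), ("clean", CLEAN)):
        print(name, find_path_disclosures(body))
```

Run it against saved copies of your own pages before and after turning display_errors off; once the setting has taken effect, the list of findings should be empty.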

Hack your iPhone: install a toolchain

This “hairball” post is ancient and unfinished. Would anyone care about this now? Probably not. Maybe some future data archaeologist will care.

In my previous post I covered what a toolchain is and why you need one to cross-compile applications for the iPhone.

I’ve seen rumors that there will be a Windows toolchain soon, and in theory you can create an iPhone toolchain on older Apple computers with PowerPC chips, but most of the iPhone development these days seems to favor the newer Intel-based Apple computers.

One of the best resources for all iPhone related info is the iPhone dev wiki at http://iphone.fiveforty.net/wiki/index.php/Main_Page (unlinked because the wiki maintainers aren’t sure that they can handle lots of visitors and request that people not link directly). The toolchain page at http://iphone.fiveforty.net/wiki/index.php?title=Toolchain_Project has a lot of details, and the talk page (look for the link labeled “discussion”) gives even more background. But those pages are really terse.

Here’s a little more background info, and I’ll include some additional links at the end.

Getting gcc

Did you know that recent Apple computers (and even the iPhone) ship with a solid UNIX-based kernel? You might have heard that. Something I didn’t know is that Apple computers don’t ship with a compiler such as gcc pre-installed. It should be on the DVD that came with your computer; Apple calls its developer tools Xcode, and Xcode includes gcc.

You can also download Xcode/gcc from the web. Visit http://connect.apple.com/ and sign up for a (free) developer account. After you sign up, the “Downloads” link will become clickable. Click that, then click the “Developer Tools” link. I downloaded Xcode 2.4.1, although there is a beta of Xcode 2.5 available as of today. The download is a DMG file, which stands for “Disk Image.” Double-clicking on the .dmg file will mount the disk image and open a file folder that includes the file “XcodeTools.mpkg” and if you double-click on that package, you’ll get a window that guides you through the installation of Xcode Tools. When you’re done, you can type “which gcc” in a Terminal window and you’ll see that gcc is installed.

Downloading toolchain code

Are you tired yet? Then you might want to take a break, because things are just getting started. For example, the first thing you’ll read on the wiki toolchain page is:

To use the new toolchain, check out the latest branch (as of this writing, 0.20):

svn checkout svn://svn.berlios.de/iphone-binutils/branches/alpha/0.20/

And you might be thinking “What the heck is svn?” It’s a program called Subversion, and it lets you check out source code across the web. Here’s a page about how to install Subversion on a Mac. The short answer is that there’s a couple ways. First, you can install a program called Fink that in turn helps you install more UNIX-related programs such as Subversion. Or you can download a Disk Image file, click the .dmg file, and install svn directly.

Getting Libstreams

The next thing to do on the iPhone dev wiki page says

Download libstreams from Apple’s web site, compile it, and install it.

And I’m thinking “Could they get any more terse?” Plus the dev wiki is locked down to prevent wiki vandalism, so only a few people can edit that wiki. Thanks a lot, wiki spammers, you jerks. Now everybody has to interpret terse instructions on their own and can’t update the wiki with more detailed instructions.

To get/install Libstreams, it looks like you can fetch the correct source (PowerPC/PPC or Intel/x86) from
http://publicsource.apple.com/darwinsource/10.4.9.x86/Libstreams-24.1/ or
http://publicsource.apple.com/darwinsource/10.4.9.ppc/Libstreams-24.1/

You’ll have to log in with an Apple ID. Once you log in, you see about 20 files. Download each one in turn into a single directory, and make sure that you save the files as raw files, not HTML. Do that by mousing over a file, control-clicking on the filename, selecting “Save Link As…” and making sure to change the “Format:” drop-down selector from “HyperText” to “All Files.”

Once you have all the libstreams files in one directory, open a Terminal window, cd into that directory, and type “make” to make the libstreams.a library. Then type “sudo make install” to install the library into the right location on your Apple computer.

Are you still with me? Because we’re really just getting started. Next the wiki says

Get a copy of the iPhone system software, and set the environment variable HEAVENLY to its location (export HEAVENLY=/path/to/iphone/software).

Unless you’re a real geek, you’re probably thinking “What the @#$% does that even mean?” Well, review my toolchain and cross-compiling post. In order to build a proper toolchain, we need some of the software that is only found on the iPhone (header files? libraries? I’m not 100% sure). Since we’re cross-compiling on (say) an Apple computer, that means that we need iPhone software on our Apple desktop machine. That’s a little bit of a problem. In theory, you could copy your iPhone’s filesystem to your computer. There’s even a program called Toolchain Helper mentioned at http://iphone.fiveforty.net/wiki/index.php/Toolchain_Helper that does that. But Toolchain Helper doesn’t run on a pristine iPhone; you need to “jailbreak” your iPhone first. You can also run AppTapp/Installer.app to let you install the Toolchain Helper.

There is another way to get the iPhone software onto your computer. Apple provides the disk image (DMG) file for iPhone software. Woohoo! Except that it’s encrypted. Bleah. But someone figured out how to decrypt the software! Woohoo! Except that some people worry that decrypting the software might be a violation of the Digital Millennium Copyright Act (DMCA). Bleah. But lots of people believe that reverse-engineering software for the purposes of interoperability is legal! Woohoo! And the DMCA contains an explicit exemption for unlocking cell phones in some circumstances. Woohoo! If you’re at all nervous about decrypting a DMG file, then don’t. Consult with your local lawyer to see what your comfort level is.

The best instructions I’ve seen to extract the iPhone DMG contents are Landon Fuller’s post. He has a link to some modified source code to a program called vfdecrypt, but for some reason when I compiled vfdecrypt it wouldn’t work for me on the DMG file. There’s a precompiled vfdecrypt file to be found at http://ellkro.jot.com/HowToBuildObjCApps inside of the phonedmg12.tar.gz file on that page.

And that, sadly, is as far as I’ve gotten so far. I haven’t managed to compile a working toolchain myself yet. I’m using an older PowerPC Mac, and trying to compile things caused errors for me. I enjoyed playing around with toolchains for a day, but I don’t have much more time to invest in this. It’s clear that building a toolchain is still not for the weak of heart. On the bright side, once you have a working toolchain, it looks like there are a ton of cool applications you could write.
