
Developer Blog

My rambles, thoughts, and developments, for everything to do with web development


Here you can find information on projects that I have worked on, complexities and solutions to problems I have faced, beneficial information like tips n' tricks that I find fit, and anything else that is remotely related.

For anything b2evo related, check here.

29/03/08

07:33:58 pm   Balupton.com | Upcoming   English (AU)

Categories: Upcoming, Personal, 23 words

I’ve done up the base of my new site here: http://www.balupton.com/home/

Feel free to leave any feedback you can.


05/03/08

05:51:34 pm   WebCT 4.x Javascript Session Stealer Exploits   English (AU)

Categories: Documents, 214 words

WebCT 4.x Javascript Session Stealer Exploits

Software: WebCT Campus Edition 4.x (http://secunia.com/product/3280/)
Affected Version: 4.1.5.8
Discoverer: Benjamin “balupton” Lupton
Date Discovered: November 2005
Date Reported: 25/06/2007
Software Author Contacted (again) on: 20/07/2007
Date Published: 05/03/2008

Published At:
http://www.balupton.com/blogs/dev?title=webct_session_stealer_exploit
http://www.balupton.com/documents/webct_exploits.txt
http://seclists.org/fulldisclosure/2008/Mar/0051.html
http://www.securityfocus.com/bid/28107/info
http://secwatch.org/advisories/1020585/
http://secunia.com/advisories/29227/

Attack Type:
Javascript Session Stealer Exploit.

Description:
Mail & Discussion Board messages are not properly checked for javascript, allowing javascript to perform a session stealing attack (allowing the attacker to be logged in as the victim).

Tested On:
Attacks were tested fully on eCentral TAFE’s WebCT System in November 2005 (with permission of staff),
and again on Curtin University’s WebCT System in June 2006 (but this time only to see if the javascript will run).

Action Taken:
Contacted TAFE lecturers and administrators, who didn’t really care.
Contacted WestOne multiple times, but never received any response.
Then contacted Secunia, which would not publish as the discoverer did not own their own copy of the software in question.
Published as WebCT is being phased out, with Blackboard being the replacement.

Steps:

Read the full report here: http://www.balupton.com/documents/webct_exploits.txt
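Added example, not code from WebCT or from the advisory: the kind of output sink the description above refers to (sender-controlled message text concatenated straight into the page) next to its hardened form, plus a moderation-side check for auditing a message store. The message fields are constructed samples.

```javascript
// Added example, not code from WebCT or from the advisory: the sink the
// advisory describes (message text concatenated into the page) next to the
// hardened form, plus a moderation-side check. Messages here are constructed samples.

// Escape the five characters that let text break out of an HTML text node or attribute.
const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" })[c]);

// Vulnerable pattern: sender-controlled fields go straight into markup, so any
// tag in a mail or discussion-board post is interpreted by the reader's browser.
function renderMessageUnsafe(msg) {
  return '<div class="msg"><b>' + msg.from + "</b>: " + msg.body + "</div>";
}

// Hardened pattern: every untrusted field is escaped at the point of output.
// (The session cookie should also carry HttpOnly so page script cannot read it;
// that is a server-side cookie setting and is not shown here.)
function renderMessageSafe(msg) {
  return '<div class="msg"><b>' + escapeHtml(msg.from) + "</b>: " + escapeHtml(msg.body) + "</div>";
}

// Moderation check: flag stored messages that carry script-bearing constructs,
// useful for auditing an existing message store. This is a heuristic for review,
// not a filter; the output escaping above is the actual control.
function looksLikeScript(body) {
  return /<\s*script\b|javascript\s*:|\bon\w+\s*=/i.test(body);
}

// Constructed sample post used by the demo.
const samplePost = { from: "student <b>", body: "hello <script>probe()</script>" };

function demo() {
  return {
    unsafe: renderMessageUnsafe(samplePost),
    safe: renderMessageSafe(samplePost),
    flagged: looksLikeScript(samplePost.body),
  };
}
```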


16/02/08

02:52:19 am   Templating System Concepts (the evolution)   English (AU)

Categories: Projects, Ramble, Open, 249 words

Templating Systems are extremely important in web development. They allow us to manage our designs to make them more usable for the user, and more efficient for developers and designers to work with.

Recent developments such as Jaxer (AJAX Server) will allow us to take this to the next evolutionary step. Refer to my previous post Jaxer, the silver bullet for more information on Jaxer and Templating.

I have published a “report” that I have been working on the past few weeks, that details and provides examples of the evolutionary steps of templating systems.

Here are the levels that are included in the report:
Level 0 - Static
Level 1 - Includes
Level 1 - Conditional
Level 2 - Shortcuts
Level 3 - Population
Level 4.0 - Separation
Level 4.1 - Separation (Defaults)
Level 4.2 - Separation (Mixture)
Level 5 - Dedicated Solutions (Templating Engine)
Level 6 - Client Side Templating (Not Fully Functional)
Level 7 - Dual Side Templating (Separate Installations) (Not Fully Functional)
Level 8 - Dual Side Templating (Single Installation) (Not Fully Functional)

Templating Engines Used:
Smarty and JSmarty.

To view and download the report visit here:
http://www.balupton.com/sandbox/templates/

Thanks.

Note (16/02/2008):
Unfortunately, JSmarty is still not in a position to be usable, hence the “Not Fully Functional” notices. Hopefully this project will gain more attention and reach that stage. But for the purpose of showing a concept, it still works well.

Update (17/02/2008):
I decided to make my own javascript Smarty template engine; you can check out its progress here:
Balupton’s jQuery Smarty Plugin


12/02/08

06:19:07 pm   Jaxer, the silver bullet   English (AU)

Categories: Ramble, 388 words

Jaxer, the world’s first AJAX server, is what I believe is the silver bullet to the epic battle of web development technologies.

Jaxer allows you to run javascript server-side, client-side, and both. It provides database interfaces among other things. But the kicker is that because it is javascript, you can modify the DOM server side before sending it to the client.

This means that templating systems can finally move into the web 2.0 scene. A template system is a way to split design up into something more manageable, the most basic example being html files, then moving to php includes, then a dedicated solution like Smarty.

JSmarty is a project currently underway that is trying to bring Smarty client side, so there can be a universal server and client side templating system. Although it has its problems (still being in early development), you still face having different implementations of the same templating system (Smarty + JSmarty).

With Jaxer, you have the ability to use just one. So use JSmarty server and client side, instead of using Smarty on the server. The benefits of this are huge, as there is a single templating system, so one thing that needs to be managed, developed, and used.

Now the benefit of bringing templating systems to client side is that it enables true web 2.0 solutions. So instead of AJAX returning populated HTML to be used as output, it will fetch the data in JSON and then populate the HTML template to be used as output.

Now why would we want to do this? Way less overhead. Say for a table with 100 rows per page, you can fetch a JSON object containing all the row data, and a single row template. Then populate the row template 100 times for each piece of row data.
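The row-template pattern in the paragraph above, as an added example in plain JavaScript (not Jaxer, Smarty or JSmarty code): one row template, a JSON array of row data, and one populated copy per row. The {$field} placeholder syntax is borrowed from Smarty, and the JSON rows are a constructed sample.

```javascript
// Added example (not Jaxer, Smarty or JSmarty code): the "fetch JSON, populate one
// row template N times" pattern. {$field} placeholders mimic Smarty syntax; the
// JSON below is a constructed stand-in for what the AJAX call would return.

// Escape values as they are substituted so data from the server cannot inject markup.
const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" })[c]);

// Populate the template once: each {$field} becomes the escaped value of row[field].
// A field missing from the row renders as an empty string rather than leaking the placeholder.
function populate(template, row) {
  return template.replace(/\{\$(\w+)\}/g, (_, field) =>
    field in row ? escapeHtml(row[field]) : "");
}

// Render the whole table body: one template, N rows of data, N populated copies.
function renderRows(rowTemplate, rows) {
  return rows.map((row) => populate(rowTemplate, row)).join("\n");
}

// Constructed sample: the JSON payload and the single row template.
const sampleJson = JSON.stringify([
  { id: 1, name: "Alice", email: "alice@example.com" },
  { id: 2, name: "Bob <admin>", email: "bob@example.com" },
  { id: 3, name: "Carol" },
]);
const rowTemplate = "<tr><td>{$id}</td><td>{$name}</td><td>{$email}</td></tr>";

// Returns the populated rows; the page would insert this into an existing <tbody>.
function demo() {
  return renderRows(rowTemplate, JSON.parse(sampleJson));
}
```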

I will be publishing a report soon enough that will detail the evolution of template systems, and show where Jaxer fits into this.

Update (16/02/2008):
Michael Mahemoff has made a post on Dual-Side Templating, so it is great that I am not the only one believing in this silver bullet.

Update (16/02/2008):
I have published a “report” that I have been working on the past few weeks, that details and provides examples of the evolutionary steps of templating systems. Read about it here:
http://www.balupton.com/blogs/dev?title=templating_system_concepts


03/12/07

10:51:35 pm   jQuery Lightbox Plugin   English (AU)

Categories: Released, Open, 145 words

Lightboxes are a way to display an image elegantly on the same page.

Features:

Take a look at the demo site http://www.balupton.com/sandbox/jquery_lightbox/ to see it in action, as well as examples of its usage.

Based upon Lokesh Dhakar’s Lightbox 2: http://www.huddletogether.com/projects/lightbox2/

Grab it here.



powered by b2evolution free blog software