Wednesday, April 23, 2008

Proxy through Google, the best HTTP Proxy

A few days ago I mentioned how to create a bookmark that will translate any webpage to English using Google Translator. Probably not so evident, is that the google translator is the best HTTP proxy available on the web. So just as you would translate a page with google, you can use it as your HTTP proxy.

Create a bookmark by right clicking on the bookmarks toolbar in Firefox

  • Choose New Bookmark
  • For the Name field fill in what you want, like translator or proxy
  • For the Location field fill in:
    javascript:location='http://google.com/translate_c?u='+location
    

Now when ever you want to proxy a website or page through google just click on your bookmark.

If the website is already in English, then for the Location you will want something like:

javascript:location='http://google.com/translate_c?langpair=fr|en&u='+location
Which tells google to translate from French to English as it will not want to translate from English to English.

Thursday, April 17, 2008

Secure Joomla file permissions - Linux with Apache

Joomla allows web based installation of extensions, because of this, on most Joomla setups I've looked at, the method of allowing PHP to install the Joomla extensions is to allow global write access (chmod 777) to the Joomla installation directories. This is not a secure way of managing a Joomla site.

A secure website should not have any folders or files with global write access, especially on shared servers, yet on 90% of Joomla websites I've looked at, this is the case.

An example is when you install community builder, probably the most used Joomla 3rd party extension. If Community Builder tries to write to the /images folder but fails to do so during installation, it will spit out, "You must chmod 777 your images folder", I forget the exact sentence.

So why do you open up global write access? The reason is that your ftp or shell account user is different from the PHP user. When PHP executes, it executes under a certain user, by default the Apache user which can be "apache" or "www-data" or something else depending on the Apache settings. So if a you have a folder that has permissions 0755, and is owned by "joe", apache cannot write to this folder because it has insufficient permissions.

Ways of enabling PHP to write to Joomla installation folders

  1. Change folder permission to 0777
  2. 0755 permissions, change owner to www-data and group to users
  3. 0755 permissions, change file group to apache group

In which cases would you use each permission setting?

Change folder permission to 0777

chmod 0777 path/to/folder
If you are on a shared server, then your only choice is (1) to chmod the folders to 0777. Only the root user can chown folders and files. Since most hosting accounts are on shared servers, the majority of Joomla sites (and other CMSs) will have installation folders with 0777 perms.

0755 permissions, change owner to www-data and group to users

chown www-data:users path/to/folder
This is probably the most recommended setting. This allows Apache to read and write from the folder since it is the owner of the folder, yet also allows users in the group "users" to write to the folder. Thefore, if your FTP users are under the group "users" they will be able to update files, while the Joomla installer will be able to install and update components.

0755 permissions, change file group to apache group

chown joe:www-data path/to/folder
This isn't the normally recommended way, but it is what I normally do. This permission setting allows only the user "joe" to write to the folder and not every other user. It also allows apache to write to the folder. So only joe can ftp into this folder and write as opposed to method (1) where any user in the group "user" can write to the folder via ftp. (this doesn't prevent anyone from using apache to write to that folder however).

How to install Joomla extensions on a shared server without giving global write access

  1. Install Extensions Manually via FTP and MySQL Queries
  2. Chmod 0777 only for the installation period, then chmod back to 0755

Install Extensions Manually via FTP and MySQL Queries

This allows you to install the extension, but if the extension wants to write to a folder later, you still have the permission problem since the folder is owned by your FTP user. However, it is good to know how to do this, since it can be a method if combined with other methods. If you have shell access this is easier. See my post on remotely installing Joomla, and use this for extensions. For the mysql portion, you need to retrieve the mysql queries from extensions XML install file and run those queries against your Joomla database. Then you also have to manually add the entry in the extension table, whether the components, modules or mambot table for that extension.

Chmod 0777 only for the installation period, then chmod back to 0755

I've written a PHP Shell script for this that you can run in the command line if you have Shell access to your server.

#!/usr/bin/php
<?php

// joomla extension folders, add more folders here if you need.
$folders = array(
 'media',
 'components',
 'modules',
 'templates',
 'mambots',
 'administrator/templates', 
 'administrator/components',
 'administrator/modules',
 'images',
 'images/stories'
);

// get Joomla directory
fputs(STDOUT, "Please enter the path to the Joomla directory: ");
$jpath = trim(fgets(STDIN));
// check for ending slash
if ($jpath[strlen($jpath)-1] != '/') {
 $jpath .= '/';
}
// make sure path exists
if (!is_dir($jpath)) {
 fputs(STDOUT, "$jpath is not a valid joomla directory");
 return 1;
} else {
 // check for each folder
 foreach($folders as $folder) {
  if (!is_dir($jpath.$folder)) {
   fputs(STDOUT, "Error: A required Joomla folder $jpath$folder was not found. \n");
   return 1;
  }
 }
}

fputs(STDOUT, "Joomla directory set to: $jpath \n");

// allow global write access on joomla extensions folders
foreach($folders as $folder) {
 fputs(STDOUT, "Unsecuring: $jpath$folder \n");
 if (!chmod($jpath.$folder, 0777)) {
  fputs(STDOUT, "Error: Could not change permissions on $jpath$folder. Please chmod 0777 $jpath$folder manually. \n");
 }
}

fputs(STDOUT, "Joomla directories are ready for writing. You can install your extension \n");
fputs(STDOUT, "Press any key when you complete your installation to secure Joomla again... \n");
$enter = trim(fgets(STDIN));

// remove global write access on joomla extensions folders
foreach($folders as $folder) {
 fputs(STDOUT, "Securing: $jpath$folder \n");
 if (!chmod($jpath.$folder, 0755)) {
  fputs(STDOUT, "Error: Could not change permissions on $jpath$folder. Please chmod 0755 $jpath$folder manually to secure.\n");
 }
}
fputs(STDOUT, "Joomla install directories secured. \n");

return 0;

?>
To run it, save it to a location on your joomla server, name it something like joomla_exts.php and invoke it in the shell with:
./joomla_exts.php
The script will prompt you for the Joomla folder, then it will chmod each installation directory to 0777, and tell you to make the component install. So you just install the component in the Joomla web based installer. After installation, just hit enter in the shell script to secure the Joomla installation directory again. This works better then that above method, since all folders will be 0755 after installing the component, but the folders created by the component will be owned by the apache user, allowing the component to write to them. Make sure you don't leave this script in the web root. Keep it under the web root, or delete it after use.

If you're totally lost, here is a bit on file permissions in Linux. Here is a very good article on setting up Apache including file permissions and virtual hosts.

Tuesday, April 15, 2008

Create a Google Translator Bookmark in Firefox

I wanted a way to quickly translate any web page in any language to English with a single click of a button. I use Firefox as my main browser, but I'd assume you can do this in IE and other browsers also.

  1. Right-click on the Firefox Bookmarks Pane and choose "New bookmark".
  2. In the Name field, fill in: Translate.
  3. In the Location field fill in:
    javascript:window.location='http://www.google.com/translate_c?u='+window.location
    

Now when ever you're on a page that isn't in English, just click on the "Translate" bookmark and the page will be translated for you.

How it works is that in the Location field you can place JavaScript using the URL pseudo JavaScript protocol. A URL has about 5 main parts:

http://www.example.com/path/?query=abc&query2=xyz#bookmark
  1. http:// - This is the Protocol
  2. www.example.com - The domain
  3. /path/ - The path to the page on the domain
  4. ?query=abc&query2=xyz - The query (an associative list of parameters and values)
  5. #bookmark - The bookmark (a link to a part of a page)
If you were to replace the Protocol portion of the URL with javascript: then the browser will interpret everything after the protocol portion as JavaScript code to execute.

The JavaScript we execute is:

window.location='http://www.google.com/translate_c?u='+window.location
The JavaScript executes in the scope of the current document, so window.location will refer to the current URL. (or window.location.href if you want to be specific, window.location probably has a toString() method that returns this.href).

So when clicked the bookmark executes the JavaScript code that instructs the window to go to the Google Translate page and appends teh current URL as the parameter value for u, which is the URL to translate.

I did a search and found this Extension for Firefox also: https://addons.mozilla.org/en-US/firefox/addon/918. It allows you to translate the selected text inside a web page with Google Translator. We could also do the same with our bookmark method, but since there is an extension for it, lets just leave it at that. Enjoy.

Friday, April 11, 2008

Google could be keeping track of the time you spend online through Firefox

Firefox seems to be giving Google some pretty revealing information in regular updates, even when you're not visiting Google.

Opening up Wireshark (formely Ethereal) and examining network traffic going through my machine I've noticed time and time again, HTTP requests to Google even when Firefox is sitting idle. I attributed this to having Gmail open, thinking it must be one of those Javascript Remoting calls or XMLHttpRequests going on in the background.

Today I noticed it again, and realized that I only had a page on my local web server open. It definitely could not be sending HTTP requests to Google.

Filtering out just the single TCP request revealed this:

GET /safebrowsing/update?client=navclient-auto-ffox&appver=2.0.0.13&version=goog-white-domain:1:30,goog-white-url:1:371,goog-black-url:1:20001,goog-black-enchash:1:48465 HTTP/1.1
Host: sb.google.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: SID=<snip>; MPRF=<snip>; NID=9=<snip>; PREF=ID=<snip>:TM=<snip>:LM=<snip>:DV=<snip>:GM=<snip>:IG=<snip>:S=<snip>; rememberme=<snip>
Cache-Control: max-age=0

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Cache-Control: public,max-age=600
Content-Encoding: gzip
Server: TrustRank Frontend
Content-Length: 2766
Date: Thu, 10 Apr 2008 15:19:52 GMT

..........MW...H.]....G.B...R-.$..1.
.Z%&.........%u.X.....q...>...+.....5I.
..........4...}S.
0...Y"sPV..e..."...x...9.n..Xq..v..<.. G..^..)..i.?.=.o. <snip>

What happens is every now and then, Firefox Polls Google with a HTTP Request for updates on phishing sites, which is really nice. Google probably has the largest database on phishing sites, and it is nice that they are "helping" us out by keeping our Firefox browser updated on the latest phishing sites being found in its extensive indexes.

Now if we look at the HTTP request, nothing fancy, just the HTTP request headers, HTTP Response with Gzip encoded body. (If you decode the Gzip encoded body it is easier to see its data on the latest Phishing sites - the GET URI suggest that too.

The fun part is in the Cookies:

Cookie: SID=<snip>; MPRF=<snip>; NID=9=<snip>; PREF=ID=<snip>:TM=<snip>:LM=<snip>:DV=<snip>:GM=<snip>:IG=<snip>:S=<snip>; rememberme=<snip>
I've snipped the actual values of course. The SID we can safely assume is the google Application level session id due to its characteristics including its name, size of the hash etc. among others. What bugs me is that this SID ties this HTTP request to my Information in their database, my name, address, bank account etc. etc. The ID Cookie most likely holds non-authenticated session ID (one of those will). You can think of it as everything you have done on *.google.com, and now even when you're not on google, until you delete the cookies.

Note: the cookies aren't valid only on the host: sb.google.com, they are valid on google.com also as they are sent to .google.com. Which means any of the domains *.google.com will trigger Firefox to send the cookies. The cookies are set similar to below:

PREF=ID=<snip>:TM=<snip>:LM=<snip>:S=<snip>; expires=Sat, 10-Apr-2010 17:22:38 GMT; path=/; domain=.google.com
Notice when the cookies expire, in 2 years from now. So if you never delete your cookies, your activity is tracked for the next 2 years directly with these cookies.

With all of that said, let me stress that I'm not trying to sound any conspiracy theories here. It may very well be some technical limitation or a simple oversight. After all, Google already knows what you search for, what and who you e-mail, who you chat with and what you chat about, who you socialize with, what your social life looks like, what files are stored on your computer, what documents and spreadsheets you work on, what you blog about, what pictures you share, what you shop for, what newsgroups you read, what current events you keep up with, how you run your website, what stocks you monitor, what books you like to read, and, of course, what newsfeeds you read.
A similar find, Is Firefox/Google Spying on Your News Feeds? (Update), notes that at the time of the writing of that article, 2006, the cookies were being kept till 2038, nice...

Now why would google need to know all this just to update Firefox with phishing site information? I tried to think of a possible reasoning for this, but just couldn't. The closest I could think of is if Google could tell in advance using your SID what phishing sites you would most likely visit, only send the needed ones to Firefox. Whooowee.... if they could do that, then they definitely know too much.

There is no valid reason to send your SID, PREF, ID, and other information to Google just to update Firefox with phishing information. The HTTP request is initiated by Firefox, not the user. The update does not have anything to do with the users Google account or the Google Session.

Now in addition to everything else they know about you and me, they have Firefox updating them even when you're not on Google. Letting Google know when you're online. Now I'm a bit of a night owl, I don't want Google to know that... opps too late.

Lets hope this bug gets fixed soon...