Kill the session
I was sitting at my desk when one of the teaching directors came in and said, “We have a huge problem!” I asked her what the problem was. Here are the main points:
So, the problem boiled down to the fact that the parent could open the file and be able to see every kid’s personal information. The information available included SSN, home address and parent contact information. I asked for a copy of the file so she went back to her office and forwarded the email to me.
I opened the file and verified that I could see information for several students. The good news is that it was only for the students at one particular school. Since the site opened on my computer and I had never logged on to the site before, I figured that the web site used sessions to maintain logins. I looked at the source code of the file and couldn’t believe it. The session URL was actually embedded in the code. That means that if they clicked a link to go out to another site, say Google, then the referral URL would have the session information as well.
I told the director to call the teacher and have her log off the site. She did that but the file still opened the site. It turned out that the teacher had closed IE without logging off the site the first time. A new session ID was given to her when she logged back on to the site so logging off did nothing to the original session.
Fifteen minutes had passed since the email went out. The director was panicking because she was afraid the parent may have already opened the file. That could mean a lot of trouble for the school system. I opened the file again and noticed that it flashed a timer in the status bar showing that it would auto-log off after 60 minutes. Sixty minutes was too long to wait for the session to automatically close.
I looked on the page for a logout button to kill the open session. I couldn’t find a logout button on the first couple of pages I checked. How could they not have a logout button on every page? I called the director and asked where the logout button was. She told me how to get to it (four clicks?!) and I clicked it. That worked because now, every time the page was opened, I received an error stating that the page was invalid as my session had expired.
I called the director and had her try it. She said, “It’s still working! It asked for my password.” She had opened the page using a shortcut from the IE favorites menu. I told her to try the page that was emailed. When she did that, she said, “Oh thank you, thank you, thank you! How did you fix it?” I told her that I just clicked the logoff button on the page and that killed the session.
The sad part is that the program is used by several school systems so there’s no telling how many other teachers made the same mistake. I don’t see why they embed the session information in the web page instead of using a cookie to store the session information.
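As an added illustration (constructed here, not the school system’s code and not from the original post), the model below walks through the sequence described above: a login mints a session id, closing the browser changes nothing server-side, logging in again does not revoke the old id, and only an explicit logoff or the idle timeout kills it. The in-memory store, the `session` query parameter name and the 60-minute timeout are assumptions that mirror the post.

```python
"""In-memory model of the session handling the post describes (constructed
example, not the school system's code; parameter name 'session' is assumed)."""
import secrets
import time
from urllib.parse import parse_qs, urlparse

IDLE_TIMEOUT = 60 * 60  # the status-bar timer in the post counted down 60 minutes


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock           # injectable so a test can fast-forward time
        self._sessions = {}           # session id -> {"user": ..., "last_seen": ...}

    def login(self, user):
        # Each login mints a fresh id; existing ids for the user are untouched,
        # which is why the teacher logging off her new session changed nothing.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def is_valid(self, sid):
        entry = self._sessions.get(sid)
        if entry is None:
            return False
        if self._clock() - entry["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]   # idle timeout finally kills it
            return False
        entry["last_seen"] = self._clock()
        return True

    def logout(self, sid):
        self._sessions.pop(sid, None)   # server-side revocation of one id

    def logout_all(self, user):
        # Safer logout: revoke every session of the user, not only the current one.
        for sid in [s for s, e in self._sessions.items() if e["user"] == user]:
            del self._sessions[sid]


def session_id_from_url(url):
    """Pull the id out of a URL like the one embedded in the saved page."""
    return parse_qs(urlparse(url).query).get("session", [None])[0]


def replay_incident(store):
    """Post's sequence; returns validity of the leaked id before and after logoff."""
    first = store.login("teacher")                 # id embedded in the saved page
    leaked_url = f"https://portal.example/class?session={first}"
    store.logout(store.login("teacher"))           # closes IE, logs in again, logs off
    after_teacher = store.is_valid(session_id_from_url(leaked_url))
    store.logout(session_id_from_url(leaked_url))  # logoff clicked from the saved page
    return after_teacher, store.is_valid(first)
```

`logout_all` is the mitigation the post implies: if logging off revoked every session of the user, the teacher’s second logoff would have closed the leaked one too.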
Idealism is what precedes experience; cynicism is what follows. - David T. Wolf
20.Dec.07
Security
Comments (2)
Out of this world AV
No matter if it’s a utility or a game, I’m always on the lookout for software that is free and reliable. Rollie Hawk pointed me to a new antivirus program that has become a staple on my home PCs. The program is called Moon Secure AV.
Moon Secure AV, in a nutshell, is ClamAV with a user-friendly GUI. The GUI isn’t pretty like more mature AVs such as AVG and Norton. Think along the lines of the nerdy girl in school versus the prom queen. It’s not the prettiest but it gets the job done. Screenshots can be found here.
Here are the things that I like about MSAV:
What didn’t I like?
I recommend MSAV and look forward to seeing it develop, just like the nerdy girl from high school.
Coming together is a beginning. Keeping together is progress. Working together is success. - Henry Ford
21.Nov.07
Security, Software
Comments (4)
Any kinks in the system?
I finally updated WordPress to version 2.3. The theme I’m using had some issues after the update but I think I’ve fixed them all. The main problem occurred on the single post pages. No matter how many comments were attached to the post, only the first comment showed up. All comments were visible if viewed on the main page using the AJAX comment link (show/hide comment). I used the comments.php code from a WP 2.3 compatible theme and that fixed the problem.
The only other issue I had during the upgrade was caused by me forgetting to disable all the plugins. A couple of the ones I had aren’t compatible with WP 2.3. When I tried to upgrade the install, all I would get was a white screen. I had a current backup of the files so I deleted all of the plugins. That allowed me to finish the upgrade and test each plugin individually.
Thanks to this article, I was able to do a simple modification to the Magellan theme so it would support tags. There is still some tweaking left to do so let me know if you come across any errors.
The only difference between a rut and a grave is their dimensions. - Ellen Glasgow
11.Oct.07
WordPress
Comment (1)
Cisco conference call
I had a conference call at work today with a couple of Cisco sales reps. The point of the conference call was to discuss the Cisco NAC evaluation taking place later this week. The conference call took place using WebEx. It was a little strange using WebEx for a phone conference call. Everyone from where I work who was involved in the call, myself included, thought that the Cisco reps were going to do a video demonstration but they didn’t.
The Cisco reps wanted to nail down a few details before the evaluation took place. The main points discussed were what we were looking for, how our network is currently set up and what we hoped to gain using the Cisco NAC. I’m really looking forward to checking out their system.
One big highlight that came out of the meeting was that I’m getting a chance to attend a Cisco CCNA boot camp for free. The CCNA training will be held at a local Cisco office. They are still trying to nail down the exact dates for the week-long training. Once they get that, someone from the Cisco office is going to email me. A $2300 training course for free? I’ll take that in a heartbeat.
Pain is inevitable. Suffering is optional. - M. Kathleen Casey
10.Sep.07
Certifications, Networking, Security
Comments (4)
Trend Micro’s NAC needs some work
For the last week, I’ve been testing out a Network VirusWall Enforcer from Trend Micro. I’ve only found one thing about it that really impresses me. That would be the number of antivirus programs, 63 at this time, it supports. Other than that, I am really disappointed in it.
The main reason I requested the demo is because we use Trend Micro OfficeScan on all of our Windows servers and workstations. We use Trend Micro Control Manager 3.5 and were told it could control the VirusWall NAC. That was the first surprise of the demo. Out of the two units, one 1200 and the other a 2500, only the 2500 could be managed via TMCM. The 1200 had to be managed through the console or by connecting to the admin web page running on the appliance.
The sales guy called his boss and was told that the 1200 was about to be marked EoL so it would not be supported in TMCM 3.5. Nice. I just wish that was the only problem with the whole setup.
Here is a quick rundown of other problems I have with the Trend Micro NAC:
There may also be another problem with the device, about which I am awaiting a response from Trend. It involves a hole in how devices may be able to gain network access even after failing policy compliance checks. I emailed the info (issue & steps to reproduce) to my Trend Micro contacts. Hopefully, I’ll hear something soon.
Great minds have purposes, others have wishes. - Washington Irving
29.Aug.07
Networking, Security
Comments (0)