Origin is not allowed by Access-Control-Allow-Origin

Remote Origin Errors with JSONP and jQueryAre you self-harming because your browser is complaining about cross-domain, remote-origin XML requests? As annoying as it can be, the web would be a much nastier place without this restriction that limits what can be pulled from where. You’re probably seeing this exact message in the console/error log of your browser’s development tools:

Origin http://localhost:8080 is not allowed by Access-Control-Allow-Origin

Once you understand why you’re getting issues with this, it’s tiresome to always be re-writing this integral function so, like my other free web development resources on here, I’ve saved an example as a gist on GitHub with jQuery and PHP code which you are free to copy, clone or download then use without limitation!

Continue reading

Tor Exit Node Trials and Triumphs

Tor Exit Node SetupI recently worked on a project that required rotating IP addresses without the need for speed, just viewing specific pages from different addresses. I first started with open HTTP proxies but their reliability varies hugely and I found that parsing any (free) proxy list was so unreliable and most of the time was spent determining that a proxy was not online so I came up with the idea of leveraging the Tor network due to the ease of path-finding and pruning of dead peers. As the results have shown, the number of peers is always sufficient for the requirements.

As a way of contributing back to the community and the Tor Project, I set up a dedicated Tor Exit Node. It was quite interesting and took a little while of going through disparate documentation sources and the outdated version in the repositories for Ubuntu Server but it was thrilling to learn exactly how this service function, that I’ve admired for many years, functions.
Continue reading

Ausgrid Mobile Apps and Wireless Security

Closed for Business - No Public Ausgrid Mobile Apps I received a letter ifnorming me that I’d be inclued in a trial of Ausgrid’s new wirelessly and fibre-optic smart grid as part of their Smart Grid, Smart City initiative. I’m truly honoured because, as I’m told, I “will help shape the future of energy use in Australia”! I was quite interested in what sort of access they’d be allowing external entities – such as developers wanting to write Ausgrid mobile apps – considering that one of the most-cited feature is remote monitoring of household electricity usage and remote control of appliances via an online tool or ausgrid mobile app.

I contacted their media department and was kindly re-directed and received this response:

“The SGSC trial solution is a ‘closed system’, and as such is not designed to incorporate external-to-Ausgrid application development.”

- Senior Project Manager

Continue reading

Safe E-Mail Attachment File Extensions

http://www.webdesignerdepot.com/I am adding an e-mail attachment feature  toan internal “Web App” for a business which will only send images and documents (mostly of a proprietary format) so I came up with a quick and simple PHP function to confirm that the extension’s safe.

$attachment_extensions = array('csv','doc','docx','gif','html','jpeg','jpg','ods','odt','pdf','png','ppt','pptx','rtf','svg','txt','xls','xlsx','xml');
if(in_array(end(explode(".", $attachment)), $attachment_extensions)){
    //Extension is Safe
}

Note the inclusion of Microsoft’s file extensions with an “x”-suffix: This mystification was introduced in Office 12 to stimulate upgrades. I don’t agree with their reasoning that has caused extra work for everyone else perhaps because they thought it’d be easier to identify their own files by relying on the extension instead of headers.

How to Add Base64 Padding

I was having a dreadful time working on an a corporate “web app” with the inline viewing of e-mail attachments. After MIME-decoding, only a third of PDF attachments were displaying! Based on that success ratio, some of you reading this with more experience probably already know what was wrong but it took me quite a while to realise. Continue reading

Grey Hat Gray Line

As a follow-up to my post about the Drupal module that is indexed by search engines and allows the sending of e-mails from those hundred-odd webmasters’ domains, I found a similar security hole while developing something for a client. I needed to collate the contact details of all of their product suppliers and one of the larger (if not the largest of) Australia’s national tour operators, Gray Line, was very secretive with their contact details including phone numbers rendered as images instead of text and using a subject-restrictive contact form instead of a mailto: anchor – which would have been a lot easier to implement, have no bugs but it wouldn’t have provided an open SMTP relay for anyone to send e-mails by assuming (and perhaps abusing) the identity and the hard-earned reputation this company holds.

Continue reading

How to Crack Windows 7 Passwords

Before I get started; it ins’t cracking at all but that’s the word that people wanting tools like this are looking for. As long as I care to remember, Windows OSs have stored passwords in files that the OS read-protects upon booting. Before a Windows has booted, the files are there for the taking/modifying.

The Linux-based ophcrack was great in its day for quickly retrieving Windows XP passwords and purportedly Windows Vista passwords, which I never attempted and some are now claiming Windows 7 is vulnerable but the way that Windows NT 6s hash the passwords doesn’t make for speedy collision. ophcrack sell rainbow tables costing up to $999 and weighing ~135GiB but I don’t see the value in trying to retrieve the password at such a cost considering for 20% of that cost, there are wireless key-loggers with 2GiB of storage that can independently connect to a network and send logs via e-mail. Of course that’s not going to help anyone that forgot their password, I just think that it’s impressive technology!
Continue reading

Brute Force TrueCrypt Volumes

Brute Force TrueCryptSomeone at work uses TrueCrypt and forgot their password for an encrypted volume which had some important, business-related files that were needed. This person relies on muscle memory for their passwords which has them employing alternating combinations of strings to create secure but forgettable password. To exemplify this method, the three strings “123″, “abc” and “!@#” could yield them a password of “abc!@#123″ or 26 other variations.

This person had no luck in trying everything that they could think of so I made a PHP and Bash script to automate the slow, brute force TrueCrypt volume with 100.000 password combinations to attempt. To save the web browser from a slow demise, I installed php5-cli and had Bash write the results – extremely quickly!
Continue reading

Slow SSH Connection Fix for Ubuntu Linux

How to Fix a Slow SSH ConnectionIf you’re ever experiencing a VPS with a slow SSH connection, it’s highly likely that it’s to do with GSSAPI (Generic Security Services API) which you probably didn’t even set up in the first place! To check if it’s the culprit, try connecting with the verbose flag.

How to Fix a Slow SSH Connection

ssh client@server -v

If you see the lines from the screenshot, try connecting by temporarily disabling GSSAPI:

ssh client@server -o GSSAPIAuthentication=no

If that’s quicker, GSSAPIAuthentication can be disabled for subsequent connections so that you don’t have to add the options flag every time you connect. Add or edit the following line in /etc/ssh/ssh_config on the server:

GSSAPIAuthentication no

On the client, add the same line to /home/$(whoami)/.ssh/config which might not exist yet. Sometimes the delay isn’t so much that people go out of their way to fix it but it’s quite a difference once you go do.

Drupal Spam Servers

After a failed search for a suitable newsletter module for Drupal 7, I installed an API example module to use as a base for my own module. Unfortunately for others out there using the same API example module; it’s quite easy to find with a Google search.

inurl:"example/email_example"
intext:"Use this form to send a message to an e-mail address.No spamming!"
intitle:"E-mail Example: contact form | " 

A search requiring all criteria yields ~30 results while a more relaxed search using the OR operator yields over 130 results except not all of them are open outboxes with many people code-example sites. Most are abandoned test servers but interestingly, there is a .edu and .edu.pl among the results.

This was by chance that I happened to think of searching for installations of this particular API example and there certainly aren’t a huge number of sites affected but I’m sure there are thousands of forgotten mail() example scripts with unique strings sitting on servers and being able to send an e-mail from someone else’s domain without authorisation, regardless of the ability to get a response, is quite a concern!