Thursday, May 12, 2011

DOM level JavaScript: How to get Date fields in MOSS 2007 to appear as Age

We were looking for a way to display the age of an entry in a SharePoint list for which a creation date was specified. Since using [today] in a formula in SharePoint is not allowed, and we did not want to create redundant fields, we decided to write a DOM level JavaScript that replaces the date value with the age, based on today's date. Here's the code to use to replace the date with the age:

<script>
$("#tableID nobr").each(function(){
  var c = new Date($(this).text());                       // the date shown in the cell
  var b = new Date();                                     // today
  var diff = (b.getTime() - c.getTime())/(24*3600*1000);  // age in days
  $(this).html(Math.ceil(diff) + " days");
});
</script>
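The same date-to-age rewrite, as an added example that is not code from the original post: it makes the computation a testable function and handles the cases the one-liner silently gets wrong (a blank cell or non-date text would be written back as "NaN days", and a future date as a negative count). It assumes the table id "tableID" and the <nobr> wrapper around date cells from the post; "now" is injectable so results are reproducible.

```javascript
// Added example, not code from the original post.
var MS_PER_DAY = 24 * 3600 * 1000;

// Age in whole days (rounded up, as the original's Math.ceil does), or null
// when the text is blank or does not parse as a date. Future dates clamp to 0.
function ageInDays(dateText, now) {
  var text = String(dateText == null ? "" : dateText).trim();
  if (text === "") return null;
  var created = new Date(text);        // same parser the original relies on;
                                       // locale formats (d/m vs m/d) differ
  if (isNaN(created.getTime())) return null;
  var current = now instanceof Date ? now : new Date();
  var diff = (current.getTime() - created.getTime()) / MS_PER_DAY;
  return diff < 0 ? 0 : Math.ceil(diff);
}

// Label written into the cell; null means "leave the cell alone".
function ageLabel(dateText, now) {
  var days = ageInDays(dateText, now);
  if (days === null) return null;
  return days === 1 ? "1 day" : days + " days";
}

// Replace the text of every <nobr> under root with its age. Writes textContent
// rather than HTML so the cell's original text is never interpreted as markup.
// Returns the number of cells changed.
function replaceDatesWithAge(root, now) {
  var changed = 0;
  var cells = root.querySelectorAll("nobr");
  for (var i = 0; i < cells.length; i++) {
    var label = ageLabel(cells[i].textContent, now);
    if (label !== null) {
      cells[i].textContent = label;
      changed += 1;
    }
  }
  return changed;
}

// In a browser, run it against the list table ("tableID" is assumed from the post).
if (typeof document !== "undefined") {
  var table = document.getElementById("tableID");
  if (table) replaceDatesWithAge(table, new Date());
}
```

Cells that do not parse are left untouched instead of being overwritten, which is the difference you notice on a list with empty date columns.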


Here's another use of DOM level JavaScript: unlocking levels in Angry Birds for Chrome.

Sunday, May 8, 2011

Notes on flashing a Nokia 5230 with Nokia C6 firmware

First of all, my thanks to Rohit for his great work on porting the C6 firmware to the Nokia 5230. You can read about his work here.

Now, I have a Nokia 5230, which comes with good firmware but, unlike the more expensive C6 or C7, does not come with the Nokia widget screen. So here are the steps I used.

BACKUP YOUR PHONE BEFORE YOU DO THIS.

1. Download the latest port and core FW for your phone. Make sure you download the FW for your existing firmware version (use *#0000# on your device to find your FW version).

2. Copy all the downloaded files to this location (here RM-588 is the product version from the same screen; make sure you have Ovi Suite installed):
C:\Program Files (x86)\Nokia\Phoenix\Products\RM-588

3. So here's what I have in my Nokia products folder:


Directory of C:\Program Files (x86)\Nokia\Phoenix\Products\RM-588

RM-588_40.0.003_prd.core.C00
RM-588_40.6.003_prd.rofs2.V21
RM588_0585690_40.0.003_001.dcp
RM588_0585690_40.0.003_001.vpl
RM588_0585690_40.0.003_001_signature.bin
RM588_40.0.003_001_001_U001.uda.fpsx



4. Now you must install JAF, and download the JAF PKEY Emulator.

5. Then use this tutorial to flash the phone.

6. In case you have an old copy of JAF, the ini file will not show your device. Use the device string below for the Nokia 5230:

[RM-588]
Description=Nokia 5230 CABLE
_prd.rofs2.v01=English,Finnish,Swedish,Norway,Islandic,Danish
_prd.rofs2.v02=English,French,Turkish,German,Dutch
_prd.rofs2.v03=English,French,German,Italian,Spanish,Portuguese
_prd.rofs2.v04=English,German,Estonian,Russian,Lativian,Lithuanian
_prd.rofs2.v05=English,German,Hungarian,Ukrainian,Russian,Romanian,Bulgarian
_prd.rofs2.v06=English,Czech,Slovakian,German,Polish,Hungarian
_prd.rofs2.v07=English,German,Croatian,Serbian,Greek
_prd.rofs2.v08=English,Hebrew,Arabic,Russian,Spanish
_prd.rofs2.v09=English,Romanian,Russian,Spanish
_prd.rofs2.v11=English,Arabic,French
_prd.rofs2.v12=English,Arabic,Farsi
_prd.rofs2.v13=English,Arabic,Farsi,Urdu
_prd.rofs2.v14=English,Arabic,French
_prd.rofs2.v18=English,Thailand,Chinese Simpl,Chinese Trad
_prd.rofs2.v19=English,Philipines,Bangladesh,Australia,Indonesia,India,Vietnam,New Zealand
_prd.rofs2.v20=English,Vietnamese,Tagalog,Chinese Simpl,Chinese Trad
_prd.rofs2.v22=English,Singapore,Indonisia,Malasia
_prd.rofs2.v23=English,Chinese Simpl,Chinese Trad (Hong Kong)
_prd.rofs2.v24=English,Simpl Chinese,Trad Chinese

Wednesday, April 27, 2011

How to workaround the Same origin policy using crossdomain.xml and Java in <script> tags

I was just messing around with calling Java classes from JavaScript (Firefox 4) when it registered that one can use a lenient crossdomain.xml policy, honoured by java.net inside the applet container, to send a request to and read the response from a completely different server, thereby working around the same-origin policy.

So I started with Flickr (since there are many Flickr applet apps from which feed connection code can be borrowed). Below is the cross-domain policy on api.flickr.com.

http://api.flickr.com/crossdomain.xml

Then I borrowed the applet code (a hello world example of how to use java.net) and modified it to execute inside JavaScript tags and fetch the Flickr Atom feed. The result is a request from blogger to flickr and its response (you can also call alert() if you prefer; the example below opens a text box with the response to the Flickr feed request).

Currently works only in Firefox. Compare with the original feed.



var urlStr = new java.net.URL("http://api.flickr.com/services/feeds/photos_public.gne?id=31706743@N00&lang=en-us&format=atom");
var urlCn = urlStr.openConnection();            // java.net.URLConnection, reached from page JavaScript via LiveConnect
var a = new java.io.BufferedReader(new java.io.InputStreamReader(urlCn.getInputStream()));
var b = urlCn.getHeaderField(0);                 // status line
for (var i = 1; i <= 7; i++) {                   // first seven response headers
  b = b + "\n" + urlCn.getHeaderFieldKey(i) + ": " + urlCn.getHeaderField(i);
}
b = b + "\n\n";
var inputLine = "";
while ((inputLine = a.readLine()) != null) {     // response body, line by line
  b = b + "\n" + inputLine;
}
a.close();
// To write the result into the page instead of a window:
// var c = document.getElementById("page_content");
// c.innerHTML = b;
var f = new java.awt.Frame("TEST");              // show the result in an AWT window
var ta = new java.awt.TextArea(b, 45, 600);
f.add("Center", ta);
f.pack();
f.show();
BTW, the cookies set for flickr.com do go along with this API call. This means that, if the cross-domain policy allows it, one can call application actions on flickr.com and use the response (read: export the logged-in user's contacts or change settings).
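The condition the post relies on is a master policy that grants every origin access while the client attaches the user's cookies. The following is an added example, not code from the original post or from Flickr: a small audit that scans a crossdomain.xml policy and flags that setting (and the other permissive attributes the format allows) so a site owner can check their own policy. The two policy bodies are constructed; the first is modelled on the api.flickr.com policy shown in the post.

```javascript
// Added example, not code from the original post. Sample policies are constructed.
var SAMPLE_POLICY =
  '<?xml version="1.0"?>\n' +
  '<cross-domain-policy>\n' +
  '  <allow-access-from domain="*"/>\n' +
  '  <site-control permitted-cross-domain-policies="master-only"/>\n' +
  '</cross-domain-policy>\n';

// Constructed hardened counterpart: one named origin, HTTPS origins only.
var HARDENED_POLICY =
  '<?xml version="1.0"?>\n' +
  '<cross-domain-policy>\n' +
  '  <site-control permitted-cross-domain-policies="master-only"/>\n' +
  '  <allow-access-from domain="www.example.com" secure="true"/>\n' +
  '</cross-domain-policy>\n';

// Minimal element scanner. A crossdomain.xml file is a root element plus empty
// elements with quoted attributes, which is all this handles; it skips the XML
// declaration, comments and closing tags. Returns [{name, attrs}, ...].
function scanElements(xml) {
  var elements = [];
  var tagRe = /<([A-Za-z][\w:-]*)((?:\s+[\w:-]+\s*=\s*"[^"]*")*)\s*\/?>/g;
  var attrRe = /([\w:-]+)\s*=\s*"([^"]*)"/g;
  var m;
  while ((m = tagRe.exec(xml)) !== null) {
    var attrs = {};
    var a;
    attrRe.lastIndex = 0;
    while ((a = attrRe.exec(m[2])) !== null) attrs[a[1]] = a[2];
    elements.push({ name: m[1], attrs: attrs });
  }
  return elements;
}

// Returns a list of {rule, detail} findings; an empty list means nothing flagged.
function auditCrossDomainPolicy(xml) {
  var findings = [];
  scanElements(xml).forEach(function (e) {
    var d;
    if (e.name === "allow-access-from") {
      d = e.attrs.domain || "";
      if (d === "*") {
        findings.push({ rule: "any-origin",
          detail: 'allow-access-from domain="*": every origin may read responses, and the client sends the user\'s cookies with those requests' });
      }
      if (e.attrs.secure === "false") {
        findings.push({ rule: "insecure-origins",
          detail: 'secure="false": plain-HTTP origins are trusted by a policy served over HTTPS' });
      }
    } else if (e.name === "allow-http-request-headers-from") {
      d = e.attrs.domain || "";
      if (d === "*" && (e.attrs.headers || "") === "*") {
        findings.push({ rule: "any-header",
          detail: 'any origin may send arbitrary request headers' });
      }
    } else if (e.name === "site-control") {
      if (e.attrs["permitted-cross-domain-policies"] === "all") {
        findings.push({ rule: "policy-anywhere",
          detail: 'permitted-cross-domain-policies="all": any file on the host may act as a policy file, including uploaded content' });
      }
    }
  });
  return findings;
}
```

Run against the sample policy the audit reports exactly one finding, the any-origin grant; the hardened counterpart, which names a single origin and keeps master-only, reports none.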

Session #113: result 200, protocol HTTP, host api.flickr.com, URL /crossdomain.xml, body 265 bytes, caching: private, Content-Type: text/xml, process: java:6600


GET /crossdomain.xml HTTP/1.1
User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_20
Host: api.flickr.com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Proxy-Connection: keep-alive
Cookie: BX=2ue9vrd6rhvda&b=3&s=s7; localization=en-us%3Bau%3Bau; search_z=t


HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 05:42:03 GMT
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
Vary: Accept-Encoding
X-Served-By: www151.flickr.mud.yahoo.com
Cache-Control: private
Content-Type: text/xml
Content-length: 265
Connection: Keep-Alive

<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
  <site-control policies="master-only"/>
</cross-domain-policy>


Session #114: result 301, protocol HTTP, host www.macromedia.com, URL /xml/dtds/cross-domain-policy.dtd, body 261 bytes, caching: max-age=900, Expires: Thu, 28 Apr 2011 05:53:41 GMT, Content-Type: text/html; charset=iso-8859-1, process: java:6600



GET /xml/dtds/cross-domain-policy.dtd HTTP/1.1
User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_20
Host: www.macromedia.com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Proxy-Connection: keep-alive
Cookie: BCSI-CS9B232E0E=2


HTTP/1.1 301 Moved Permanently
Date: Thu, 28 Apr 2011 05:38:41 GMT
Server: Apache
Location: http://www.adobe.com/xml/dtds/cross-domain-policy.dtd
Cache-Control: max-age=900
Expires: Thu, 28 Apr 2011 05:53:41 GMT
Content-Type: text/html; charset=iso-8859-1
Content-length: 261
Connection: Keep-Alive
Age: 201

<title>301 Moved Permanently</title> <h1>Moved Permanently</h1> <p>The document has moved <a href="http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">here</a>.</p>

Session #116: result 200, protocol HTTP, host api.flickr.com, URL /services/feeds/photos_public.gne?id=31706743@N00&lang=en-us&format=atom, body 27,652 bytes, caching: no-store, no-cache, must-revalidate, private, Expires: Mon, 26 Jul 1997 05:00:00 GMT, Content-Type: application/atom+xml; charset=utf-8, process: java:6600



GET /services/feeds/photos_public.gne?id=31706743@N00&lang=en-us&format=atom HTTP/1.1
accept-encoding: gzip
Host: api.flickr.com
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_20
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Proxy-Connection: keep-alive
If-Modified-Since: Mon, 25 Apr 2011 04:16:01 GMT
Cookie: BX=2ue9vrd6rhvda&b=3&s=s7; localization=en-us%3Bau%3Bau; search_z=t



HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 05:42:04 GMT
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 25 Apr 2011 04:16:01 GMT
Cache-Control: no-store, no-cache, must-revalidate, private
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
X-Served-By: www78.flickr.mud.yahoo.com
Content-Type: application/atom+xml; charset=utf-8
Connection: Keep-Alive
Content-Length: 27652

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<feed xmlns="http://www.w3.org/2005/Atom" dc="http://purl.org/dc/elements/1.1/" flickr="urn:flickr:" media="http://search.yahoo.com/mrss/">
  <title>Uploads from Joshua Marinacci</title>
  <link rel="self" href="http://api.flickr.com/services/feeds/photos_public.gne?id=31706743@N00&amp;lang=en-us&amp;format=atom"/>
  <link rel="alternate" type="text/html" href="http://www.flickr.com/photos/joshyx/"/>
  <id>tag:flickr.com,2005:/photos/public/1850619</id>
  <icon>http://farm1.static.flickr.com/60/buddyicons/31706743@N00.jpg?1184425730#31706743@N00</icon>
  <subtitle></subtitle>
  <updated>2011-04-25T04:16:01Z</updated>
</feed>

Friday, November 26, 2010

Static code analysis, gone horribly wrong

It's been a long time since I posted anything here. I was busy with family matters and changing jobs. Anyway.

Recently I was asked (as part of my job) to complete penetration testing of a legacy application. This was a direct result of issues reported by appsec scanners and a fair amount of static code analysis (tools and products will stay unnamed here), which produced a huge number of critical alerts.

Multiple instances of XSS, SQL injection, command injection, buffer overflows etc. were reported by both the static code analysis and the appsec scanner. So what did we have in the soup? Classic CGI under Apache's mod_cgi, with log4j logging.

My first thoughts were cocky, as always. I started digging, and after two days I had one high-severity vulnerability. YES, 1, ONE, ένα, एक, JUST ONE.

Everything the scanners threw up was a false positive, and the one real vulnerability was not reported by any scanner. So what's the secret? Well, there are quite a few reasons:

1. The application in question went from a command line interface to a web-based cloud solution over its last 20 years of development.

2. The developers used a minimum of third-party components, and updated those on time.

3. Scanners are inherently designed to generate issues by pattern matching, which at best is guesswork.

4. The security people running these scans had a limited understanding of the development technology used, or chose to report incorrect findings over the possibility of incomplete ones.


Moral of the story:

1. ALL WEBAPP SCANNERS ARE DUMB. Static code analysis is ill-equipped for legacy applications.
2. Don't be cocky when you see CGI.
3. Time can't be telescoped. Something that was developed over 20 years by dozens of developers can't be broken in minutes.
4. Inconsistency of development causes flaws in legacy applications.
5. Put in the time to find these development inconsistencies, and you shall be rewarded with a few vulnerabilities.
6. Helping fix these brings a lot of satisfaction.






Friday, June 25, 2010

Real-time Caps Lock and Num Lock notification in Ubuntu

My response to a thread on the Ubuntu forum. The Python notification-osd examples helped a lot.

Finally the notification is real time. I used the update method call of notify-osd from Python. I needed a service running in the background which can independently create and modify notifications, and two trigger scripts that call the service over D-Bus.

The D-Bus service and the two trigger scripts are Python scripts. I used the same xset code from the first reply to get the status of the locks.

The archive contains the following files:

1. lock_keys - service Python script; must be running for the real-time notification toggle. This requires the caps shell script.

2. lockNum - trigger Python script, used as the keyboard binding for Num Lock.

3. lockCap - trigger Python script, used as the keyboard binding for Caps Lock.

4. caps - shell script to identify the status of the locks.
USAGE:
$> caps caps
$> caps num

The way to install this is to navigate to the download directory and run the following commands:
$> tar -xvzf lock_Notify.tar.gz
$> cd lock_Notify/
$> chmod a+x *
$> sudo mv * /bin
[sudo] password for user:

Now open System -> Preferences -> Startup Applications
Add /bin/lock_keys to startup.

Open System -> Preferences -> CCSM,
Add command 1 = lockNum
Add command 2 = lockCap
And add num lock and caps lock shortcuts to these commands from CCSM.

DD-WRT router setup with NAS to download torrents without a computer


Firstly, the image above is NOT my screenshot. It's just there to give you an idea.

Finally I got around to installing Optware on my WRT160N v3 router, and using the router to download torrents to my Buffalo NAS (1 TB).

I bought the router and the NAS drive for around $150 (the router was a refurbished unit). The router was flashed with DD-WRT (v24-sp2 (04/23/10) std-nokaid-small) firmware, which has CIFS support to mount the NAS. Then I used the Optware installation guide (Option C: Partition-in-a-file on CIFS for /opt).


Some notes and screenshots:
mount.cifs //hd-celu2-2966/share /tmp/smbshare -o sec=none        # mount the NAS share (sec=none: no authentication)
insmod /tmp/smbshare/loop.ko                                       # loop device and ext2 modules kept on the share
insmod /tmp/smbshare/ext2.ko
nvram set sys_enable_jffs2=1
mkdir /tmp/swap
mount --bind /tmp/smbshare/jffs /jffs
mount -o loop /tmp/smbshare/opt.ext2 /opt                          # partition-in-a-file for /opt
mount -o loop /tmp/smbshare/swap.ext2 /tmp/swap
/opt/sbin/swapon /tmp/swap/swapfile
/usr/sbin/iptables -I INPUT 1 -p tcp --dport 25000 -j logaccept   # log and accept inbound TCP 25000 (torrent peer port) on any interface
transmission-daemon -g /tmp/smbshare/torrents/.config/transmission-daemon



Then I used Chrome to create an application shortcut to the Transmission web interface. The interface is very functional. I have been using it from my PSP and my E63 browser (over Wi-Fi).






Sunday, January 24, 2010

Final Switch to Chrome

I have finally moved to Chrome. The new Chrome extensions are awesome (still beta). I still use Firefox for pentesting, however Chrome with AdThwart/AdBlock and IE Tab (for Outlook Web Exchange) rocks.

It is a sad indication that Mozilla may again lose the browser war to Google. I know that Firefox 3.6 is improved, and I love it, but Chrome with extensions is far more powerful and lightweight.

I have been a Firefox convert since the time it was launched, and have been addicted to Firefox for five years now. I still remember the joy when I first saw extensions on Firefox.

I am saddened. Firefox, you will be missed.