[ABD] Proxy Revealer Olympus 0.3.3

[jasmineaura]

sotis,

Thank you. You've been super helpful... And I apologize about all the trouble... I'll take it from here then.

Let me paste the relevant part of what I have just sent you in PM, so everyone is aware..

This is regarding the warnings you got during running the installer... I'm baffled as to how I missed this during testing. Probably because I always forgot to enable debugging in config.php before running the installer (I think I always enabled it after).
Seems a lot of people have been using similar code in their MOD, and in our case, this was a critical problem.
Why it didn't happen on my test bed? because my primary testing server runs MySQL 4.1.20
And the part that you got undefined warning about in the installer is what compares the board's MySQL server version, particularly:
1. If it's greater than or equals to MySQL 4.1.3, it uses mysql_41 schema file
2. If it's less than MySQL 4.1.3, it uses MySQL 4.0 schema

Darn So all these problems where introduced by this installer problem

I've spent so much time in the past ironing bugs in this installer, and also modified some other parts of the code for backwards compatibility with PHP4 (and notifying co-author (evil<3) of it in other threads), yet I missed this one, which I find so many other MODs using this installer had been affected by.
We don't have many database changes done by this MOD, but the differences between the mysql_40_schema.sql and mysql_41_schema.sql could be drastic when the wrong version is applied (although I liked to think before that >= 4.1.3 is backwards compatible).
I will investigate more now, and will test on both my MySQL4.1.2 server and a server with MySQL5 just to make sure we get this issue solved ASAP..

Thanks again

[jasmineaura]

After I made changes in functions_install.php on clean phpBB3 board.
When I run installer on step: "4. Continue with the MOD installation as described before"

Code: Select all

Fatal error: Call to undefined function sql_server_info() in C:\xampp\htdocs\phpBB3\install\functions_install.php on line 207

Oops, my mistake... I wrote my reply last night in a haste cuz I was tired. The replacement I offered was missing something.
if (version_compare($db->sql_server_info(true), '4.1.3', '>='))

So, it should've read:

Open: /install/functions_install.php
Find:

Code: Select all

             if (version_compare($db->mysql_version, '4.1.3', '>='))

Replace with:

Code: Select all

             if (version_compare($db->sql_server_info(true), '4.1.3', '>='))

I've double checked this from includes/db/mysql.php from phpBB 3.0.5, so this should work for sure

[sotis]

I did all five steps. Installation went without any error message. After that I logged out and unfortunately the problem still exist, I was not able to stay logged in and enter admin panel. Debugging is on but I didn't receive any message.
I am sorry.

[jasmineaura]

Dear Sotis,

I just noticed from your previous post:

After I made changes in functions_install.php on clean phpBB3 board.
When I run installer on step: "4. Continue with the MOD installation as described before"

Code: Select all

Fatal error: Call to undefined function sql_server_info() in C:\xampp\htdocs\phpBB3\install\functions_install.php on line 207

I know we've corrected this "correction", but I was just wondering when I was reviewing posts and noticed "c:\xampp" in your post.

1. Are you running this on local system or on another machine in your private LAN?
2. Does that machine have internet access to the outside world? (Meaning can it lookup hosts in DNS, connect to remote hosts, etc..) ?
3. If you answered yes to number 3: Is there a firewall on it (or on the router) restricting outgoing connections, or does it use a proxy server to reach the outside world?
4. What Windows OS is that running on, and are there any clues in Apache's access_log or error_log or any php log?

[sotis]

I sent you a PM

[jasmineaura]

Testing on another server, PHP 5.2.1 & MySQL 5.0

I was able to confirm the issue you're having.. Debugging now, hope I can find it quickly..

(strange that I didn't have this issue on PHP 4.3.2 & MySQL 4.1.1)

[mrshs]

Do you need more people who test it out? I am very interested in this mod, and if I can help, I am most willing to do so.

I have PHP version 5.2.9 and MySQL version 5.0.81-community-log.

[jasmineaura]

Do you need more people who test it out? I am very interested in this mod, and if I can help, I am most willing to do so.

I have PHP version 5.2.9 and MySQL version 5.0.81-community-log.

No! But thanks

I already found the bug, and it is caused by a bug in phpBB3's DBAL (again), which doesn't work as it's supposed to..

Here's why this bug happens:

The MOD's installer is supposed to make life easier for you, by using phpBB3's native DBAL (Database Access Layer) to add database tables for you, and make the necessary changes to SESSIONS_TABLE (as well as adding the MOD sections for you automatically in .MODS tab of the ACP)

Here's the relevant section from our install/index.php

Code: Select all

			'schema_changes'	=> array(
				'add_columns'		=> array(
					SESSIONS_TABLE		=> array(
						'session_speculative_test'	=> array('TINT:1', -1),
						'session_speculative_key'	=> array('CHAR:10', NULL),
					),
				),
			),

Basically, the installer wants to add two columns to phpbb_sessions table
1. session_speculative_test , with type "tinyint(1)" and default value of "-1"
2. session_speculative_key , with type "char(10)" and default of NULL

The "schema_changes" array is passed by our function "process_install" (from install/functions_install.php) to function "perform_schema_changes" from phpbb_db_tools (which is defined from phpBB3's includes/db/db_tools.db)

So far Fine AND DANDY

Now phpBB3's DBAL takes over

perform_schema_changes gets passed an array with key of "add_columns", so it parses the database update array (see comment above function perform_schema_changes in includes/db/db_tools.php):

It then passes the parsed info to function sql_column_add

Which in turn calls function sql_prepare_column_data
And this is where the bug lies


The problem is that function sql_prepare_column_data , in the case of mysql40 and mysql41 (and also firebird, mssql, and sqllite), does not at all account for "NULL" property in $column_data , always tagging "NOT NULL" without even checking if the default property is set to NULL
The only two cases where function sql_prepare_column_data does check if the default property is set to NULL, is for oracle and postgres databases

So what happens on mysql40/41 (and possibly firebird, mssql and sqllite), is that the two columns we wanted added to SESSIONS_TABLE get created, but...
session_speculative_key column is created and set to NOT NULL, when it doesn't have a default value set... there is the bummer


In my testing, on php 4.3.2 and MySQL < 4.1.3, this is not an issue

But in php 5.2.x and MySQL 5.x, this is a BIG PROBLEM... The session keeps getting recreated, never actually being saved in the SESSIONS_TABLE, because 'session_speculative_key' column is set to be NOT NULL, yet it doesn't contain any default value, and doesn't get created by itself (and the code that sets it is never reached because that code only kicks in when a session is created and session data becomes available)
That's why people who tested it were never able to login, and getting the "page loading" popup everytime they click on something (because the MOD tries to load everytime a new session is created)

Temporary Solution:
Manually changing the column 'session_speculative_key' in phpbb_sessions table to "NULL" (via phpmyadmin for instance), fixes that problem..

So I have to make a bug report about this downfall in phpBB DBAL
Then will think of a temporary workaround in the installer, so people don't have to go in their database messing around manually and possibly breaking more things..

[jasmineaura]

Reported to phpBB Bug tracker:

Ticket ID: 53395

Impossible to create (or modify) column as NULL with DBAL for mysql40/41 (and possibly firebird, mssql, and sqllite)

Will try to come up with a workaround in the installer meanwhile..

[asinshesq]

Reported to phpBB Bug tracker:

Ticket ID: 53395

Impossible to create (or modify) column as NULL with DBAL for mysql40/41 (and possibly firebird, mssql, and sqllite)

Will try to come up with a workaround in the installer meanwhile..

Take a look at this: http://www.phpbb.com/bugs/phpbb3/ticket ... t_id=52285
The punchline: db_tools intentionally does not allow null in order to avoid some cross db issues.

[jasmineaura]

Take a look at this: http://www.phpbb.com/bugs/phpbb3/ticket ... t_id=52285
The punchline: db_tools intentionally does not allow null in order to avoid some cross db issues.

Yes, I was notified on your reply on the ticket, and just replied

Thanks for the explanation asinshesq

So I guess instead of using perform_schema_changes from db_tools, I will have to add dbms specific queries in each schema file of my installer just to add a column that I need to be set to NULL..
Will have a closer look at function add_field_ident from includes/acp/acp_profile.php just to be sure, and maybe develop/create_schema_files.php from SVN can help generate those queries for me?

[jasmineaura]

Alright, well...

Much simpler workaround, since we don't really /need/ session_speculative_key to be NULL by default, is to set its default to 0 (rather than NULL) when adding the columns in the installer. This way when the column gets added with "NOT NULL", it has a default value, and sessions can continue to work properly..

This will be fixed in the upcoming version, very soon..

[jzn21]

Hello,

We are very glad with this mod, there's only one problem: some of our moderators use Safari as default browser and are unable to login. Every page they visit requires a new IP scan for 4 secs with is at least very annoying...

[jasmineaura]

Hello,

We are very glad with this mod, there's only one problem: some of our moderators use Safari as default browser and are unable to login. Every page they visit requires a new IP scan for 4 secs with is at least very annoying...

First of all, I'm surprised you didn't heed to all the warnings in big red as to not use this MOD on a live forum..

Secondly, there was a major bug in this release (and possibly past releases that have been using the auto-installer), see previous posts on this same page, that prevented all users from logging in on the forum. Did you do the manual fix described above on a live forum?

I'm currently committing a LOT of fixes / improvements to the code, see r64, r65, and most notably r66 revision at:
http://code.google.com/p/proxy-revealer/source/list
One of the changes described in r66 (if you click on it you will see it):

- Skip scanning if user logs in to forum (or ACP) as an admin or global moderator (before, we only skipped scanning when admin logs in to ACP).

But that gets me wondering why only the moderators using Safari have this problem (Hopefully someone with safari browser can do some testing in the upcoming release)

I plan on releasing a more stable version (with many new features/improvements) soon.. Just be patient please...

There's one thing I'm working on right now which is delaying progress.. Kind of a mess...
The Java applet we use in this MOD, I had signed it with Thawte Freemail Certification last year (which has always been in Java's Root Signing CA's) so the applet can run as trusted and therefore without restrictions, provided the end-user accepts a (luring) prompt that this applet is trusted, due to a bug in Java Plugin that doesn't allow the applet to connect back to originating host when an HTTP proxy is set in browser.
If it wasn't for this bug in java plugin since JRE 6u2 (which is not a feature but a regression introduced by security fix a long while back), I wouldn't have even needed to sign the applet, and the end user wouldn't even see that security prompt (or any visual indications for that matter) from java plugin..
I reported this java bug last year to Sun Microsystems OVER A YEAR AGO, and still have not been fixed
See: http://bugs.sun.com/bugdatabase/view_bu ... id=6756165
(And for anyone reading this: PLEASE vote for the bug so hopefully it can be fixed sooner, if you can)

Even more unfortunate, the certificate from Thawte that I had signed the applet with last year has expired on 29.9.2009, and Thawte has now discontinued the "Freemail" (including java codesigning) service.
They kindly sent me a token in their EOL (End Of Life) email to take advantage of an exclusive offer from Verisign; 1-year "Digital ID" certificate free of charge ($19.99 value). I signed up for it, went on to sign my applet using my new verisign digital ID cert, and was bummed out when jarsigner (from JDK) told me:
"The signer certificate's ExtendedKeyUsage extension doesn't allow code signing"

More on this here:
http://wiki.cacert.org/JavaCodeSigningTest

So I scoured through the list of "Signer CA"s that are installed by default with the latest JRE (from control panel -> Java -> security tab -> certificates -> system tab -> "Signer CA" from the "Certificate type" drop down list). Tried to find any other Signer CA that offers free "Class 1" certificates which allow code signing.
I tried one from comodo (http://www.instantssl.com), but sadly, it doesn't allow code signing either.
Signed up with trustcenter.de for a email certificate (their only free service), got a notification email yesterday that I will receive instructions there and never got it. I doubt it'll allow code signing either once I do get it..

So now I'm rethinking the whole Java applet technique and the code that we currently use...
One option is to go back to the earliest version we used (before the whole certificate signing thing). At least it works for unmasking some CGI-Proxies (ones that don't filter out or rewrite the applet tag in the html) and doesn't give any alarming popups/prompts to the end user (as with self-signed certs), and it'll still unmask browser-set HTTP Proxies, for forums whose host.domain.tld resolves to and IP that reverse-resolves to the same host.domain.tld, or ones that can use the workaround of putting the server's IP instead of hostname in the codebase to fetch the applet. But this is just too darn hackish, and required a long explanation in the install.xml so people understand why Java applet doesn't work on their virtual host, and why such workaround is needed, and how to do it. And people start complaining to me that they can't run xmlsockd.pl script (for Flash detection to work) because their virtual hosting provider won't allow it (Adobe Flash security policy requires it to authorize connect backs) and complain that they cannot use Java workaround if their setup is affected. What can you do

Well, at least realplayer/realalternative plugin detection and unmasking technique that I developed, as well as XSS techniques that were originally developed by TerraFrost, work (usually) flawlessly..

In the meantime, I need some time to add some newer techniques (particularly itunes detection and itms:// link bypass, quicktime detection and browser proxy settings bypass, and perhaps the MS-word file with image loading from external link trick as well)

By the way, I looked at the decloak.net demo (from metasploit), and it doesn't seem like their idea of a java applet for a decloak engine is any more successful either, heh..

[JBeastly]

I get this error when I try to install it:





Should I still install it, or is it very important?