Monday, December 22, 2008

Steganabara 1.1.1 - finally!

Hey guys,

I have been making some minor improvements to Steganabara over the years, but due to my laziness a new version has not been released until now. But today, an email from r0d pulled me out of the shadow and Steganabara version 1.1.1 is now ready! No new feature yet, but I am glad to announce that the drag 'n drop feature is now supported for KDE 4.

As always, you can download this new version from my homepage. And of course, you should send me ideas for new features to make Steganabara the best steganalysis tool in the challenger world ;)

Tuesday, December 2, 2008

IBM's XML challenge - joke?

I got an email today about this XML challenge from IBM, which sounded very interesting. But I was quite disappointed.

After registering, I was taken to an MCQ quiz, with the answer to each question almost given out in the introduction text. Oh well.

Next I was provided with 3 contests: Video Mania, Query Challenge, and Programming Contest. I'm no good at making videos, and the programming contest was only available to students, so I started on the Query Challenge.

The query challenge was about pureXML, which could be summarised as some kind of combination between traditional SQL and XML into their database management system.

They launched a website:, which acts as a quick console for those who don't want to download the huge package called DB2 Express-C, but I quickly found it vulnerable to XSS.

After a hard time struggling through their online documents to find reference for some simple queries, I finally managed to reach question 4, in which I needed to find out which country has bordering countries in other continents. Well, have a look at a sample data file:

<?xml version="1.0" encoding="UTF-8" ?><country cid="1"><border_countries>China 76 km, Iran 936 km, Pakistan 2,430 km, Tajikistan 1,206 km, Turkmenistan 744 km, Uzbekistan 137 km</border_countries><population>31056997</population><area unit="sq km"><total>647500</total><land>647500</land><water>0</water></area><boundaries unit="km">5529 </boundaries><coastline unit="km">0</coastline><currency>AFA</currency><fiscal_year>
21 March - 20 March
Kheyrabad, Shir Khan
</ports_and_terminals><elevation_extremes><highest_point>Nowshak 7,485 m</highest_point><lowest_point>Amu Darya 258 m</lowest_point></elevation_extremes></country>

WTF?!!! It's XML, why do they have to store the bordering countries in a stupid string, which isn't even comma-separated? I could still do it anyway, using the power of regular expressions in my favourite language. But to do it with a single query, there's no way I'm gonna dig through the poorly documented website just to find some stupid string manipulation functions to get the job done.

Saturday, November 29, 2008

McAfee SiteAdvisor

Lol, have a look at this analysis of my website by McAfee:

I suppose many people downloaded the FreeRice bot I wrote a long time ago and that's why they had my site tested for security :P

Wednesday, October 15, 2008

Yay for 2009.0

Hey guys, I'm back with a brand new operating system :)

After installing I encountered some bug with the display manager that made the keyboard stop working after a while so I needed to use KDM 3.

KDE 4 is awesome! Here's a screenshot:

I'm still a bit unfamiliar with the changes though :( I can't find the new hotkey for "Show desktop", which used to be Ctrl-Alt-D in KDE 3. The PrintScreen key doesn't seem to work, and I need to run the ksnapshot command to take a screenshot. The desktop setting to change the monitor gamma is gone, and I need to use the xgamma command. And more...

Let's try to tame this new penguin :)

Friday, October 10, 2008

Mandriva Linux 2009.0

Mandriva announced the official public release of Mandriva Linux 2009.0 yesterday. It's the first time in many years they've met their scheduled date! I am downloading it now. Wish me good luck!

Monday, October 6, 2008

Winzip password collision

I created this zip file for a word guessing contest at ForumWarz, using a strong password, "5be890c219b0a837600e5fbb7ae8a2505be890c219b0a837600e5fbb7ae8a250" (not insanely strong but I guess that's strong enough for an average user). But it got cracked easily using AZPR with a brute-force attack.

It turned out that you can unzip the file with a much shorter password "tdc4Dl" too.

Surprised? I knew that zip protection was insecure but never thought it was that terrible.

This paper has some more information about zip encryption weaknesses, but I'm too lazy to read something that long. Maybe rhican can enlighten me :)

Wednesday, September 3, 2008

HTTP Error 403.2 - Forbidden: Read access is denied

Today I encountered this stupid error on my server all of a sudden. A virtual website threw the stupid error message, while the others were still working fine.

The only clue I could find from the system admin was that he recently installed the crappy SharePoint stuff from M$.

After hours of searching on the internet, I finally found the solution to my problem here:
Basically what happened was that the SharePoint installer screwed up some hidden metabase property named AccessFlags. On my server it was changed to 30215. I needed to change it back to 519 for it to work again.

What can I say? M$ sucks. As always!

Wednesday, August 20, 2008

Steganabara at Ohloh

I came across Ohloh today while looking at the subversion website for the new update. It looks like a pretty cool social network for open source developers and lovers.

At Ohloh you can promote your software projects and vote on projects you like. So I went on ahead and created a project page for Steganabara:

If you enjoy this great steganalysis tool you should create an account there, add Steganabara to your stack, write reviews, and vote for it :)

There hasn't been any major update to Steganabara for quite a while. So if you have any idea for improvement, feel free to contact me.

Sunday, August 17, 2008

and KVIrc

I have always been able to have my nick auto-identified on the idlemonkeys network simply by using the "Server Details" dialog in KVIrc:

But since the server change a few months ago this method is no longer working for me.

After playing around with the various settings in KVIrc I finally managed to find another way to get the job done using the "General Preferences" dialog:

Doing it this way the password is clearly visible in plain sight but I have no other options. And it kinda sucks as KVIrc seems to be the only client that can't handle the change.

Maybe the KVIrc guys should have a look into it rather than working on the new major version.

Wednesday, July 9, 2008


Hey guys,

Expecting something new from me?

Nothing much here. I've been quite busy at work and horst35 managed to take my first place on rankk for a few days but somehow I managed to get it back by solving skraeling's evil chall.

I have a cool new idea for a crackit chall but found no time to code it... yet.

And finally, never subscribe to the Code Project newsletter. I made that mistake a while ago and unsurprisingly the unsubscribe feature didn't seem to work. I get tons of lame stuff emailed to me every day. Maybe I should consider blocking those emails soon.

Saturday, June 14, 2008

Friday the 13th?

Hey guys,

Did anything happen to you yesterday - Friday the 13th?

As the day was considered a day of bad luck, I took extra care of everything in order not to get into any problem. But when I came back home, I was informed that the power supply had burnt away. I could not get anything done last night, other than watching the fantastic victory of the Netherlands against France.

Today I had to spend a few bucks to get the thing replaced. Fortunately enough, the mainboard did not suffer any damage.

Thursday, June 12, 2008

2008.1 finally

Not wanting to reinstall the whole system from scratch, I have been trying to upgrade the old packages manually.

Things went fine until yesterday.

After a massive upgrade of more than 100 packages, I rebooted the system and found myself logging into the text mode. X server failed to start. Looking at the logs I found that a video driver module failed to load. Well, that's the worst situation you could get yourself involved in.

So I decided to take the risk and try updating my system using the installation CDs. The estimated time was more than 3 hours, but actually the packages were all upgraded in just an hour. In the end, I got an error claiming that some media.cfg file could not be found, but after rebooting everything went fine.

Finally I got my system up-to-date (hopefully) with minimal efforts. Now it's time to try out all the new features!

Sunday, May 4, 2008

TBS == dead?

A few months ago, an old friend of mine, Chemi, returned to TBS, and suddenly asked me, "Hey, is TBS dead?". I answered, "Yeah, Inferno was being lazy"...

Actually although seeing the site dying, I was still waiting (or rather hoping) for some changes that would make the site alive again.

But that has yet to happen.

No new challenge has been added for like 8 months.

Many good users have gone into the shadow.

The forum has become a place for rhican to show off his 1337 h4x0r1ng skills.

An old CSRF bug that I found a few years ago has been exploited so much further that Inferno could do nothing but disable the img tag and avatar feature.

And sadly the most recent updates to the site were done by Erik, who officially declared retirement a few years ago.

So I gotta admit TBS is pretty much dead now.

But maybe it's still not too late to revive the site once again?

Saturday, May 3, 2008


[quangntenemy@localhost mandriva]$ md5sum xaa
28cac97e24514e00da387d605d64e9d4 xaa
[quangntenemy@localhost mandriva]$ cp xaa /home/quangntenemy/iso/
[quangntenemy@localhost mandriva]$ md5sum /home/quangntenemy/iso/xaa
30b5260aa446ba28e9aa5cc2d31f3766 /home/quangntenemy/iso/xaa
[quangntenemy@localhost mandriva]$ cp xaa /home/quangntenemy/iso/
cp: overwrite `/home/quangntenemy/iso/xaa'? y
[quangntenemy@localhost mandriva]$ md5sum /home/quangntenemy/iso/xaa
8bf1672d80eef1beefcc528ea8bff1ba /home/quangntenemy/iso/xaa
[quangntenemy@localhost mandriva]$ cp -f xaa /home/quangntenemy/iso/
[quangntenemy@localhost mandriva]$ md5sum /home/quangntenemy/iso/xaa
26c5636cb00f103689f9432e9ff529a8 /home/quangntenemy/iso/xaa
[quangntenemy@localhost mandriva]$ md5sum /home/quangntenemy/iso/xaa
26c5636cb00f103689f9432e9ff529a8 /home/quangntenemy/iso/xaa
[quangntenemy@localhost mandriva]$ f***
bash: f***: command not found
[quangntenemy@localhost mandriva]$ cp xaa /mnt/data/iso/
[quangntenemy@localhost mandriva]$ md5sum /mnt/data/iso/xaa
28cac97e24514e00da387d605d64e9d4 /mnt/data/iso/xaa

Err wtf's happening here?

I was trying to copy a file of about 2GB from my USB to my hard disk, but the checksum failed all the time :(

In the end I managed to get things done by copying the file to a fat32 partition instead.

I guess it's kinda buggy copying files between different types of partition...

Any explanation?

Saturday, April 19, 2008

Mandriva 2008.1 Spring

Finally! The official spring version of Mandriva Linux was released last week. And as a great fan, I downloaded the 3 cd version and tried upgrading my system to see the cool new features.

Unfortunately, after inspecting my system, the installer warned me that it could not do a safe upgrade to 2008.1 and recommended that I do a fresh install instead. I have had enough problems after every system upgrade so I figured it would be best to do as advised. But I have been enjoying my box so much that it will take a lot of time to back up the data, install the new system and customize it...

So I guess I'll have to hold it back for a little longer...

Thursday, April 10, 2008

Noobs happen here

Kevin Turner came to Vietnam yesterday for the "Heroes happen here" events, in which he introduced the "new and innovative" 2008 solutions. But its companion website,, is very much vulnerable to SQL injection.

Unclosed quotation mark before the character string '''.
Line 1: Incorrect syntax near '''.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Data.SqlClient.SqlException: Unclosed quotation mark before the character string '''.
Line 1: Incorrect syntax near '''.

Source Error:

Line 21: cmd.CommandText="SELECT count(*) FROM Newletters WHERE Email='"+ txtEmail.Text+"'";
Line 22:
Line 23: int Count = (int)cmd.ExecuteScalar();
Line 24:
Line 25: if (Count > 0)

Source File: d:\hosting\heroeshappenhere\footer.ascx Line: 23

Stack Trace:

[SqlException (0x80131904): Unclosed quotation mark before the character string '''.
Line 1: Incorrect syntax near '''.]
System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection) +925466
System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection) +800118
System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj) +186
System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj) +1932
System.Data.SqlClient.SqlDataReader.ConsumeMetaData() +31
System.Data.SqlClient.SqlDataReader.get_MetaData() +62
System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString) +297
System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async) +1005
System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, DbAsyncResult result) +132
System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method) +32
System.Data.SqlClient.SqlCommand.ExecuteScalar() +137
ASP.footer_ascx.cmdNewletter_Click(Object sender, EventArgs e) in d:\hosting\heroeshappenhere\footer.ascx:23
System.Web.UI.WebControls.Button.OnClick(EventArgs e) +105
System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) +107
System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +7
System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +11
System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +33
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1746

Version Information: Microsoft .NET Framework Version:2.0.50727.1433; ASP.NET Version:2.0.50727.1433

M$ is still M$, after all...
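
The query on line 21 of the error output above builds its SQL by pasting the text box value between quotes. The following is an added example, not code from that site or from the original post: it reproduces the concatenated pattern next to a parameterized one, using Python's sqlite3 as a stand-in for ASP.NET and SQL Server, with constructed sample rows and hypothetical function names.

```python
import sqlite3


def make_db():
    # Constructed sample rows; table and column names follow the query
    # shown on line 21 of the error output.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Newletters (Email TEXT)")
    db.executemany(
        "INSERT INTO Newletters (Email) VALUES (?)",
        [("alice@example.com",), ("o'brien@example.com",)],
    )
    return db


def count_concatenated(db, email):
    # Same pattern as the page: the input becomes part of the SQL text,
    # so a quote in it changes how the statement is parsed.
    sql = "SELECT count(*) FROM Newletters WHERE Email='" + email + "'"
    return db.execute(sql).fetchone()[0]


def count_parameterized(db, email):
    # The value is bound separately from the statement text, so any
    # character in it, quotes included, is compared as plain data.
    sql = "SELECT count(*) FROM Newletters WHERE Email = ?"
    return db.execute(sql, (email,)).fetchone()[0]


def compare(emails):
    # For each input return (concatenated result, or None if the statement
    # failed to parse; parameterized result).
    db = make_db()
    results = {}
    for email in emails:
        try:
            old = count_concatenated(db, email)
        except sqlite3.Error:
            old = None
        results[email] = (old, count_parameterized(db, email))
    return results


if __name__ == "__main__":
    samples = ["alice@example.com", "o'brien@example.com", "'"]
    for email, pair in compare(samples).items():
        print(repr(email), pair)
```

A legitimate address containing an apostrophe breaks the concatenated query just as the lone quote does, while the bound version counts it correctly. In ADO.NET the corresponding fix is a SqlParameter on the command, and the detailed error view with source lines and file path should be replaced by a generic message for visitors.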

Sunday, March 30, 2008

Something for March

Just noticed April is coming, and I haven't blogged anything for March so far. So now is the time for some updates.

It sucks to discover that your free webhost, webcounter and blograting are all insecure.

It's April Fool's soon, and I can't wait to see a new Google's hoax.

Saturday, March 1, 2008


Guys, have you ever tried clicking on the green icon on the right sidebar of this page? If you haven't, try it :P By clicking on the icon, you become a fan of this blog on Technorati, which is a good thing.

But unfortunately today I'm not in the mood to say how great Technorati is, as a universal blog rating, or an SEO service. On the contrary, I'm here to whine about it...

The first thing I don't like about Technorati is the rating system itself. It is heavily based on blog reactions, which is never correct - the world wide web isn't just about blogging! And sometimes, the ranking is inconsistent across various pages.

The second problem with Technorati is that the blog information there is very much outdated. I tried pinging a few times a week, but the content is still one hundred days lagged behind. An automated ping script could solve the problem, but there's a better way: just let your visitors ping the blogs for you. Here's the code to include as HTML/Javascript:

<img src="" alt="." style="width: 1px; height: 1px;" />
(If Technorati ever gets overflown with pings, it's not my fault, it's their fault for having such a crappy service)

Final thing I would like to mention today, Technorati has a few XSS vulnerabilities that can be found and fixed easily, but no one bothered to take any action. Maybe they should fire some developers, or send them to a basic web security course... If you are a Technorati user, be careful out there, or your Technorati account will get pwned in no time.

Sunday, February 24, 2008


I believe many of you have heard about the famous 7 wonders of the ancient world. But do you know there is a project that attempts to create a new list of modern wonders: A poll is hosted online there and internet users all over the world can come and cast their votes for their favourite candidates.

The media in Vietnam has been doing a fine job of spreading the word to many Vietnamese patriots, and as a result, the 3 candidates from Vietnam are leading the board at the moment. And out of curiosity, I had a quick look at the website to see if I can find anything interesting.

Firstly I'd like to say, online voting is unfair by any means. People who have never visited the wonders before can still cast their votes, which will surely lead to an incorrect result. And what's even worse is that countries with high population surely have an advantage.

Another problem of new7wonders is that the voting system looks to be in the 90s. In order to cast a vote, a user just has to enter his email address, some personal information, vote, and click a link in the confirmation email. No anti-bot mechanism is applied, so cheating is fairly easy. Just a script to automate the vote, and an email filter on your mail server to grab the link and click on it :P

Maybe my blog will become a new wonder of the world soon? :P

Thursday, February 14, 2008


Hey guys,

Probably you're wondering why there hasn't been a new post for a long time. Well I have been playing DotA like crazy recently. Although Warcraft is surely inferior to Starcraft, DotA is really a great game, especially when you got to play in a great team.

While training hard to become a DotA gosu, I have played various heroes, among which Traxex, Axe and Bloodseeker are my favourites. If you are a DotA fan, we should meet up and discuss DotA strategies some time :)

Monday, January 14, 2008

My first XSS published

Yeah, finally an XSS bug I found has been published on! Actually, after stumbling upon this site in late 2007, I had been submitting quite a few bugs discovered while wandering the wilderness, but this was the first one published so far. I wonder what happened to the others - were they not important enough to be there, or just the admins were too busy to process all the submissions. But anyway, I'll keep submitting bugs I have found - for a better digital world :)

Believe it or not, since I gained "underground" knowledge about internet security, I have been seeing vulnerabilities everywhere. Like in 10 websites I visited, 5 were vulnerable to XSS or SQL injection, 2 had other bugs that surely made them insecure, and 3 had bugs that had been/would be discovered (and exploited) by someone other than me. And most of the time my emails to the webmaster went to /dev/null. Not to mention the fact that only a few webmasters were capable of fixing them the right way.

Now with xssed, hopefully my bug reporting will become more effective. And I wonder if there are any other sites like that where I can submit SQL injection vulnerabilities and other bugs too.