Slashdot Mirror

← Back to Stories (view on slashdot.org)

TinyDisk, A File System on Someone Else's Web App

Posted by ScuttleMonkey on from the all-your-byte-are-belong-to-us dept.

Psy writes "I attended Phreaknic this weekend where Acidus released TinyDisk, a shared file system that runs on top of TinyURL or his own implementation NanoURL. TinyDisk compresses a file, encrypts it, and dices it into clusters. Each cluster is submitted to TinyURL as if it were a url. This clusters can be read back out of the database, making TinyDisk a global file system anyone can use. There are safeguards in the default config to prevent people from dumping gigs of MP3s into TinyURL. While file-system-on-web-applications are nothing new (GMail file system anyone?) this hack shows how easy it is to accidentally design a web application insecurely despite the default PHP protections. See his presentation for more info"

3 of 188 comments (clear)

  1. From what I understand by FST · · Score: 4, Informative

    I saw this a few hours ago, and from what I understand the process goes as follows:

    1- Open a meta file
    2- Retrieve and concatenate all the clusters from TinyURL in the order
    specified in the meta file.
    2- Base64 decode the file
    3- Decrypt the file with the algorithm and key in the meta file
    4- Decompress the file with the algorithm in the meta file.
    5 - Verify the file size given in the meta file is correct for the
    decoded/decrypted/decompressed file
    6- Verify the checksum with the algorithm and value in the meta file matches
    for the decoded/decrypted/decompressed file
    7- Set the filename of the decoded/decrypted/decompressed file to the
    filename specified in the meta file.

    Hope that helps somebody :)

    --
    46487 466780 252994 376409 96920 39622 205366 244315 622115 512361 668040 63608 259203 955314 811176 652718 166330 23922
  2. What does PHP have to do with it? by miknight · · Score: 5, Informative

    Sure, well all know PHP is far from synonymous with security, but this seems to be a case of exploiting a web app using only the mechanics intentionally made available, just in a novel way. Seems like some unfounded (though not necessarily undeserved) PHP bashing.

  3. Video/Overview of Acidus's presentation by Anonymous Coward · · Score: 4, Informative

    Here is a video of Acidus's presentation. If you haven't seen him present before (At Hope, O'Reilly's E-Tech, Toorcon, Phreaknic, Interz0ne, etc, etc) he puts on a good show.

    The presentation was called: Layer 7 Fun: Extending web applications in interesting ways. He discusses how traditional web applications work -vs- "new" web ppas that use AJAX. He talks about writing extensions to web apps using an API supplied (ala Housingmaps.com, or chicagocrime.org). Finally he talks about writing an extension to a web app where you don't have access to an API. TinyDisk was a case study for writes these so-called "non-sanctioned" extensions. He has a funny little slide he goes back to about how to properly implement a web app (which TinyRUL fails to do). Things like "don't wallow users to uploaded arbitrary amounts of data directly into your database."

    Funny Stuff. His upcoming talk at Shmoocon seems pretty cool too.