Tuesday, November 11, 2003

Hacking the ACL

We've all been in the situation where we've locked ourselves out of the ACL and know how infuriating it can be. Well, you might like to know that you can completely remove the ACL from an NSF file using a free HEX editor.
Before you try what I am about to describe, I encourage you to make a copy of a local database so you don't do anything you regret. Change the ACL of this copy so you have no access and make sure the ACL is consistent on local replicas. Check you have no access by trying to open it in the client. Now:
  1. Download, install and launch a copy of frhed.
  2. From frhed's file menu open the database copy you made.
  3. Find the range of bytes between offset 0x16c and 0x1a7, as highlighted below. This is the ACL.
  4. Set any that aren't 00 to be 00. Two cases in the example below.
  5. Save changes to the file from frhed's file menu.
[Image: NSF file open in HEX mode]
Switch back to your Notes client and try and launch the copy you had no access to. All being well, you will get in. Notice the ACL is completely blank!
This trick/hack is something I've been sat on for a while now while I plucked up the courage to make it public. It was sent to me by a regular reader who I will leave with the option of whether or not he wants to own up to the hacking side of things.
I publish this tip in the hope that you will not use it for anything other than to undo your own mistakes. Any damage you may cause while using this method is your own fault and in no way my responsibility. Blah, blah, blah.

Saturday, November 1, 2003

Hacking Web Forms

By Dear Jake Howlett
When I made the PHP version of Personal Journal public yesterday I knew what was going to happen. The wannabe hackers amongst us are going to see if they can't break it. As you can see, it wasn't hard at all. In its immature state I had added no validation whatsoever. It's good to see people thinking logically like this though.
Unwittingly or not you've given me the chance to laud the abilities of PHP some more. Most of you have taken advantage of the fact that you can add HTML tags to all of the fields. What if I wanted to put an end to this? Well, I could choose to simply remove all tags (with the option of allowing a predefined list) or I could make all HTML appear as plain text.
Both of these functions are standard features of PHP. Yes, out of the box. No extra programming required. This is what I love about PHP. From its beginning it's always been about the web, and nothing else.
Go ahead, try hacking it now. All tags in the body field will be replaced except for bold and italic text, and markup in the subject will display as text. I know you can still leave all the fields blank. Come on, give me chance....
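
The two treatments described above, as an added example that is not the Personal Journal code: it assumes the built-in functions meant are `strip_tags()` and `htmlspecialchars()`, and the helper names `render_subject()` and `render_body()` are hypothetical. It goes one step beyond the post, because `strip_tags()` leaves attributes on the tags it allows, so the body helper also reduces the surviving `<b>` and `<i>` tags to their bare form.

```php
<?php
// Added example. render_subject() and render_body() are hypothetical names.

// Subject: every character with HTML meaning is shown as literal text.
function render_subject(string $subject): string
{
    return htmlspecialchars($subject, ENT_QUOTES, 'UTF-8');
}

// Body: only bare <b> and <i> tags survive; everything else is text.
function render_body(string $body): string
{
    // 1. Drop every tag that is not on the allowlist. strip_tags() leaves
    //    attributes on the allowed tags untouched.
    $kept = strip_tags($body, '<b><i>');

    // 2. Rewrite each surviving tag to its bare lowercase form, discarding
    //    attributes such as style or event handlers.
    $bare = preg_replace_callback(
        '~<(/?)([bi])\b[^>]*>~i',
        fn(array $m): string => '<' . $m[1] . strtolower($m[2]) . '>',
        $kept
    ) ?? '';

    // 3. Escape the whole string, then restore only the four bare tags.
    $escaped = htmlspecialchars($bare, ENT_QUOTES, 'UTF-8');
    return str_replace(
        ['&lt;b&gt;', '&lt;/b&gt;', '&lt;i&gt;', '&lt;/i&gt;'],
        ['<b>', '</b>', '<i>', '</i>'],
        $escaped
    );
}

// Constructed sample input, not taken from the journal.
$subject = 'Hello <script>alert(1)</script>';
$body    = '<b style="font-size:90px" onclick="x()">bold</b> <a href="#">link</a> AT&T <I>it</I>';

echo render_subject($subject), "\n";
echo render_body($body), "\n";
```

Apply both helpers at output time, when the stored text is written into the page, so that entries saved before the validation was added are covered as well.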