Redirection Attack in ScrewTurnWiki Administration

I installed the latest verion of ScrewTurnWiki 5, first to obtain a valid database schema, and second to click through the Administration menu to figure out what can be configured in what I considered the last “official” edition of STW.

Unfortunately, I can only find the binary release, as opposed to all other versions of ScrewTurnWiki that come also with source code (or only with source code).

So I entered the Administration menu and clicked through the menu items, when suddenly a click on Global Admin Home redirected me to an ad site, and away from STW.

After a bit of research the code, it turned out that the version update check tries to retrieve information on whether a newer software version exists, but handles the result of the HTTP request incorrectly: The resulting HTML is simply copied into the admin back-end. Technically speaking, the HTML is passed through in an <asp:Literal>.

For version 5, the update check calls the URL http://www.sunhorizon.info/Version1/Wiki/1.htm, which was once a domain hosting STW, but now abandoned.

The request returns

<html><head><title>Loading…</title></head><body><script type=’text/javascript’>window.location.replace(‘http://www.sunhorizon.info/Version1/Wiki/1.htm?js=…&sid=…guid…&#8217;);</script></body></html>

and it is obvious that embedding this content as literal HTML immediately performs a Javascript redirect with tracking parameters js= and sid=, and off it goes to whatever ad netware is being lucky.

The easiest workaround to solve this redirection attack is to locate the AdminGlobalHome.aspx file, and modify the <asp:Literal ID=”lblSystemStatusContent”> element to include a property Mode=”Encode” to disable harmful HTML:

<asp:Literal ID="lblSystemStatusContent" runat="server" 
  meta:resourcekey="lblSystemStatusContentResource1" 
  Mode="Encode" />

or to set Visible=”false”.

Versions 3 and 4 seem to query http://www.screwturn.eu/Version/Wiki/3.htm and http://www.screwturn.eu/Version4.0/Wiki/4.htm, also an abandoned STW domain, but without Javascript redirection.

 

Tracking down ScrewTurn Wiki

Back in 2012, the world was shocked by news that ScrewTurn Wiki would not be developed any further.

The universe of .Net-based open-source wikis was small then, and it is even smaller today.

Time to find out what happened to the original STW source code. I tracked down a couple of versions of the original STW3, as well as successors:

• Version 3.0.5.610 by shahab32mohsen (GitHub, 2014)
• Version 3.0.5.629 by ScrewTurn Wiki (Bitbucket, 2012)
• Version 3.0.5.630 by ScrewTurn Wiki (GitHub, 2014)
• Version 3.1.0.0 by MarkZither (GitHub, 2019)
• Version 4.0.5.145 by shahab32mohsen (GitHub, 2013)
• Version 4.0.5.145 by ScrewTurn Wiki (Bitbucket, 2015)
• Version 4.0.5.145 by ScrewTurn Wiki (CodePlex Archive, 2015)
• Version 5.2.0.7 on screwturn.net (binary only, 2016)
• Version 6.0.0.0 by Mikezar (GitHub, 2017)
• Version 6.0.0.0 by Askanio (GitHub, 2018)

Compilation and initial startup showed the following results:

 

Version	.Net Version	VS Version	License	compiled	run test
3.0.5.610	3.5	12 (2013)	GPL V2	VS 2013	ok
3.0.5.629	3.5	11 (2010)	GPL V2	VS 2013	ok
3.0.6.630	4.5	12 (2013)	GPL V2	VS 2013	fails to load sql page provider
3.1.0.0	4.7.2	15 (2017)	GPL V2	VS 2017	fails to load sql provider
4.0.5.145	4.0	11 (2010)	GPL V2	VS 2017 with Azure SDK	ok
6.0.0.0	4.6	14 (2015)	GPL V3	VS 2017 with Azure SDK	ok (run as site)

Comments:

• VS Version is the version of Visual Studio the original code was developed with, while compiled shows the Visual Studio version I used to compile the code.
• Versions 3.0.6.630 and 3.1.0.0 compiled and ran, but did not load the SQL Providers.
• Versions 4 and above reference Azure libraries. Since the Azure SDK from Visual Studio 2010 is not available anymore, I used Visual Studio 2017 with its Azure SDK.
• Version 6 is an ASP.Net MVC application. All previous versions are ASP.Net.
• Version 6 requires ScrewTurn Wiki to run as an IIS site due to lack of application-relative paths in code and markup. All previous versions also run as IIS applications inside an IIS site.

Goodbye, ScrewTurn Wiki

Earlier this month, Dario announced the end of ScrewTurn wiki. Despite a huge number of downloads (>300.000), the project was not a financial success (read: commercial licenses did not sell well enough).

My interest in ScrewTurn Wiki started when I enabled my database versioning and documentation application dbscript to generate database documentation both into ScrewTurn 2.0 and ScrewTurn 3.0. I even experimented with a Page Storage Provider for STW 2, but dropped it later because static generation performs better than dynamic generation (read: my page provider needed a lot of CPU).

The source code will be kept on Bitbucket, but everything else will be thrown into the memory hole. What a pity.

The comments mention another .Net-based OS wiki, Road Kill, but from a first look, the download numbers are low, and there seems to be a problem storing or displaying Unicode characters in articles. I’m not convinced.

Any other .Net wikis out there?

More Documentation Generators for dbscript

The number of documentation generators included in dbscript is growing steadily.

Version 1.00 already implemented

• Single HTML file documentation generator
• MediaWiki documentation generator
• ScrewTurn V2 Wiki documentation generator

and fixed the

• ScrewTurn V2 Page Provider

All links show documentation on the MS AdventureWorks (2005) database.

Version 1.01 further includes

• ScrewTurn V3 Wiki documentation generator
• Word HTML documentation generator

The XSLT style sheets shipping with dbscript need a bit of revising too, for example, to include separate sections for table indexes and constraints which are currently not output.

dbscript 1.00 released

The major new feature of version 1.00 of dbscript is the new SQL parser with the following improvements:

• support for SQL Server 2005 and 2008 features
• detailed log of parser results (successfully parsed statements as well as skipped clauses and text ranges)
• parser continues after unrecognized or faulty statements
• interpretation of sp_addextendedproperty to extract object and column descriptions (MS_Description)
• dependency analysis of views, stored procedures, etc.

The descriptions and dependencies extracted by parsing or importing from a live database are included in SQL scripts and generated XML files, and thus available in all generated documentation. XSL style sheets have been adapted to display object and column descriptions.

Output samples of generated documentation:

Single HTML file documentation

MediaWiki documentation

ScrewTurn Wiki documentation

The new features lay the groundwork for future versions of dbscript the implement parsers for other SQL dialects (schema import from database is already supported for Oracle and PostgreSql), dependency diagrams, and more.

dbscript is available for download here.

Please send your feedback 😉

New SQL Parser in dbscript

I wrote about my plans to add a new SQL parser engine into dbscript a couple of months ago. Now the time has come to actually implement it for T-SQL (MS SQL Server; Oracle and PostgreSQL will follow in future versions), and I found that I did not foresee all the consequences of my initial intent. The overall architecture remained the same though.

The grammar definition allows to define attributes on non-terminals. Using the SQL Server versions as attributes (2005, 2008), I can mark commands or clauses as their support or feature has been introduced in a specific version, and store the database version as property of the uploaded Project Version.

The parser skips the parts of the uploaded file that it cannot parse, and writes these parts to the upload log. Up to now, the parser would simply fail if it considered the SQL file somehow invalid.

The (C#) object representation of a parsed SQL command has a boolean flag IsHandled for each non-terminal. The code processing the object representation needs to mark every non-terminal object as being handled (i.e. translated into schema information stored in the database). Objects that have not been flagged will also be listed in the upload log.

Next, the new parser allowed me to rewrite the dependency analysis. Until now, dbscript only analyzed view dependencies to order the CREATE VIEW statements. Dependency analysis has now been extended to all database objects.

One more major issue that has been solved is parsing and interpreting EXECUTE statements. Thus an EXEC sp_addextendedproperty is interpreted as adding a description to a database object.

This obviously led to changes in the XML generation of database schemas. Each object now lists its descriptions and the dependencies on and references from other database objects.

The XSL stylesheets which translate a project version XML into markup or HTML have been revised to reflect the additional information in the generated XML.

All taken together, the new parser adds:

• better feedback on which parts of the uploaded SQL file have been processed
• dependency analysis
• object and column descriptions

See the following links documenting AdventureWorks OLTP 2008 (version 2005) for the effects of the new functionality:

Single HTML file documentation

MediaWiki documentation

ScrewTurn Wiki documentation

In both wikis, compare the (old-style) “wikibot” section with the new section “automatically generated” to see the changes.

The next version of dbscript with the mythical version number “1.0” will be released soon 😉

Generating Database Documentation for ScrewTurn wikis

Updated XSL style sheets for dbscript documentation generators creating ScrewTurn content.

See here for sample output:

MS SQL AdventureWorks

Oracle Demo Schema

PostgreSQL OpenNMS

ScrewTurn also allows external Page Providers (instead of stored static pages)

MS SQL AdventureWorks (by Page Provider)

New Features in dbscript 0.95

The latest version 0.95 of dbscript adds new functionality:

Data Diagram generation

dbscript 0.95 adds the capability to generate Data Diagrams from imported and uploaded SQL Server database schemas.

This allows you to get a quick overview of a database schema. It is also useful if you plan to manually create a data diagram in Management Studio, and need some visual help of how to layout the diagram.

ScrewTurn Wiki Page Provider

In addition to the ScrewTurn documentation generator introduced in dbscript 0.94, the latest version includes a Page Provider which you add in the Administration panel of your ScrewTurnWiki installation.

Configure the Documentation Generator plugin with the same ConnectionString you use in your dbscript web application.

Next, create a Documentation Generator of type ScrewTurn Page Provider, and define its contents. After you generate, ScrewTurn Wiki displays the selected Project Version information. (You may need to restart the ScrewTurn web application)

Summary of Output generated by dbscript

This is a list of output samples generated by dbscript based on MS AdventureWorks sample database:

Value Scripts

C# const int declarations of a dbscript Table

VB.Net Const Integer declarations of a dbscript Table

Project Version / Database Schema

Data Diagram of MS AdventureWorks database

Documentation Generators

MediaWiki Documentation of MS AdventureWorks database

Single Object documentation in MediaWiki format

Single HTML File documentation of MS AdventureWorks

ScrewTurn Wiki Documentation of MS AdventureWorks database

ScrewTurn Wiki Page Provider Documentation of MS AdventureWorks database

The latest version of dbscript is available for download here.

Generate ScrewTurn Documentation of MS SQL Database and Values

In addition to creating MediaWiki content, dbscript 0.94 now also supports ScrewTurn wikis to generate database documentation.

The steps to setup the documentation generator are essentially the same as described here and here for MediaWiki wikis, except that the respective ScrewTurn alternatives (generator type, XSLs) have to be selected.

To allow the built-in bot to post content to the ScrewTurn wiki, the wiki’s web.config has to be modified to disable viewstate validation:

<pages enableViewState="true" enableEventValidation="false" />

Follow this link to browse the ScrewTurn documentation of AdventureWorks as generated by dbscript.

The latest version of dbscript is available for download here.

New Features in dbscript 0.94

The latest version 0.94 of dbscript adds new functionality:

Multi-user capability

A user/role model has been implemented which allows the following definitions:

• System administrator roles
• Project-specific roles (project administrator, project user)
• User/Role assignments

Each user can be assigned to several roles. A role is either a sysadmin role, or assigned to one or more projects. Within a project, a role is defined as project administrator or project user role. Users inherit sysadmin, project admin, and project user capability from their assigned roles.

Documentation Generators

New documentation generators create documentation as

• Single HTML file
• ScrewTurn wiki

Value Scripts

Adding to existing functionality creating C# const declarations:

• C# public static const classes are now declared partial
• new C# public static class with string ToString(int) to convert an int identifier into its string representation
• VB.Net public const declarations
• define optional WHERE condition on generated values

Database Schema Checks

Added the following checks on database tables:

• Tables without Primary Key
• Tables without Unique Constraint
• Tables without Foreign Key Constraints
• Unreferences Tables
• Isolated Tables

The latest version of dbscript is available for download here.