<div dir="ltr"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">RFI can't work in MVC </blockquote><div>
Yeah, routing rules should block it, I forgot to mention that. I don't think <a href="http://ASP.NET">ASP.NET</a> MVC allows "\" in its route parameters.</div><div><br></div><div style>But if you have the default route (/ControllerName/ActionName) enabled, your app could still be vulnerable. A user could pass the parameter as a GET or POST parameter (i.e. go to /Gallery/<span style="font-family:arial,sans-serif;font-size:13px">FullImage</span>?id=../../../../../../../etc/passwd) and the default model binder will accept this parameter. It's usually safer to always do validation of your parameters instead of relying on the routing engine to do it :)</div>
<div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">What I mean is file path validation in <br>
Response.TransmitFile <br>Response.WriteFile <br>Server.MapPath <br>System.IO.Path.GetFiles <br>etc.<br>To check whether the requested file is not below the root directory of the web application </blockquote><div>But in some cases you might want to read files below the root directory (eg. some apps use c:\Windows\Temp or /tmp)</div>
<div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">WriteFile.ashx?myfile=../../../../../../../root/.ssh/id_rsa would be really really bad.</blockquote>
<div>This should never work as id_rsa should have its mode set to 0700 and Mono shouldn't be running as root. The user Mono runs as should be relatively locked down. I use www-data (the default web server / PHP-FPM user in Debian) for mine.</div>
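<div>Added example (not code from this thread or from Mono): one way to do the path check discussed here, canonicalizing with Path.GetFullPath before the prefix comparison and taking the allowed base directory as a parameter, since the permitted folder need not be the application root. The names GalleryPaths and ResolveInside, the temp-directory layout and the sample inputs are constructed for illustration.</div>

```csharp
using System;
using System.IO;

static class GalleryPaths
{
    // Hypothetical helper: resolve a user-supplied name against baseDir and
    // return the full path only if it is still inside baseDir, else null.
    // Note: GetFullPath does not resolve symlinks, so links inside baseDir
    // that point elsewhere are out of scope for this check.
    public static string ResolveInside(string baseDir, string userInput)
    {
        if (string.IsNullOrEmpty(userInput) || userInput.IndexOf('\0') != -1)
            return null;

        // Canonical base ending in exactly one separator, so that
        // ".../gallery" does not also match ".../gallery-private/x".
        string root = Path.GetFullPath(baseDir)
            .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
            + Path.DirectorySeparatorChar;

        string candidate;
        try
        {
            // Path.Combine drops root entirely when userInput is rooted
            // ("/etc/passwd"); GetFullPath then collapses "." and "..".
            // Both cases are caught by the prefix check below.
            candidate = Path.GetFullPath(Path.Combine(root, userInput));
        }
        catch (ArgumentException) { return null; }
        catch (NotSupportedException) { return null; }
        catch (PathTooLongException) { return null; }

        // Assumption: backslash as separator means a case-insensitive
        // (Windows) file system; elsewhere compare exactly.
        StringComparison cmp = Path.DirectorySeparatorChar == '\\'
            ? StringComparison.OrdinalIgnoreCase
            : StringComparison.Ordinal;

        return candidate.StartsWith(root, cmp) ? candidate : null;
    }
}

static class Demo
{
    static void Main()
    {
        // Constructed layout under the temp directory, mirroring the
        // handler's ~/Content/images/gallery folder.
        string site = Path.Combine(Path.GetTempPath(), "traversal-demo-site");
        string gallery = Path.Combine(site, "Content", "images", "gallery");
        Directory.CreateDirectory(gallery);

        // Constructed sample values for the "myfile" parameter.
        string[] inputs =
        {
            "avatar100.png",
            "sub/../avatar100.png",
            "../../../../../../../etc/passwd",
            "../gallery-private/secret.jpg",
            "/etc/passwd",
            // On Linux the backslash is an ordinary file-name character, so
            // this stays inside the gallery; on Windows it is a traversal.
            "..\\..\\web.config",
        };

        foreach (string input in inputs)
        {
            // The StartsWith check from the thread, applied to the
            // un-normalized string: any "../" sequence passes it.
            string naive = Path.Combine(gallery, input);
            bool naiveOk = naive.StartsWith(gallery, StringComparison.OrdinalIgnoreCase);

            string resolved = GalleryPaths.ResolveInside(gallery, input);

            Console.WriteLine("{0,-36} naive={1,-5} canonical={2}",
                input, naiveOk, resolved == null ? "REJECTED" : "ok");
        }
    }
}
```

<div>In a handler like Transmit.ashx, the value returned by ResolveInside would be what is passed to TransmitFile, with a null result turned into a 404 or 403 response.</div>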
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Feb 4, 2013 at 12:03 AM, quandary <span dir="ltr"><<a href="mailto:quandary82@hailmail.net" target="_blank">quandary82@hailmail.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div text="#000000" bgcolor="#FFFFFF">
    <div>Remote file inclusion fixed, ashx
      handlers removed, FullImage removed, website back up.<br>
      <br>
      Filed bug 10'001<br>
      <a href="https://bugzilla.xamarin.com/show_bug.cgi?id=10001" target="_blank">https://bugzilla.xamarin.com/show_bug.cgi?id=10001</a><br>
      <br>
      <br>
      <br>
      No, I don't mean parameter validation, and RFI can't work in MVC
      when you request from a browser on Windows, because <br>
      parameters are separated by / and windows translates backslash to
      forwardslash.<br>
      (at least not until one uses a catchall parameter), I checked.<br>
      <br>
      If you'd use a browser on Linux, I don't know if it would change
      backslashes into slashes, <br>
      which would be a potentially dangerous thing for a windows server.<br>
      But I have a Linux server, so who cares about that.<br>
      <br>
      It can only work for parameters passed via QueryString/HttpPost,
      such as in the two ashx handlers I added.<br>
      (or if a confidential file is in the same directory, but that
      would be really stupid).<br>
      <br>
      <br>
      What I mean is file path validation in <br>
      Response.TransmitFile <br>
      Response.WriteFile <br>
      Server.MapPath <br>
      System.IO.Path.GetFiles <br>
      etc.<br>
      To check whether the requested file is not below the root
      directory of the web application <br>
      (so that it would throw an AccessDeniedException on TransmitFile).<br>
      <br>
      Or in other words, <br>
      if (!strFileName.StartsWith(AppDomain.CurrentDomain.BaseDirectory,
      StringComparison.OrdinalIgnoreCase))<br>
           throw new AccessDeniedException("no access to files below
      application root directory");<br>
      <br>
      of course, the above is not sufficient, because relative paths in
      absolute paths are possible and supported by .NET/Windows/Linux.<br>
      <br>
      Because if that path validation isn't done, one can request (for
      example in my previous handler) <br>
      wget
<a href="http://www.daniel-steiger.ch/WriteFile.ashx?myfile=../../../../../../../etc/passwd" target="_blank">http://www.daniel-steiger.ch/WriteFile.ashx?myfile=../../../../../../../etc/passwd</a><br>
      which makes RFI interesting in the first place.<br>
      I checked and it worked, I got /etc/passwd back...<br>
      Now /etc/passwd wouldn't be that bad, <br>
      since it only contains MD5 hashes (though MD5 is rainbow-table
      vulnerable) and because I configured ssh to not allow password
      logins, <br>
      but WriteFile.ashx?myfile=../../../../../../../root/.ssh/id_rsa
      would be really really bad.<br>
      <br>
      I think I remember stumbling over such an exception somehow in IIS
      (perhaps SecurityException and not AccessDenied), <br>
      but not on the <a href="http://ASP.NET" target="_blank">ASP.NET</a> development server.<div><div class="h5"><br>
      <br>
      <br>
      <br>
      <br>
      <br>
      On 02/03/2013 12:41 PM, Daniel Lo Nigro wrote:<br>
    </div></div></div><div><div class="h5">
    <blockquote type="cite">
      <div dir="ltr">Better I mention it than risking someone more
        malicious noticing it, since the link was already in a public
        mailing list. :)
        <div><br>
        </div>
        <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span style="font-family:arial,sans-serif;font-size:13px">Isn't
            this a mono-bug, too ?</span></blockquote>
        <div><font face="arial, sans-serif">As far as I'm aware, the
            .NET Framework only validates for HTML tags in parameters.
            It doesn't validate file paths since it doesn't even know
            the parameter will be used for a file path (things like
            "..\" could be valid GET parameters for your page). I don't
            think there's any built in mechanism to prevent directory
            traversal.</font></div>
        <div><font face="arial, sans-serif"><br>
          </font></div>
        <div><font face="arial, sans-serif">.NET request
            validation: <a href="http://msdn.microsoft.com/en-us/library/hh882339.aspx" target="_blank">http://msdn.microsoft.com/en-us/library/hh882339.aspx</a></font></div>
      </div>
      <div class="gmail_extra"><br>
        <br>
        <div class="gmail_quote">On Sun, Feb 3, 2013 at 10:34 PM,
          quandary <span dir="ltr"><<a href="mailto:quandary82@hailmail.net" target="_blank">quandary82@hailmail.net</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div text="#000000" bgcolor="#FFFFFF">
              <div>Oh wonderful, it's called remote file inclusion.<br>
                I suspected that much, but I didn't bother to address
                it, <br>
                because I didn't publish the sources and internal config
                files - up until today.<br>
                <br>
                So with you having mentioned it for all script kiddies
                to see - site taken down until validation is added.<br>
                Before that, I quickly checked - one can access files
                below the root directory of the web application.<br>
                <br>
                Isn't this a mono-bug, too ?<br>
                Because I think I remember having done this once on a
                test or production server, and it gave a wonderful YSOD
                on IIS.
                <div>
                  <div><br>
                    <br>
                    <br>
                    <br>
                    <br>
                    <br>
                    On 02/03/2013 11:45 AM, Daniel Lo Nigro wrote:<br>
                  </div>
                </div>
              </div>
              <div>
                <div>
                  <blockquote type="cite">
                    <div dir="ltr">That does look like a bug with how
                      Mono handles TransmitFile - I suggest reporting it
                      as a bug in Xamarin Bugzilla (report it under the
                      System.Web component).
                      <div><br>
                      </div>
                      <div>Also FYI it's probably best if you pull down
                        those pages for now; you're not validating the
                        "myfile" parameter so it's open to a <a href="http://en.wikipedia.org/wiki/Remote_file_inclusion" target="_blank">Remote File Inclusion</a>
                        vulnerability.</div>
                    </div>
                    <div class="gmail_extra"><br>
                      <br>
                      <div class="gmail_quote">On Sun, Feb 3, 2013 at
                        9:38 PM, quandary <span dir="ltr"><<a href="mailto:quandary82@hailmail.net" target="_blank">quandary82@hailmail.net</a>></span>
                        wrote:<br>
                        <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                          <div text="#000000" bgcolor="#FFFFFF">
                            <div>Yep, indeed that sounds like that.<br>
                              And I just tested.<br>
                              Added WriteFile.ashx and Transmit.ashx<br>
                              <br>
                              and tested with<br>
                              <a href="http://www.daniel-steiger.ch/WriteFile.ashx" target="_blank">http://www.daniel-steiger.ch/WriteFile.ashx</a><br>
                              <a href="http://www.daniel-steiger.ch/Transmit.ashx" target="_blank">http://www.daniel-steiger.ch/Transmit.ashx</a><br>
                              and<br>
                              <a href="http://www.daniel-steiger.ch/WriteFile.ashx?myfile=avatar100.png" target="_blank">http://www.daniel-steiger.ch/WriteFile.ashx?myfile=avatar100.png</a><br>
                              <a href="http://www.daniel-steiger.ch/Transmit.ashx?myfile=avatar100.png" target="_blank">http://www.daniel-steiger.ch/Transmit.ashx?myfile=avatar100.png</a><br>
                              <br>
                              <br>
                              It seems the bug is in
                              Response.TransmitFile for files of any
                              size <br>
                              (also for avatar100.png, which is only 4.3
                              kb)<br>
                              <br>
                              so to summarize, there is a rather
                              bad-natured bug in <br>
                              Class: System.Web.HttpResponse<br>
                              Method: TransmitFile(string filename)<br>
                              <br>
                              <br>
                              This is the transmit-handler code:<br>
                               <br>
                              using System; <br>
                              using System.Collections.Generic; <br>
                              using System.Linq; <br>
                              using System.Web; <br>
                               <br>
                              namespace Homepage <br>
                              { <br>
                                  /// <summary> <br>
                                  /// Summary description for Transmit <br>
                                  /// </summary> <br>
                                  public class Transmit : IHttpHandler <br>
                                  { <br>
                               <br>
                                      public void
                              ProcessRequest(HttpContext context) <br>
                                      { <br>
                                          string strFile =
                              context.Request.Params["myfile"]; <br>
                               <br>
                                          if
                              (string.IsNullOrEmpty(strFile)) <br>
                                              strFile = "001.jpg"; <br>
                               <br>
                                          string strNetPath =
                              string.Format("~/Content/images/gallery/{0}",
                              strFile); <br>
                                          string strFileNameAndPath =
                              context.Server.MapPath(strNetPath); <br>
                               <br>
                                          context.Response.Clear(); <br>
                                          context.Response.ContentType =
                              "image/jpeg"; <br>
                                         
                              context.Response.TransmitFile(strFileNameAndPath);
                              <br>
                                      } <br>
                               <br>
                                      public bool IsReusable <br>
                                      { <br>
                                          get <br>
                                          { <br>
                                              return false; <br>
                                          } <br>
                                      } <br>
                                  } <br>
                               <br>
                              }<br>
                              <br>
                              <br>
                              <br>
                              Regards<br>
                              <br>
                              Stefan
                              <div>
                                <div><br>
                                  <br>
                                  <br>
                                  <br>
                                  <br>
                                  On 02/03/2013 06:14 AM, Daniel Lo
                                  Nigro wrote:<br>
                                </div>
                              </div>
                            </div>
                            <div>
                              <div>
                                <blockquote type="cite">
                                  <div dir="ltr">That sounds like
                                    chunked encoding, Wikipedia says (<a href="http://en.wikipedia.org/wiki/Chunked_transfer_encoding" target="_blank">http://en.wikipedia.org/wiki/Chunked_transfer_encoding</a>):<br>
                                    <i>Each chunk starts with the<b>
                                        number of octets of the data it
                                        embeds expressed in hexadecimal</b>
                                      followed by optional parameters
                                      (chunk extension) and a <b>terminating
                                        CRLF sequence</b>, followed by
                                      the chunk data. The chunk is
                                      terminated by CRLF. If chunk
                                      extensions are provided, the chunk
                                      size is terminated by a semicolon
                                      followed with the extension name
                                      and an optional equal sign and
                                      value.</i>
                                    <div> <br>
                                    </div>
                                    <div>Which is exactly what you're
                                      saying. I wonder if something is
                                      not being done correctly with
                                      files as large as the ones you're
                                      using. Since you said it works for
                                      thumbnails, I assume it's working
                                      for smaller files.</div>
                                    <div><br>
                                    </div>
                                    <div>Try Response.WriteFile or
                                      Response.TransmitFile in a
                                      standard <a href="http://ASP.NET" target="_blank">ASP.NET</a>
                                      handler (.ashx) and see if they
                                      also don't work.</div>
                                    <div><br>
                                    </div>
                                    <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span style="font-family:arial,sans-serif;font-size:13px">All traffic to that
                                        URL [</span><a href="http://www.daniel-steiger.ch/" style="font-family:arial,sans-serif;font-size:13px" target="_blank">www.daniel-steiger.ch</a><span style="font-family:arial,sans-serif;font-size:13px">] (except for the
                                        folders /doc and /images), but
                                        including images in /Content, is
                                        directly forwarded to fastcgi by
                                        nginx, as per fastcgi config
                                        file for domain.</span></blockquote>
                                    <div><span style="font-family:arial,sans-serif;font-size:13px">I'd


                                        still suggest letting Nginx
                                        serve your static files. Just
                                        because the site is low-traffic
                                        doesn't mean that little
                                        performance tweaks aren't good
                                        :). I do something like this:</span></div>
                                    <div>
                                      <div><font face="courier new,
                                          monospace">location / {</font></div>
                                      <div><span> </span><font face="courier new, monospace">#
                                          Pass requests for unknown
                                          files to Mono<br>
                                        </font></div>
                                      <div><font face="courier new,
                                          monospace"><span style="white-space:pre-wrap">
                                          </span>try_files $uri @mono;</font></div>
                                      <div><font face="courier new,
                                          monospace">}</font></div>
                                      <div><font face="courier new,
                                          monospace"><br>
                                        </font></div>
                                      <div><font face="courier new,
                                          monospace">location @mono {</font></div>
                                      <div><font face="courier new,
                                          monospace"><span style="white-space:pre-wrap">
                                          </span># Put all your Mono
                                          config here</font></div>
                                      <div><font face="courier new,
                                          monospace">}</font></div>
                                      <div><font face="arial,
                                          sans-serif">My full site
                                          config is at </font><a href="https://github.com/Daniel15/Website/blob/master/nginx.conf" target="_blank">https://github.com/Daniel15/Website/blob/master/nginx.conf</a></div>
                                      <div><font face="arial,
                                          sans-serif"><br>
                                        </font></div>
                                    </div>
                                  </div>
                                  <div class="gmail_extra"><br>
                                    <br>
                                    <div class="gmail_quote">On Sun, Feb
                                      3, 2013 at 4:00 PM, SirNoSkill <span dir="ltr"><<a href="mailto:quandary82@hailmail.net" target="_blank">quandary82@hailmail.net</a>></span>
                                      wrote:<br>
                                      <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                        <div>
                                          <div>I have more details on
                                            the bug.<br>
                                          </div>
                                          <div>The extra bytes that are
                                            at the beginning <br>
                                          </div>
                                          <pre><code><span>31 </span><span></span><span>39 </span><span></span><span>36 </span><span></span><span>62 </span><span></span><span>36 </span><span></span><span>38 </span><span></span><span>0D </span><span></span><span>0A</span></code>

</pre>
                                          <div><code><span></span><span></span></code>which

                                            reads <span><span><span>196b68\r\n
                                                  in ASCII</span></span></span><br>
                                          </div>
                                          <div><span>196b68 </span>is
                                            the filesize of the original
                                            image in hex...<br>
                                          </div>
                                          <div> </div>
                                          <div>All details + hexdump
                                            links added here:<br>
                                          </div>
                                          <div><a href="http://stackoverflow.com/questions/14662795/why-do-i-have-unwanted-extra-bytes-at-the-beginning-of-image" target="_blank">http://stackoverflow.com/questions/14662795/why-do-i-have-unwanted-extra-bytes-at-the-beginning-of-image</a><br>

                                          </div>
                                          <div> </div>
                                          <div> </div>
                                          <div> </div>
                                          <div>All traffic to that URL [<a href="http://www.daniel-steiger.ch" target="_blank">www.daniel-steiger.ch</a>]
                                            (except for the folders /doc
                                            and /images), but including
                                            images in /Content, is
                                            directly forwarded to
                                            fastcgi by nginx, as per
                                            fastcgi config file for
                                            domain.<br>
                                          </div>
                                          <div> </div>
                                          <div> </div>
                                          <div> server {<br>
                                          </div>
                                          <div>         listen   80;<br>
                                          </div>
                                          <div>         server_name <a href="http://www.daniel-steiger.ch" target="_blank">www.daniel-steiger.ch</a>
                                            <a href="http://daniel-steiger.ch" target="_blank">daniel-steiger.ch</a>;<br>
                                          </div>
                                          <div>         access_log  
                                            /var/log/nginx/daniel-steiger.ch.access.log;<br>
                                          </div>
                                          <div> </div>
                                          <div>         location / {<br>
                                          </div>
                                          <div>                 root
                                            /home/danillo/www/HomePage;<br>
                                          </div>
                                          <div>                 #index
                                            index.html index.htm
                                            default.aspx Default.aspx;<br>
                                          </div>
                                          <div>               
                                             #fastcgi_index
                                            Default.aspx;<br>
                                          </div>
                                          <div>               
                                             fastcgi_pass <a href="http://127.0.0.1:9000" target="_blank">127.0.0.1:9000</a>;<br>
                                          </div>
                                          <div>                 include
                                            /etc/nginx/fastcgi_params;<br>
                                          </div>
                                          <div>         }<br>
                                          </div>
                                          <div> </div>
                                          <div> </div>
                                          <div><span></span>location
                                            /doc {<br>
                                          </div>
                                          <div><span></span>root
                                            /usr/share;<br>
                                          </div>
                                          <div><span></span>autoindex
                                            on;<br>
                                          </div>
                                          <div><span></span>allow
                                            127.0.0.1;<br>
                                          </div>
                                          <div><span></span>deny all;<br>
                                          </div>
                                          <div><span></span>}<br>
                                          </div>
                                          <div> </div>
                                          <div><span></span>location
                                            /images {<br>
                                          </div>
                                          <div><span></span>root
                                            /usr/share;<br>
                                          </div>
                                          <div><span></span>autoindex
                                            off;<br>
                                          </div>
                                          <div><span></span>}<br>
                                          </div>
                                          <div> </div>
                                          <div><span></span>#error_page
                                            404 /404.html;<br>
                                          </div>
                                          <div> </div>
                                          <div><span></span># redirect
                                            server error pages to the
                                            static page /50x.html<br>
                                          </div>
                                          <div><span></span>#<br>
                                          </div>
                                          <div><span></span>error_page
                                            500 501 503 504 /50x.html;<br>
                                          </div>
                                          <div><span></span>location =
                                            /50x.html {<br>
                                          </div>
                                          <div><span></span>root
                                            /home/danillo/www/HomePage;<br>
                                          </div>
                                          <div><span></span>}<br>
                                          </div>
                                          <div> </div>
                                          <div> </div>
                                          <div><span></span>error_page
                                            502 /502.html;<br>
                                          </div>
                                          <div><span></span>location =
                                            /502.html {<br>
                                          </div>
                                          <div><span></span>root
                                            /home/danillo/www/HomePage;<br>
                                          </div>
                                          <div><span></span>}<br>
                                          </div>
                                          <div> </div>
                                          <div>}<br>
                                          </div>
                                          <div> </div>
                                          <div> </div>
                                          <div>It's sufficient to have
                                            the file served without
                                            FileResult.</div>
                                          <div>Of course it's more
                                            efficient if nginx serves it
                                            directly, but this is a very
                                            low traffic website, so
                                            performance is really not my
                                            problem ;)<br>
                                          </div>
                                          <div> </div>
                                          <div>And by the way, the
                                            problem is not finding a
                                            workaround.<br>
                                          </div>
                                          <div> I have already fixed it
                                            with a workaround about a
                                            week ago.<br>
                                          </div>
                                          <div>I really just want to
                                            know where the bug is,
                                            because if FileResult
                                            malfunctions, there's
                                            probably more to it, and I
                                            don't want to walk into a
                                            subtle bug later that isn't
                                            spottable at first sight,
                                            like a botched binary
                                            upload/download file.</div>
                                          <div>
                                            <div>
                                              <div> </div>
                                              <div>On Sat, Feb 2, 2013,
                                                at 06:51 AM, Daniel Lo
                                                Nigro wrote:<br>
                                              </div>
                                              <blockquote type="cite">
                                                <div dir="ltr">Hmm...
                                                  Maybe try an
                                                  X-Accel-Redirect
                                                  header instead. This
                                                  lets Nginx serve the
                                                  file instead of Mono
                                                  having to serve it,
                                                  which makes it more
                                                  efficient. See if that
                                                  makes a difference, or
                                                  if it has the same
                                                  issue.
                                                  <div>  </div>
                                                  <div>Why not just link
                                                    directly to the
                                                    file, instead of
                                                    serving it through
                                                    your C# code?<br>
                                                  </div>
                                                </div>
                                                <div class="gmail_extra">
                                                  <div> </div>
                                                  <div> </div>
                                                  <div class="gmail_quote">
                                                    <div>On Sun, Feb 3,
                                                      2013 at 1:43 AM,
                                                      quandary82 <span dir="ltr"><<a href="mailto:quandary82@hailmail.net" target="_blank">quandary82@hailmail.net</a>></span>
                                                      wrote:<br>
                                                    </div>
                                                    <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                                      <div>Corrected the
                                                        mime, but seems
                                                        to be a mono-bug
                                                        (or fastcgi)
                                                        anyway.<br>
                                                      </div>
                                                      <div> </div>
                                                      <div> More here:<br>
                                                      </div>
                                                      <div><a href="http://stackoverflow.com/questions/14662795/why-do-i-have-unwanted-extra-bytes-at-the-beginning-of-image" target="_blank">http://stackoverflow.com/questions/14662795/why-do-i-have-unwanted-extra-bytes-at-the-beginning-of-image</a><br>

                                                      </div>
                                                      <div> </div>
                                                      <div> </div>
                                                      <div> </div>
                                                      <div> --<br>
                                                      </div>
                                                      <div> View this
                                                        message in
                                                        context: <a href="http://mono.1490590.n4.nabble.com/Bug-in-mono-3-0-1-MVC3-File-FileResult-tp4658382p4658422.html" target="_blank">http://mono.1490590.n4.nabble.com/Bug-in-mono-3-0-1-MVC3-File-FileResult-tp4658382p4658422.html</a><br>

                                                      </div>
                                                      <div> Sent from
                                                        the Mono - Dev
                                                        mailing list
                                                        archive at
                                                        Nabble.com.<br>
                                                      </div>
                                                    </blockquote>
                                                  </div>
                                                </div>
                                              </blockquote>
                                              <div> </div>
                                            </div>
                                          </div>
                                          <span><font color="#888888">
                                              <div>-- <br>
                                              </div>
                                              <div> SirNoSkill<br>
                                              </div>
                                              <div> <a href="mailto:quandary82@hailmail.net" target="_blank">quandary82@hailmail.net</a><br>
                                              </div>
                                            </font></span></div>
                                      </blockquote>
                                    </div>
                                    <br>
                                  </div>
                                </blockquote>
                                <br>
                              </div>
                            </div>
                          </div>
                        </blockquote>
                      </div>
                      <br>
                    </div>
                  </blockquote>
                  <br>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
  </div></div></div>

</blockquote></div><br></div>
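Added example, not part of the original thread or of anyone's posted code: one way to combine the two suggestions made in it, validating the `id` parameter of `/Gallery/FullImage` inside the action and then handing the transfer to nginx with `X-Accel-Redirect`. The nginx location name, the image directory and the file-name allow-list are assumptions.

```csharp
using System;
using System.IO;
using System.Text.RegularExpressions;
using System.Web.Mvc;

public class GalleryController : Controller
{
    // Assumption: nginx has a matching internal-only location, for example
    //   location /protected-images/ { internal; alias /var/www/gallery/images/; }
    // "internal" means clients cannot request that location directly.
    private const string InternalPrefix = "/protected-images/";
    private const string ImageRoot = "/var/www/gallery/images"; // hypothetical path

    // Allow-list: a bare file name with a known image extension, no separators or dots.
    private static readonly Regex SafeName = new Regex(
        @"\A[A-Za-z0-9_-]{1,64}\.(jpg|jpeg|png|gif)\z", RegexOptions.IgnoreCase);

    public ActionResult FullImage(string id)
    {
        // The model binder also fills "id" from the query string or form body,
        // so it is validated here instead of relying on the routing rules.
        if (id == null || !SafeName.IsMatch(id))
            return HttpNotFound();

        // Defence in depth: resolve the path and confirm it is still under the root.
        string root = Path.GetFullPath(ImageRoot) + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(root, id));
        if (!full.StartsWith(root, StringComparison.Ordinal) || !System.IO.File.Exists(full))
            return HttpNotFound();

        // No file bytes pass through Mono; nginx sends the file itself.
        Response.ContentType = MimeFor(full);
        Response.AddHeader("X-Accel-Redirect", InternalPrefix + id);
        return new EmptyResult();
    }

    // Explicit content type so the response does not go out as text/html.
    private static string MimeFor(string path)
    {
        switch (Path.GetExtension(path).ToLowerInvariant())
        {
            case ".png": return "image/png";
            case ".gif": return "image/gif";
            default:     return "image/jpeg";
        }
    }
}
```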