• freemp3friday
• linux
• metacab
• phreak
• projects
• rfa
• tarballs

• bakugan
• my bookshelf
• perlshop
• sloppy 2nds

• bell's mind
• binrev forums
• handscan.net
• hoozdo
• phx2600

My Bookshelf Adventures


I love my local library. You can check out books, movies, music and more at any branch and return them to any branch. You can search for and reserve items online. They have a secure RSS feed for checked in and due date alerts. Plus, they have an online bookshelf, called My Bookshelf, that stores favorited items.

Each account's My Bookshelf comes with the Default bookshelf. You can then create additional, user-named bookshelves. In a bookshelf you can add and delete items, and choose whether or not to make the bookshelf publicly viewable.

To get the quick stuff out of the way, I learned that the bookshelf name is vulnerable to XSS. Here you can see HTML rendering.




What you can't see is the bookshelf named history.go(-1) (shouts, Evil1). There are some other oddities regarding bookshelf names that I won't go into here.

Every user created bookshelf gets its own unique ID, i.e. mybookshelf.jsp?id=XXXXX. Authenticate and put that in the URL bar and you get somebody else's bookshelf. I don't believe you can see other default bookshelves without authenticating as that user, just unique bookshelves given an ID number. Though you can view bookshelves marked private, which is the default. You can also delete items from another's bookshelf. Not good. Here's somebody's bookshelf. Algorithms? I'm terrible at music.




Given this, I poked around with ID ranges and found that 3000 to 22000 seemed to bound accounts. I wrote a perl script that used wget's header capability to send the session ID after I authenticated. It accepts four and five-digit IDs, of which I used the latter for sorting.

mybookshelf_download.pl

I ran it for about 24 hours and got just over 18,000 files. I removed the empty bookshelves and had over 10,000 left. I then looked at source for the strings I needed to get what I wanted, namely, names and titles. These lines seemed to do it.

mybookshelf_namesandtitles.txt

Another perl script and we get a nice readable file with bookshelf names and associated titles.

mybookshelf_process.pl

I left out autovivification for my clarity and the resulting file is over 3.5 MB raw, 1 MB gzipped.

mybookshelf.txt

Some names are authors, a few are patrons, and one or two are library card numbers. I simply find it fascinating to see what other people are consuming, thinking. Yes, I put two and two together and didn't want to go any further. As I said, I love my library. Though it would be a good exercise...

Addendum

My library now has a feature called "My Reading History." Here's what greets you when you enable it.



So, yeah, no.