Category: PHP

  • Passing UTF-8 trough HTTP

    These days we should write every code as if it will be used by international people with a wide variety of personal information (just look at Falsehoods Programmers Believe About Names for some headscratchers). I would like to do add my small contribution to this by showing how UTF-8 encoded strings can be passed into […]

  • Know thy (cryptographic) functions

    More than I year ago I mentioned that VNC uses only the first 8 characters of the password to validate it. Today I found an other situation where this happens: the crypt function (to be fair, the glibc version of it has the option of using all the characters, but still we have the issue […]

  • User input, by any other name

    A friend of mine posed me an interesting question: how is it possible that a CMS software, which displayed the IP addresses for comments made anonymously (instead of the username) showed a private IP (like 172.16.63.15)? Before I get to the actual explanation, here are some specific clarifications which should be made: IP addresses are […]

  • Optimizing regular expressions with PHP

    I was intrigued by the following text in the PHP reference, especially because there is considerable regex use in the wehoneypot project: S When a pattern is going to be used several times, it is worth spending more time analyzing it in order to speed up the time taken for matching. If this modifier is […]

  • Learning is never done

    I’ve been using PHP for a while now and thought that I knew the available functions (at least the generic ones) pretty well, but recently I got surprised: a recent entry on the Me and My Database blog pointed me towards http_build_query and in the same category I found parse_url. This is significant to me, […]

  • Updates for Webhoneypot

    The development of the webhoneypot is back in swing again. We are aiming for the date of May the 15th as the release date for a beta version. A cool new feature which got committed recently is the possibility to “emulate” RFI vulnerabilities. How does it work (idea taken from the glastopf project): When a […]

  • Installing the webhoneypot on OpenWrt

    This is a raw tutorial for installing webhoneypot on a router running OpenWrt. The used version is Kamikaze 8.09 (this can be important because commands change between version). The tutorial is not 100% complete and I will update it in the future when I learn new information. An other assumption I make is that you […]

  • Quick tips for installing PHP + IIS7 under Windows 7

    If you are trying to install PHP under the default configuration of IIS7 with Windows 7 (and presumably Vista & Server 2008, but I observed it under Win7), you might run into problems (for example getting “Service Unavailable” errors). Here is how I managed to fix them: First, make sure that you’ve installed all the […]

  • PHPBB hack

    I saw the news on the Kaspersky blog: phpbb.com was hacked. Fortunately (?) the hack wasn’t done trough PHPBB, rather trough a vulnerable installation of PHPList. BTW, the Kaspersky blog gets it wrong: the hack wasn’t because register_globals was enable, but rather because PHPList contained code to emulate the functionality of register_globals. More info: The […]

  • PHP security is scary!

    I knew that PHP limits the amount of memory that one script can allocate, so life is good, right? Right? Wrong! Reading the documentation it states: Changeable – PHP_INI_ALL, meaning that you can change it using ini_set from the script itself. Even worse, it goes on to say: “Note that to have no memory limit, […]