-
Passing UTF-8 trough HTTP
These days we should write every code as if it will be used by international people with a wide variety of personal information (just look at Falsehoods Programmers Believe About Names for some headscratchers). I would like to do add my small contribution to this by showing how UTF-8 encoded strings can be passed into…
-
Know thy (cryptographic) functions
More than I year ago I mentioned that VNC uses only the first 8 characters of the password to validate it. Today I found an other situation where this happens: the crypt function (to be fair, the glibc version of it has the option of using all the characters, but still we have the issue…
-
User input, by any other name
A friend of mine posed me an interesting question: how is it possible that a CMS software, which displayed the IP addresses for comments made anonymously (instead of the username) showed a private IP (like 172.16.63.15)? Before I get to the actual explanation, here are some specific clarifications which should be made: IP addresses are…
-
Optimizing regular expressions with PHP
I was intrigued by the following text in the PHP reference, especially because there is considerable regex use in the wehoneypot project: S When a pattern is going to be used several times, it is worth spending more time analyzing it in order to speed up the time taken for matching. If this modifier is…
-
Learning is never done
I’ve been using PHP for a while now and thought that I knew the available functions (at least the generic ones) pretty well, but recently I got surprised: a recent entry on the Me and My Database blog pointed me towards http_build_query and in the same category I found parse_url. This is significant to me,…
-
Updates for Webhoneypot
The development of the webhoneypot is back in swing again. We are aiming for the date of May the 15th as the release date for a beta version. A cool new feature which got committed recently is the possibility to “emulate” RFI vulnerabilities. How does it work (idea taken from the glastopf project): When a…
-
Installing the webhoneypot on OpenWrt
This is a raw tutorial for installing webhoneypot on a router running OpenWrt. The used version is Kamikaze 8.09 (this can be important because commands change between version). The tutorial is not 100% complete and I will update it in the future when I learn new information. An other assumption I make is that you…
-
Quick tips for installing PHP + IIS7 under Windows 7
If you are trying to install PHP under the default configuration of IIS7 with Windows 7 (and presumably Vista & Server 2008, but I observed it under Win7), you might run into problems (for example getting “Service Unavailable” errors). Here is how I managed to fix them: First, make sure that you’ve installed all the…
-
PHPBB hack
I saw the news on the Kaspersky blog: phpbb.com was hacked. Fortunately (?) the hack wasn’t done trough PHPBB, rather trough a vulnerable installation of PHPList. BTW, the Kaspersky blog gets it wrong: the hack wasn’t because register_globals was enable, but rather because PHPList contained code to emulate the functionality of register_globals. More info: The…
-
PHP security is scary!
I knew that PHP limits the amount of memory that one script can allocate, so life is good, right? Right? Wrong! Reading the documentation it states: Changeable – PHP_INI_ALL, meaning that you can change it using ini_set from the script itself. Even worse, it goes on to say: “Note that to have no memory limit,…