Web Programming, Linux System Administration, and Entrepreneurship in Athens Georgia

Author: Brandon (Page 24 of 29)

AOL’s stupidity

This is about the dumbest thing I’ve ever heard of (well not quite). I can’t believe a big company like AOL would actually do something this dumb:
https://blog.washingtonpost.com/securityfix/2007/05/aols_password_puzzler.html

Basically, for some users (apparently those who started out as old-school AOL thick-client users), all passwords are truncated to 8 characters, made case insensitive, and have any special characters removed. This makes ‘password123’ the same as ‘password%a93#$’.
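To make the effect concrete, here is an added Python example (not from the post or from AOL) that applies the three weakening steps as described, shows the two passwords from the post colliding, and quantifies how much of the keyspace survives. It assumes the truncation happens before the character stripping and that the surviving alphabet is a-z plus 0-9.

```python
import math
import string

# Assumed character sets (constructed for this example, not stated by the post).
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
SURVIVING = string.ascii_lowercase + string.digits                      # 36 symbols


def aol_normalize(password: str) -> str:
    """Apply the weakening described in the post: truncate to 8 characters,
    fold case, and drop anything outside the surviving alphabet.
    The truncate-first ordering is an assumption."""
    truncated = password[:8]
    return "".join(ch.lower() for ch in truncated if ch.lower() in SURVIVING)


def collide(a: str, b: str) -> bool:
    """True when two different passwords authenticate identically after normalization."""
    return aol_normalize(a) == aol_normalize(b)


def effective_bits(length: int, alphabet_size: int) -> float:
    """Entropy ceiling in bits for a uniformly random password of this length/alphabet."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print(collide("password123", "password%a93#$"))          # True
    print(round(effective_bits(8, len(SURVIVING)), 1))        # what survives: ~41.4 bits
    print(round(effective_bits(12, len(PRINTABLE)), 1))       # a 12-char password: ~78.7 bits
```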

Security Vulnerability in cpCommerce

Today I noticed an unusual program listening on one of the web servers that I managed. Upon investigating, I found out that the attacker was able to gain access through a program called cpCommerce that one of our customers had installed.

I was able to pretty quickly identify the security hole and hacked up the PHP code so that it wouldn’t work again. I then downloaded the latest release of this program and took a look at it to see if the bug had been fixed…and it hadn’t.

So, I headed over to their site to submit a bug report. Since it’s a security problem, I didn’t want to post all of the details publicly where they could be exploited further. After a little bit of fighting with their forum software, I was able to send the developer all of the details, and he has since posted a patch for the program.

I’m not familiar with the program, but it doesn’t look like the patch is just a hack-job either. It looks like it was fixed correctly in a way that would possibly prevent other similar scripts in the program from having the same problem.
https://cpcommerce.cpradio.org/forums/index.php/topic,3430.0.html

Using mod_rewrite in Apache 2.0 for load balancing

The mod_proxy_balancer module included with Apache 2.2 is a great way to set up an Apache front end to a Rails-based Mongrel cluster. The latest versions of many Linux distributions now include Apache 2.2, but unless you have a new server with the latest distro, it’s likely that your server is running Apache 2.0.

I usually try to avoid upgrading from Apache 2.0 to 2.2 by compiling it from source because of all of the interdependencies. You end up having to recompile so much other stuff, that it just turns out to be a mess.

Fortunately, Apache 2.0 can use mod_rewrite to do some primitive random load balancing. Here is a sample configuration snippet:

<VirtualHost *:80>
        ServerName mydomain.com
        ServerAlias www.mydomain.com

        ## The random map file of our clusters (rnd: picks one entry at random
        ## from the |-separated list for the requested key)
        RewriteMap clusters rnd:/etc/httpd/conf/clusters.map
        RewriteEngine On

        ## Don't rewrite for static files
        RewriteCond %{REQUEST_FILENAME} !-f
        # Use mod_rewrite to randomly select from one of the Mongrel
        # cluster servers. The [P] flag proxies the request, so mod_proxy
        # must be loaded; Mongrel listens for plain HTTP, hence http://
        RewriteRule ^/(.*) http://${clusters:mongrel_cluster}/$1 [P,L]
</VirtualHost>

The clusters.map file should contain something like this (one key per line, followed by the alternatives separated by ‘|’):

mongrel_cluster  localhost:3000|localhost:3001|localhost:3002

Obviously, you’ll want to substitute your server names where appropriate, and configure the correct ports for your instances in the map file.

Innovative WordPress Spam Blocking

I’ve been getting tons of spam comments lately and am getting tired of deleting them. Today I had to scroll through over a hundred of them and pick out the one or two legitimate comments before deleting the rest. I already have BadBehavior installed, but it’s not catching any of these, which makes me think that the spam robots know how to get around it.

So, I went on a hunt to find another good spam prevention tool. On wordpress.org, I came across one called JSSpamBlock that had a pretty good idea. Essentially, it creates an extra textbox on the comment page. If you have JavaScript enabled, it uses JavaScript to populate that box with the answer and hide it. If a user doesn’t have JavaScript enabled, then they are instructed to copy a number into the box.

The result is a spam protection scheme that is invisible to the average user. Yet spam robots won’t know how to execute the JavaScript to bypass it.

As an added security measure, I modified the jsspamblock.php file to change the name of the input field. I figure that it would be easy enough to modify a spam robot to look for this particular plugin. But since I modified the input field, hopefully even attempts to do that will not leave my site vulnerable. To make the same change on your installation, just replace all instances of ‘jsspamblock_input’ with something unique to your site.

How to tcpdump to a file

I use this quite frequently when trying to monitor network traffic to a host. This will save all of the traffic for a host to a file. The file can then be viewed with Ethereal (or some other tool).

tcpdump -n -i any -w /var/tmp/SOMEFILE -p -C 100 -W 10 -s 1500 host SOMEIP

This will make files up to 100 MB in size and keep up to 10 ‘rotations’ of it. Of course, you can use other parameters besides just the ‘host’ parameter to match whatever traffic it is that you want.

This is how open source should work

Google announced on Monday that they are contributing some of their internally developed enhancements to MySQL back to the community. They released a patch for MySQL 4 that improves on some high availability features, and a few Python scripts that help manage MySQL clusters.

In my mind, this is a great example of how open-source software works. MySQL, of course, is a widely used database application that Google uses for many things. Since it is open-source, they are able to modify some of the functionality to meet some of their needs. Then, when those new functions or fixes are stable, they release that code back to the community for possible incorporation into the mainline MySQL code.

One common misconception that I see people make about open source software is that they seem to think that it is developed by individuals who just do it for the experience or for the fun of it. While that is true to some extent, the contributions that companies make are also significant.

I’m still struggling with getting involved in contributing back to some open source projects. I’ve submitted fixes and documented bugs for the occasional program, but I’m still trying to find the right project where I can make regular, meaningful contributions. Maybe I’ll find it someday.

Joost Beta

After waiting for a couple of months, I finally was invited to join the Joost beta program. I was pretty impressed with how easily the signup process went, the program installed, and I was able to start watching TV.

Joost is a company that is attempting to use peer-to-peer protocols to deliver streaming video. It’s a pretty cool idea and seems to be well implemented. It certainly has a few problem areas still though:

When running the app in a window, it is pretty buggy. Switching between it and other applications is sometimes painfully slow. Also, dragging or resizing the window looks weird.
I’m currently unable to exit the program from inside of it. I have to use the tray icon to kill it.

I was interested in hardly any of the content that was available. I watched a couple of music videos and parts of some National Geographic shows, but everything else didn’t interest me much. I suppose the content will grow over time.
While playing a show, I did a quick tcpdump on my connection, and it looked like I was downloading from about 8 sources at any one time.

Upgrading Pear from an old version

I just went to upgrade PEAR on a CentOS 4.4 server and had problems. The installed PEAR version (from pear info PEAR) was 1.3.2, but when I ran ‘pear upgrade PEAR’, I was told that I needed PEAR version 1.3.3. The solution: ‘pear install PEAR-1.3.3’ to upgrade to that particular version. Then I could ‘pear update PEAR’ which brought it up to version 1.5.3. Then I could run a ‘pear upgrade-all’ to update all of the other packages.

Compiling a kernel with support for iptables (netfilter) packet state inspection

I went through several compiles trying to get a kernel to build with support for iptables that supported the --state argument. I eventually came up with the right combination, which included both the ‘state’ match support and IPv4 connection tracking support.

Here’s where they are in menuconfig:

Networking Support ->
Networking Options ->
Network Packet Filtering Framework (Netfilter) ->
IP: Netfilter Configuration ->
IPv4 connection tracking support (required for NAT) = M
Core Netfilter Configuration ->
“state” Match support = M

(also most everything else on this page is selected as well)

After exiting menuconfig, you can make sure that those two options are correct in your .config by looking for CONFIG_NETFILTER_XT_MATCH_STATE and CONFIG_NF_CONNTRACK_IPV4.

PHP Conversion between an IP Address and an integer

I’ve been spending quite a bit of time on a program recently, and have taken for granted these two functions that I wrote for it a while ago. They convert back and forth between an IP address and the integer representation of the IP address.

For example, the IP address ‘207.210.219.125’ can also be represented as ‘3486702461’. The magic behind the calculation involves converting each octet of the IP address into binary, and then reading the entire 32 bits as a single unsigned integer.

The PHP code uses some bitwise operators to do this pretty easily (although it took some experimenting to get it right). I’ve named the functions the same as their MySQL equivalents: inet_ntoa = number to address and inet_aton = address to number. That’s right, MySQL supports them directly. It’s much better for MySQL to work with the integers rather than the string representations.

function inet_aton($ip_address)
{
    ## Anchor the pattern at both ends so only a full dotted quad is accepted
    if (! preg_match('/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/', $ip_address)) {
        return null;
    }
    ## split() was removed in PHP 7; explode() does the same job here
    list($octet1, $octet2, $octet3, $octet4) = explode('.', $ip_address);

    $ipaddress_number =
        (((int)$octet1 & 255) << 24) |
        (((int)$octet2 & 255) << 16) |
        (((int)$octet3 & 255) << 8) |
        ((int)$octet4 & 255);
    ## PHP doesn't support unsigned ints, so on 32-bit builds the shift above can
    ## wrap negative; printing it with %u and converting back "fakes" an unsigned double
    $return_number = doubleval(sprintf("%u", $ipaddress_number));
    return $return_number;
}


function inet_ntoa($ip_number)
{
    if (! is_numeric($ip_number)) {
        return $ip_number;
    }
    ## PHP doesn't support unsigned ints, so we'll use a double and mask off each byte
    ## (the shifts assume a 64-bit PHP build, where the value fits in an int)
    $ip_number = doubleval($ip_number);
    $octet1 = ($ip_number >> 24) & 255;
    $octet2 = ($ip_number >> 16) & 255;
    $octet3 = ($ip_number >> 8) & 255;
    $octet4 = $ip_number & 255;
    $ip_address = $octet1 . '.' . $octet2 . '.' . $octet3 . '.' . $octet4;
    return $ip_address;
}
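As an added example (a Python port, not the post’s PHP code), the same packing is shown below together with the reason the integer form is handy in a database: a CIDR block becomes a simple numeric range, so a query can use BETWEEN instead of string matching. The cidr_bounds and in_cidr helpers are mine and go beyond what the post shows.

```python
import re

_DOTTED = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
_MAX32 = 0xFFFFFFFF


def inet_aton(ip_address: str) -> int:
    """Dotted quad -> unsigned 32-bit int, first octet in the high byte
    (the same layout as the post's PHP inet_aton)."""
    m = _DOTTED.match(ip_address)
    if not m:
        raise ValueError(f"not a dotted-quad address: {ip_address!r}")
    octets = [int(o) for o in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range: {ip_address!r}")
    number = 0
    for octet in octets:
        number = (number << 8) | octet
    return number


def inet_ntoa(ip_number: int) -> str:
    """Unsigned 32-bit int -> dotted quad; rejects values outside 0..2^32-1."""
    if not 0 <= ip_number <= _MAX32:
        raise ValueError(f"not a 32-bit address: {ip_number!r}")
    return ".".join(str((ip_number >> shift) & 255) for shift in (24, 16, 8, 0))


def cidr_bounds(cidr: str) -> tuple[int, int]:
    """(first, last) integer addresses of a block such as '207.210.219.0/24'.
    These are the two values a BETWEEN clause on an integer column would use."""
    network, prefix = cidr.split("/")
    bits = int(prefix)
    if not 0 <= bits <= 32:
        raise ValueError(f"bad prefix length: {cidr!r}")
    mask = (_MAX32 << (32 - bits)) & _MAX32   # /0 yields 0, /32 yields all ones
    first = inet_aton(network) & mask
    last = first | (mask ^ _MAX32)
    return first, last


def in_cidr(ip_address: str, cidr: str) -> bool:
    first, last = cidr_bounds(cidr)
    return first <= inet_aton(ip_address) <= last


if __name__ == "__main__":
    print(inet_aton("207.210.219.125"))                        # 3486702461, as in the post
    print(in_cidr("207.210.219.125", "207.210.219.0/24"))      # True
```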


© 2025 Brandon Checketts
