Friday, August 4. 2006
A new Apache 1.3.37 is out and I had to upgrade all my servers to it; in the process I've had to compile mod_deflate, a high-performance compression module that works MUCH faster than mod_gzip. This is primarily thanks to the fact that it does not use temporary files, but instead does everything in memory. The official mod_deflate package has been abandoned by its author, even though the code still works with a few minor tweaks, so I've decided to post a patched version of this module for all interested Apache 1.3.37 users.
You can download it here: http://ilia.ws/uploads/patches/mod_deflate-1.0.21i.tar.bz2
MD5: 4bd8b6773d9cb843494faceae3c9c945
The package also includes a short README file that explains how to install this module on your server. For people too lazy to read the README, the instructions follow at the bottom of this blog entry.
Monday, July 24. 2006
The first release candidate of PHP 5.2.0 has just been released. The source packages can be found here:
http://downloads.php.net/ilia/php-5.2.0RC1.tar.bz2 (fa36d378f7f1fd547b881b6323ae2c60)
http://downloads.php.net/ilia/php-5.2.0RC1.tar.gz (e217195c90e123acce0c2f71ac07f88d)
Given that it took a few months to reach this point and that the addition of new features was allowed, the changelog already looks extremely impressive. Some of the key changes include 3 new extensions (filter, json and zip), the date extension having the rest of its functionality enabled, and much work done on getting PHP 5.2 to run faster and more efficiently (in terms of memory usage). There have also been nearly 80 bug fixes made to existing functionality, which hopefully translates to a more stable release.
As the RM (release manager) for this release, I'd like to ask everyone to download and try this PHP version with your software, to see if the code still runs properly and hopefully faster than it did before. If you come across any problems please let the developers know by posting to the QA mailing list or the internals mailing list, or simply reply to this blog entry. All feedback will be appreciated.
Tuesday, July 18. 2006
A quick note to anyone building PHP with cURL or http extension support as well as one of the MySQL extensions (mysql, mysqli and pdo_mysql). The MySQL binaries found on mysql.com are built against yaSSL, as opposed to the more common OpenSSL against which libcurl (used by the cURL and HTTP extensions) is linked. The conflict between the two libraries causes curl's initialization of the SSL layer to fail, preventing startup of the PHP extensions.
To fix this problem you can either use older mysqlclient binaries (5.0.18 works) or compile MySQL yourself against openssl, either of these two will allow a working build of PHP with MySQL and curl support.
Friday, June 9. 2006
After what seems like forever a new stable version of FUDforum is finally out. The upgrade and the installation scripts can be found here: http://fudforum.org/download.php
This release incorporates a number of significant changes, including the introduction of Ajax for tree views and category collapsing, an improved Help section (the FAQ, renamed) that offers better explanations of the various features FUDforum offers to forum users, a number of performance improvements across the board, and many other improvements and features. This release also includes a security fix relating to the MIME handling for image uploads; the fix is retroactive, so it'll address any bogus images uploaded before the upgrade.
Saturday, June 3. 2006
Here is a new "plan" by the Canadian Copyright Licensing Agency to stop piracy at the root, the kids! They invented a superhero of their own to fight the evils of piracy... Zooom.... BAM... and all that good stuff.
Their website can be found here http://www.captaincopyright.ca/Default.aspx
Friday, May 19. 2006
Yesterday, I went to Montreal for a quick business trip, and as I was walking out of the terminal building in the airport I received a very interesting SMS from Rogers (my cell phone provider), which went like this:
"Welcome to the USA! Access ur voicemail as you do at home. Dial +15147347699 to reach customer care. Enjoy!"
Is there something I missed in the news?
Tuesday, May 2. 2006
After what seems like forever, I guess the number 13 living up to its name, PHP 5.1.3 is finally out the door. As always when we have a slow release, the number of changes is quite impressive, this time being no different. This release includes over 120 bug fixes, addresses a whole bunch of security issues and even includes a few new features; what more could you ask for.
To download the release go here:
http://www.php.net/downloads.php
and the highlights of the release can be found here:
http://www.php.net/release_5_1_3.php
If you want the full, unfiltered list of changes, it is also available and can be found here:
http://www.php.net/ChangeLog-5.php#5.1.3
Wednesday, April 26. 2006
The slides from PHP|Tek are now up. The Security Tutorial slides can be found here and the PDO Introduction slides can be found here. To all who attended, thank you for listening; hopefully at least a bit of the content was interesting and useful.
Friday, April 21. 2006
It would seem that the Safari browser is not particularly keen on the innerHTML property of document.body, and on large documents it will always cause the browser to crash. This is something I came across while debugging the FUDforum search term highlighting code, which used JavaScript to perform the highlighting and then replace the entire body via
CODE: document.body.innerHTML = newBody;
While an annoying bug, it cannot be blamed entirely on the Safari developers: first of all, innerHTML is not part of the specification offered by the W3C, so technically speaking Safari does not even have to support it. That said, it is supported by IE, Firefox and Opera, and the latter two had no problem with the search highlight code either. IE, well, IE being IE, worked 50% of the time. Furthermore, changing the entire document body in one go is not the best of ideas, and as Rasmus put it, "Replacing the body is just wrong, you deserve what you get if you crash".
All this said, it should be noted that in most other situations innerHTML works just fine in Safari, and even document.body.innerHTML can work, but only on simple documents, so be careful if you need to use it.
Tuesday, April 18. 2006
About a week and a half ago I got my hands on a shiny new MacBook Pro, and after a week of tinkering and getting used to this beastie I must say that Windows looks like an even bigger kludge than it did before. I mean WOW, an interface that actually works, certainly a step beyond Windows and even KDE, which I've used in the past. Perhaps the biggest plus is that things just work, without having to spend extra effort on figuring out obscure error messages that tell you nothing or changing a gazillion settings just to do a simple task. The application installation is also very neat, where each app is a folder and installing a program, with few exceptions, is nothing more than drag & drop. Uninstall is equally simple, just delete the folder. Another very neat feature is the Spotlight search that allows you to search very quickly through virtually any kind of document and has little if any delay in getting results, very neat. Lots of other neat things as well that would take too long to describe, so you just need to try it for yourself.
As always there are a few downsides, for example a lack of a good EXIF browser such as ExifPro on Windows, and Photoshop is still run via Rosetta emulation so it is admittedly sluggish even on a 2.16Ghz computer with a gig of RAM. The same is true for Microsoft Office, so I try to use OpenOffice as much as possible, for which there are Intel binaries available. It'd also be nice to have valgrind, giving me access to a complete development environment, but hopefully that is something that will be rectified soon.
Overall however, I am very pleased with the change; it certainly eliminated a number of annoyances such as a daily virus scan, weekly security patch reboots and a pile of other Windows nonsense. So, I guess that makes me another happy Apple customer.
Sunday, April 2. 2006
Finally got a few moments to recap the PHP Quebec 2006 Conference, which, as usual, was a great success and a great deal of fun. I'd like to thank the organizers for doing an amazing job and bringing a great group of people together from both the development and user communities. My talks during the conference went quite well, and I am especially happy with the PDO talk; this topic seemed of particular interest to the audience and I hope we'll get a couple of new PDO users out of it. The slides from my talks are now available online and can be found here:
PHP Security: PowerPoint || PDF
Introduction to PDO: PowerPoint || PDF
Saturday, March 25. 2006
Yesterday, I went to see "Thank You for Smoking", a satirical look at the whole lobbying process in the US (and I suspect not all that different in other countries) through the eyes of Nick Naylor, a Big Tobacco lobbyist trying to defend disenfranchised corporations. Despite the lack of overwhelming special effects and a gazillion-dollar budget, the movie is still extremely enjoyable and amazingly funny. I'd definitely recommend going to see it, even if it requires a bit of travel since not all theaters show indie movies :/
Thursday, March 23. 2006
Chris Shiflett has handed me the reins of the PHP|Architect's Security Corner; hopefully I will be able to keep up the tradition of interesting and informative articles on the topic of PHP security. The first issue was released on March 20th and takes you on a road of discovery about Cross-Site Request Forgery (CSRF). My approach was to identify the various means of exploitation possible via CSRF and the dangers it presents. By taking this approach, not only can the uniqueness of the attack's approach be demonstrated, but the hacking methodologies used by malicious users can be seen as well. In my mind, understanding the problem is half the solution; of course the other half, the prevention techniques designed to avert CSRF, is covered as well. If you are interested in learning more about CSRF you may want to grab an issue of the magazine.
Wednesday, March 22. 2006
While talking with PHP developers this morning I thought of another way unverified serialized strings could be abused. This exploit can only affect PHP 5 installs, but given the growing market share of PHP 5 it is certainly something worth noting.
As you may know, classes in PHP are allowed to implement a magic method called __wakeup() that contains operations to be performed when an object of that class is unserialized. Some native classes like PDO implement this method with the goal of preventing serialization of database connections, and throw an exception when it is used. Herein lies the abuse: the attacker simply needs to supply a short serialized string that looks like a serialized version of a supposed PDO object.
CODE: O:3:"PDO":0:{}
When PHP tries to unserialize it, it determines that the PDO class has a __wakeup() method and promptly calls it. However, since the method is disallowed, it throws an exception which, if left uncaught, terminates the script with a fatal error. Since most people do not expect unserialize() to throw exceptions, they leave it outside a try {} / catch() {} block, so the exception goes uncaught and PHP triggers a fatal error, promptly terminating the execution of the script. Furthermore, if error display is enabled, which it is by default on most installs, all the exception information will be dumped to the screen. This information happens to contain a backtrace of the code flow, which contains oodles of potentially sensitive information.
So here is another reason for not passing serialized data via user-accessible means, and yet another demonstration of why leaving "display_errors" in the ON position is a bad idea.
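The failure mode just described, together with the two layers of defence a careful application should have, as an added example (not code from the original post). It assumes the PDO extension is loaded, PHP 5.6 or later for hash_equals(), and that the placeholder $secret is replaced by a real server-side secret; the function names are my own.

```php
<?php
// Added example, not from the original post. Demonstrates what an attacker-style
// serialized "PDO" string does to unserialize() and how to handle it safely.
// Assumes: PDO extension loaded, PHP >= 5.6 (hash_equals), $secret replaced.

// In production, set display_errors=Off in php.ini; done here so that even an
// uncaught exception would never dump a backtrace to the browser.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Constructed attacker-style input: looks like a serialized PDO object.
$untrusted = 'O:3:"PDO":0:{}';

// Naive handling, as in the post: PDO::__wakeup() throws a PDOException; left
// uncaught, the script dies with a fatal error. Commented out so the demo continues.
// $obj = unserialize($untrusted);

// Defence 1: never let unserialize() raise an uncaught exception.
function safe_unserialize($data)
{
    try {
        // '@' only silences the notice for malformed strings; exceptions still propagate.
        return @unserialize($data);
    } catch (Exception $e) {
        error_log('unserialize() rejected input: ' . $e->getMessage()); // log, never display
        return false;
    }
}

// Defence 2: only unserialize data this application produced itself, proven by an HMAC,
// so attacker-supplied strings are rejected before unserialize() ever sees them.
function sign_serialized($value, $secret)
{
    $data = serialize($value);
    return hash_hmac('sha256', $data, $secret) . '|' . $data;
}

function verify_and_unserialize($blob, $secret)
{
    $parts = explode('|', $blob, 2);
    if (count($parts) !== 2) {
        return false;                       // no MAC at all
    }
    list($mac, $data) = $parts;
    if (!hash_equals(hash_hmac('sha256', $data, $secret), $mac)) {
        return false;                       // forged or tampered
    }
    return safe_unserialize($data);
}

$secret = 'REPLACE-WITH-A-RANDOM-SERVER-SIDE-SECRET'; // placeholder
var_dump(safe_unserialize($untrusted));                 // exception caught and logged
var_dump(verify_and_unserialize($untrusted, $secret));  // rejected: carries no MAC
var_dump(verify_and_unserialize(sign_serialized(array('page' => 2), $secret), $secret));
```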
Friday, February 17. 2006
You know you're moving up in the world when Microsoft feels that it's necessary to make a cartoon disparaging your products in favor of their own wares. Pierre, one of the PHP developers, found this gem on the French segment of the Microsoft site. I guess it means that PHP is making enough inroads into the Enterprise market that big fish like MS feel it necessary to spread some FUD as a stop-gap measure.
Thanks to Sean Coates we now have an English translation available:
http://www.flickr.com/photos/12538148@N00/100864754/