|
Monday, December 20. 2004phpBB & unserialize bug
As most of you hopefully know, a few days ago PHP 4.3.10 and 5.0.3 were released in response to several vulnerabilities that were discovered. Two of those involved bugs in unserialize function that is used to re-create PHP variables based on an encoded string normally generated by serialize() function. This functionality allows storage & retrieval of PHP variables from outside PHP.
While these two problems are quite serious, they can normally only be exploited locally, meaning that you'd need an account with access to PHP on the server. However, several applications such as phpBB store serialized data inside cookies meaning that anyone accessing those applications will be able to supply their own serialized string. By tinkering with this string it is possible to make an exploit capable of doing things like theft of passwords. In response to this development phpBB developers decided to put the following statement out "This is not a phpBB exploit or problem, it's a PHP issue and thus can affect any PHP script which uses the noted functions". First of all this is not a correct analysis of the situation, the only applications vulnerable are the ones that expose serialized data to the user allowing them to modify it, like phpBB does. Even if the bug in serialized code did not exist, there are still issues with exposing serialized data to the user without validation. There is nothing to prevent someone from generating a very complex data structure that would take long time to parse and use it as a means of launching a resource depletion attack. It also means that by modifying the serialized string it is possible to inject all manner of data into the script which may lead to exploits due to uninitialized variables, etc... Ultimately it comes down to blindly trusting the user with your data and expecting not to get penalized for it. While unserialize is certainly a bug in PHP, the fact it is remotely exploitable is the fault of script writers who do not take the time to properly validate user input. Friday, December 17. 2004Americans on Canada
A rather educational article came to my attention today reflecting the thoughts of some US citizens about Canada on public television in what one may consider to be major news outlets.
While I can only hope this is the opinion of a small minority, even that is a little alarming. Tuesday, December 14. 2004FUDforum 2.6.9 Released
After what seems like months of development a new stable release of FUDforum, 2.6.9 is finally out. This release fixes a fair number of bugs as well as introducing a number of functionality changes. These include series of speed imporvenments for many parts of the forum as well as some optimizations aimed at MySQL 4.1 users specifically. As of 2.6.9 all installation are now capable of generating PDFs based on forum messages thanks to the customized FPFD library bundled with FUDforum. The layout of the PDFs was also improved. All FUDforum users are encouraged to upgrade to this release.
The upgrade and installation scripts can be found here. Tuesday, December 7. 2004Monday, November 22. 2004Monday, November 15. 2004Toys, Toys, Toys!
It would seem that good things come in two, this was proven yet again by the Postman who had delivered my two latest toys. These are the IDE to USB 2.0 adapter
 and my USB 2.0 laptop hard-drive case  These Hong-Kong arrivals allow me to safely transport my 80 gig laptop drive, which has been "creatively" dubbed as the "Movie Drive". I am especially happy about this case as it does not require any external power, instead leeching off the needed power from my USB port which makes that much practical to use when I am on the road. The IDE to USB is a welcome arrival as well, as it will finally let me make use (I don't know what for yet, but that does not matter  ) the various IDE drives I got lying around the house/office.
Monday, November 15. 2004FUDforum 2.6.8 Released
I am happy to announce the immediate availability of FUDforum 2.6.8 on which I have been hard at work for the past month or so. This release introduces several improvements that range from nested categories, IF/ELSE logic support in the templating system and a variety of speed enchantments. All users of FUDforum are encouraged to upgrade to this release.
The new release can be downloaded from here: FUDforum Download Monday, November 8. 2004Winter is here!
It seems like the winter in Canada is going for an early start, this morning while enjoying my mandatory cup of coffee
 I've was a witness to the 1st Canadian snow fall of the year (in the Toronto area). It lasted only for a few minutes and within a few moments all evidence of this event melted, but non the less it was yet another reminder that the days of good weather are numbered  .
Monday, November 8. 2004FUDforum 2.6.8RC3 Released
While a RC, this non the less is a noteworthy release as it finally introduces the concept of conditional expressions via the IF ELSE END syntax inside the templating language. This means that designers gain greater control over the output logic rather then they did before. It also allowed me to remove many temporary variables that had to store intermediate values of various conditional expression inside the "code" component of the page.
Further details of this release can be found here. Friday, November 5. 2004Atheros Wireless
Yesterday I've upgraded the wireless card in my laptop from the basic Intel Centrino Wireless capable for B/G to an Atheros 5004 based card. While I had seen this card work on a friend's laptop I was non the less seriously impressed by it's performance. First of all Atheros implements something called Super A/G, which allows the card to reach 108mbit speeds on A or G protocols. This allows the card to use more then one channel when communicating with the routers, effectively doubling the “pipe” capacity. Additionally the card also pumps more power then Centrino Wireless, for B/G it's maximum transmit power is 100mw (that's milli not mega
), which you can reduce via the driver when battery life needs to be preserved. The card also has something called eXtended Range (XR) technology that supposedly makes the card more sensitive. Normally I would skeptical towards techno-bable of this nature, but I can now pickup and use my neighbors open MSN wireless access point, which is at least 60 meters away. With Centrino I couldn't even see it other then an occasional blip on Network Stumbler.As far as the transfer speed, which what I was seeking to improve with this upgrade, I went from 1.7-2.0megs/sec on Centrino to 4.2-5 megs/sec on Atheros. As you can imagine I am quite happy with this $60 (USD) upgrade and would recommend this card to anyone looking to improve performance of their wireless. Even on a regular G networks where the router does not support super G, this card averages 500-700 kb/sec faster transfer rates then a regular Centrino. As far as drivers go they are bit hard to find but they are available and the card is supported on both Linux and FreeBSD and unlike the centrino driver which is a wrapper around an Intel binary actually contains source code .You can get the drivers here: http://www.phoenixnetworks.net/atheros.php Wednesday, November 3. 2004I'm Back!
After a long break from this blog due to an overwhelming number of projects and "real life stuff" I've been neglecting this little corner of the net
. I my long absence spammers have discovered this site and on a daily basis have been spamming the comment system with ads.This is hopefully now a thing of the past thanks to the upgrade of Serendipity, which now uses Turing tests to prevent automated tools from posting messages. And the older spam has been manually removed. Now that my schedule is more or less back to normal, I expect to be able to rant more often, something I am sure those of you who read this blog can wait for hehehe. Tuesday, July 13. 2004Fear Mongering 101
It appears that exploitation of the public's paranoia is not unique to us, North Americans, it's something our Trans-Atlantic friends in the UK have adopted as well. According to a recent article I've read on BBC Federation Against Copyright Theft (Fact) in UK is launching a new anti piracy campaign under the slogan that Movie piracy supports terrorists. They claim that illegal movie copies are being distributed by IRA and Afghans Sikhs to sponsor their insurgency activities. They even made a nice poster.
 It would appear they hope that capitalizing on the public's somewhat irrational fear of bad man hiding behind every corner they will accomplish what all other methods have failed so far. Good luck to them... Friday, July 2. 2004Using IE Supports Terrorism!
It would seems that some good does afterall come from the rampant paranoia in the United States. The recently created Department of Homeland Security, through it's mouth piece, CERT has recently made a recommendation that people consider alternate browsers to IE. It seems someone in the US government has finaly realized that the whole IE infrastructure is flawed and frequently rushed fixes from Microsoft are nothing more then bandaid solution for a dam that's about to burst (some may argue it has already burst).
This the first time a US government agency went out and publically recommended an alternative to a Microsoft product (to the best of my knowledge), could it be that MS slush funds are not getting to the right hands and perhaps not enough of them? Ultimately, this is a good thing from just about all respects, first of all it'll hopefully convince people to switch to Mozilla, Opera, etc... which offer greater standards compliance, security and other neat features like tabs and popup blockers. There is also a slim chance that this move will force Microsoft to restart IE development (preferably from scratch) which will not only resolve security issues but also bring up IE's standards compliance up to par. However, given past Microsoft history that seems unlikely, the likely recourse is more band-aid solutions, FUD and silly suggestions such as "don't click hyperlinks". However, that's fine too since that'll lead to further user frustration eventually forcing them to switch to a different browsers. Perhaps once they come with Microsoft's unwillingness to properly address the problem face to face, they'll realize that this is a company with whom they'd rather not deal and that may spill into decisions affecting usage of other MS products. Thursday, July 1. 2004Monday, June 21. 2004Stupid Corporate Descisions
Today I have discovered that Gmail (Google's E-mail service, to those living under a rock) had decided to increase their user base by allowing secondary (referred by existing members) to invite up to 3 of their friends to Gmail. The popularity of the service still seems high despite the privacy issues some people choose to be panicky about as my 3 invites were gone in a matter of minutes. Although Google was clearly not ready for the influx of the new users, since all of the people whom I sent the invites reported seeing an error message saying that the service is temporarily unavailable. This was further confirmed by few other people who got invites from other people.
This however is not really the the most interesting thing. What is quite interesting is that 2 premier free e-mail (and pay?) providers, Yahoo and Hotmail (MS) have blocked Gmail invites. At first I was a little sceptical of this, despite the long thread on this topic on Slashdot, however when I sent one of my friends a Gmail invite to a Hotmail account even after a few hours he didn't have anything, while a regular e-mail arrived almost instantly. It seems like a pretty stupid decision on behalf of Y! and Hotmail since not only does it generate bad publicity for them but it also gives Gmail free publicity and credibility (since apparently the big guys are afraid of it). You really gotta wonder what's going through the minds of marketing drones at Y! and Hotmail who made this decision. |
|
||||||||||||||||||||||||||||||||||||||||||
