All posts by Tornevall

Personal letter to the HOOD!

Dear tar-smokers!

Every time you light a cigarette on your balcony or near a window, your cigarette smoke risks reaching the windows of other apartments, whose tenants may very well have asthma.

This is of course not good at all, since it means that those of us who also want to live here have to close our windows. The more cigarettes you light, the less often the rest of us can keep our windows open.

It would therefore be hugely appreciated if you did NOT light your cigarettes once every half hour, as some of us are trying to enjoy a pleasant summer without having to worry about a future hospital stay because our neighbours gave us COPD.

Please, respect your neighbours' well-being and try to smoke a little less, at least from balconies or windows.”


Guess whether people are talking now?

Discovered CSRF with AJAX, phpBB and Private Messaging…

A few months ago I was asked whether it was possible to forge private messages on a web forum. I said yes, of course, and explained – to the mortals – how it theoretically could be done with AJAX (or similar). But it’s not guaranteed to work, since AJAX is dependent on the browser security and the code running on the site. In my mind there should not be any problems, however, as long as the browser doesn’t leave the domain, or the communication is handled by two trusted sites.

To see if my theory really worked, I decided to test it. I chose an older version of phpBB since this was (and probably still is for a lot of websites out there) actually a bug, and fixed in new releases – and phpBB is a forum that is both easy to install and use. It’s also free, and used by many. Continue below…

Read more

XSS at IMVU – Still unprotected

At the end of March 2007, the IMVU team announced a flaw in their system that made it possible to hijack other users’ accounts by simple XSS injections. Of course, the people behind those attacks were stupidly exposed since the hijackers were sending large amounts of credits to themselves. The XSS was stopped by simply disabling all JavaScript/HTML coding temporarily until this issue was solved.

The issue was solved. Almost. One problem seems to be that the IMVU team missed the natural way of evading such fixes. With a small change in a script that makes it possible to hijack accounts, the issue is still reachable by whoever finds out the way to do this. Allowing users to enter their own HTML code at any website will always open doors to new hacking threats. The best solution against such things is to really consider disabling this completely (or disable JavaScript in the web browser). But then, IMVU will probably not be as ”fun” as the users there think it is now…

There are also two threads at the IMVU forum that might be interesting to refer to regarding this subject.

The first thread is probably the first sign of where people started to discover that something was wrong.
The second thread is where IMVU disabled scripting, and where they were supposed to fix this issue.

API module structure `php5_module’ in file is garbled

Upgrade Apache 2.0.x to Apache 2.2.x together with PHP 5.2.x 

Step-by-step for complete idiots

There might be other ways to do a proper clean installation of Apache (well, upgrade for me though) but this worked well for me.

I’ve been running Apache 2.0 with PHP 5.2 for a while now and recently I decided to upgrade the server to Apache 2.2 since 2.0 is getting older. The problem was that this compilation didn’t work out properly and every time I tried to upgrade I got those stinkin’ error messages:

API module structure `php5_module’ in file is garbled

I was of course very frustrated and nothing helped. When I was googling the problem I saw that more people had the same problems and everybody promised gold if they just did this or that. If there were any instructions or HOWTOs for this problem, the information wasn’t enough to solve anything. People also said ”Install from a fresh source” which I also did. Didn’t work either – of course.

Here’s the part that I missed because of the lack of documentation!

What I forgot due to my own frustration was that ”from a fresh source” also meant ”Install TO a fresh destination”. I wasn’t thinking that way at all, so when I tried to reinstall the software, I used my old destination. I was thinking that overwriting old libraries should fix the problems anyway. But of course they didn’t. Why?

Well. One of the reasons was that I didn’t understand more than the instructions I was reading on the internet. I never thought about going one step further and THINK!

When I was making a new version of Apache, the compiler still used the old apxs2 binary for Apache 2.0, and that’s what people mean by ”fresh source”, actually. So do NOT compile to your old spot without cleaning that place up – especially the apxs2 part! Of course I could choose to install pre-compiled packages from various distributions or the packages from Apache Friends, but realizing that I would probably get other crap installed to Apache too made me avoid those packages completely without looking. I like to personalize my system, and I will do that as long as I can. This will probably cause more hair loss, but my system is at least still mine!

This is how I solved the problem without shutting anything down for my users. The solution might be very unique but my webserver is a bit dependent on where all the files are stored today. No packages or cleaning up would help me out here. Besides, if something goes wrong, the server may be gone for hours.

The following system is used:

Current apache version: 2.0.59
Going to: 2.2.4
Current PHP version: 5.2.0
Going to: 5.2.2

Before I was using Apache 2.x, I was (of course) using Apache 1.x, so the current path configuration is /usr/local/apache2
Also note that the use of apr may differ a bit depending on where you have it installed.

> tar jxf httpd-2.2.4.tar.bz2
> tar jxf php-5.2.2.tar.bz2
> cd httpd-2.2.4
> ./configure --prefix=/usr/local/apache2.2 --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr
> make && make install
> cd ../php-5.2.2
> ./configure --with-apxs2=/usr/local/apache2.2/bin/apxs --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr
> make && make install

(The italic line over here may be the golden key to success!)

Now, so far, so good. Running Apache from the newly installed directory should work properly. At this point, I have to go back to my Apache configuration. Since I have more things to compile for the webserver, I now run my full configuration… When I’m checking the modules directory in the new installation I also see that the is included. This means that it really went well, through the first step.

> cd ../httpd-2.2.4
> # — run full configure here with above settings —
> make && make install

Now… If everything’s ok, httpd should still start properly… And actually – it does!

root@predator:/usr/local/apache2.2/bin# ./httpd
(98)Address already in use: make_sock: could not bind to address [::]:80
(98)Address already in use: make_sock: could not bind to address
no listening sockets available, shutting down

But since the old webserver is still running, nothing more than this happens. But that’s ok with me – as long as the new compilation isn’t garbled!

The next step is to move all configuration to the new place. So I’m just lifting over my conf-dir to the new Apache directory. To be sure not to ruin anything I’m not moving anything, just copying… Now, it is very important to change your configuration to the right directory since it is now reading from the old one. But instead of doing this, all I do is rename the old directory and replace it with the new one…

shell> mv apache2 apache2.0
shell> mv apache2.2 apache2

Now, there’s a new problem. The new Apache directory was pointed to apache2.2 and that directory doesn’t exist anymore. I’m not pleased here, so to make everything look like before, I now run configure for Apache one more time. This time I’m using the old prefix again (--prefix=/usr/local/apache2) but this time I’m also doing a cleanup just to make sure that everything changes the way I want. You should also do the same thing for PHP 5.2.2 – start with PHP (otherwise you might lose something important and nothing would work any good)!

> make clean && make && make install…

And meanwhile my old server runs like nothing has happened…

If everything went ok all the way down here, the only thing you have to do now is to restart your apache server… Weiha!

Thanks to Dan Anderson for the very informative description of this, which took my thinking a little bit further!

This is a repost from this forum
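
A pre-flight check for the stale-apxs problem described in the post above, as an added example that is not part of the original post: before running PHP's configure, confirm that the apxs passed to --with-apxs2 reports the prefix and Apache series you intend to build for. The script name and function names are assumptions made for this example; `-q PREFIX`, `-q SBINDIR` and `-q TARGET` are standard apxs queries.

```shell
#!/bin/sh
# Added example (not from the original post): check which Apache an apxs
# binary belongs to before passing it to PHP's --with-apxs2.

# Print the PREFIX the given apxs was installed for.
apxs_prefix() {
    "$1" -q PREFIX
}

# Print the major.minor series (e.g. 2.2) of the httpd that apxs points at.
apxs_httpd_series() {
    httpd_bin="$("$1" -q SBINDIR)/$("$1" -q TARGET)"
    # "Server version: Apache/2.2.4 (Unix)" -> "2.2"
    "$httpd_bin" -v | sed -n 's|^Server version: Apache/\([0-9]*\.[0-9]*\).*|\1|p'
}

# check_build_target APXS EXPECTED_PREFIX EXPECTED_SERIES
# Returns 0 when both match, 1 on a mismatch, 2 when apxs cannot be run.
check_build_target() {
    apxs_bin=$1; want_prefix=$2; want_series=$3
    if [ ! -x "$apxs_bin" ]; then
        echo "cannot execute $apxs_bin" >&2
        return 2
    fi
    got_prefix=$(apxs_prefix "$apxs_bin") || return 2
    got_series=$(apxs_httpd_series "$apxs_bin") || return 2
    if [ "$got_prefix" != "$want_prefix" ]; then
        echo "apxs PREFIX is $got_prefix, expected $want_prefix" >&2
        return 1
    fi
    if [ "$got_series" != "$want_series" ]; then
        echo "apxs belongs to Apache $got_series, expected $want_series" >&2
        return 1
    fi
    echo "ok: $apxs_bin targets Apache $got_series in $got_prefix"
}

# Usage (hypothetical script name):
#   sh check_apxs.sh /usr/local/apache2.2/bin/apxs /usr/local/apache2.2 2.2
if [ "$#" -eq 3 ]; then
    check_build_target "$@"
fi
```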