Bitmasking for C#

Referring to the scripts that handle the bitmasking for the dnsbl.tornevall.org scripts, this is how to write the same routine in C#. It is based on the Hashtable class to keep it as similar as possible.

Code:
// Requires: using System; using System.Collections;
public Hashtable BitMask(int MaskVal, params int[] bitcheck)
{
    Hashtable ReturnThis = new Hashtable();
    Hashtable Arr = new Hashtable();

    // Number of bits to decode; stays at 8 when no second argument is given
    int loadbits = 8;
    if (bitcheck != null && bitcheck.Length > 0) { loadbits = bitcheck[0]; }

    /*
     * PHP SOURCE
     *
     *   function bitmask ($bit = '', $loadbits = 8)
     *   {
     *       for ($i = 0 ; $i < $loadbits ; ++$i) {$arr[] = pow(2,$i); }     // Generate the bit values automatically
     *       for ($i = 0 ; $i < count($arr) ; ++$i) {$mask[$i] = ($bit & $arr[$i]) ? '1' : '0';}     // Set 1 for the bit values that are switched on
     *       return $mask;
     *   }
     */

    // Generate the bit values automatically (1, 2, 4, 8, ...)
    for (int i = 0; i < loadbits; ++i) { Arr.Add(i.ToString(), Math.Pow(2, i).ToString()); }
    // Store "1" for each bit that is set in MaskVal, "0" otherwise
    for (int i = 0; i < Arr.Count; ++i) { ReturnThis.Add(i.ToString(), Convert.ToInt32(Convert.ToBoolean(MaskVal & Convert.ToInt32(Arr[i.ToString()].ToString()))).ToString()); }
    return ReturnThis;
}

”How do I sort a HashTable?”

I think of hashtables in C# as similar to a normal array in PHP. But they’re not! Hashtables are great to use when it comes to ”temporary storage” of variables, but they are useless if you need to sort the information. Google doesn’t help either. It’s always half solutions, and most of the time you have to guess how you should solve the problem, and it’s not getting better since I’m lazy. But this was actually solved. I needed to sort a kind of sales score with the highest value on top, like in a top ten. And it was for ASP.NET.

Via Google I found out that an ArrayList could fix my issue. The only problem was that the sort was handled as strings, which gave a very ugly result.

So here’s my solution!

Code:
  // [.. source ..]

  // The first hashtable content
  SalesData.Add(Säljare, SoldItems.ToString());

  // [.. more source ..]

  // Time to sort our data. Create a new hashtable!
  Hashtable SortList = new Hashtable();
  string CountString = "";

  // Scan through the salesmen and collect them by score (all salesmen with 30 sold items are put in one
  // hash entry, 29 in another, and so on...)
  foreach (string SalesScorers in SalesData.Keys)
  {
      // Check the length of the counted items. If it is only one character long, put a zero before the value
      // so the keys will be 01, 02, 03, ... 10, 11, 12, ... 28, 29, 30, and so on.
      // (Two-digit padding only sorts correctly as strings for counts below 100.)
      if (SalesData[SalesScorers].ToString().Length == 1) { CountString = "0" + SalesData[SalesScorers].ToString(); } else { CountString = SalesData[SalesScorers].ToString(); }

      // Then add the new data, with the scores as a key, and the salespeople as the value.
      // The nice part here is that the salespeople are identified with an id instead of their names, so there
      // will always only be one space per person.
      if (!SortList.Contains(CountString))
      {
          SortList.Add(CountString, SalesScorers + " ");
      }
      else
      {
          SortList[CountString] += SalesScorers + " ";
      }
  }

  // Now, create an arraylist, and sort it by the key.
  ArrayList Lista = new ArrayList(SortList.Keys);
  Lista.Sort();

  // Make the order descending, so the highest value will be put first
  Lista.Reverse();

At this point you can foreach through all of the salesmen and split them up into separate pieces, and the output is beautiful!

There are probably other ways too, but with HashTables there’s apparently no easy way to solve this, unlike in PHP, where you can use the built-in sorting functions…

Discovered CSRF with AJAX, phpBB and Private Messaging…

A few months ago I was asked whether it was possible to forge private messages on a web forum. I said yes, of course, and explained – to the mortals – how it could theoretically be done with AJAX (or similar). But it’s not guaranteed to work, since AJAX depends on the browser’s security and on the code running on the site. In my mind there should not be any problems, however, as long as the browser doesn’t leave the domain, or the communication is handled by two trusted sites.

To see if my theory really worked, I decided to test it. I chose an older version of phpBB since this was (and probably still is for a lot of websites out there) actually a bug, fixed in newer releases – and phpBB is a forum that is easy both to install and to use. It’s also free, and used by many. Continue below…


XSS at IMVU – Still unprotected

At the end of March 2007, the IMVU team announced a flaw in their system that made it possible to hijack other users’ accounts by simple XSS injections. Of course, the people behind those attacks were stupidly exposed, since the hijackers were sending large amounts of credits to themselves. The XSS was stopped by simply disabling all JavaScript/HTML coding temporarily until the issue was solved.

The issue was solved. Almost. One problem seems to be that the IMVU team missed the natural way of evading such fixes. With a small change to a script that makes it possible to hijack accounts, the issue is still reachable by whoever finds out how to do this. Allowing users to enter their own HTML code on any website will always open doors to new hacking threats. The best solution against such things is to really consider disabling this completely (or disabling JavaScript in the web browser). But then, IMVU will probably not be as ”fun” as the users there think it is now…

There are also two threads on the IMVU forum that might be interesting to refer to regarding this subject.

The first thread probably shows the first signs of people starting to discover that something was wrong.
The second thread is where IMVU disabled scripting, and where they were supposed to fix this issue.

API module structure `php5_module' in file libphp5.so is garbled

Upgrade Apache 2.0.x to Apache 2.2.x together with PHP 5.2.x 

Step-by-step for complete idiots

There might be other ways to do a proper clean installation of Apache (well, an upgrade for me though), but this worked well for me.

I’ve been running Apache 2.0 with PHP 5.2 for a while now, and recently I decided to upgrade the server to Apache 2.2 since 2.0 is getting older. The problem was that this compilation didn’t work out properly, and every time I tried to upgrade I got this stinkin’ error message:

API module structure `php5_module' in file libphp5.so is garbled

I was of course very frustrated and nothing helped. When I was googling the problem I saw that more people had the same problem, and everybody promised gold if they just did this or that. If there were any instructions or HOWTOs for this problem, the information wasn’t enough to solve anything. People also said ”Install from a fresh source”, which I also did. Didn’t work either – of course.

Here’s the part that I missed because of the lack of documentation!

What I forgot due to my own frustration was that ”from a fresh source” also meant ”Install TO a fresh destination”. I wasn’t thinking that way at all, so when I tried to reinstall the software, I used my old destination. I was thinking that overwriting old libraries should fix the problems anyway. But of course it didn’t. Why?

Well. One of the reasons was that I didn’t understand more than the instructions I was reading on the internet. I never thought about going one step further and THINK!

When I was building the new version of Apache, the compiler still used the old apxs2 binary for Apache 2.0, and that’s what people mean by ”fresh source”, actually. So do NOT compile to your old spot without cleaning that place up – especially the apxs2 part! Of course I could have chosen to install pre-compiled packages from various distributions or the packages from Apache Friends, but realizing that I would probably get other crap installed with Apache too made me avoid those packages completely without looking. I like to personalize my system, and I will do that as long as I can. This will probably cause more hair loss, but my system is at least still mine!

This is how I solved the problem without shutting anything down for my users. The solution might be very unique, but my webserver is a bit dependent on where all the files are stored today. No packages or cleaning up would help me out here. Besides, if something goes wrong, the server may be gone for hours.

The following system is used:

Current apache version: 2.0.59
Going to: 2.2.4
Current PHP version: 5.2.0
Going to: 5.2.2

Before I was using Apache 2.x, I was (of course) using Apache 1.x, so the current path configuration is /usr/local/apache2
Also note that the use of apr may differ a bit depending on where you have it installed.

> tar jxf httpd-2.2.4.tar.bz2
> tar jxf php-5.2.2.tar.bz2
> cd httpd-2.2.4
> ./configure --prefix=/usr/local/apache2.2 --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr
> make && make install
> cd ../php-5.2.2
> ./configure --with-apxs2=/usr/local/apache2.2/bin/apxs --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr
> make && make install

(The italic line above may be the golden key to success!)
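
A pre-flight check for the pitfall described above, as an added example that is not part of the original post: it asks an apxs binary, through its documented -q query, which directories were baked in when its Apache was built, and flags any that lie outside the prefix you intend to build PHP against. The function names are hypothetical, and the check assumes Apache's default directory layout under --prefix (bin, include and modules below the prefix), as used in this post.

```shell
#!/bin/sh
# Added example (not from the original post): verify that an apxs binary
# belongs to the Apache prefix you are about to pass to PHP's --with-apxs2.

# Thin wrapper around "apxs -q VAR" so the query can be stubbed in a test.
apxs_query() {
    "$1" -q "$2"
}

# check_apxs APXS EXPECTED_PREFIX
# Returns 0 if all reported paths are under EXPECTED_PREFIX,
#         1 on a mismatch, 2 if apxs could not be queried.
check_apxs() {
    apxs=$1
    prefix=${2%/}               # tolerate a trailing slash
    status=0
    for var in SBINDIR INCLUDEDIR LIBEXECDIR; do
        value=$(apxs_query "$apxs" "$var") || {
            echo "ERROR: $apxs -q $var failed" >&2
            return 2
        }
        case "$value" in
            "$prefix"/*)
                echo "ok       $var=$value" ;;
            *)
                # e.g. an Apache 2.0 apxs answering for /usr/local/apache2
                # when the build is meant for /usr/local/apache2.2
                echo "MISMATCH $var=$value (expected under $prefix)" >&2
                status=1 ;;
        esac
    done
    return $status
}

# Stand-alone use:
#   sh check_apxs.sh /usr/local/apache2.2/bin/apxs /usr/local/apache2.2
if [ "$#" -eq 2 ]; then
    check_apxs "$1" "$2"
fi
```

Run it before PHP's configure step; a MISMATCH line means the module would be compiled against the headers of a different Apache than the one that will load it.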

Now, so far, so good. Running Apache from the newly installed directory should work properly. At this point, I have to go back to my Apache configuration. Since I have more things to compile for the webserver, I now run my full configuration… When I check the modules directory in the new installation I also see that libphp5.so is included. This means that the first step really went well.

> cd ../httpd-2.2.4
> # — run full configure here with above settings —
> make && make install

Now… If everything’s ok, httpd should still start properly… And actually – it does!

root@predator:/usr/local/apache2.2/bin# ./httpd
(98)Address already in use: make_sock: could not bind to address [::]:80
(98)Address already in use: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down

But since the old webserver is still running, nothing more than this happens. But that’s ok with me – as long as the new compilation isn’t garbled!

The next step is to move all configuration to the new place. So I’m just lifting my conf dir over to the new Apache directory. To be sure not to ruin anything I’m not moving anything, just copying… Now, it is very important to change your configuration to point at the right directory, since it is still reading from the old one. But instead of doing this, all I do is rename the old directory and replace it with the new one…

shell> mv apache2 apache2.0
shell> mv apache2.2 apache2

Now, there’s a new problem. The new Apache directory was pointed to apache2.2 and that directory doesn’t exist anymore. I’m not pleased here, so to make everything look like before, I now run configure for Apache one more time. This time I’m using the old prefix again (--prefix=/usr/local/apache2), but this time I’m also doing a cleanup just to make sure that everything changes the way I want. You should also do the same thing for PHP 5.2.2 – start with PHP (otherwise you might lose something important and nothing would work any good)!

> make clean && make && make install…

And meanwhile my old server runs like nothing has happened…

If everything went ok all the way down here, the only thing you have to do now is to restart your apache server… Weiha!

Thanks to Dan Anderson for the very informative description of this, which pushed my thinking a little bit further!

This is a repost from this forum