Friday, June 18th 2010


The dangers of $REQUEST_URI ….
posted @ 3:09 am in [ osCommerce -PHP -Technology -Web Design ]

One of the recent reasons some of our sites were failing PCI compliance is that our self-submitting forms, namely those with PHP code at the top and HTML at the bottom, use the PHP $REQUEST_URI variable as the form action so that the page POSTs back to its own URL.

Now… the reason this is dangerous is that $REQUEST_URI includes all the query string parameters too, so if someone appends code to the query string it gets echoed straight into the page = BAD

So…. how do we fix it?

The trick is to use the parse_url() function in PHP to grab ONLY the path of the page itself rather than the query string as well.

So if we use

action="<?php echo parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH); ?>"

then we fix the security loophole above and happy days 🙂

Additionally, if we want the complete URL minus the query string, we can tokenize the string with strtok() as follows:

action="<?php echo strtok($_SERVER['REQUEST_URI'], '?'); ?>"




Wednesday, March 10th 2010


More Plesk 9.2.3 PCI Compliance fixes on CentOS 5
posted @ 8:38 am in [ Fixing Things -PCI Compliance -PHP -Technology ]

Plesk is a right pain when it comes to getting your site successfully audited as PCI compliant, as it ships its own versions of everything it uses, each of which you need to patch, fix, upgrade the SSL on, or disable.

Luckily most of these are started by the xinetd daemon, so for the SMTPS certificate problems (port 465 if my memory serves me correctly) simply create a folder to move the unwanted service files into (in my case I used /etc/xinetd.disabled) and move the following files out of /etc/xinetd.d

mkdir /etc/xinetd.disabled
mv /etc/xinetd.d/smtps_psa /etc/xinetd.disabled/.
mv /etc/xinetd.d/submission_psa /etc/xinetd.disabled/.

and restart your xinetd

/etc/init.d/xinetd restart

Then the last tasks should be to create valid SSL certificates for Qmail and to disable weak SSL ciphers in Plesk.

To disable weak SSL ciphers in Plesk, edit the Plesk config file

/etc/sw-cp-server/applications.d/plesk.conf

and add the following line

ssl.cipher-list = "TLSv1+HIGH !SSLv2 RC4+MEDIUM !aNULL !eNULL !3DES @STRENGTH"

so the file will now look like this

include_shell "/usr/local/psa/admin/conf/ssl-conf.sh"
ssl.cipher-list = "TLSv1+HIGH !SSLv2 RC4+MEDIUM !aNULL !eNULL !3DES @STRENGTH"
index-file.names = ("index.php")

Creating self-signed SSL certificates for Qmail is best illustrated in the following guide: http://www.akadia.com/services/ssh_test_certificate.html

References:
How to create a self-signed SSL Certificate
How to find out which process is listening on which port
port 8443 medium strength SSL ciphers in Plesk
Generating QMail SSL Certificates




Monday, January 18th 2010


Confusing SSL with mixed IP addresses
posted @ 8:21 am in [ Apache -Fixing Things -Hosting -PHP -Technology ]

SSL throws a weird error: if you have http (port 80) bound to one IP address [say an internal one] and https (port 443) bound to a different IP address [say an external one], then SSL fails with the following very undescriptive error:

SSL received a record that exceeded the maximum permissible length.

(Error code: ssl_error_rx_record_too_long)

To fix it, edit your Apache configuration file in /etc/httpd/conf/httpd.conf (or similar) and make sure that both virtual hosts use the same IP address – job done 🙂





Friday, December 11th 2009


UKFast – Installing cPanel on fresh CentOS x_64
posted @ 10:28 am in [ Apache -Hosting -osCommerce -PHP -Technology -Web2.0 ]

We’re just starting to move one of our clients, Merc (http://www.merc.com/), onto a new web server, as their site has been doing so well that it needs a faster, more optimised server to cope with the traffic. They went with a new Cloud CentOS x_64 server from UKFast for a very reasonable £70.00 odd per month.

The server seems lightning quick, which is great, but it didn’t come with a nice install of Plesk, cPanel or similar, so we decided to install cPanel.

It’s actually really easy to do – just follow the really helpful guide from Network Data Center in the US (see the reference below) and you’ll be up and running with a full-blown cPanel in a couple of hours.

Job done! 🙂

References:
https://helpdesk.ndchost.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=25




Thursday, October 29th 2009


Fixing cross-site scripting attacks in PHP for PCI Compliance
posted @ 9:49 am in [ Fixing Things -Technology -Web Design -Web2.0 ]

More PCI compliance checks revealed that a number of scripts on some of the simpler pages of our sites (the email registration form, for example) were open to possible cross-site scripting attacks.

(see the Wikipedia entry for a pretty good explanation of what they are and why you need to fix them http://en.wikipedia.org/wiki/Cross-site_scripting)

Anyway – here’s the quick fix for pretty much any form: encode the value with htmlspecialchars.

Original: (note the weakness of using REQUEST_URI here)

<form method="post" action="<?php echo $_SERVER['REQUEST_URI']; ?>" id="registerTop" class="smallForm">

Fixed: (note that PHP_SELF replaces REQUEST_URI to stop injection of different pages, and the value is passed through htmlspecialchars)

<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES); ?>" id="registerTop" class="smallForm">

Happy days – PCI test passed 🙂
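Putting the two fixes together, the query-string stripping from the $REQUEST_URI post above and the htmlspecialchars() encoding from this one, as an added example that is not code from the original posts: the path part of REQUEST_URI (or PHP_SELF) can still carry attacker-supplied characters as PATH_INFO, so the stripped value is encoded before it lands in the attribute. The request URIs below are constructed samples.

```php
<?php
// Added example (not the blog's own code): build a safe <form action>
// from the request URI. Stripping the query string is not enough on its
// own, because the path itself can carry injected characters via
// PATH_INFO, e.g. /register.php/"><script>..., so the result is always
// HTML-encoded as well.

// Strip query string (and fragment) with parse_url(), as in the 2010
// post, then encode for use inside a double-quoted HTML attribute.
function safe_form_action(string $requestUri): string
{
    $path = parse_url($requestUri, PHP_URL_PATH);
    if ($path === false || $path === null || $path === '') {
        $path = '/';   // malformed input: fall back rather than echo it raw
    }
    return htmlspecialchars($path, ENT_QUOTES, 'UTF-8');
}

// Equivalent using strtok(), as in the post's addendum. strtok() keeps
// everything before the first '?', so a '#' fragment would survive here.
function safe_form_action_strtok(string $requestUri): string
{
    $path = strtok($requestUri, '?');
    return htmlspecialchars($path === false ? '/' : $path, ENT_QUOTES, 'UTF-8');
}

// Constructed sample request URIs, including two crafted ones.
$samples = [
    '/register.php',
    '/register.php?ref=newsletter',
    '/register.php?x="><script>alert(1)</script>',   // query-string injection
    '/register.php/"><script>alert(1)</script>',     // PATH_INFO injection
];

foreach ($samples as $uri) {
    // The last sample shows why encoding is still required after stripping:
    // the quote and angle brackets come out as &quot; &gt; &lt;.
    printf("%-48s -> %s\n", $uri, safe_form_action($uri));
}
```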




Thursday, October 29th 2009


Just in case you wondered who was responsible for all of IE6’s bugs…
posted @ 6:49 am in [ Technology -Web Design -Web2.0 ]

I found this last night while scanning for another document: the thank-you note Microsoft sent me for being one of the beta testers on Microsoft Internet Explorer 4 (IE4)!

Obviously I didn’t do a very good job, as IE5 and IE6 both turned out to be horribly buggy browsers, but then again they didn’t pay me for the pleasure so it can’t be all bad 🙂


MicrosoftIE4BetaTestersLetter




Tuesday, October 20th 2009


Plesk error 500 and [apc-error] apc_mmap: mmap failed: No space left on device
posted @ 10:55 am in [ Media Temple -PHP -Technology -Web Design ]

Upgrade Plesk 8.0.3 to Plesk 9.0.x on a Media Temple DV server and it dies 🙁

Error 500, nothing in the log files, nowhere to turn.

Anyways… after a chunk of digging around, the problem turns out to be running out of memory in the container that Media Temple allocates for the DV server.

So… you can fix it by lowering the PHP memory requirements in the Plesk 9 php.ini file


cd /usr/local/psa/admin/conf/
vi php.ini

The setting you want to change is apc.shm_size, from the default setting of 40 (Mb?) to 10


apc.shm_size = 10

And then check that Plesk is working


/usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u psaadm

…and with a bit of luck you should be away! There is more detail in a good discussion on the Plesk forums.




Monday, October 19th 2009


How To Virtualize Any OS For Free
posted @ 6:53 am in [ Technology -Web Design ]

Boot IE6 or IE7 virtual machines on your Mac like our team does, without paying Parallels a penny!

http://gizmodo.com/5383982/how-to-virtualize-any-os-for-free

Awesome 🙂




Thursday, October 15th 2009


More YUM and how to fix
posted @ 5:32 am in [ Technology ]

Yum is great – it really is a blessing when it is installed, as you can upgrade a whole Linux system really easily.

The problem is that most shared hosting providers use CentOS, as it is basically a very good free copy of Red Hat Linux, so that they can provide ‘virtual’ servers to customers.

CentOS, however, doesn’t come with Yum, so you need to install it; here are the common errors when installing it and how to fix them.

1. No module named yum

Error:
There was a problem importing one of the Python modules
required to run yum. The error leading to this problem was:

No module named yum

Please install a package which provides this module, or
verify that the module is installed correctly.

It's possible that the above module doesn't match the
current version of Python, which is:
2.4.3 (#1, May 24 2008, 13:47:28)
[GCC 4.1.2 20070626 (Red Hat 4.1.2-14)]

If you cannot solve this problem yourself, please go to
the yum faq at:
http://wiki.linux.duke.edu/YumFaq

This is actually Python complaining that it can’t find the Yum library when it runs. You can try installing it into Python (run python, type ‘import yum’), however this never seems to work for me, so the alternatives are to add the directory containing the Yum source to the Python path, or to run Yum directly with Python using ‘python yummain.py’. This works quite well 🙂

2. AttributeError: CHECKSUM_VALUE

This seems to be a version mismatch between the Yum package you are installing and the Yum Metadata Parser you have installed. The best trick is to remove the one you have and install a fresh one:

rpm -qa | grep yum-metadata-parser
rpm -ev --nodeps yum-metadata-parser-VERSIONFROMABOVECMD

Download the version you want from the Yum homepage – http://yum.baseurl.org/download/yum-metadata-parser/

and install it – that should fix it nicely 🙂

Also – I found this list of Python and rpm requirements based on the version of Yum being installed:

* yum 3.0.1 – Stable Release, Python 2.4+ and rpm 4.3+ systems only. Requires repomd repositories. Works under FC5, FC6 and rawhide.
* yum-metadata-parser 1.0.2 – C-based metadata parser to quickly parse xml metadata into sqlite databases.
* yum 2.6.X – Stable Release, Python 2.3+ and rpm 4.1.1+ systems requires repomd repositories: 2.6.1 latest known to work with some FC3, FC4, FC5, RHEL4 and compatible distributions
* yum 2.4.X – Stable Release, Python 2.3+ and rpm 4.1.1+ systems requires repomd repositories: 2.4.2 latest known to work with: FC3, FC4, RHEL4 and compatible distributions
* yum 2.0.X – for python 2.1+ and rpm 4.1.1-4.3.1 systems: 2.0.8 latest
* yum 1.0.X – for python 1.5.2+ and rpm 4.0.4 systems: 1.0.3 latest – considered obsolete

references:
http://docs.python.org/install/index.html
http://wiki.centos.org/HowTos/PackageManagement/YumOnRHEL
http://yum.baseurl.org/download/2.9/




Thursday, April 23rd 2009


Launch of Mitchell and Peach, natural bath products
posted @ 8:22 am in [ Technology -Web Design -Web2.0 ]

If you’re buying gifts for nans, mums, aunties, daughters, nieces, sisters, girlfriends or girl friends it’s kind of tough to find something original, ethical and beautiful with a nice transparent background.

Well, some good friends of ours have been growing lavender on a farm in Kent for the past god knows how long, and in deciding what best to do with it have made these incredible all natural bath products in soap, shower wash, body cream and bath oil.

They’re really beautifully packaged, lovely smelling and are all round pretty luxurious products so if there’s someone you think might deserve it… it’s a nice way to treat them (and it’s quite a nice story too).

www.mitchellandpeach.com

Oh and if you enter the code MPC1 in the checkout area you get a cheeky £10 off. Nice!

And of course the beautiful e-commerce website is built by Skywire 🙂