Linux Blog

Securing PHP Web Applications Review

Filed under: General Linux — TheLinuxBlog.com at 11:43 am on Friday, February 27, 2009


As a somewhat seasoned PHP developer, I’m always looking for ways to improve code and keep up with the latest happenings. When I saw the book, “Securing PHP Web Applications” by Addison-Wesley, I thought I’d give it a look. PHP is known for its wide deployment and rapid development. Unfortunately, with such a large user base, it is not uncommon to see mistakes in development. Often developers are unaware that what they are doing is insecure. This book addresses important security concerns every developer should be aware of.

The first ten chapters are on programming practices, which may not interest you if you’re a system administrator. If you are a developer you should know them, understand them, be able to fix them and, of course (the fun part), exploit them for demonstration.

Chapters 11, 12 and 13 are essential reading to any system administrator who will be supporting a LAMP or WAMP stack.
The IIS chapter may not apply to those reading this blog since we all know that securing IIS is not necessary when you’re running Linux. The chapters on securing PHP, MySQL, and Apache outline the basic concepts and give some important pointers that may not be obvious to everyone.

Chapter 14 (Introduction to Automated Testing) and Chapter 15 (Introduction to Exploit Testing) have really opened my eyes to methods I have not used before. We’ve all heard of Selenium and PHPUnit, but what about CAL9000 and PowerFuzzer? I’ll be off to try them soon. I can always appreciate applications designed to help secure applications. Nessus, Nikto and Metasploit get no mention in this book, but now that you’ve read this review you’ll know to look into those as well.

Chapter 16 is on designing secure applications and Chapter 17 is on patching, which would have been useful to me when explaining to someone why they shouldn’t be working on their production site (and, to make things worse, with no version control).

There are so many products out there that are vulnerable to some of the attacks described. We see them every day on the security lists. I think that any company and developer of PHP based Web Applications should have a keen grasp on the concepts outlined within the pages of this book.

I do not think, however, that “Securing PHP Web Applications” is a book that is necessarily intended for every developer out there. I think it’s a great book for anyone with an active interest in security who has been developing for a while but would like some pointers on how to secure their web apps, or a reference for developers in need.

For more information and a sample chapter, please visit the publisher page: http://www.informit.com/title/0321534344 or if you subscribe to Safari Books Online you can access the complete book here: http://techbus.safaribooksonline.com/9780321534347

Fix For Grub Problem After Fedora Update

Filed under: General Linux — TheLinuxBlog.com at 10:06 am on Tuesday, February 24, 2009

After updating a Fedora installation, a development server froze at boot, sitting there with GRUB on the screen.
It had been like this all night after a successful upgrade earlier that day. yum update was run from a screen session that I then connected to from home. What had caused the problem was that the kernel, and possibly grub, had been updated. This meant the system needed a reboot, but after the reboot the drive map had changed.

Fortunately, when I came in the next morning I had an e-mail with a link to this website: http://readlist.com/lists/redhat.com/fedora-list/51/259917.html with a solution to the problem.

Here are the step by step instructions, since they are not clearly laid out on that site:

1) Insert the Fedora installation media
2) Boot into rescue mode
3) Choose a language and skip the network settings
4) Once you are at a shell, type:
5) grub --device-map=/tmp/drivemap
6) quit
7) vi, pico or nano /tmp/drivemap and move sda and sdb around, or perhaps hda.
8) chroot /mnt/sysimage
9) I had checked that /tmp/drivemap had stayed the same by running cat /tmp/drivemap
10) grub --device-map=/tmp/drivemap
11) quit
12) grub-install
13) reboot
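The hand edit in step 7 (swapping the sda and sdb entries in the map that grub wrote) is the part most likely to be fat-fingered at 1:00am, so here is the same swap as a small shell function that can be run from the rescue shell. This is an added example, not part of the original post or the mailing list solution. It assumes the GRUB legacy device map format, one "(hdN)<tab>/dev/xxx" entry per line; the two-disk map used for the demo is constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original post: swap two disks' (hdN) entries
# in a GRUB legacy device map, the manual edit that step 7 describes.
# Assumes the legacy device.map format: "(hd0)<tab>/dev/sda", one per line.

# swap_devmap MAP DEV_A DEV_B
# Rewrite MAP in place so the (hdN) name that pointed at DEV_A now points at
# DEV_B and vice versa. Every other line is copied through untouched.
swap_devmap() {
    map=$1; a=$2; b=$3
    tmp="$map.new.$$"
    awk -v a="$a" -v b="$b" -v OFS='\t' '
        $2 == a { $2 = b; print; next }
        $2 == b { $2 = a; print; next }
        { print }
    ' "$map" > "$tmp" && mv "$tmp" "$map"
}

# devmap_lookup MAP DEV: print the (hdN) name currently mapped to DEV,
# handy for checking the map before handing it back to grub.
devmap_lookup() {
    awk -v d="$2" '$2 == d { print $1 }' "$1"
}

# make_sample_map FILE: write a constructed two-disk map for the demo below
# (sample data, not taken from the post).
make_sample_map() {
    printf '(hd0)\t/dev/sda\n(hd1)\t/dev/sdb\n' > "$1"
}

# Demo: build the sample map, swap the two disks, show the result. In the
# real procedure MAP would be /tmp/drivemap, and the next steps are
# `grub --device-map=/tmp/drivemap`, `quit` and `grub-install` as above.
MAP=$(mktemp)
make_sample_map "$MAP"
echo "before:"; cat "$MAP"
swap_devmap "$MAP" /dev/sda /dev/sdb
echo "after:";  cat "$MAP"
rm -f "$MAP"
```

Run devmap_lookup on the edited file before steps 10 to 12 so you can confirm the disk you are about to install grub onto is the one you think it is.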

After grub gave its usual message I rebooted, removed the CD and everything worked as expected. Excellent. I’ve always used lilo over grub, but recently the distributions I’ve been using use grub and, more importantly, so do the servers I manage. Therefore I guess I had better get more accustomed to grub. Luckily the server this went wrong on was a development server and nothing mission critical, so thankfully no one had to make the long haul into the data center to fix this issue at 1:00am. Hopefully you will be just as lucky if you run into this issue.

Command Line Image Editing with ImageMagick

Filed under: Linux Software — TheLinuxBlog.com at 1:52 pm on Friday, February 13, 2009


Image editing is often considered a pitfall of the Linux desktop. When I was in school a number of years ago a Windows user (who later converted to the hipster OS X “better than thou” type) said to me:
“I don’t know why anyone uses the command line anymore, it’s obsolete”
People often forget about the power of the command line. The command line may not be the best tool for everything, but image editing is a shining example of how it can be used. I wouldn’t recommend trying to type a command that touches up your photos, but any operation that has to be repeated a number of times can easily be accomplished through a series of commands.

While there are many command line image editing tools available, this post focuses on the ImageMagick suite. While all of this can be read in the man page, I aim to simplify and document it for both myself and other casual ImageMagick users. By far the most valuable resource for ImageMagick is the online documentation.

Basically, ImageMagick’s convert takes a number of parameters depending on the operation you want to perform: most commonly an input filename, one or more operations and an output filename. You can specify the same filename for both input and output in most cases, but that overwrites the original in place, so only do it when you do not need to keep the source image in its original form.

Here are some of my favourite and most used functions of ImageMagick:

Resize an image
Resizing an image with ImageMagick is very simple: run convert with the -resize option. The geometry can give a width (800x), a height (x600) or both; by default the aspect ratio is preserved. If your image has strange dimensions you can resize it to fit and then pad it out to an exact size with a background colour (-background, -gravity and -extent).

Rotate an Image
Rotating an image is a snap: convert <source file> -rotate <degrees> <output file> rotates by any number of degrees. 90, 180 and 270 are the most common, to change orientation, but other angles may be used. Rotating by an angle that is not a multiple of 90 exposes the corners of the canvas, so you will want to set a background colour with -background for those.

Flipping an image
There are two ways to flip an image and they are easy to confuse. ImageMagick uses -flip to mirror vertically (top to bottom) and -flop to mirror horizontally (left to right).

Quality
Adjusting the quality of an image is sometimes desirable when saving files for the web. Use -quality <0-100> (100 being the best) to set the compression quality for lossy formats such as JPEG.

Working with GIFs
GIFs can be edited or created by those patient enough to do so. The main thing to know about working with animated GIFs is the -coalesce option, which rebuilds every frame as a complete image. If the output format can only hold a single frame (PNG, JPEG) or you add +adjoin, each frame is written to its own file, Filename-0.gif, Filename-1.gif, Filename-2.gif and so on, and any existing files with those names are overwritten, so write them into an empty directory. You can then work on each frame individually, or with a script, and then join them back together.
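The operations above are described but not shown, so here they are as a small shell wrapper, an added example that is not from the original post. Each function builds one convert invocation; with IM_DRY_RUN=1 it prints the command instead of running it, so a batch can be reviewed before any file is touched, and gif_split refuses a non-empty directory so the frame files can never clobber anything. The filenames in the demo are placeholders, not real files.

```shell
#!/bin/sh
# Added example, not from the original post: a thin wrapper around the
# ImageMagick `convert` operations described above. Set IM_DRY_RUN=1 to
# print each command instead of executing it.

# im_run COMMAND...: run the command, or echo it when dry-running
im_run() {
    if [ "${IM_DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# im_resize SRC DST GEOMETRY   e.g. 800x (by width), x600 (by height),
# 800x600 (fit in box, aspect kept), "800x600>" (only shrink, never enlarge)
im_resize() { im_run convert "$1" -resize "$3" "$2"; }

# im_resize_pad SRC DST WxH COLOR: resize to fit WxH, then pad the canvas
# out to exactly WxH with COLOR, for images with awkward dimensions
im_resize_pad() {
    im_run convert "$1" -resize "$3" -background "$4" -gravity center -extent "$3" "$2"
}

# im_rotate SRC DST DEGREES [COLOR]: rotate; exposed corners are filled with COLOR
im_rotate() { im_run convert "$1" -background "${4:-white}" -rotate "$3" "$2"; }

# im_flip SRC DST: mirror top-to-bottom.  im_flop SRC DST: mirror left-to-right.
im_flip() { im_run convert "$1" -flip "$2"; }
im_flop() { im_run convert "$1" -flop "$2"; }

# im_quality SRC DST Q: recompress a lossy format (JPEG) at quality 0-100
im_quality() { im_run convert "$1" -quality "$3" "$2"; }

# gif_split SRC DIR: coalesce the animation and write one PNG per frame into
# DIR as frame-000.png, frame-001.png ...  Refuses a non-empty DIR so that
# existing files are never silently overwritten.
gif_split() {
    src=$1; dir=$2
    mkdir -p "$dir" || return 1
    if [ -n "$(ls -A "$dir")" ]; then
        echo "gif_split: $dir is not empty, refusing to overwrite" >&2
        return 1
    fi
    im_run convert "$src" -coalesce "$dir/frame-%03d.png"
}

# gif_join DIR DST DELAY: reassemble the frames (DELAY in 1/100 s between
# frames) into one looping GIF
gif_join() { im_run convert -delay "$3" -loop 0 "$1"/frame-*.png "$2"; }

# batch_resize GEOMETRY FILE...: apply one resize to many files, writing
# NAME.small.EXT next to each original so the source is kept intact
batch_resize() {
    geom=$1; shift
    for f in "$@"; do
        im_resize "$f" "${f%.*}.small.${f##*.}" "$geom"
    done
}

# Demo: preview a batch without running anything (placeholder filenames)
( IM_DRY_RUN=1; batch_resize 800x photo1.jpg photo2.jpg )
```

Run the same command without IM_DRY_RUN once the printed invocations look right; ImageMagick itself must be installed for that.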

Security Conference in NC Coming Up

Filed under: The Linux Blog News — TheLinuxBlog.com at 1:20 am on Thursday, February 12, 2009

Just a quick heads up for those that are interested. Carolina Con 09 is coming up, and if you’re going to be, or can be, in the Raleigh, NC area between March 13th and 14th then you should head on over. I’ve been a couple of times and it’s always been a blast. This year the line up looks good and the party will be even better, so mark your calendar and I’ll see you there. http://carolinacon.org/

Things I don’t want to do in 2009.

Filed under: General Linux — TheLinuxBlog.com at 8:59 am on Tuesday, February 3, 2009

Since we are now in the second month of 2009 I figured it would be a good time to follow up on My Goals for 2009. I have not made much progress on my goals, but hey, any progress is progress, right? This post is my list of things that I do not want to repeat in 2009, either from 2008 or before. Only the first item is non-technical, and this list is not quite as long as my list of things I want to achieve in 2009. I’m sure I’ll think of more as the year goes on. Again, it’s not an all-inclusive list and I hopefully won’t have to come back and amend this document too quickly, if at all. Oh, who am I kidding, I should probably add to this before I even post it.

We’ll start off with what happened to me on New Year’s Eve 2008. To say the least, I got very drunk, meaning that I was so hung over that I couldn’t function. Therefore I spent the rest of the day in bed. I’ll try not to make a repeat of this in 2009 on any account, New Year’s Eve or not. What a way to start the new year.

I’m pretty sure that I did this one in 2008; if not, I’ve done it in the past and do not want to repeat it. It involves some personal data and a mistyped command, resulting in data loss. What about backups? Well, it doesn’t help if the mistyped command was intended to make a backup of the data rather than destroy it.

Working on production machines. This is a touchy subject; there are times you HAVE to work with production machines, there is just no way around it. What I aim to do is not work on them as often. For example, I can copy a portion of a live database to my development machine and work on it from there, rather than just copy the database or table on a production machine. This way I will avoid locking up tables with a poorly written query, and perhaps avoid a restore from backup, or rather a large oh $#@! moment.

I don’t want to run a certain distribution for my servers in 2009. I’ll keep the distribution anonymous in this one, but those that know me will know one of my dirty little secrets. It’s not them, it’s me. It involves a bleeding edge distribution that gets updated every six months or so. In short, it shouldn’t be used in a production environment. I wasn’t involved in the decision to run this distribution, but I will be involved in solving this nightmare.

To end this list I give you the epic chmod 755 -R while in the root directory. I don’t think this one needs any more explanation.

APC Access Temperature Query and Conversion. (1 of 2)

Filed under: Shell Script Sundays — TheLinuxBlog.com at 10:54 pm on Sunday, February 1, 2009

This week I present to you, dearest reader, part of a script I wrote to monitor the temperature on APC brand UPSs. The script requires the apcupsd package to be installed and properly configured.

Here is the script:

#!/bin/bash
# Query the UPS internal temperature (ITEMP) through apcupsd's apcaccess and
# print it in Celsius, Fahrenheit or both.

APCACCESS=/usr/sbin/apcaccess

# Pull the numeric ITEMP value; apcaccess prints a line like "ITEMP : 27.5 C"
read_temp_c () {
    "$APCACCESS" | awk -F': *' '/^ITEMP/ { split($2, v, " "); print v[1]; exit }'
}

# Convert a Celsius reading to Fahrenheit with bc (handles decimals)
c_to_f () {
    echo "($1*1.8)+32" | bc
}

# Validate the argument before touching the UPS
case "$1" in
f|c|b) ;;
*)
    echo "Usage: $0 {f|c|b}" >&2
    exit 1
    ;;
esac

temp=$(read_temp_c)
if [ -z "$temp" ]; then
    echo "$0: could not read ITEMP from $APCACCESS" >&2
    exit 1
fi

case "$1" in
c)
    echo "$temp"
    ;;
f)
    c_to_f "$temp"
    ;;
b)
    echo "$temp C"
    echo "$(c_to_f "$temp") F"
    ;;
esac

The script uses basic bash, awk and bc. It requires only one input, and that is f, c or b: f for Fahrenheit, c for Celsius and b for both. The second part of the script is a cron job, with some more basic bash. It writes a log and e-mails me if the temperature goes over a certain threshold, and it e-mails me again once the temperature has come back down. I will post the cron script next week, as it is a major portion. The tricky part of the cron was making it e-mail me only once.
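The "e-mail me only once" part is the piece worth thinking through, so here is one way to do it, as an added example and not the author's cron script (which is promised for next week). It keeps a state file whose existence means "an alert is open": a reading over the limit sends one notification, further readings over the limit send nothing, and the first reading back under the limit sends a single all-clear and removes the file. The notify function, log path and state file path are assumptions; notify appends to a log so the block runs without a mailer, and the readings fed to it below are constructed sample values rather than real apcaccess output.

```shell
#!/bin/sh
# Added example, not the author's cron script: one-shot alerting for the
# temperature reading produced by the script above. A state file remembers
# whether an alert is currently open, so each threshold crossing is reported
# exactly once. LOG, STATE and notify() are assumed stand-ins.

LOG=${APC_LOG:-/tmp/apc-temp.log}          # assumed log location
STATE=${APC_STATE:-/tmp/apc-temp.alert}    # exists while an alert is open

# alert_action TEMP LIMIT STATEFILE -> prints alert | clear | none and
# updates STATEFILE. The comparison goes through awk so fractional readings
# such as 27.5 compare numerically, not as strings.
alert_action() {
    temp=$1; limit=$2; state=$3
    if awk -v t="$temp" -v l="$limit" 'BEGIN { exit !(t > l) }'; then
        if [ -e "$state" ]; then
            echo none                      # already reported, stay quiet
        else
            : > "$state"; echo alert       # open the alert: first notification
        fi
    else
        if [ -e "$state" ]; then
            rm -f "$state"; echo clear     # back to normal: one all-clear
        else
            echo none
        fi
    fi
}

# notify SUBJECT: stand-in for something like  mail -s "$SUBJECT" you@example.com
notify() {
    printf '%s NOTIFY %s\n' "$(date '+%F %T')" "$1" >> "$LOG"
}

# check_ups TEMP LIMIT STATEFILE: log every reading, notify only on
# transitions, and print the action taken so a caller can inspect it
check_ups() {
    action=$(alert_action "$1" "$2" "$3")
    printf '%s ITEMP=%s C\n' "$(date '+%F %T')" "$1" >> "$LOG"
    case "$action" in
        alert) notify "UPS temperature $1 C is over the $2 C limit" ;;
        clear) notify "UPS temperature $1 C is back under the $2 C limit" ;;
    esac
    echo "$action"
}

# Demo with constructed readings (real use: check_ups "$(./apctemp.sh c)" 35 "$STATE")
for reading in 27.5 36.2 37.0 30.0; do
    echo "reading $reading C -> $(check_ups "$reading" 35 "$STATE")"
done
rm -f "$STATE"
```

From cron this would run every few minutes with the Celsius reading from the script above as TEMP; because the state lives on disk, each cron run is independent and the mailbox gets one message per crossing rather than one per run.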

Until next time, Happy Scripting!
