php-general Digest 29 Jul 2011 15:45:45 -0000 Issue 7420

Topics (messages 314226 through 314247):

Re: Membership site
        314226 by: John Black
        314227 by: Alex Nikitin
        314228 by: John Black

Path question.
        314229 by: Paul Halliday
        314230 by: Nilesh Govindarajan
        314231 by: vikash.iitb.gmail.com
        314232 by: Dajka Tamas
        314233 by: Richard Quadling

I can't execute pf commands
        314234 by: Bulent Malik
        314235 by: Shawn McKenzie
        314236 by: Negin Nickparsa
        314237 by: Negin Nickparsa
        314238 by: Negin Nickparsa
        314240 by: Bulent Malik
        314241 by: Ashley Sheridan
        314242 by: Arthur Moczulski
        314243 by: Shawn McKenzie
        314244 by: Negin Nickparsa
        314245 by: Negin Nickparsa
        314246 by: Negin Nickparsa
        314247 by: Jim Lucas

PHP 5.3.7RC4 Released for Testing
        314239 by: Ilia Alshanetsky

Administrivia:

To subscribe to the digest, e-mail:
        [email protected]

To unsubscribe from the digest, e-mail:
        [email protected]

To post to the list, e-mail:
        [email protected]


----------------------------------------------------------------------
--- Begin Message ---
On 28.07.2011 11:13, John Black wrote:
This approach makes it impractical to bruteforce the hash because every
single test will have to run md5() 3000 times before it can validate a
single hash.
--
John

I am sorry, I made a mistake here, 3000 times is not enough for this.
The actual code for the md5 portion looks like this:

$this->hash_rounds['md5'] = 3000;
for ($x = 0; $x < $this->hash_rounds['md5']; ++$x) {
    // each round re-mixes the salt on both sides of the running hash
    $hash = md5($salt . md5($salt . $hash) . md5($hash . $salt));
}

--
John

--- End Message ---
--- Begin Message ---
Just as a word of caution to everyone on this list, the mcrypt version of
blowfish (which is implemented by php) (in linux) has an 8-bit bug in it, and
thus should not be used for hashing passwords even as a backup. Basically, if
you use a character such as, say, a British pound in your password, blowfish
with php will generate a wrong hash and allow for some extensive
collisions. For example, a hash for "ac" followed by a pound or euro or any
of those extended chars (that are present on European keyboards and such)
and a hash for just that char would be the same! If you want I can show you
with some demo code. But until it is fixed, don't use blowfish with php on linux,
at least if you can.
On Jul 28, 2011 5:14 AM, "John Black" <[email protected]> wrote:
> I would like to add some info about storing the password hash in the
> database.
>
> I recently tested how quickly one can brute force a simple md5('foo')
> hash with a modern GPU. The results have been truly eye opening....
> I have been able to break hundreds of hashes with my ATI 6870 in a
> couple of days. Even with passwords in the 8 char length range ... and
> even salted ones.
>
> The problem is that md5 is optimized for speed. Which is nice if you
> want to hash a file but it offers an attacker the option to brute force
> your password.
> The solution is to hash multiple times and if possible using a different
> hashing algorithm.
> http://php.net/crypt can help you here.
>
> I wrote a new password class for my own projects which will use crypt()
> with sha512, sha256, blowfish if available or fall back to a 3000 round
> md5().
> This approach makes it impractical to bruteforce the hash because every
> single test will have to run md5() 3000 times before it can validate a
> single hash.
> This also adds a delay to the login process but the hash is only checked
> once....
>
> The code is released under the BSD license so you may use it in a
> commercial application as well. The zip contains the class file and two
> sample pages demonstrating how to use the class.
>
> Here is a download link, let me know if you like it or have any questions.
>
> http://www.2shared.com/file/kocAJ2HO/class_password.html
> md5: 4ee41496a9d1bc147e5025699e2b764e class_password.zip
>
> --
> John
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>

--- End Message ---
--- Begin Message ---
On 28.07.2011 12:53, Alex Nikitin wrote:
Just as a word of caution to everyone on this list, the mcrypt version of
blowfish (which is implemented by php) (in linux) has an 8-bit bug in it, and
thus should not be used for hashing passwords even as a backup. Basically, if
you use a character such as, say, a British pound in your password, blowfish
with php will generate a wrong hash and allow for some extensive
collisions. For example, a hash for "ac" followed by a pound or euro or any
of those extended chars (that are present on European keyboards and such)
and a hash for just that char would be the same! If you want I can show you
with some demo code. But until it is fixed, don't use blowfish with php on linux,
at least if you can.

Very interesting, thanks for the heads up.
So if you use the class, change
  $this->hash_supported = 'sha256|sha512|blowfish|md5';
to
  $this->hash_supported = 'sha256|sha512|md5';
so blowfish cannot be used.

Problem:
Using salt: Vi4mT5vCge5SWQRH7onIlo
hash this: ac€
$2a$08$Vi4mT5vCge5SWQRH7onIleRMijSY4OVXS8.4diEKLENMF5Dd7HcjC
hash this: €
$2a$08$Vi4mT5vCge5SWQRH7onIleRMijSY4OVXS8.4diEKLENMF5Dd7HcjC

hash this: ac£
$2a$08$Vi4mT5vCge5SWQRH7onIle.3A9uIUxgFol/7HjY04C.oWQVa2nvw.
hash this: £
$2a$08$Vi4mT5vCge5SWQRH7onIle.3A9uIUxgFol/7HjY04C.oWQVa2nvw.

--- End Message ---
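The following is an added example, not John's class_password code and not code from the thread. It shows the crypt()-based approach John describes (SHA-512 with an explicit round count, verified by re-hashing against the stored string) together with the check a practitioner would want after Alex's warning: a self-test that two passwords sharing a non-ASCII character hash differently under the scheme in use. It assumes PHP 7.0 or later (random_int, hash_equals) and a crypt() that supports the "$6$" scheme; the function names are my own.

```php
<?php
// Added example, not code from John's class_password or from the thread.
// Assumes PHP 7.0+ (random_int, hash_equals) and a crypt() that supports the
// SHA-512 scheme ("$6$"). Function names are my own.

// Build a crypt() setting string for SHA-512 with an explicit round count.
// The salt alphabet crypt() accepts is [./0-9A-Za-z]; 16 characters is the maximum.
function sha512_setting(int $rounds = 50000): string
{
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = '';
    for ($i = 0; $i < 16; $i++) {
        $salt .= $alphabet[random_int(0, 63)];
    }
    return '$6$rounds=' . $rounds . '$' . $salt . '$';
}

// Hash a password for storage. crypt() reports failure with a short string
// such as "*0", so anything shorter than a real hash is treated as an error.
function hash_password(string $password, int $rounds = 50000): string
{
    $hash = crypt($password, sha512_setting($rounds));
    if (strlen($hash) < 60) {
        throw new RuntimeException('crypt() failed; SHA-512 scheme unavailable');
    }
    return $hash;
}

// Verify by re-hashing with the stored hash as the setting: crypt() reads the
// scheme, round count and salt from it. hash_equals() is a constant-time compare.
function verify_password(string $password, string $stored): bool
{
    return hash_equals($stored, crypt($password, $stored));
}

// Self-test for the collision Alex described: two different passwords that
// share a non-ASCII character must hash differently under the given setting.
// Use it to refuse a scheme on a build where crypt() mishandles high-bit input.
function high_bit_selftest(string $setting): bool
{
    $withPrefix = crypt("ac\xE2\x82\xAC", $setting); // "ac" followed by UTF-8 euro sign
    $charOnly   = crypt("\xE2\x82\xAC", $setting);   // the euro sign alone
    return strlen($withPrefix) >= 60 && !hash_equals($withPrefix, $charOnly);
}

$stored = hash_password('correct horse battery staple');
var_dump(verify_password('correct horse battery staple', $stored));
var_dump(verify_password('not the password', $stored));

// Check the scheme actually in use, plus bcrypt with the salt from the thread
// (the "$2y$" prefix is the corrected bcrypt variant added in PHP 5.3.7).
var_dump(high_bit_selftest(sha512_setting(1000)));
var_dump(high_bit_selftest('$2y$08$Vi4mT5vCge5SWQRH7onIlo'));
```

Running the self-test at deployment time, rather than trusting the scheme list, is what turns Alex's report into something a login system can act on: if high_bit_selftest() fails for a setting, drop that scheme from the supported list the way John does above.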
--- Begin Message ---
I have a few scripts that use "../location/file"

Is this interpreted differently on some systems?

Thanks.

-- 
Paul Halliday
http://www.squertproject.org/

--- End Message ---
--- Begin Message ---
On 07/28/2011 05:43 PM, Paul Halliday wrote:
> I have a few scripts that use "../location/file"
> 
> Is this interpreted differently on some systems?
> 
> Thanks.
> 

I have no idea about it, but I generally use realpath() to avoid any
such problems. Windows may, because it uses backslashes
instead of the forward slashes used in *nix (incl. Mac).

-- 
Regards,
Nilesh Govindarajan
@nileshgr on twitter/identica

--- End Message ---
--- Begin Message ---
On 28 July 2011 18:06, Nilesh Govindarajan <[email protected]> wrote:

> On 07/28/2011 05:43 PM, Paul Halliday wrote:
> > I have a few scripts that use "../location/file"
> >
> > Is this interpreted differently on some systems?
> >
> > Thanks.
> >
>

Use __DIR__ . "/../location/file", otherwise the files using this script cannot be
moved across folders.


>
> I have no idea about it, but I generally use realpath() to avoid any
> such problems. Windows may have, because it uses backward slashes
> instead of forward which are used in *nix (incl mac)
>
> --
> Regards,
> Nilesh Govindarajan
> @nileshgr on twitter/identica
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

--- End Message ---
--- Begin Message ---
Yes, it can be. There is a predefined variable DIRECTORY_SEPARATOR, which you
can use:

on index.php let's say
define('DS', DIRECTORY_SEPARATOR);
define('MY_APP_ROOT', dirname(realpath(__FILE__)));

define('LIB_DIR', MY_APP_ROOT.DS."..".DS."location".DS."file");

Cheers,

        Tamas

-----Original Message-----
From: Paul Halliday [mailto:[email protected]] 
Sent: Thursday, July 28, 2011 2:14 PM
To: PHP-General
Subject: [PHP] Path question.

I have a few scripts that use "../location/file"

Is this interpreted differently on some systems?

Thanks.

-- 
Paul Halliday
http://www.squertproject.org/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



--- End Message ---
--- Begin Message ---
On 28 July 2011 13:36, Nilesh Govindarajan <[email protected]> wrote:
> On 07/28/2011 05:43 PM, Paul Halliday wrote:
>> I have a few scripts that use "../location/file"
>>
>> Is this interpreted differently on some systems?
>>
>> Thanks.
>>
>
> I have no idea about it, but I generally use realpath() to avoid any
> such problems. Windows may have, because it uses backward slashes
> instead of forward which are used in *nix (incl mac)

For PHP on Windows, the / is fine. Obviously, if you are going to be
calling OS based tools from PHP, you'll need to realpath() or use \\
or DIRECTORY_SEPARATOR.


-- 
Richard Quadling
Twitter : EE : Zend : PHPDoc
@RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY : bit.ly/lFnVea

--- End Message ---
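The following is an added example, not code from any of the replies. It combines what the thread converges on, anchoring on __DIR__, joining with DIRECTORY_SEPARATOR and canonicalizing with realpath(), and adds the check a practitioner wants alongside it: that the resolved path still lies inside the intended base directory. It assumes PHP 7.1 or later (nullable return type); resolve_under() is my own name.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.1+; resolve_under()
// is my own name.

// Resolve $relative against $base and return the canonical path, or null if
// the target does not exist or ends up outside $base.
function resolve_under(string $base, string $relative): ?string
{
    $baseReal = realpath($base);           // false if $base does not exist
    if ($baseReal === false) {
        return null;
    }
    // PHP accepts "/" on Windows too, so this join is portable either way;
    // DIRECTORY_SEPARATOR matters mainly when the path is handed to OS tools.
    $target = realpath($baseReal . DIRECTORY_SEPARATOR . $relative);
    if ($target === false) {
        return null;                       // missing file or unreadable component
    }
    // realpath() has already collapsed every ".." and symlink, so a plain
    // prefix check tells whether the result still lies inside $base.
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($target !== $baseReal && strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Anchor on __DIR__ (the directory of this file), never on the working
// directory, which depends on how the script was started (web server, cron,
// CLI from another folder). Note the explicit separator after __DIR__.
$appRoot = __DIR__ . DIRECTORY_SEPARATOR . '..';

var_dump(resolve_under($appRoot, 'location' . DIRECTORY_SEPARATOR . 'file'));
var_dump(resolve_under($appRoot, 'location/../../outside/file')); // climbs above $appRoot
```

The first call returns the canonical path of ../location/file relative to the script (or null if it does not exist); the second returns null because, once realpath() has resolved the ".." segments, the result no longer starts with the base directory. Doing the prefix check on the canonical form rather than on the raw string is what makes it reliable across separators and symlinks.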
--- Begin Message ---
Hi

I use PHP 5.3 on FreeBSD.

I also use pf (packet filter) on it.

I need to execute pfctl in a PHP script, but I couldn't execute it. I don't get
any errors about that.

Shell commands are allowed in php.ini.

My script is below,


 shell_exec('pfctl -s nat');

exec('pfctl -s nat');


If I execute another command like this, it works:

shell_exec('ls -l /var/tmp');

What can the problem be?



--- End Message ---
--- Begin Message ---
On 07/28/2011 11:09 AM, Bulent Malik wrote:
> Hi
> 
> I use php5.3 on freebsd
> 
> I also use pf ( packet filter) on it.
> 
> I need to execute pfctl in a PHP script, but I couldn't execute it. I don't get
> any errors about that.
> 
> Shell commands are allowed in php.ini.
> 
> My script is below,
> 
> 
>  shell_exec('pfctl -s nat');
> 
> exec('pfctl -s nat');
> 
> 
> If I execute another command like this ; it works
> 
> shell_exec('ls -l /var/tmp') ;
> 
> What can the problem be ? 
> 
> 

pfctl probably requires root privileges, so you can either set the suid
on it or I would set it up in sudoers to allow the apache user to
execute it without a password.

-- 
Thanks!
-Shawn
http://www.spidean.com

--- End Message ---
--- Begin Message ---
Did you try it in the shell, or did you just try it in PHP?

--- End Message ---
--- Begin Message ---
If you want to execute shell commands as root, there's another solution too.

Try this:

shell_exec('sudo -u root ls -l /var/tmp')

But the solution of Shawn is better, then it will not be needed to set it again
in other commands.

--- End Message ---
--- Begin Message ---
Also, with gcc you can code it and run gcc in the shell.

I like this one:

setfacl -m u:wwwrun:rw the path that you would like

For permissions, you can set it for the folders you have, then run this
compiler; it will make an executable file, and you can give a name to it with -o.
'r' and 'w' are for read and write; also you can have 'x' for execute
permission.

Now you can use this executable file on any new computer: just run it and it
will make the permissions.

I don't know if in your OS you have wwwrun or not; I have it in SUSE.

"wwwrun is used for doing things permission-wise but Apache doesn't need
to "login" with it. Again, this keeps it safe from attackers."

--- End Message ---
--- Begin Message ---
 


 
>> did you try it in shell? or just You tried it in PHP?

Yeah, I tried it in the shell and it works there. Also if I execute it from the
command line, it works:

php test.php

But when I try it on www (Internet Explorer, Firefox, Chrome ...) it
doesn't work.
--- End Message ---
--- Begin Message ---

Bulent Malik <[email protected]> wrote:

>
>
>
>
> >> did you try it in shell? or just You tried it in PHP?
>
>Yeah, I tried it on shell and it works on it. Also if I execute it as
>command line, it works  ;
>
>php test.php
>
>But when I try it on www ( internet explorer, firefox, chrome ..)  it
>doesn't work.
>
>

Sounds like it might need you to specify the full paths to the commands/apps
you're using in the shell call. Your user might have the right path environment
variable specified, but it's unlikely the Apache user will have. This user is
usually called something like apache or www2.

Thanks,
Ash
http://www.ashleysheridan.co.uk
--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.

--- End Message ---
--- Begin Message ---
The answer to your problem is in your pop Apache module configuration. I would
suggest looking at how different your CLI php.ini file is in comparison to your
Apache PHP module php.ini file.

Also, I would not follow the suggestion of adding the Apache user to sudoers.
It's quite a high-risk move security-wise.

Arthur Moczulski
On 28 Jul 2011 19:16, "Bulent Malik" <[email protected]> wrote:
>
>
>
>
> >> did you try it in shell? or just You tried it in PHP?
>
> Yeah, I tried it on shell and it works on it. Also if I execute it as
> command line, it works ;
>
> php test.php
>
> But when I try it on www ( internet explorer, firefox, chrome ..) it
> doesn't work.
>
>

--- End Message ---
--- Begin Message ---
On 07/28/2011 01:22 PM, Arthur Moczulski wrote:
> Answer to your problem is in your pop Apache module configuration. I would
> suggest to look how different your cli php.ini file is in comparison to your
> Apache php module php.ini file

No

> Also I would not follow the suggestion of adding Apache user to sudoers.
> It's quite high risk move in security-wise

Good luck getting it to work another way.


-- 
Thanks!
-Shawn
http://www.spidean.com

--- End Message ---
--- Begin Message ---
Arthur would you please explain it in more details?

--- End Message ---
--- Begin Message ---
Bulent, clear private data or cookies; maybe your browser stores something and
can't act. For this, clear them, then try and tell us the result.

2011/7/28 Bulent Malik <[email protected]>

>
>
>
>   >> did you try it in shell? or just You tried it in PHP?
>
> Yeah, I tried it on shell and it works on it. Also if I execute it as
> command line, it works  ;
>
> php test.php
>
> But when I try it on www ( internet explorer, firefox, chrome ..)  it
> doesn't work.
>
>
>

--- End Message ---
--- Begin Message ---
Another point: I think you tried it in the shell as root, but in the browser it
can't execute it as root. Again, I agree with Shawn, it is from permissions.

Try the command that I told you, I mean edit the command and then run it in
the browser.

--- End Message ---
--- Begin Message ---
On 7/28/2011 9:09 AM, Bulent Malik wrote:
> Hi
> 
> I use php5.3 on freebsd
> 
> I also use pf ( packet filter) on it.
> 
> I need to execute pfctl in a PHP script, but I couldn't execute it. I don't get
> any errors about that.
> 
> Shell commands are allowed in php.ini.
> 
> My script is below,
> 
> 
>  shell_exec('pfctl -s nat');
> 
> exec('pfctl -s nat');
> 
> 
> If I execute another command like this ; it works
> 
> shell_exec('ls -l /var/tmp') ;
> 
> What can the problem be ? 

Run the following command from your CLI:

which pfctl

If the results show, like mine does, that pfctl is in /sbin/pfctl then you will
not be able to run that command. Your www doesn't have the /sbin/ folders in
its path.

Try this instead.

shell_exec('which pfctl');

If you get results, you should be able to execute it.

But, on the flip side, it re-writes /etc/pf.conf and on my box its permissions
are "-rw-------". So, you can assume that nobody besides root will be able to
write to this file.

Now, if you go the route Shawn talked about, it will work. Just be sure to
limit the sudoers to only allow the pfctl command and not allow all commands
on your system.

Jim

--- End Message ---
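The following is an added example, not code from the thread. It runs an external command the way the replies recommend (absolute path as Ashley and Jim point out, stderr captured, exit status checked) so that a permission failure is logged instead of producing the silent empty result Bulent describes. The binary path, the www user name and the sudoers line are assumptions for a FreeBSD box where `which pfctl` prints /sbin/pfctl, as in Jim's reply; run_command() is my own name.

```php
<?php
// Added example, not code from the thread. run_command() is my own name; the
// binary path, the user name and the sudoers line are assumptions for a
// FreeBSD box where `which pfctl` prints /sbin/pfctl.

// Run an external program with its absolute path, shell-quoted arguments,
// stderr merged into the output, and the exit status checked.
function run_command(string $binary, array $args): array
{
    // The web server's PATH normally lacks /sbin and /usr/sbin, which is why
    // a bare "pfctl" works from the CLI and silently fails from the browser.
    if (!is_executable($binary)) {
        return ['ok' => false, 'status' => -1,
                'output' => "$binary is missing or not executable by this user"];
    }
    $cmd = escapeshellcmd($binary);
    foreach ($args as $arg) {
        $cmd .= ' ' . escapeshellarg($arg); // never splice request data in unquoted
    }
    // shell_exec()/exec() only return stdout; without "2>&1" a permission error
    // printed on stderr never reaches the PHP script, which matches "I don't get
    // any errors" in the original question.
    exec($cmd . ' 2>&1', $lines, $status);
    return ['ok' => $status === 0, 'status' => $status, 'output' => implode("\n", $lines)];
}

$result = run_command('/sbin/pfctl', ['-s', 'nat']);
if (!$result['ok']) {
    // Log the real reason instead of showing an empty page. On FreeBSD the
    // usual one is that the web server user may not open /dev/pf; the thread's
    // answer is a sudoers entry limited to this single command line, e.g.
    //   www ALL=(root) NOPASSWD: /sbin/pfctl -s nat
    // and then calling run_command('/usr/local/bin/sudo', ['/sbin/pfctl', '-s', 'nat']).
    error_log('pfctl failed with status ' . $result['status'] . ': ' . $result['output']);
}
echo $result['output'], "\n";
```

Two points follow from Jim's and Arthur's replies: the sudoers rule names the exact command line, so the web server user gains nothing beyond `pfctl -s nat`, and because the arguments are passed through escapeshellarg(), nothing taken from a request can alter that command line even if the script is later changed to build it from user input.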
--- Begin Message ---
The fourth and hopefully final release candidate of 5.3.7 was just
released for testing and can be downloaded here:

https://downloads.php.net/ilia/php-5.3.7RC4.tar.bz2 (md5sum:
143ae4c3c5df93e2a9efae532cb51790)
https://downloads.php.net/ilia/php-5.3.7RC4.tar.gz (md5sum:
8543604a0f171424c73ccaff5061f7ba)

The Windows binaries are available at: http://windows.php.net/qa/

There were a few important fixes made since RC3 and this new RC is
designed to validate that these fixes have not introduced any
regressions. The intent is that this is the final release candidate
before the final release, which if all goes well will follow in 2 weeks.
PHP 5.3.7 is focused on improving stability and security. To ensure that
the release is solid, please test this RC against your code base and
report any problems that you encounter.

To find out what was changed since the last release please refer to
the NEWS file found within the archive or on
http://svn.php.net/viewvc/php/php-src/tags/php_5_3_7RC4/NEWS?revision=HEAD&view=markup

Windows users please mind that we don't provide VS6 builds anymore
since PHP 5.3.6.

Ilia Alshanetsky

--- End Message ---
