Re: register_globals in php4

2002-05-09 Thread Patrick Hsieh

Hello Christian G. Warden [EMAIL PROTECTED],

Yes. But when a user types a URL like login.php?id=fakeid,
then $HTTP_GET_VARS['id'] and $_GET['id'] will also get fakeid, right?
How do I avoid users affecting the system by changing the variable
values in the URL directly? If not, is there any way to protect myself
from a malicious URL injection attack?





On Thu, 9 May 2002 09:51:02 -0700
Christian G. Warden [EMAIL PROTECTED] wrote:

 one of the php lists is probably a better forum for this question, but
 in short, register_globals=off means that if you want to use the id
 variable passed in the query string by the browser, you would access it as
 $HTTP_GET_VARS['id'], or $_GET['id'] in 4.1+, rather than $id.  more info
 at http://www.php.net/manual/en/language.variables.predefined.php
 
 xn
 
 On Fri, May 10, 2002 at 12:09:22AM +0800, Patrick Hsieh wrote:
  Hello list,
  
  php4.1 recommends setting register_globals=off in php.ini to make php
  more strict.  My question is, if I turn off register_globals, what will
  happen if any malicious user just tries to modify the variable values in
  the url? Say,
  
  http://www.domain.com/xxx.php?id=3&sex=female
  
  Does it work if a user just changes the value in the URL directly and sends
  the url directly to the web server?
  
  How can we avoid a malicious attack by direct http GET/POST with
  modified parameter values that could cause a system error or compromise?
  
  
  -- 
  Patrick Hsieh [EMAIL PROTECTED]
  GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg
  
  
  -- 
  To UNSUBSCRIBE, email to [EMAIL PROTECTED]
  with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
 
 

-- 
Patrick Hsieh [EMAIL PROTECTED]
GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg






Re: register_globals in php4

2002-05-09 Thread Simon Huggins

On Fri, May 10, 2002 at 01:11:41AM +0800, Patrick Hsieh wrote:
 Yes. But when a user types a URL like login.php?id=fakeid,
 then $HTTP_GET_VARS['id'] and $_GET['id'] will also get fakeid, right?
 How do I avoid users affecting the system by changing the variable
 values in the URL directly? If not, is there any way to protect myself
 from a malicious URL injection attack?

You don't avoid that.  You can't avoid it.  register_globals didn't
avoid it either and if you rely on such behaviour then your application
is clearly very broken.

You should always check the data supplied to your CGI *very* carefully
for just this reason.

See for instance (randomly picked from google):
http://www-genome.wi.mit.edu/WWW/faqs/wwwsf4.html

-- 
Simon  [ [EMAIL PROTECTED] ] *\  JarJar Binks^W^WSupport for  \**
** ]-+-+-+-+-+-+-+-+-[ **\   CRLF-LF translation in the kernel  \*
** [  Htag.pl 0.0.19 ] ***\   must die. - Alexander Viro  \






Re: register_globals in php4

2002-05-09 Thread Christian G. Warden

you must write your application safely.  it sounds like you're trying to
prevent a user from changing their userid.  after they log in, you could
create a session variable with their userid and only use that session
variable.  i still use register_globals=on with my code, but i have the
following code that gets included on every page:
session_start();  /* the session has to be started before session_is_registered() can see it */
if(!session_is_registered('userid')) {
unset($userid);
}
and in my login function, after username and password are verified, i
put the userid in $userid and session_register('userid');
this allows me to always trust that $userid matches the userid of the
authenticated user.
here's an article on secure programming in php:
http://www.zend.com/zend/art/art-oertli.php

xn

On Fri, May 10, 2002 at 01:11:41AM +0800, Patrick Hsieh wrote:
 Hello Christian G. Warden [EMAIL PROTECTED],
 
 Yes. But when a user types a URL like login.php?id=fakeid,
 then $HTTP_GET_VARS['id'] and $_GET['id'] will also get fakeid, right?
 How do I avoid users affecting the system by changing the variable
 values in the URL directly? If not, is there any way to protect myself
 from a malicious URL injection attack?
 
 
 
 
 
 On Thu, 9 May 2002 09:51:02 -0700
 Christian G. Warden [EMAIL PROTECTED] wrote:
 
  one of the php lists is probably a better forum for this question, but
  in short, register_globals=off means that if you want to use the id
  variable passed in the query string by the browser, you would access it as
  $HTTP_GET_VARS['id'], or $_GET['id'] in 4.1+, rather than $id.  more info
  at http://www.php.net/manual/en/language.variables.predefined.php
  
  xn
  
  On Fri, May 10, 2002 at 12:09:22AM +0800, Patrick Hsieh wrote:
   Hello list,
   
   php4.1 recommends setting register_globals=off in php.ini to make php
   more strict.  My question is, if I turn off register_globals, what will
   happen if any malicious user just tries to modify the variable values in
   the url? Say,
   
   http://www.domain.com/xxx.php?id=3&sex=female
   
   Does it work if a user just changes the value in the URL directly and sends
   the url directly to the web server?
   
   How can we avoid a malicious attack by direct http GET/POST with
   modified parameter values that could cause a system error or compromise?
   
   
   -- 
   Patrick Hsieh [EMAIL PROTECTED]
   GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg
   
   
  
  
 
 -- 
 Patrick Hsieh [EMAIL PROTECTED]
 GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg


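Both answers in this thread come down to one rule: the page, not the browser, decides who the user is, and everything the browser does send is checked before it is used. The following is an added example, not code from the thread or from any of its authors; it is in Python rather than PHP because the pattern is language-independent. The two URLs from the thread are the inputs; Session, LOGINS, ALLOWED, login(), validate() and profile_view() are names assumed for the illustration, and the credential table is constructed.

```python
"""Identity from the session, everything else allowlisted.

Added example, not code from the thread; Python instead of PHP because
the pattern is language-independent.  Session, LOGINS, ALLOWED, login(),
validate() and profile_view() are hypothetical names; the URLs used at
the bottom are the two from the thread.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed credential table: username -> (password, numeric userid).
LOGINS = {"patrick": ("correct horse", 3), "xn": ("battery staple", 7)}

# Per-parameter allowlist.  'id' is deliberately absent: the page never
# takes identity from the query string, so an id= in the URL is tampering.
ALLOWED = {"sex": {"female", "male"}}


@dataclass
class Session:
    """Server-side state; the browser only holds an opaque session cookie."""
    userid: Optional[int] = None


def login(session: Session, username: str, password: str) -> bool:
    """The only code path that may set session.userid (the equivalent of
    Christian's session_register('userid') after the password check)."""
    creds = LOGINS.get(username)
    if creds is None or creds[0] != password:
        session.userid = None
        return False
    session.userid = creds[1]
    return True


def validate(query: str) -> Dict[str, str]:
    """Allowlist every query parameter by name and value.  Unknown names,
    repeated names and values outside the allowlist raise ValueError."""
    if not query:
        return {}
    raw = parse_qs(query, keep_blank_values=True, strict_parsing=True)
    clean = {}
    for name, values in raw.items():
        if name not in ALLOWED:
            raise ValueError("unexpected parameter %r" % name)
        if len(values) != 1 or values[0] not in ALLOWED[name]:
            raise ValueError("bad value for %r" % name)
        clean[name] = values[0]
    return clean


def profile_view_insecure(url: str) -> Optional[str]:
    """The pattern the thread warns about, register_globals on or off:
    whatever id the client put in the URL is the id the page acts on."""
    return parse_qs(urlsplit(url).query).get("id", [None])[0]


def profile_view(session: Session, url: str) -> Tuple[int, Dict[str, str]]:
    """Hardened handler: userid from the session, every other parameter
    checked against ALLOWED.  Returns (userid, validated parameters)."""
    if session.userid is None:
        raise PermissionError("not logged in")
    return session.userid, validate(urlsplit(url).query)


if __name__ == "__main__":
    s = Session()
    login(s, "patrick", "correct horse")
    print(profile_view_insecure("http://www.domain.com/login.php?id=fakeid"))
    print(profile_view(s, "http://www.domain.com/xxx.php?sex=female"))
    try:
        profile_view(s, "http://www.domain.com/xxx.php?id=3&sex=female")
    except ValueError as err:
        print("rejected:", err)
```

profile_view() rejects an `id` parameter instead of silently ignoring it: a page that never reads `id` has no reason to accept one, and a rejected request is the one you want to see in the logs. With register_globals on the same check still has to run, because `$id` springs into existence the moment the URL carries `id=`.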




Try with it....

2002-05-09 Thread Raul Saez

Try this... it only shows the status of the PIDs that do not show a command.


cd /proc   # the pid directories are relative to /proc; the space after $n keeps the pid in awk's $2
for i in `for n in [0-9]* ; do echo -n "pid: $n " ; tr '\0' ' ' < $n/cmdline;
echo; done|awk '{if($3!~/[a-zA-Z]/){print $2}}'`; do cat $i/status;
echo; done|more

-- 
Raúl Sáez
Marlborough Stirling
Gran Vía 62, 10º izq
28013 Madrid
tel: +34-91-5487910
fax: +34-91-5400199
email: [EMAIL PROTECTED]
www.puntoseguro.com



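The one-liner above as an added example in Python (not code from the thread): it applies the same test, "the first word of /proc/<pid>/cmdline contains no letter", to every numeric entry under a /proc root passed in as a parameter, so it can be pointed at a copied or constructed tree as well as at the live /proc, and for each hit it parses /proc/<pid>/status into a dict. commandless(), read_cmdline() and read_status() are names assumed for the illustration.

```python
"""List the processes whose /proc/<pid>/cmdline shows no command.

Added example, not code from the thread.  It applies the one-liner's test
(the first word of cmdline contains no letter) to every numeric entry under
a /proc root given as a parameter, so it can be pointed at a copied or
constructed tree as well as at the live /proc.  commandless(), read_cmdline()
and read_status() are hypothetical names.
"""
import os
import re
from typing import Dict, List, Tuple

HAS_LETTER = re.compile(r"[a-zA-Z]")


def read_cmdline(procroot: str, pid: str) -> List[str]:
    """cmdline is NUL-separated argv; return it as a list, [] if empty or
    if the process disappeared between listing and reading."""
    try:
        with open(os.path.join(procroot, pid, "cmdline"), "rb") as f:
            raw = f.read()
    except OSError:
        return []
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]


def read_status(procroot: str, pid: str) -> Dict[str, str]:
    """Parse the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields: Dict[str, str] = {}
    try:
        with open(os.path.join(procroot, pid, "status"), "r", errors="replace") as f:
            for line in f:
                key, sep, value = line.partition(":")
                if sep:
                    fields[key.strip()] = value.strip()
    except OSError:
        pass
    return fields


def commandless(procroot: str = "/proc") -> List[Tuple[int, Dict[str, str]]]:
    """(pid, status) for every process whose first cmdline word has no
    letter in it, which is the awk test in the one-liner.  Kernel threads
    and zombies match legitimately; a live user-space process that matches
    is the one to look at.  Sorted by pid."""
    hits = []
    for entry in os.listdir(procroot):
        if not entry.isdigit():
            continue                      # self, sys, net, ... are not pids
        argv = read_cmdline(procroot, entry)
        first = argv[0] if argv else ""
        if HAS_LETTER.search(first):
            continue
        hits.append((int(entry), read_status(procroot, entry)))
    return sorted(hits, key=lambda hit: hit[0])


if __name__ == "__main__":
    for pid, st in commandless():
        print(pid, st.get("Name", "?"), st.get("State", "?"), "ppid", st.get("PPid", "?"))
```

Run as-is it walks the live /proc; the Name and State fields from status tell kernel threads (no cmdline, State S) and zombies (State Z) apart from anything stranger.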




GPG subkeys and keyservers

2002-05-09 Thread Chris Flipse


My gpg encryption subkey expired recently; I created a new subkey; it's
signed, expires in a few months, etc.  The key imports fine when I pull
it in from the ascii armored export version ... but exporting it to the
keyserver via --send-key fails miserably.  I get a report of success,
but when I --recv-key, I don't get the new subkey.



(below:  my public/private keypair resides on meteu.  fury is another 
host, which does not have either key.)



  meteu:~ 2% gpg --send-key flip  
  gpg: success sending to `wwwkeys.us.pgp.net' (status=200)
  meteu:~ 3% gpg --export -a flip > /var/www/public.asc
  meteu:~ 4% gpg --list-key flip
  pub  1024D/17984F07 2001-10-06 Chris Flipse [EMAIL PROTECTED]
  uid                            Chris Flipse [EMAIL PROTECTED]
  uid                            Chris Flipse [EMAIL PROTECTED]
  sub  1024g/B03178DE 2001-10-06 [expires: 2002-04-04]
  sub  1024g/BCA91458 2002-05-09 [expires: 2002-11-05]
  
  pub  1024D/17984F07 2001-10-06 Chris Flipse [EMAIL PROTECTED]
  uid                            Chris Flipse [EMAIL PROTECTED]
  uid                            Chris Flipse [EMAIL PROTECTED]
  sub  1024g/B03178DE 2001-10-06 [expires: 2002-04-04]
  sub  1024g/BCA91458 2002-05-09 [expires: 2002-11-05]
  
  meteu:~ 5% 



New subkey exists, supposedly got exported to wwwkeys.us.pgp.net
alright.  However.


  fury:~ 40% gpg --list-key flip
  gpg: Warning: using insecure memory!
  gpg: error reading key: public key not found
  fury:~ 41% wget http://meteu.octoraro.org/public.asc
  --11:46:10--  http://meteu.octoraro.org/public.asc
  => `public.asc'
  Connecting to meteu.octoraro.org:80... connected!
  HTTP request sent, awaiting response... 200 OK
  Length: 2,265 [text/plain]
  
  0K ..  100% @  44.24 KB/s
  
  11:46:10 (44.24 KB/s) - `public.asc' saved [2265/2265]
  
  fury:~ 42% gpg --import public.asc
  gpg: Warning: using insecure memory!
  gpg: key 17984F07: public key imported
  gpg: Total number processed: 1
  gpg:   imported: 1

  fury:~ 43% gpg --list-key flip
  gpg: Warning: using insecure memory!
  pub  1024D/17984F07 2001-10-06 Chris Flipse [EMAIL PROTECTED]
  uid                            Chris Flipse [EMAIL PROTECTED]
  uid                            Chris Flipse [EMAIL PROTECTED]
  sub  1024g/B03178DE 2001-10-06 [expires: 2002-04-04]
  sub  1024g/BCA91458 2002-05-09 [expires: 2002-11-05]
  
  fury:~ 44% 



Key is imported just fine from the ascii armored export.  No problems.



  fury:~ 44% gpg --delete-key flip
  gpg: Warning: using insecure memory!
  pub  1024D/17984F07 2001-10-06   Chris Flipse [EMAIL PROTECTED]
  
  Delete this key from the keyring? yes
  fury:~ 45% gpg --list-key flip   
  gpg: Warning: using insecure memory!
  gpg: error reading key: public key not found
  
  fury:~ 46% gpg --recv-key 17984F07
  gpg: Warning: using insecure memory!
  gpg: requesting key 17984F07 from wwwkeys.us.pgp.net ...
  gpg: key 17984F07: public key imported
  gpg: Total number processed: 1
  gpg:   imported: 1
  
  fury:~ 47% gpg --list-key flip
  gpg: Warning: using insecure memory!
  pub  1024D/17984F07 2001-10-06 Chris Flipse [EMAIL PROTECTED]
  uid                            Chris Flipse [EMAIL PROTECTED]
  uid                            Chris Flipse [EMAIL PROTECTED]
  sub  1024g/B03178DE 2001-10-06 [expires: 2002-04-04]
  
  fury:~ 48% 



Apparently, the version of the key up on the PGP server doesn't have the
new subkey.  So, what am I missing?

-- 
//[pgp] 1024D/17984F07  [http] meteu.octoraro.org
Nice, selfless people don't restore my faith in humanity -- they restore
my faith in randomness.





Re: GPG subkeys and keyservers

2002-05-09 Thread Henrique de Moraes Holschuh

On Thu, 09 May 2002, Chris Flipse wrote:
 My gpg encryption subkey expired recently; I created a new subkey; it's
 signed, expires in a few months, etc.  The key imports fine when I pull
 it in from the ascii armored export version ... but exporting it to the
 keyserver via --send-key fails miserably.  I get a report of success,
 but when I --recv-key, I don't get the new subkey.

Known bug. The non-free stuff at keyserver.net seems to handle it, but the
good old DFSG-free wwwkeys.*.pgp.net doesn't, and corrupts the key.

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh


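A check for the keyserver problem described in the two messages above, as an added example (not code from the thread): compare the colon-format listing of your own copy of the key with the listing of the copy the keyserver hands back, and report every subkey the keyserver lost. The two listings embedded in the block are constructed to mirror the thread (primary 17984F07, subkeys B03178DE and BCA91458, the second one missing from the keyserver copy); the long key ids and the uid hash are made up. For real input, run `gpg --list-keys --with-colons 17984F07` against your keyring, then `--recv-key` into a scratch keyring with `--no-default-keyring --keyring /tmp/check.gpg` and list that one the same way.

```python
"""Did the keyserver keep all my subkeys?

Added example, not code from the thread.  Input is the output of
  gpg --list-keys --with-colons <keyid>
taken once from your own keyring and once from a scratch keyring that you
imported the keyserver's copy into, e.g.
  gpg --no-default-keyring --keyring /tmp/check.gpg --recv-key 17984F07
  gpg --no-default-keyring --keyring /tmp/check.gpg --list-keys --with-colons 17984F07
LOCAL and REMOTE below are constructed samples mirroring the thread: the
keyserver copy lacks subkey BCA91458.  Long key ids and the uid hash are
made up.  parse_colons() and missing_subkeys() are hypothetical names.
"""
from typing import Dict, List, Set

LOCAL = """\
tru::1:1020000000:0:3:1:5
pub:u:1024:17:A1B2C3D417984F07:2001-10-06:::u:::scESC:
uid:u::::2001-10-06::0123456789ABCDEF0123456789ABCDEF01234567::Chris Flipse:
sub:e:1024:16:E5F6A7B8B03178DE:2001-10-06:2002-04-04:::::e:
sub:u:1024:16:C9D0E1F2BCA91458:2002-05-09:2002-11-05:::::e:
"""

REMOTE = """\
pub:-:1024:17:A1B2C3D417984F07:2001-10-06:::-:::scESC:
uid:-::::2001-10-06::0123456789ABCDEF0123456789ABCDEF01234567::Chris Flipse:
sub:e:1024:16:E5F6A7B8B03178DE:2001-10-06:2002-04-04:::::e:
"""


def parse_colons(listing: str) -> Dict[str, List[Dict[str, str]]]:
    """Group sub records under their pub record's key id.  Colon fields
    (0-based): 0 type, 2 bits, 3 algo, 4 key id, 5 created, 6 expires."""
    keys: Dict[str, List[Dict[str, str]]] = {}
    current = None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = f[4]
            keys[current] = []
        elif f[0] == "sub" and current is not None:
            keys[current].append({"keyid": f[4], "bits": f[2], "algo": f[3],
                                  "created": f[5], "expires": f[6]})
    return keys


def missing_subkeys(local: str, remote: str) -> Dict[str, Set[str]]:
    """For each primary key, the subkey ids present locally but absent from
    the keyserver's copy.  An empty dict means the upload round-tripped."""
    mine, theirs = parse_colons(local), parse_colons(remote)
    gaps: Dict[str, Set[str]] = {}
    for primary, subs in mine.items():
        have = {s["keyid"] for s in theirs.get(primary, [])}
        lost = {s["keyid"] for s in subs} - have
        if lost:
            gaps[primary] = lost
    return gaps


if __name__ == "__main__":
    gaps = missing_subkeys(LOCAL, REMOTE)
    if not gaps:
        print("keyserver copy matches")
    for primary, lost in gaps.items():
        print("keyserver copy of %s lacks subkeys: %s"
              % (primary[-8:], ", ".join(k[-8:] for k in sorted(lost))))
```

The scratch keyring matters: importing the keyserver's copy into your normal keyring merges it with what you already have and hides exactly the loss you are trying to detect.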




Re: how to use -j DROPLOG in iptables?

2002-05-09 Thread Vineet Kumar

* Patrick Hsieh ([EMAIL PROTECTED]) [020508 20:24]:
 Hello,
 
 When I use -j DROPLOG in iptables, my woody complains:
 iptables v1.2.6a: Couldn't load target `DROPLOG':/lib/iptables/libipt_DROPLOG.so: 
cannot open shared object file: No such file or directory
 
 Try `iptables -h' or 'iptables --help' for more information.
 

I've never seen DROPLOG; it's some kind of extension, no? What I have
seen people do is something like this:

iptables -N logndrop
iptables -A logndrop -j LOG
iptables -A logndrop -j DROP

and then use -j logndrop wherever they want to log and drop a packet.

Personally, I don't find it too much trouble to specify 2 lines (a log
and a drop) each time I want to discard a packet. It gives me the added
benefit of specifying a separate --log-prefix for each place in my
filter that things are dropped.

good times,
Vineet
-- 
Currently seeking opportunities in the SF Bay Area
Please see http://www.doorstop.net/resume.shtml





Problems with wireless cards ...

2002-05-09 Thread Marcin Bednarz


Hello all.

I want to install a wireless card in my Linux box.
It is a PCMCIA card which is inserted into a PCI adapter.

=-=
I have two sets of cards:
2x Planet WL8300 PCI adapter + PCMCIA 3550
(((see www page: http://www.planet-taiwan.com/product/CATALOG/WireFree.htm )))

and

2x Avaya adapter + PCMCIA
(oops, I forgot the model - I have it at work - but this is probably not
important)
(((www page:
http://www.veracomp.pl/pokaz_ceny_test.php?f_szukaj=AVAYA&f_kategoria=c_producent&f_pokaz_rodzina[]=Avaya%20Wireless%20infrastruktura%20sieci%20wireless
)))

=-=

Which option is recommended to install this card (in the kernel config)?
What about secure connections?


Any experience or ideas?


Regards
Marcin Bednarz.







Re: possible hole in mozilla et al

2002-05-09 Thread Tim Uckun




 Coming from a corporate environment I hardly feel that stable is ancient.
 With most commercial operating systems the quality control seems so poor
 it takes a few years before we feel comfortable moving to a new release.
 But with Debian I can point to the unstable-testing-stable system and my
 boss understands that it has already gone through a 'teething' period
 before it's released.
 If Debian were to accelerate the path to stable too much stable would
 lose its value to us. (unless security fixes were released for older
 stable versions)


I am not arguing for any change in the policies for determining what is 
stable and what is not. My feeling is (and I admit I haven't done any 
studies) that stable gets delayed sometimes due to obscure packages having 
bugs or obscure platform specific bugs. It seems to me that most commonly 
used packages like apache, php, postgres etc have a pretty good track 
record and could be considered stable a few months after they are released.


Using the same criteria the debian folks use now you could have more
frequent updates if you simply selected a small set of carefully chosen
packages. Kind of a debian sub distro.



--
 Tim Uckun
  Mobile Intelligence Unit.
--
   There are some who call me TIM?
--





Re: how to use -j DROPLOG in iptables?

2002-05-09 Thread David Stanaway
On Wed, 2002-05-08 at 22:25, Patrick Hsieh wrote:
 Hello,
 
 When I use -j DROPLOG in iptables, my woody complains:
 iptables v1.2.6a: Couldn't load target 
 `DROPLOG':/lib/iptables/libipt_DROPLOG.so: cannot open shared object file: No 
 such file or directory
 
 Try `iptables -h' or 'iptables --help' for more information.

The Quick'n Dirty way.

iptables -N DROPLOG
iptables -A DROPLOG -j LOG
iptables -A DROPLOG -j DROP


You may want to consider:
iptables -N DROPLOG
iptables -A DROPLOG -j LOG
iptables -A DROPLOG -p tcp -j REJECT --reject-with tcp-reset
iptables -A DROPLOG -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A DROPLOG -j DROP   # catch-all for everything else (ICMP etc.); a udp-only DROP here would never be reached after the udp REJECT

--
David Stanaway




Re: possible hole in mozilla et al

2002-05-09 Thread David Stanaway
On Thu, 2002-05-09 at 01:22, Tim Uckun wrote:
 I am not arguing for any change in the policies for determining what is 
 stable and what is not. My feeling is (and I admit I haven't done any 
 studies) that stable gets delayed sometimes due to obscure packages having 
 bugs or obscure platform specific bugs. It seems to me that most commonly 
 used packages like apache, php, postgres etc have a pretty good track 
 record and could be considered stable a few months after they are released.
 
 Using the same criteria the debian folks use now you could have more
 frequent updates if you simply selected a small set of carefully chosen
 packages. Kind of a debian sub distro.


For those that need some of the new versions of packages (EG: Being
stuck with the `stable' version of postgresql would be silly if you used
it heavily) it is not that difficult to get around it by having a
deb-src line that points at testing.

apt-get build-dep apache
apt-get -b source apache

It is not going to work all the time. Sometimes the build depends have
to be built from testing as well... 

Having lots of different stable branches as suggested by someone else
would make the security team's job pretty difficult, and it is already hard
enough from what I gather.

On another note... I imagine that some of the security updates for
stable have caused some frustration to the security team, as the flaw is
sometimes something that has been fixed in a later version, and applying
that fix to the older (Read: Old version not maintained any more
upstream) version could be non-trivial and seem a little futile when
upgrading to a new version fixes the problem.

--
David Stanaway




RE: possible hole in mozilla et al

2002-05-09 Thread Jeff
 Coming from a corporate environment I hardly feel that stable is
ancient. 

Also coming from a corporate environment, and one specifically focused
on web technologies, I disagree. We have been forced to mix
stable/testing to get basic fixes in things like Apache. Another thing
that really irritates is that the commercial and non-commercial security
scanning tools throw lots of 'this version is insecure' false positives
which all have to be investigated and ticked once proof of patch has
been established, and we run such scanning frequently.

 But with Debian I can point to the unstable-testing-stable system and
my 
 boss understands that it has already gone through a 'teething' period 
 before it's released.

This is also one reason that we use Debian - though more important to us
is the improved security through fine-grained package control.

 If Debian were to accelerate the path to stable too much stable would
 lose its value to us. (unless security fixes were released for older
 stable versions)

The opposite is true of our company - stable lags so far behind now that
we have been forced to combine stable/testing/unstable - not only in
things like Apache, but even in basics like the use of netfilter
stateful firewalling in the 2.4 kernel series.


I agree with Tim Uckun's comments - we don't need bleeding edge, but we
also don't need
some-obscure-whizzo-package-on-104-obsolete-hardware-architectures.deb
holding up basic things like Apache, PHP, Perl, Mod_Perl, MySQL etc.

We would be over the moon to have a mini-stable that only contained core
packages, and that kept better pace with the real world.


-Original Message-
From: James Morgan [mailto:[EMAIL PROTECTED] 
Sent: 09 May 2002 01:30
To: debian-security@lists.debian.org
Subject: Re: possible hole in mozilla et al


At 15:38 2002-05-08 -0600, Tim Uckun wrote:
The situation right now is that for production you run an ancient
system 
or cross your fingers, hold your breath and run unstable.

Coming from a corporate environment I hardly feel that stable is
ancient. 
With most commercial operating systems the quality control seems so poor
it 
takes a few years before we feel comfortable moving to a new release.
But with Debian I can point to the unstable-testing-stable system and my

boss understands that it has already gone through a 'teething' period 
before it's released.
If Debian were to accelerate the path to stable too much stable would
lose its value to us. (unless security fixes were released for older stable
versions)










Re: tcp syn flood and /proc configuration

2002-05-09 Thread Peter Cordes
On Wed, May 08, 2002 at 01:45:32AM +0800, Patrick Hsieh wrote:
 Hello Vincent Hanquez [EMAIL PROTECTED],
 
 But this option seems to bring some side-effect. Is there any
 alternative?
 
 tcp_syncookies - BOOLEAN
 Only valid when the kernel was compiled with CONFIG_SYNCOOKIES
 Send out syncookies when the syn backlog queue of a socket
 overflows. This is to prevent against the common 'syn flood attack'
 Default: FALSE
 
 Note, that syncookies is fallback facility.
 It MUST NOT be used to help highly loaded servers to stand
 against legal connection rate. If you see synflood warnings
 in your logs, but investigation shows that they occur
 because of overload with legal connections, you should tune
 another parameters until this warning disappear.
 See: tcp_max_syn_backlog, tcp_synack_retries, tcp_abort_on_overflow.
 
 syncookies seriously violate TCP protocol, do not allow
 to use TCP extensions,

 TCP extensions work normally when you aren't being SYN flooded, IIRC.
  
 DJB is one of the co-designers of SYN cookies.  Read his explanation at
http://cr.yp.to/syncookies.html.

 can result in serious degradation
 of some services (f.e. SMTP relaying), visible not by you,
 but your clients and relays, contacting you. While you see
 synflood warnings in logs not being really flooded, your server
 is seriously misconfigured.

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , ns.ca)

The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces! -- Plautus, 200 BCE





Re: possible hole in mozilla et al

2002-05-09 Thread Javier Fernández-Sanguino Peña
On Wed, May 08, 2002 at 10:58:38PM +0200, Wichert Akkerman wrote:
 Previously Raymond Wood wrote:
 but I would really like to see either:
a) woody receiving security patches as soon as sid and potato;
  or
b) no woody.
 
 From a security viewpoint b) is the only option, and we have always said
 so. 

s/woody/testing/g

Otherwise that is not true.

Javi





Fixing file system privileges

2002-05-09 Thread Kovacs Istvan
Hi,

I screwed up file system privileges, issuing a chmod -R in the wrong (/
-- where else?) directory :-( Is there a way to fix this?

TIA,
Kofa

Homepage at http://emil.alarmix.org/kofa/  For PGP public key: send mail
with the subject PGP Public Key Request or finger [EMAIL PROTECTED]






RE: possible hole in mozilla et al

2002-05-09 Thread Tim Uckun




 I agree with Tim Uckun's comments - we don't need bleeding edge, but we
 also don't need
 some-obscure-whizzo-package-on-104-obsolete-hardware-architectures.deb
 holding up basic things like Apache, PHP, Perl, Mod_Perl, MySQL etc.
 
 We would be over the moon to have a mini-stable that only contained core
 packages, and that kept better pace with the real world.


I have given this more thought since I posted my comments and it occurs to
me that this is a business opportunity more than anything else. What is
needed is a distro based on debian, following the same rules of safety as
debian, using the same packages etc. Everything is the same except that
apt-sources points to a list which contains a smaller set of platform
specific packages. This list gets updated as often as possible while
staying with the safety requirements of debian.


As for us we decided to go with freebsd on some systems thinking it might 
offer security along with more frequently updated ports. So far I am not 
impressed with it. The ports are not as easy to use as apt, and ports are 
sometimes just plain old broken.  If anybody has an answer I'm all ears as 
long as the answer does not contain the words microsoft or red or hat.






register_globals in php4

2002-05-09 Thread Patrick Hsieh
Hello list,

php4.1 recommends setting register_globals=off in php.ini to make php
more strict.  My question is, if I turn off register_globals, what will
happen if any malicious user just tries to modify the variable values in
the url? Say,

http://www.domain.com/xxx.php?id=3&sex=female

Does it work if a user just changes the value in the URL directly and sends
the url directly to the web server?

How can we avoid a malicious attack by direct http GET/POST with
modified parameter values that could cause a system error or compromise?


-- 
Patrick Hsieh [EMAIL PROTECTED]
GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg





Re: register_globals in php4

2002-05-09 Thread Christian G. Warden
one of the php lists is probably a better forum for this question, but
in short, register_globals=off means that if you want to use the id
variable passed in the query string by the browser, you would access it as
$HTTP_GET_VARS['id'], or $_GET['id'] in 4.1+, rather than $id.  more info
at http://www.php.net/manual/en/language.variables.predefined.php

xn

On Fri, May 10, 2002 at 12:09:22AM +0800, Patrick Hsieh wrote:
 Hello list,
 
 php4.1 recommends setting register_globals=off in php.ini to make php
 more strict.  My question is, if I turn off register_globals, what will
 happen if any malicious user just tries to modify the variable values in
 the url? Say,
 
 http://www.domain.com/xxx.php?id=3&sex=female
 
 Does it work if a user just changes the value in the URL directly and sends
 the url directly to the web server?
 
 How can we avoid a malicious attack by direct http GET/POST with
 modified parameter values that could cause a system error or compromise?
 
 
 -- 
 Patrick Hsieh [EMAIL PROTECTED]
 GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg
 
 





Re: register_globals in php4

2002-05-09 Thread Patrick Hsieh
Hello Christian G. Warden [EMAIL PROTECTED],

Yes. But when a user type the url something like login.php?id=fakeid
Then $HTTP_GET_VARS['id'] and $_GET['id'] will also get fakeid, right?
How do I avoid users affecting the system by changing the variable
values in the URL directly? If not, is there any way to protect myself
from malicious url injection attack?





On Thu, 9 May 2002 09:51:02 -0700
Christian G. Warden [EMAIL PROTECTED] wrote:

 one of the php lists is probably a better forum for this question, but
 in short, register_globals=off means that if you want to use the id
 variable passed in the query string by the browser, you would access it as
 $HTTP_GET_VARS['id'], or $_GET['id'] in 4.1+, rather than $id.  more info
 at http://www.php.net/manual/en/language.variables.predefined.php
 
 xn
 
 On Fri, May 10, 2002 at 12:09:22AM +0800, Patrick Hsieh wrote:
  Hello list,
  
  php4.1 recommends to set register_globals=off in php.ini to make php
  more strict.  My question is, if I turn off register_globals, what will
  happen if any malicious user just try to modify the variable values in
  the url? Say,
  
  http://www.domain.com/xxx.php?id=3sex=female
  
  Does it work if user just change the value in the URL directly and send
  the url directly to web server?
  
  How can we avoid the malicious attack by directly http GET/POST with
  modified parameter values to make possible system error or compromise?
  
  
  -- 
  Patrick Hsieh [EMAIL PROTECTED]
  GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg
  
  
  -- 
  To UNSUBSCRIBE, email to [EMAIL PROTECTED]
  with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
 
 
 -- 
 To UNSUBSCRIBE, email to [EMAIL PROTECTED]
 with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

-- 
Patrick Hsieh [EMAIL PROTECTED]
GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: register_globals in php4

2002-05-09 Thread Simon Huggins
On Fri, May 10, 2002 at 01:11:41AM +0800, Patrick Hsieh wrote:
 Yes. But when a user type the url something like login.php?id=fakeid
 Then $HTTP_GET_VARS['id'] and $_GET['id'] will also get fakeid, right?
 How do I avoid users affecting the system by changing the variable
 values in the URL directly? If not, is there any way to protect myself
 from malicious url injection attack?

You don't avoid that.  You can't avoid it.  register_globals didn't
avoid it either and if you rely on such behvaiour then your application
is clearly very broken.

You should always check the data supplied to your CGI *very* carefully
for just this reason.

See for instance (randomly picked from google):
http://www-genome.wi.mit.edu/WWW/faqs/wwwsf4.html

-- 
Simon  [ [EMAIL PROTECTED] ] *\  JarJar Binks^W^WSupport for  \**
** ]-+-+-+-+-+-+-+-+-[ **\   CRLF-LF translation in the kernel  \*
** [  Htag.pl 0.0.19 ] ***\   must die. - Alexander Viro  \


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: register_globals in php4

2002-05-09 Thread Christian G. Warden
you must write your application safely.  it sounds like you're trying to
prevent a user from changing their userid.  after they log in, you could
create a session variable with their userid and only use that session
variable.  i still use register_globals=on with my code, but i have the
following code that gets included on every page:
if(!session_is_registered('userid') {
unset($userid);
}
and in my login function, after username and password are verified, i
put the userid in $userid and session_register('userid');
this allows me to always trust that $userid matches the userid of the
authenticated user.
here's an article on secure programming in php:
http://www.zend.com/zend/art/art-oertli.php

xn

On Fri, May 10, 2002 at 01:11:41AM +0800, Patrick Hsieh wrote:
 Hello Christian G. Warden [EMAIL PROTECTED],
 
 Yes. But when a user type the url something like login.php?id=fakeid
 Then $HTTP_GET_VARS['id'] and $_GET['id'] will also get fakeid, right?
 How do I avoid users affecting the system by changing the variable
 values in the URL directly? If not, is there any way to protect myself
 from malicious url injection attack?
 
 
 
 
 
 On Thu, 9 May 2002 09:51:02 -0700
 Christian G. Warden [EMAIL PROTECTED] wrote:
 
  one of the php lists is probably a better forum for this question, but
  in short, register_globals=off means that if you want to use the id
  variable passed in the query string by the browser, you would access it as
  $HTTP_GET_VARS['id'], or $_GET['id'] in 4.1+, rather than $id.  more info
  at http://www.php.net/manual/en/language.variables.predefined.php
  
  xn
  
  On Fri, May 10, 2002 at 12:09:22AM +0800, Patrick Hsieh wrote:
   Hello list,
   
   php4.1 recommends to set register_globals=off in php.ini to make php
   more strict.  My question is, if I turn off register_globals, what will
   happen if any malicious user just try to modify the variable values in
   the url? Say,
   
   http://www.domain.com/xxx.php?id=3sex=female
   
   Does it work if user just change the value in the URL directly and send
   the url directly to web server?
   
   How can we avoid the malicious attack by directly http GET/POST with
   modified parameter values to make possible system error or compromise?
   
   
   -- 
   Patrick Hsieh [EMAIL PROTECTED]
   GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg
   
   
  
  
 
 -- 
 Patrick Hsieh [EMAIL PROTECTED]
 GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
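As an added example, not code from this thread or its posters, here is the request-controlled lookup the question worries about next to the session-bound version the reply describes, written for PHP 4.1+ ($_SESSION in place of session_register()). verify_credentials(), load_profile() and load_document() are assumed application helpers.

```php
<?php
// Added example, not code from the thread. verify_credentials(),
// load_profile() and load_document() are hypothetical application helpers.
session_start();

// Vulnerable: whichever record is shown is chosen by the client, so
// login.php?id=fakeid (or, with register_globals=on, a bare $id) reads
// another user's data. Authorization must never rest on a request value.
function show_profile_vulnerable()
{
    $id = isset($_GET['id']) ? $_GET['id'] : null;
    return $id === null ? null : load_profile($id);
}

// Hardened: the user id is bound to the session only after the password
// check; the session is selected by a cookie the client cannot pick freely.
function login($username, $password)
{
    $userid = verify_credentials($username, $password); // int or false
    if ($userid === false) {
        return false;
    }
    session_regenerate_id();          // PHP 4.3.2+: defeats session fixation
    $_SESSION['userid'] = $userid;    // $_SESSION replaces session_register()
    return true;
}

function show_profile_hardened()
{
    if (!isset($_SESSION['userid'])) {
        return null;                  // not logged in
    }
    return load_profile((int) $_SESSION['userid']);
}

// When an id genuinely must come from the URL (which of the user's own
// documents to open), validate its type and check ownership against the
// session instead of trusting the request.
function open_own_document()
{
    if (!isset($_SESSION['userid']) || !isset($_GET['doc'])
        || !ctype_digit($_GET['doc'])) {
        return null;
    }
    $doc = load_document((int) $_GET['doc']);     // hypothetical helper
    if ($doc === null || $doc['owner'] !== (int) $_SESSION['userid']) {
        return null;                              // not yours: deny
    }
    return $doc;
}
```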



Re: how to use -j DROPLOG in iptables?

2002-05-09 Thread Vineet Kumar
* Patrick Hsieh ([EMAIL PROTECTED]) [020508 20:24]:
 Hello,
 
 When I use -j DROPLOG in iptables, my woody complains:
 iptables v1.2.6a: Couldn't load target 
 `DROPLOG':/lib/iptables/libipt_DROPLOG.so: cannot open shared object file: No 
 such file or directory
 
 Try `iptables -h' or 'iptables --help' for more information.
 

I've never seen DROPLOG; it's some kind of extension, no? What I have
seen people do is something like this:

iptables -N logndrop
iptables -A logndrop -j LOG
iptables -A logndrop -j DROP

and then use -j logndrop wherever they want to log and drop a packet.

Personally, I don't find it too much trouble to specify 2 lines (a log
and a drop) each time I want to discard a packet. It gives me the added
benefit of specifying a separate --log-prefix for each place in my
filter that things are dropped.

good times,
Vineet
-- 
Currently seeking opportunities in the SF Bay Area
Please see http://www.doorstop.net/resume.shtml


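An added example, not Vineet's code, that packages both forms he mentions as shell functions: the logndrop chain, and the two-line LOG/DROP pair with its own --log-prefix at each call site. The -m limit rate limit is an addition of mine, and IPT=echo is an assumed preview hook so the rules can be inspected without root.

```shell
#!/bin/sh
# Added example (not Vineet's code). Reusable log-and-drop with a
# distinct --log-prefix per call site. IPT names the iptables binary;
# set IPT=echo to preview the generated rules without root.
IPT="${IPT:-iptables}"

# One-time chain in the style of the post, plus a rate limit so a flood
# of dropped packets cannot fill the log (-m limit is a standard match).
make_logndrop_chain() {
    "$IPT" -N logndrop
    "$IPT" -A logndrop -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "logndrop: " --log-level 4
    "$IPT" -A logndrop -j DROP
}

# drop_with_prefix CHAIN PREFIX [match...]: the two-line form Vineet
# prefers, so each drop point in the filter gets its own prefix.
drop_with_prefix() {
    chain="$1"; prefix="$2"; shift 2
    "$IPT" -A "$chain" "$@" -m limit --limit 5/min \
        -j LOG --log-prefix "$prefix: " --log-level 4
    "$IPT" -A "$chain" "$@" -j DROP
}

# Example usage: log and drop inbound telnet, tagged "telnet-in".
# drop_with_prefix INPUT telnet-in -p tcp --dport 23
```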


Try with it....

2002-05-09 Thread Raul Saez

Try this... it only shows the status of PIDs that do not show a command.


cd /proc || exit 1
for n in [0-9]*; do
    # cmdline is empty for kernel threads and zombies, so no command is shown
    [ "$(tr -d '\0' < "$n/cmdline" 2>/dev/null)" ] || { echo "pid: $n"; cat "$n/status"; echo; }
done | more


--
Raúl Sáez
Marlborough Stirling
Gran Vía 62, 10º izq
28013 Madrid
tel: +34-91-5487910
fax: +34-91-5400199
email: [EMAIL PROTECTED]
www.puntoseguro.com






GPG subkeys and keyservers

2002-05-09 Thread Chris Flipse

My gpg encryption subkey expired recently; I created a new subkey; it's
signed, expires in a few months, etc.  The key imports fine when I pull
it in from the ascii armored export version ... but exporting it to the
keyserver via --send-key fails miserably.  I get a report of success,
but when I --recv-key, I don't get the new subkey.



(below:  my public/private keypair resides on meteu.  fury is another 
host, which does not have either key.)



  meteu:~ 2% gpg --send-key flip  
  gpg: success sending to `wwwkeys.us.pgp.net' (status=200)
  meteu:~ 3% gpg --export -a flip  /var/www/public.asc
  meteu:~ 4% gpg --list-key flip
  pub  1024D/17984F07 2001-10-06 Chris Flipse [EMAIL PROTECTED]
  uid                            Chris Flipse [EMAIL PROTECTED]
  uid                            Chris Flipse [EMAIL PROTECTED]
  sub  1024g/B03178DE 2001-10-06 [expires: 2002-04-04]
  sub  1024g/BCA91458 2002-05-09 [expires: 2002-11-05]
  
  pub  1024D/17984F07 2001-10-06 Chris Flipse [EMAIL PROTECTED]
  uid                            Chris Flipse [EMAIL PROTECTED]
  uid                            Chris Flipse [EMAIL PROTECTED]
  sub  1024g/B03178DE 2001-10-06 [expires: 2002-04-04]
  sub  1024g/BCA91458 2002-05-09 [expires: 2002-11-05]
  
  meteu:~ 5% 



New subkey exists, supposedly got exported to wwwkeys.us.pgp.net
alright.  However.


  fury:~ 40% gpg --list-key flip
  gpg: Warning: using insecure memory!
  gpg: error reading key: public key not found
  fury:~ 41% wget http://meteu.octoraro.org/public.asc
  --11:46:10--  http://meteu.octoraro.org/public.asc
             => `public.asc'
  Connecting to meteu.octoraro.org:80... connected!
  HTTP request sent, awaiting response... 200 OK
  Length: 2,265 [text/plain]
  
  0K ..  100% @  44.24 KB/s
  
  11:46:10 (44.24 KB/s) - `public.asc' saved [2265/2265]
  
  fury:~ 42% gpg --import public.asc
  gpg: Warning: using insecure memory!
  gpg: key 17984F07: public key imported
  gpg: Total number processed: 1
  gpg:   imported: 1

  fury:~ 43% gpg --list-key flip
  gpg: Warning: using insecure memory!
  pub  1024D/17984F07 2001-10-06 Chris Flipse [EMAIL PROTECTED]
  uid                            Chris Flipse [EMAIL PROTECTED]
  uid                            Chris Flipse [EMAIL PROTECTED]
  sub  1024g/B03178DE 2001-10-06 [expires: 2002-04-04]
  sub  1024g/BCA91458 2002-05-09 [expires: 2002-11-05]
  
  fury:~ 44% 



Key is imported just fine from the ascii armored export.  No problems.



  fury:~ 44% gpg --delete-key flip
  gpg: Warning: using insecure memory!
  pub  1024D/17984F07 2001-10-06   Chris Flipse [EMAIL PROTECTED]
  
  Delete this key from the keyring? yes
  fury:~ 45% gpg --list-key flip   
  gpg: Warning: using insecure memory!
  gpg: error reading key: public key not found
  
  fury:~ 46% gpg --recv-key 17984F07
  gpg: Warning: using insecure memory!
  gpg: requesting key 17984F07 from wwwkeys.us.pgp.net ...
  gpg: key 17984F07: public key imported
  gpg: Total number processed: 1
  gpg:   imported: 1
  
  fury:~ 47% gpg --list-key flip
  gpg: Warning: using insecure memory!
  pub  1024D/17984F07 2001-10-06 Chris Flipse [EMAIL PROTECTED]
  uid                            Chris Flipse [EMAIL PROTECTED]
  uid                            Chris Flipse [EMAIL PROTECTED]
  sub  1024g/B03178DE 2001-10-06 [expires: 2002-04-04]
  
  fury:~ 48% 



Apparently, the version of the key up on the PGP server doesn't have the
new subkey.  So, what am I missing?

-- 
//[pgp] 1024D/17984F07  [http] meteu.octoraro.org
Nice, selfless people don't restore my faith in humanity -- they restore
my faith in randomness.




Re: GPG subkeys and keyservers

2002-05-09 Thread Henrique de Moraes Holschuh
On Thu, 09 May 2002, Chris Flipse wrote:
 My gpg encryption subkey expired recently; I created a new subkey; it's
 signed, expires in a few months, etc.  The key imports fine when I pull
 it in from the ascii armored export version ... but exporting it to the
 keyserver via --send-key fails miserably.  I get a report of success,
 but when I --recv-key, I don't get the new subkey.

Known bug. The non-free stuff at keyserver.net seems to handle it, but the
good old DFSG-free wwwkeys.*.pgp.net doesn't, and corrupts the key.

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh


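An added example, not from either poster, for the check Chris's transcript performs by hand: fetch the keyserver's copy of a key into a throwaway keyring and list which local subkeys it lacks. It uses only documented gpg options; the colon-format records at the bottom are constructed samples with the thread's abbreviated key ids.

```shell
#!/bin/sh
# Added example, not from the thread. Reports subkeys present in the local
# copy of a key but missing from the copy a keyserver returns, which is the
# failure Chris describes. Only documented gpg options are used.

# list_subkeys: read gpg --with-colons output on stdin, print the key id
# (field 5) of each "sub" record, sorted.
list_subkeys() {
    awk -F: '$1 == "sub" { print $5 }' | sort
}

# missing_subkeys LOCAL_COLONS REMOTE_COLONS: ids present locally but not
# in the keyserver copy, one per line (empty output means all present).
missing_subkeys() {
    remote=$(printf '%s\n' "$2" | list_subkeys)
    printf '%s\n' "$1" | list_subkeys | while read -r id; do
        printf '%s\n' "$remote" | grep -qx "$id" || echo "$id"
    done
}

# check_keyserver KEYID KEYSERVER: fetch into a throwaway keyring so the
# local keyring is not touched, then compare the two listings.
check_keyserver() {
    tmp=$(mktemp -d) || return 1
    gpg --keyserver "$2" --no-default-keyring --keyring "$tmp/ks.gpg" \
        --recv-key "$1" >/dev/null 2>&1
    local_out=$(gpg --with-colons --list-keys "$1")
    remote_out=$(gpg --no-default-keyring --keyring "$tmp/ks.gpg" \
        --with-colons --list-keys "$1")
    rm -rf "$tmp"
    missing_subkeys "$local_out" "$remote_out"
}

# Constructed sample records (abbreviated 8-hex ids from the thread; real
# --with-colons output carries 16-hex ids and more fields).
LOCAL_SAMPLE='pub:u:1024:17:17984F07:2001-10-06::u:::scESC:
sub:e:1024:16:B03178DE:2001-10-06:2002-04-04:::::e:
sub:u:1024:16:BCA91458:2002-05-09:2002-11-05:::::e:'
REMOTE_SAMPLE='pub:u:1024:17:17984F07:2001-10-06::u:::scESC:
sub:e:1024:16:B03178DE:2001-10-06:2002-04-04:::::e:'

# Prints BCA91458: the new subkey is absent from the keyserver copy.
missing_subkeys "$LOCAL_SAMPLE" "$REMOTE_SAMPLE"
```

Against a live keyserver, `check_keyserver 17984F07 wwwkeys.us.pgp.net` runs the same comparison on what the server actually hands back.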



Problems with wireless cards ...

2002-05-09 Thread Marcin Bednarz

Hello all.

I want to install Wireless card in my Linux.
This is a pcmcia card which is being inserted into PCI adapter.

=-=
I have two sets of cards:
2x Planet WL8300 Pci adapter + PCMCIA 3550
(((see www page : http://www.planet-taiwan.com/product/CATALOG/WireFree.htm ))

and

2x Avaya Adapter + PCMCIA
(oops, I forgot the model - I have it at work - but this is probably not
important)
(((www page: 
http://www.veracomp.pl/pokaz_ceny_test.php?f_szukaj=AVAYA&f_kategoria=c_producent&f_pokaz_rodzina[]=Avaya%20Wireless%20infrastruktura%20sieci%20wireless
 )))

=-=

Which option is recommended to install this card (in kernel config)?
How about secure connections?


Any experience or ideas?


Regards
Marcin Bednarz.


