
Tell me your password

Posted in TYPO3/ on May 18, 2009 by Marcus.

Move credentials outside of the webroot

I've created a new tutorial that shows how to move credentials outside of the webroot. By default TYPO3 stores all of its configuration in the file typo3conf/localconf.php. Besides graphics settings and the like, the database username/password and the encryption key are stored in there too.

Although there's no way to get hold of this data as a website user, I personally don't like the approach of storing data that is intended to be kept private inside the webroot.

The tutorial does explain the reasons in more detail. Have a look!
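What the tutorial's approach boils down to, as an added example (this is not the post's or the TYPO3 project's own code): localconf.php stops carrying the secrets itself and instead loads them from a file that lives outside the document root. The paths below are hypothetical, and the `$typo_db_*` / `encryptionKey` variable names are the ones TYPO3 4.x localconf.php used at the time; check them against your install.

```php
<?php
// Added example: localconf.php fragment that loads secrets from outside the webroot.
// Assumed layout (hypothetical):
//   webroot      /var/www/example/htdocs
//   secrets file /var/www/example/private/db-credentials.php
//
// Weak setting (the default): secrets inline in typo3conf/localconf.php
//   $typo_db_username = 'typo3';
//   $typo_db_password = 's3cret';
//   $TYPO3_CONF_VARS['SYS']['encryptionKey'] = '...';
//
// Hardened variant: localconf.php only knows where the secrets file lives.

$credentialsFile = '/var/www/example/private/db-credentials.php';

// Fail closed: a missing or unreadable secrets file must not leave the
// variables undefined and the site limping along without them.
if (!is_readable($credentialsFile)) {
    die('Credentials file missing or unreadable.');
}

// Refuse to load secrets that sit under the document root, which is exactly
// the situation the post argues against.
$docRoot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
$real    = realpath($credentialsFile);
if ($docRoot !== false && strpos($real, $docRoot . DIRECTORY_SEPARATOR) === 0) {
    die('Refusing to load credentials from inside the webroot.');
}

// The secrets file returns a plain array, e.g.:
//   <?php return array('user' => 'typo3', 'pass' => 's3cret',
//                      'db' => 'typo3', 'host' => 'localhost', 'key' => '...');
$secrets = include $credentialsFile;
foreach (array('user', 'pass', 'db', 'host', 'key') as $k) {
    if (!is_array($secrets) || !isset($secrets[$k])) {
        die('Credentials file is missing key: ' . $k);
    }
}

// TYPO3 4.x localconf.php variable names (verify against your version).
$typo_db_username = $secrets['user'];
$typo_db_password = $secrets['pass'];
$typo_db          = $secrets['db'];
$typo_db_host     = $secrets['host'];
$TYPO3_CONF_VARS['SYS']['encryptionKey'] = $secrets['key'];
unset($secrets);
```

Two things to check when deploying this: the private directory must be readable by the web server user but by nobody else (owner root, group the web server's group, mode 0640 on the file), and if open_basedir is set for the site it must include the private directory, otherwise the include fails and the site stops with the error above rather than starting without credentials.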

Tags: snippet, typo3


Best of RFI - Part 1

Posted in hacks/PHP/ on May 16, 2009 by Marcus.

Even a loser gets lucky sometimes

Like millions of other hosts on the internet, this box gets attacked by people trying to exploit vulnerabilities.

I recently saw the following piece of code in a Remote File Inclusion (RFI) attack. Although it might have been created by a kid, it's still a nice snippet that I want to share with you. Guess what: it actually works.

Disclaimer: I'm unsure about the license.

<?php
// Rough byte-to-unit formatter: the unit is chosen by the number of
// digits rather than by magnitude (e.g. 999999 bytes prints as "976.56 Kb").
function ConvertBytes($number){
        $len=strlen($number);
        if($len<4){
                return sprintf("%d b",$number);
        }
        if(($len>=4)&&($len<=6)){
                return sprintf("%0.2f Kb",$number/1024);
        }
        if(($len>=7)&&($len<=9)){
                return sprintf("%0.2f Mb",$number/1024/1024);
        }
        return sprintf("%0.2f Gb",$number/1024/1024/1024);
}

// Report disk usage of the directory the script is executed in.
$dir=@getcwd();

        // free
$freeBytes= disk_free_space($dir);
$freeUnits= ConvertBytes($freeBytes);
if(!$freeUnits)$freeUnits=0;

        // total
$allBytes= disk_total_space($dir);
$allUnits= ConvertBytes($allBytes);
if(!$allUnits)$allUnits=0;

        // used
$usedUnits= ConvertBytes($allBytes-$freeBytes);

echo('free: '  .$freeUnits."<br>\r\n");
echo('total: '.$allUnits  ."<br>\r\n");
echo('used: '  .$usedUnits."<br>\r\n");
?>

I personally like the CamelCase approach, the sprintf() usage and the early returns. What do you think?
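For context on how a snippet like this ends up running on someone else's box, here is an added example (not from the post) of the include pattern that makes RFI possible, next to a hardened loader. Function names, the page allowlist and the `pages/` directory are constructed for illustration.

```php
<?php
// Added example: the include pattern behind RFI and a hardened replacement.

// Vulnerable: a request parameter is used directly as the include path.
// If the interpreter allows URL includes, a value like "http://..." makes
// include() fetch and execute whatever that URL serves.
function load_page_vulnerable($page) {
    include $page;   // pattern to avoid
}

// Hardened: map the parameter onto an allowlist of known pages so user input
// never reaches include() as a path.
function load_page_safe($page) {
    static $pages = array(
        'home'    => 'home.php',
        'contact' => 'contact.php',
    );
    if (!is_string($page) || !isset($pages[$page])) {
        header('HTTP/1.0 404 Not Found');
        return false;
    }
    include dirname(__FILE__) . '/pages/' . $pages[$page];
    return true;
}

// Defence in depth: confirm the interpreter refuses remote includes at all.
// allow_url_include exists since PHP 5.2; on older versions allow_url_fopen
// alone decided whether include() could open URLs.
function remote_include_disabled() {
    $setting = ini_get('allow_url_include');
    if ($setting === false) {
        // Directive unknown (PHP < 5.2): fall back to allow_url_fopen.
        $setting = ini_get('allow_url_fopen');
    }
    return !filter_var($setting, FILTER_VALIDATE_BOOLEAN);
}

if (!remote_include_disabled()) {
    error_log('Remote includes are enabled; set allow_url_include=Off in php.ini');
}

load_page_safe(isset($_GET['page']) ? $_GET['page'] : 'home');
```

The allowlist is the actual fix; the ini check only tells you whether a leftover vulnerable include somewhere else in the code base would be reachable from the network, which is worth logging at startup because hosting packages differ in their defaults.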

Tags: php, rfi, snippet

