Month: July 2007

How to secure Session in PHP

Introduction – 

1) Shared web servers— Anyone else on the server can read your session files (typically in the /tmp directory) if PHP is running as an Apache module (so the session files belong to the web user) and possibly when PHP is used as a CGI (depending on how sessions are implemented).

Someone browsing the session files (probably) won’t know which site the sessions apply to (so may not be able to use a username / password combination they found), but you may still be putting sensitive info (like credit card details) somewhere for all to see. Plus they’ve got a list of valid session IDs…

If you’re just storing passwords in the session, you can get away with this by using md5() (preferably twice) to store a one-way hash of the password. This doesn’t help, though, if you need to recover the value of a session variable.

Using a custom session handler to store the sessions in a database is probably the best solution. You might consider MySQL HEAP tables if performance is an issue (assuming MySQL running on same machine as Apache). If it gets to very high traffic, it’s time to think about getting your own server…

2) XSS exploits (and session hijacking) – Using JavaScript, users can be fooled into giving away their active session_id…

All someone needs to “hijack” a session is the unique session id. It’s like the key to a railway station locker. The locker doesn’t check you’re the valid owner of the key, before allowing you to open it so anyone with the key can get in.

Research XSS and how to prevent it –

Accept that session hijacking cannot be entirely prevented (checks on IP address, for example, are foiled by AOL, who assign a new client IP on more or less every page request), so double check “critical actions” a user can perform when logged in, e.g. when changing password, require the old password, which the session hijacker will (hopefully) not know. When displaying credit card information, do like Amazon and only display the last four digits. Basically, limit the damage someone can do if they hijack a session.

3) Session IDs in URL (and hijacking) – If you’re using session IDs in the URL (as opposed to a session cookie), make sure offsite links do not contain the session ID (or the remote site will be able to hijack) – PHP should take care of this. Also your visitors may give away the session ID in the referrer field; ideally pass off-site links through a redirect page to eliminate the referrer (although, unfortunately, some browsers keep the last 3 pages viewed I believe; unsure of facts).

** Ideally, don’t pass session ids in the URL—require users to accept a cookie if they need to “log in”.

4) Session Fixation (pre-hijacking) (see http://www.acros.si/papers/session_fixation.pdf)-

If you assign a session to a visitor to your site, before they are logged in (for example for clickpath analysis), make sure that you assign them a new session id when they do login, so that if someone pre-generated the initial session id for them, they won’t get the new ID.

For PHP 4.2.0+, see session_regenerate_id() (in particular the user submitted comments). For PHP versions before 4.2.0, the session_id() function (http://www.php.net/session_id) may also be useful (haven’t explored it in this context myself).

5) Sniffing Packets (use SSL/HTTPS) – a session ID can be “sniffed” between the client and your server. If it’s a site where money is changing hands or other sensitive personal information is involved, SSL is a requirement.

Otherwise, without SSL, you have to live with the risk (just like you do every time you use that FTP client…).

6) Cookies are not for session data – on a related note, don’t use cookies to store sensitive information.

Cookie data, unlike sessions, gets stored on the client side. Apart from the “sniffing risk”, a large majority of Windows users have little idea of security and may be “owned by haxor”.

Otherwise, cookies (aside from the session cookie PHP creates for you) are generally meant for long term (i.e. between visits) data persistence (e.g. “Remember Me”) rather than “active session” persistence.

There’s probably more things to watch out for (or facts to correct) – suggestions appreciated.

Thank you,

Santhosh Tirunahari

GRUB (GRand Unified Bootloader)

Introduction – GRUB (GRand Unified Bootloader) is part of the GNU project and was originally designed and implemented by Erich Stefan Boleyn. GRUB is one of the best open source boot loaders used to boot the Linux operating system. It can load a wide variety of free operating systems (Linux), as well as proprietary operating systems (like Windows) by chain-loading. LILO (Linux Loader) is another boot loader used on Linux. Now we will start with….

[1] What is Boot Loader? –

A boot loader is the first software program that runs when a computer starts. It is responsible for loading and transferring control to an operating system kernel (e.g. the Linux kernel). The kernel then initializes the rest of the operating system. GRUB understands filesystems and kernel executable formats, so you can load an arbitrary operating system the way you like, without recording the physical position of your kernel on the disk. Thus you can load the kernel just by specifying its file name and the drive and partition where the kernel resides.

When booting with GRUB, you can use either a command-line interface or a menu interface. Using the command-line interface, you type the drive specification and file name of the kernel manually. In the menu interface, you just select an OS using the arrow keys. The menu is based on a configuration file which you prepare beforehand. While in the menu, you can switch to the command-line mode, and vice-versa. You can even edit menu entries before using them.

root@arunbagul:~# grub --version
grub (GNU GRUB 0.97)
root@arunbagul:~#

GRUB command-line (after booting the OS) – just type ‘grub’ at the bash command prompt # to get the grub command-line.

root@arunbagul:~# grub
[ Minimal BASH-like line editing is supported. For
the first word, TAB lists possible command
completions. Anywhere else TAB lists the possible
completions of a device/filename. ]

grub>

* Possible GRUB commands (just press TAB on the grub command-line)

grub>

Possible commands are: blocklist boot cat chainloader clear cmp color configfile debug device displayapm displaymem dump embed find fstest geometry halt help hide impsprobe initrd install ioprobe kernel lock makeactive map md5crypt module modulenounzip pager partnew parttype password pause print quit quiet read reboot root rootnoverify savedefault serial setkey setup terminal terminfo testload testvbe unhide uppermem vbeprobe

grub>

[2] How to get help about any command –

grub> help root
root: root [DEVICE [HDBIAS]]
Set the current "root device" to the device DEVICE, then attempt
to mount it to get the partition size (for passing the partition
descriptor in `ES:ESI', used by some chain-loaded bootloaders),
the BSD drive-type (for booting BSD kernels using their native
boot format), and correctly determine the PC partition where a
BSD sub-partition is located. The optional HDBIAS parameter is a
number to tell a BSD kernel how many BIOS drive numbers are on
controllers before the current one. For example, if there is an
IDE disk and a SCSI disk, and your FreeBSD root partition is on
the SCSI disk, then use a `1' for HDBIAS.
rootnoverify: rootnoverify [DEVICE [HDBIAS]]
Similar to `root', but don't attempt to mount the partition. This
is useful for when an OS is outside of the area of the disk that
GRUB can read, but setting the correct root device is still
desired. Note that the items mentioned in `root' which derived
from attempting the mount will NOT work correctly.

grub> quit

root@arunbagul:~#

** Syntax and naming convention used in GRUB –

The device syntax used in GRUB is a bit different from the normal syntax. First of all, GRUB requires that the device name be enclosed in “(” and “)”.
For example :-

(fd0)
(hd0,1)
(hd1,3)

Here “fd” means floppy disk and “hd” means hard disk. (fd0) means the first floppy drive; (hd0,1) means the first hard disk, partition number 1 (its second partition, since numbering starts at zero); and (hd1,3) means the second hard disk, partition number 3 (its fourth partition). How to use the GRUB command-line to boot the system is described below…

NOTE – Drive numbers and partition numbers start from zero (0). Use “tab” to see the possible drives, partition numbers, etc.

[3] How to boot operating systems –

GRUB has two distinct boot methods.

a) Load an operating system directly,
b) Chain-loader –
load another boot loader which then will load an operating system.

GRUB supports Multiboot. Linux/Unix-like OSes can be loaded directly, while other OSes that are not supported, like Windows, can be loaded using the “chain-loader” method.

Step(1)- Set root/boot drive –

* In the GRUB menu you can get the grub command-line by pressing “c”, and you can edit a GRUB menu entry by pressing “e”…

grub> root (hd0,
Possible partitions are:
Partition num: 0, Filesystem type unknown, partition type 0x7
Partition num: 1, Filesystem type unknown, partition type 0x7
Partition num: 2, Filesystem type is ext2fs, partition type 0x83
Partition num: 4, Filesystem type is ext2fs, partition type 0x83
Partition num: 5, Filesystem type is ext2fs, partition type 0x83
Partition num: 6, Filesystem type unknown, partition type 0x82
Partition num: 7, Filesystem type is ext2fs, partition type 0x83

grub> root (hd0,2)

grub> cat /grub/menu.lst

…..

* Use this file to find out which partition will be your root partition.

grub> cat /
Possible files are: lost+found System.map-2.6.22-14-generic abi-2.6.22-14-generic config-2.6.22-14-generic initrd.img-2.6.22-14-generic.bak memtest86+.bin
vmlinuz-2.6.22-14-generic initrd.img-2.6.22-14-generic grub System.map-2.6.22-14-xen vmlinuz-2.6.22-14-xen config-2.6.22-14-xen xen-3.1.gz initrd.img-2.6.22
-14-xen initrd.img-2.6.22-14-xen.bak

Step(2) – Load the kernel (don’t forget to mention your root partition, i.e. /) –

grub> kernel /vmlinuz-2.6.22-14-generic root=/dev/sda5 ro quiet splash

grub>

Step(3) – Load the ‘initrd’ –

grub> initrd /initrd.img-2.6.22-14-generic

Step(4) Just Boot your OS –

grub> boot

*** That’s all it takes to boot your system from the GRUB command line!

[4] How to boot unsupported operating systems (OS) using the ‘chain-loader’ method –

Normally, the boot loader is embedded in the boot sector of the partition on which the operating system is installed. Use the ‘rootnoverify’ command to set the correct root device; this command doesn’t attempt to mount that partition.

Step(1) Set GRUB’s root device to the partition –

grub> rootnoverify (hd0,0)

Step(2) Set the active flag in the partition using ‘makeactive’ command –

grub> makeactive

Step(3) Load the boot loader with the command chainloader-

grub> chainloader +1

Step(4) Just Boot your OS –

grub> boot

* “+1” indicates that GRUB should read one sector from the start of the partition.

[5] How to read any file from GRUB command-line –

* You can easily find out which is the root partition (/) by looking at the directory structure!!

grub> root (hd0,4)

grub> cat /
Possible files are: lost+found var boot home media usr etc cdrom bin dev initrd lib mnt opt proc root sbin srv sys tmp initrd.img vmlinuz home2 initrd.img.
old vmlinuz.old

grub> cat /etc/fstab
# /etc/fstab: static file system information.
#
#<file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc defaults 0 0
/dev/sda5 / ext3 defaults,errors=remount-ro 0 1
/dev/sda3 /boot ext3 defaults 0 2
/dev/sda8 /home ext3 defaults 0 2
/dev/sda6 /usr ext3 defaults 0 2

grub>

[6] How to Boot DOS/Windows from 2nd Hard Disk –

If you have installed DOS (or Windows) on a non-first hard disk, you have to use the disk swapping technique, because that OS cannot boot from any disk but the first one. Use the “map” command. This performs a virtual swap between your first and second hard drive.

grub> map (hd0) (hd1)
grub>
grub> map (hd1) (hd0)
grub>

NOTE: This is effective only if DOS (or Windows) uses the BIOS to access the swapped disks. If that OS uses a special driver for the disks, this probably won’t work.

** Another problem arises if you installed more than one set of DOS/Windows onto one disk, because they could be confused if there is more than one primary partition for DOS/Windows. Certainly you should avoid doing this, but there is a solution if you do want to do so. Use the partition hiding/unhiding technique. If GRUB hides a DOS/Windows partition, DOS/Windows will ignore the partition. If GRUB unhides a DOS/Windows partition, DOS/Windows will detect the partition.

grub> help hide
hide: hide PARTITION
Hide PARTITION by setting the "hidden" bit in its partition type code.

grub> root (hd0,
Possible partitions are:
Partition num: 0, Filesystem type unknown, partition type 0x7
Partition num: 1, Filesystem type unknown, partition type 0x7
Partition num: 2, Filesystem type is ext2fs, partition type 0x83
Partition num: 4, Filesystem type is ext2fs, partition type 0x83
Partition num: 5, Filesystem type is ext2fs, partition type 0x83
Partition num: 6, Filesystem type unknown, partition type 0x82
Partition num: 7, Filesystem type is ext2fs, partition type 0x83

grub> hide (hd0,2)

grub> root (hd0,
Possible partitions are:
Partition num: 0, Filesystem type unknown, partition type 0x7
Partition num: 1, Filesystem type unknown, partition type 0x7
Partition num: 2, Filesystem type unknown, partition type 0x93
Partition num: 4, Filesystem type is ext2fs, partition type 0x83
Partition num: 5, Filesystem type is ext2fs, partition type 0x83
Partition num: 6, Filesystem type unknown, partition type 0x82
Partition num: 7, Filesystem type is ext2fs, partition type 0x83

grub>

grub> help unhide
unhide: unhide PARTITION
Unhide PARTITION by clearing the "hidden" bit in its partition type code.

grub>

For example … see below

grub> unhide (hd0,0)
grub> hide (hd0,3)
grub> rootnoverify (hd0,0)
grub> chainloader +1
grub> makeactive
grub> boot
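The interactive steps in [3], [4] and [6] are usually written once into the menu file instead of being typed at every boot. The following GRUB legacy (0.97) menu.lst is an added example, not a file from the original post: the device numbers, kernel names and root= device follow the page’s own listings, the password hash is a placeholder to be replaced with the output of the md5crypt command, and the “single” kernel parameter on the recovery entry is assumed.

```conf
# Added example, not from the original post: /boot/grub/menu.lst for
# GRUB legacy 0.97 encoding the command-line steps shown above.
default 0
timeout 10

# Without a password, anyone at the console can press "e" and boot an
# entry with edited kernel parameters. "password --md5" makes GRUB ask
# for it before editing, before the command line, and before locked entries.
password --md5 $1$PLACEHOLDER$REPLACE.WITH.MD5CRYPT.OUTPUT

# [3] Direct boot: /boot is (hd0,2) = /dev/sda3, root filesystem is /dev/sda5
title  Linux, kernel 2.6.22-14-generic
root   (hd0,2)
kernel /vmlinuz-2.6.22-14-generic root=/dev/sda5 ro quiet splash
initrd /initrd.img-2.6.22-14-generic
savedefault

# Recovery entry: "lock" makes GRUB demand the password before booting it
# ("single" is an assumed kernel parameter for single-user mode).
title  Linux, kernel 2.6.22-14-generic (recovery mode)
lock
root   (hd0,2)
kernel /vmlinuz-2.6.22-14-generic root=/dev/sda5 ro single
initrd /initrd.img-2.6.22-14-generic

# [4] Chain-load Windows from the first partition of the first disk
title  Windows (first disk)
rootnoverify (hd0,0)
makeactive
chainloader +1

# [6] Windows installed on the second disk: swap the BIOS drive numbers
# first so that it sees its own disk as the first one.
title  Windows (second disk)
map (hd0) (hd1)
map (hd1) (hd0)
rootnoverify (hd1,0)
makeactive
chainloader +1
```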

Thank you,

Arun Bagul

built-in SQL functions

Introduction – The SQL covered so far is part of the standard that all SQL implementations support. Now let’s look at one of the most useful, but most difficult, areas of SQL – built-in SQL functions.

Types of functions –

Like most computer languages, SQL includes the capability to perform functions on data. However, each database vendor has implemented its own set of functions. Not only does each vendor choose which functions it will support, different vendors implement the same functionality using different syntax! This basically means that as soon as you open the door to functions, your database code stops being portable. For traditional database applications that is less of an issue, but for web-based applications using tools like PHP, it means that the SQL functions you embedded in your web application will break when you move from MySQL to Oracle or to SQL Server. To make matters worse, SQL functions often provide significant performance gains for all sorts of database manipulation, particularly in the case of web applications.

So what should we do? My advice is to use functions anywhere you can produce a measurable performance gain, and document thoroughly which database the SQL was intended to work with. As we’ll talk about in a future column, moving any function-oriented code into a database stored procedure and essentially “black-boxing” it is an excellent approach — this lets the DBA rewrite the stored procedures for optimal performance — but some databases do not support stored procedures, so this is not a perfect solution. There are a number of functions that are available in a wide range of databases, so you can usually get the functionality you need as long as the functions are not too exotic.

There are four basic types of functions –

1) Numeric functions – for statistical, trigonometric, and other mathematical operations,
2) Text functions – for formatting and manipulating text values,
3) Time/date functions – used to parse date values as well as manipulate the date itself, and
4) System functions – for returning database-specific information (such as a username).

How do you know what functions your database supports? Unfortunately, the only reliable way is to check the documentation. As a general rule of thumb, the more a database costs (or, for open source databases, the more widely it is used), the more functions it supports. Functions open up a huge range of additional functionality for SQL developers, but at the cost of portability between database platforms. In return, functions provide improved functionality and performance for data-intensive applications.

How to use functions?

Functions in SQL are typically used in WHERE clauses, though they generally can be used anywhere you’d use a field name or value. One of the easiest ways to learn functions is to see a few in action. We’ll start with a SELECT statement to find names longer than 12 characters…

Step(1) Create Table – student –

mysql> use SQL_function;
Database changed
mysql> show tables;
Empty set (0.00 sec)

mysql> CREATE TABLE student ( name varchar(40) );
Query OK, 0 rows affected (0.00 sec)

mysql> show tables;
+------------------------+
| Tables_in_SQL_function |
+------------------------+
| student                |
+------------------------+
1 row in set (0.00 sec)

mysql> desc student;
+-------+-------------+------+-----+---------+-------+
| Field | Type        | Null | Key | Default | Extra |
+-------+-------------+------+-----+---------+-------+
| name  | varchar(40) | YES  |     | NULL    |       |
+-------+-------------+------+-----+---------+-------+
1 row in set (0.00 sec)

Step(2) INSERT a few records into the student table –

mysql> INSERT INTO student VALUES('Arun Bagul');
Query OK, 1 row affected (0.00 sec)

mysql> INSERT INTO student VALUES('Sri madhanvan');
Query OK, 1 row affected (0.00 sec)

mysql> INSERT INTO student VALUES('Hari madhanvan');
Query OK, 1 row affected (0.00 sec)

mysql> SELECT name FROM student;
+----------------+
| name           |
+----------------+
| Arun Bagul     |
| Sri madhanvan  |
| Hari madhanvan |
+----------------+
3 rows in set (0.00 sec)

mysql>

Step(3) Use a function in the WHERE clause –

mysql> SELECT name FROM student WHERE length(name) > 12 ;
+----------------+
| name           |
+----------------+
| Sri madhanvan  |
| Hari madhanvan |
+----------------+
2 rows in set (0.00 sec)

mysql>

Thank you,
Arun Bagul

MySQL starting problem on cPanel Server

Introduction – After a fresh installation of a cPanel server, whenever I tried to start the MySQL server it failed to start for an unknown reason. This is a really crazy problem on cPanel! Even if you upgrade MySQL from 4.0 to the latest 5.x version, the MySQL server simply fails to start!! You will not find anything in the log file, i.e. “/var/log/mysql.log”. I tried many things to find out the reason for the failure. Even the cPanel command /scripts/mysqlup --force does not help.

What is the Solution?

The solution to this crazy problem is to remove or comment out the “basedir=/var/lib” line in the MySQL server’s my.cnf configuration file.

root@cpanel.arunbagul:~# cat /etc/my.cnf
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock

[mysql.server]
user=mysql
basedir=/var/lib

[mysqld_safe]
err-log=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid

root@cpanel.arunbagul:~#

** Finally the /etc/my.cnf file looks like –

root@cpanel.arunbagul:~# cat /etc/my.cnf
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock

[mysql.server]
user=mysql

[mysqld_safe]
err-log=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid

root@cpanel.arunbagul:~#

** Now you can start the MySQL server on your cPanel server!!

Cheers,

Arun Bagul