Entries tagged as hosting
Wednesday, December 9. 2009
Our hosting customer aka-aki has announced a game. Location-based, social, “weather aware”: it certainly sounds very exciting. The whole thing will be presented on December 17 in Berlin.
Tuesday, August 18. 2009
I have recently installed SilverStripe to test if it fits into our shared hosting concept. Read after the break about my impressions.
Continue reading "First impressions of SilverStripe CMS"
Wednesday, August 12. 2009
The automatic updater for WordPress uses FTP to upload data (which is generally a good idea because of safe mode). However, it fails if the FTP account is chrooted (i.e. you cannot change to directories outside your home directory).
This is bad, because most, if not all, shared hosting servers have chrooted FTP accounts. There is, however, an easy fix: you just recreate the root directory structure within your home directory.
If your home directory has the physical path “/www/12345/mydomain.com/” and your WordPress is in the “./wordpress” subdirectory, you can just log in with FTP and do this:
mkdir /www
cd /www
mkdir 12345
cd 12345
mkdir mydomain.com
Then you can use a PHP one-liner to create a symlink to your wordpress subdirectory:
<?php symlink("/wordpress", "wordpress"); // symlink(target, link) ?>
After this, you should verify the directory is created OK and can be changed into via ftp:
cd /www/12345/mydomain.com/wordpress
After this, the automatic update worked, at least for me.
Saturday, May 16. 2009
Over the last months, a drought has started in this blog and the two or three readers that might still be left deserve a status update. In fact, I would like to recap the last couple of months to get my head clear and tell all of you what’s been going on.
If you’re interested in what I’ve been doing these past weeks, just click on the extended entry and you shall be enlightened.
Continue reading "Proof of Life"
Monday, May 4. 2009
I rarely get spam that’s really weird, but this (probably a filter evasion or mal-training attempt) is really... WTF?!
Mon May 04 17:29:27 2009: Request 78291 was acted upon.
Transaction: Ticket created by lamb.helene@google-mailing.com
Queue: [de-punkt]info
Subject: ein kleines blaues Ma:dchen aufgeschnallt.
Owner: Nobody
Requestors: lamb.helene@google-mailing.com
Status: new
Then you may go to the Hallig.
The air blows strange and pure.
Bernhard Suphan. Reprint, Hildesheim
then the great mass dying began.
Once upon a time there was a man,
that he, still their last refuge, does not go:
have spread.
of a German singer
The valiant Swabian was not afraid,
And his bells rang
Tuesday, December 16. 2008
I recently read about the APS project and became curious. APS, short for Application Packaging Standard, is - as far as I understand it - a relatively recent standard that provides SaaS providers (i.e., us as a hosting provider) with a standardized format for software packaging. So far, some big names from the PHP Open Source community have embraced APS, including the notorious, but indispensable phpBB, Drupal, Magento and Typo3.
For hosters, APS is supposed to be a great addition to their portfolio:
The introduction of APS advances the web hosting industry. By implementing APS, hosting service providers can gain access to a great variety of APS applications. In turn, application vendors that implement APS, can get access to a vast sales and marketing channel via APS-enabled hosting providers.
Unfortunately, I can’t seem to find detailed documentation on the process of implementing an APS socket - the only freely available docs seem to be the standards document and ISV guidelines, both of which don’t really help me.
Now, I reach out to you PHP guys - has any of you ever had something to do with APS (preferably on the hoster/provider side of things)? Do you have pointers as to where to start the socket implementation? I’m looking forward to your input.
Thursday, September 11. 2008
It is not usually my custom to comment negatively or nitpick on other people's articles in magazines, especially not in magazines I have written for. This time however, I really must raise my voice to point out a couple of (well, actually a lot of) issues in an article about SQL injection in the current (October/November) issue of the German "PHP Magazin". I stumbled upon this when Pelle Boese of Mobile SEO fame told me about it.
As a couple of you should still remember, I wrote for that magazine until about one and a half years ago. I stopped writing for a couple of reasons. First and foremost, my shift towards Grid computing, my master's thesis and work took too much time. However, the, let's say, lean editorial process always kinda weirded me out. Mostly, manuscripts were printed as written, with no editorial changes at all. This is very trusting, but sometimes leads to fuck-ups like the one below.
Continue reading "Warning about the article "SQL Injection" in current "PHP Magazin""
Monday, May 12. 2008
Warning, muddled thoughts ahead, don't take this too seriously...
In a conversation with Arzt, the phrase "Kredit ohne Schufa" (a loan without a Schufa credit check) came up, which automatically makes me think of two things (free association, here I come!):
- Peter Zwegat and "Raus aus den Schulden"
- Black-and-white classified ads in the ADAC club magazine
For years I have been reading about these "loans without Schufa", "loans with a negative Schufa record", or "Swiss loans" (presumably because the interest rates are as high as the Alps) and now I wanted to see what is behind them.
Basically, this kind of lending (also popular, by the way: "mobile phone without Schufa", "credit card without Schufa", "car without Schufa", "Belarusian wife without Schufa", "suicide without Schufa" and who knows what else) is about the brokers or lenders skipping the inquiry with Schufa about any negative entries, which is otherwise customary for any kind of goods or credit transaction. They have themselves richly rewarded for that - this is my assumption, still unconfirmed at this point in the blog article - with considerably higher interest rates.
Continue reading "Kredit ohne Schufa"
Thursday, May 8. 2008
After a long back and forth, which actually began when we moved into AboveNet/GlobalSwitch (a long time ago, that must have been 2001), today it finally happened:
Dear Christopher Kunz,
We have processed your application and Filoo GmbH is now a RIPE NCC member.
Please find your new ORGANISATION object below.
With that, Filoo GmbH is now a RIPE member and the planned next expansion stage of our network can begin. But before the joy of peerings, our own IP networks and unbridled network growth comes an intensive period of getting to grips with the subject. So a week or two will pass before we can turn our allocation into the first production networks.
But never mind - for now I’m just glad that we have the membership formalities behind us and can get started as an LIR.
Wednesday, April 23. 2008
By way of a discussion in #php.de @ IRCNet, I stumbled upon “phpshield.com” which offers a PHP encoding solution for a deadbeat price of 55 bucks. Other choices, like SourceGuardian, ioncube or Zend are much more pricey. However, the phpShield.com home page did not offer the slightest clue who actually is behind that product. How someone would entrust their PHP scripts (which obviously include their intellectual property) to a product that’s not only closed-source but also sold by an anonymous third party is beyond me.
It’s common practice to whitelabel your solutions and sell them under different brands with different feature sets to different target audiences. We do this with gameservers and hosting, too. However, we always clearly state who is behind the whitelabelled solution (and we are also obliged to do this by law, which I think is good). The phpshield people do not have any clue on their pages. The domain is registered to this dude:
Administrative Contact:
Whois Privacy Protection Service, Inc.
Whois Agent (qjprnbdw@whoisprivacyprotect.com)
+1.4252740657
Fax: +1.4256960234
PMB 368, 14150 NE 20th St - F1
C/O phpshield.com
Bellevue, WA 98007
US
Hm. Their hoster, hostovo, belongs to an Inovica Ltd. in the UK. Waitaminute... inovica? Ah yes, the guys that sell SourceGuardian for over 4 times the price of PHPShield. And oddly enough, PHPShield.com’s privacy policy lists Inovica Ltd. as the sole proprietor of any IP on the page. I’m seeing a pattern here...
I really have to ask: Why are they trying to hide? To me, that is not acceptable business practice. Incidentally, I’m currently evaluating PHP encoding solutions for a customer request and I just struck one off the list.
UPDATE: Adrian has responded in a very helpful comment, clearing a lot of the issues up. Please check the comments to this entry.
Monday, March 17. 2008
This landed this morning in the mailbox webmaster ätt de-punkt.de. We’ll skip the usual boring header analysis; it comes from a botnet anyway (in this case from lovely Argentina... hm, steak!). Really only the content is interesting:
To: <xxx@de-punkt.de>
Subject: Attention, please have your login data and password ready
Subject: ATTENTION, nasty VIRUS. Urgently include this file on your web server
===============================
Dear Sir or Madam, at the moment millions of web servers are being infected by viruses. Please be sure to include the attachment on your website in the following directory for protection: www.de-punkt.de/robots.txt
You create the robots file with your editor:
__________________________________________
User-agent: *
Disallow: /
____________________________________________
Save this as robots.txt and include it in your main directory.
Only in this way is it certain that no damage occurs, by forbidding the virus from visiting your website. Please hurry, as a substantial attack is to be expected this weekend.
Any questions?
Internet-Security-Team
Meisenweg 11
47441 Moers
0900-8XXXXX2
Apparently someone wants de-punkt.de to give up its PR6 by having us simply deny all bots access to our website - because that is exactly what the “attached” robots.txt says. An interesting social engineering approach; really only two questions arise: 1. Who on earth falls for something like this? 2. Who else received this mail? Regarding 2: quite a few, apparently. There are already various blog and news entries if you google “Internet Security Team Moers”, for example here, here and here.
Continue reading "Anti-SEO Spam"
Monday, March 12. 2007
With the last entry in this blog being over 2 months old, I guess it’s time for a quick update. Actually, not much has changed. I am in the middle of my master’s thesis, lagging behind schedule as usual, and in parallel trying to get past my last exams for university. Doing both in parallel is not as much fun as you might think, especially with some other stuff looming behind.
I have successfully deployed a couple of customers in the last weeks, most notably the folks at SwooDoo. Their PHP-MySQL-AJAX-driven flight search engine is definitely one of those useful sites that I’m proud to host.
The second edition of our book, PHP-Sicherheit, is now under wraps, expanded by about 50 pages. I have written up a chapter on ext/filter (with a mixed recommendation) and expanded the web server filtering chapter by mod_parmguard. Other than that, Stefan has completely rewritten the chapter on “Hardening PHP” and we have changed a whole lot of stuff that was either outdated or included some tiny little errors. I wouldn’t go as far as to say you need to buy this book if you don’t have the first edition, but if you don’t have it at all, wait until late March to grab your copy.
Next weekend, I’ll be presenting some funny XSS stuff at the Heise booth at CeBIT (Hall 5, Booth E38). If someone wants to meet me at the fair, please drop me a line ASAP. Apart from that, the next time I’ll be visible in the PHP community is the PHP Conference Spring Edition taking place in Stuttgart May 21 - 23. I’ll be presenting XSS stuff on the Webinale part of the conference. Due to time constraints, I won’t be present for more than 2 days, though - so probably I’ll leave straight after my session. Why is that? My thesis is due on the 31st, so go figure.
Monday, July 3. 2006
That was a weird week. I think I rarely changed locations that often, and I kinda lost track of what time zone, currency and/or event I was currently at. However, it turned out to be a very rewarding week, too.
All in all, I roughly travelled around 5600 km, which is probably quite a lot given the fact that I otherwise leave Hannover rarely. I changed timezones twice, currencies 4 times (including transit airports), and spoke at two different (un-)conferences. There were nights in school gyms, Sofia park bars, hostel dorms and for 2 nights, I even slept in my own home (tue->wed->thu). My overall perception was that the security topic is still kinda “hot” and although most attendees (naturally, those at PHP Vikinger were more on top of things) seemed to have a firm grasp of what could go wrong with PHP applications, there is still a lack of trustworthy and well-designed solutions to the various security dilemmas. As Kris Köhntopp said on the PHP Vikinger, using stuff like mod_security, our Hardening Patch or other assorted security products is not a real solution, since there is no programmatical and wellformed approach to them. Instead of having a defined and limited outer and inner area for applications (like, an array of all possible URL entries to the application, as well as all possible output it generates), we are putting out fires as they emerge. Of course, we do that because we currently have no other way of keeping our boxes alive and the attackers out as long as possible, but still, Kris has a point.
Continue reading "Conference Wrapup - busy weeks lie behind me"
Wednesday, November 30. 2005
We have been running mod_php on our customer hosting servers for several reasons, but I have never been truly satisfied with that situation. The security risks are the most obvious problem, since Safe Mode is not a practicable solution and open_basedir is not quite secure enough for mission-critical applications. Now I need to assess (err... not asses.) the breakage potential - I hope you can help me with that.
Continue reading "Migrating hosting servers from mod_php4 to PHP/FastCGI - a daunting task?"