php.lv forums

Aleksejs

Moderators · Posts: 4,584 · Days Won: 1

Posts posted by Aleksejs

  1. http://www.nruns.com...ory28122011.pdf

    Hash tables are a commonly used data structure in most programming languages. Web application servers or platforms commonly parse attacker-controlled POST form data into hash tables automatically, so that they can be accessed by application developers.

    If the language does not provide a randomized hash function or the application server does not recognize attacks using multi-collisions, an attacker can degenerate the hash table by sending lots of colliding keys. The algorithmic complexity of inserting n elements into the table then goes to O(n**2), making it possible to exhaust hours of CPU time using a single HTTP request.

    == PHP 5 ==

    PHP 5 uses the DJBX33A (Dan Bernstein's times 33, addition) hash function and parses POST form data into the $_POST hash table. Because of the structure of the hash function, it is vulnerable to an equivalent substring attack.

    The maximal POST request size is typically limited to 8 MB, which when filled with a set of multi-collisions would consume about four hours of CPU time on an i7 core. Luckily, this time can not be exhausted because it is limited by the max_input_time configuration parameter (default configuration: -1, unlimited; Ubuntu and several BSDs: 60 seconds). If the max_input_time parameter is set to -1 (theoretically: unlimited), it is bound by the max_execution_time configuration parameter (default value: 30).

    On an i7 core, the 60 seconds take a string of multi-collisions of about 500k. 30 seconds of CPU time can be generated using a string of about 300k. This means that an attacker needs about 70-100kbit/s to keep one i7 core constantly busy. An attacker with a Gigabit connection can keep about 10.000 i7 cores busy.

    Video:
    http://www.youtube.com/watch?v=_EEhviEO1Vo

    Possible solution:
    http://cr.yp.to/critbit.html
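Editor's added example (not from the advisory quoted above, nor from PHP itself): the DJBX33A hash the post refers to, written out in Python, together with a request-side guard that a server could run on the parsed POST keys before they reach the application's hash table. The parameter limit mirrors PHP's own `max_input_vars` directive (added in PHP 5.3.9 as the fix for this issue); the collision-ratio heuristic, its thresholds and the sample forms are assumptions constructed for the demonstration. The pair "Ez"/"FY" is the smallest illustration of why DJBX33A collides so easily: the +1 on the first byte adds 33, and the -33 on the second byte cancels it.

```python
from collections import Counter


def djbx33a(key: str) -> int:
    """DJBX33A, the string hash PHP 5 uses for its hash tables: h = h * 33 + c, kept to 32 bits."""
    h = 5381
    for byte in key.encode("utf-8"):
        h = (h * 33 + byte) & 0xFFFFFFFF
    return h


def collision_ratio(keys):
    """Fraction of keys whose full 32-bit hash is shared with at least one other key.
    Ordinary form data sits near 0.0; a multi-collision payload sits near 1.0."""
    if not keys:
        return 0.0
    counts = Counter(djbx33a(k) for k in keys)
    colliding = sum(n for n in counts.values() if n > 1)
    return colliding / len(keys)


def accept_post(keys, max_input_vars=1000, min_keys_for_check=100, max_ratio=0.25):
    """Guard run on the parsed POST keys before they are inserted into the application table.
    Returns (accepted, reason).  max_input_vars mirrors the PHP directive of the same name;
    the ratio check is an additional heuristic with assumed thresholds, not a PHP setting."""
    if len(keys) > max_input_vars:
        return False, "too many input variables"
    if len(keys) >= min_keys_for_check and collision_ratio(keys) > max_ratio:
        return False, "collision-heavy input"
    return True, "ok"


# Constructed sample inputs (not captured traffic).
NORMAL_FORM = ["username", "email", "password", "remember_me"]
# "Ez" and "FY" collide under DJBX33A: 'F' is 'E' + 1 (adds 33 after the multiply)
# and 'Y' is 'z' - 33, so the two differences cancel exactly.
COLLIDING_FORM = ["Ez", "FY", "username"]

if __name__ == "__main__":
    print(djbx33a("Ez") == djbx33a("FY"))                      # True
    print(accept_post(NORMAL_FORM))                             # (True, 'ok')
    print(accept_post(COLLIDING_FORM, min_keys_for_check=2))    # (False, 'collision-heavy input')
```

The ratio check only fires once a request carries enough keys to matter, so legitimate forms with a couple of accidental collisions are not affected; the hard count limit is what actually bounds the CPU time per request, which is why PHP chose it as the fix.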

  2. A tutorial in five parts on how to build a localizable PHP application:

    Part one

    When it comes to localizing your PHP application, you may have a lot of options at your disposal. We chose to use the GNU gettext library and its PHP extension, a powerful and easy approach that localizes the application “The right way!” In this installment you saw what’s needed to install gettext and the PHP extension, briefly used Poedit, and whetted your appetite with a simple Hello World script.

    Part two

    In this part you learned what each function call does in the Hello World script introduced in Part 1. In terms of its API, gettext isn’t really a large library. There are only a handful of functions, most of which you will only use once in your entire application. The most frequently used will be gettext(), or its shorthand alias _(), and its plural form equivalent ngettext(). You also learned how to target multiple Locales (en_US and fr_FR in our example), and how gettext falls back to the msgid when it’s missing a translation.

    Part three

    In this part you learned how using the default locale’s strings as msgids in target domains can improve performance and organization, and how switching between locales based on the user’s preference can be accomplished. You also learned that while gettext allows only one default lookup domain, you can use multiple domains with dgettext() provided you’ve bound them first.

    Part four

    In this part of the localization series you saw one of the most powerful features of gettext. Programmers who may try to write their own inline if statements each time they need to present a pluralized message will soon find the approach cumbersome and fragile. Gettext abstracts the logic so you can keep your code clean. All you need to do is determine the correct expression to calculate the plural forms index for each language you translate, provide the msgid and msgid_plural pair and then a set of indexed msgstrs that gettext can choose from, and gettext takes care of the rest.

    Part five

    In this last part of the series, you learned how to extract translation strings automatically from your PHP source files using the xgettext tool, generating a PO template file. The template can then be used for generating any target domain catalogs you need, thus leaving the cumbersome process of message extraction to the computer.

    Throughout the five parts you’ve learned how localization can be just a matter of writing separate translation files for a target locale, and then referenced using gettext(), its shorthand alias _(), and its plural counterpart ngettext(). You’ve also seen how taking advantage of gettext’s fallback behavior can lead to more readable code and translation catalogs, and how translations can be neatly organized into their own domains (messages.po for general messages, errors.po for error strings, etc.).

  3. The simplest approach:

    keep the files you include outside the web-accessible directory.

    If the web root is here:

    /var/www/superlapa/

    then keep:

    /var/www/ievietojumi/

    and accordingly, in a file located in:

    /var/www/superlapa/

    include('../ievietojumi/ievietojamais.php');

  4. GoCart

    GoCart is an open source e-commerce application which is focused on offering an easy to use/customize solution and not having a huge number of features but only the important ones.

    It can have unlimited categories, tiered categories with any depth, unlimited products-product images-options and can display related items.

    The built-in shipping methods include a flat or table rate, USPS, FedEx + UPS and has support for Paypal, Authorize.net and "COD (collect on delivery)" payment methods.

  5. I recommend reading this document to make sure that nothing mentioned there has been overlooked:

    Security Patterns Repository Version 1.0 PDF

    See the section on Account Reset and the additional patterns mentioned there.

    This StackOverflow discussion is considered a good one:

    The Definitive Guide To Website Authentication

    This "manifesto" also contains concise guidelines:

    Secure Web Application Framework Manifesto – Draft

    3.2.5 SECURE PASSWORD RESET / CHANGE

    Insecure forgotten password mechanisms are one of the easiest ways for attackers to break into an application. In particular, forgotten password questions are often easy to answer and are susceptible to brute forcing. If a secure web application framework provides password reset functionality, it should use the following sequence or one that provides a similar level of security:

    * Users visit a password reset page where they submit their User ID or email address. The page should also include an anti-automation technique, such as a CAPTCHA image with accessibility options for visually impaired users, to prevent user enumeration

    * Upon form submission, the site displays a page indicating that an email with instructions was sent to the user

    * In the interim, the site should send an email with a temporary link to the user. The link should expire after a short period of time (e.g. 1 hour)

    * When the user clicks on the link, they should be taken to a page where they respond to pre-determined forgotten passwords

    * The application should enforce account lockout if the user fails to correctly answer a question after a configurable number of tries (e.g. five wrong answers)

    * Users should be informed via email that their password has been changed, but the password itself should never be sent via email

    For cases where a user wants to change their password after successfully authenticating, ensure that the user enters both the old password and new password prior to changing. This is particularly important in web applications due to the risk of Cross Site Request Forgery on password reset pages.
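Editor's added example (not from the manifesto quoted above, and not a real framework's code): the reset sequence from 3.2.5 carried through as a small, runnable Python model. It stores only a hash of the emailed token, expires the link after one hour, treats the token as single-use, locks the account after five wrong answers to the pre-set question, answers the reset request identically whether or not the address exists, and sends a notification mail that never contains the password. The authenticated change path still demands the old password, which is the CSRF point the manifesto makes. PBKDF2 with 100,000 iterations, the `example.invalid` link, the in-memory `Account` store and the `outbox` list standing in for sent mail are all assumptions of this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TOKEN_TTL_SECONDS = 3600    # the manifesto's example: reset links expire after one hour
MAX_FAILED_ANSWERS = 5      # the manifesto's example lockout threshold (configurable)


def _kdf(secret: str, salt: bytes) -> bytes:
    """Slow salted hash for passwords and question answers (PBKDF2 is an assumption here)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    email: str
    salt: bytes
    password_hash: bytes
    answer_hash: bytes                          # hash of the pre-determined question's answer
    reset_token_hash: Optional[str] = None      # only a hash of the emailed token is stored
    reset_expires_at: float = 0.0
    failed_answers: int = 0
    locked: bool = False
    outbox: List[str] = field(default_factory=list)  # constructed stand-in for outgoing mail


def make_account(email: str, password: str, answer: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(email, salt, _kdf(password, salt), _kdf(answer, salt))


def request_reset(accounts: Dict[str, Account], email: str, now: float) -> str:
    """Steps 1-3: the response is the same whether or not the address exists (no enumeration);
    a fresh random token is mailed only to a known, unlocked account."""
    acct = accounts.get(email)
    if acct is not None and not acct.locked:
        token = secrets.token_urlsafe(32)
        acct.reset_token_hash = hashlib.sha256(token.encode("utf-8")).hexdigest()
        acct.reset_expires_at = now + TOKEN_TTL_SECONDS
        acct.outbox.append("reset link: https://example.invalid/reset?token=" + token)
    return "If that address is registered, an email with instructions has been sent."


def _token_valid(acct: Account, token: str, now: float) -> bool:
    if acct.reset_token_hash is None or now > acct.reset_expires_at:
        return False
    presented = hashlib.sha256(token.encode("utf-8")).hexdigest()
    return hmac.compare_digest(acct.reset_token_hash, presented)


def complete_reset(accounts: Dict[str, Account], email: str, token: str,
                   answer: str, new_password: str, now: float) -> bool:
    """Steps 4-6: unexpired link, correct answer, lockout after MAX_FAILED_ANSWERS,
    single-use token, and a notification that never contains the password."""
    acct = accounts.get(email)
    if acct is None or acct.locked or not _token_valid(acct, token, now):
        return False
    if not hmac.compare_digest(acct.answer_hash, _kdf(answer, acct.salt)):
        acct.failed_answers += 1
        if acct.failed_answers >= MAX_FAILED_ANSWERS:
            acct.locked = True
            acct.reset_token_hash = None
        return False
    acct.password_hash = _kdf(new_password, acct.salt)
    acct.reset_token_hash = None       # the link cannot be replayed
    acct.failed_answers = 0
    acct.outbox.append("notice: your password has been changed")
    return True


def change_password(acct: Account, old_password: str, new_password: str) -> bool:
    """Authenticated change: the old password is required even for a logged-in user,
    so a forged cross-site request cannot silently replace it."""
    if acct.locked or not hmac.compare_digest(acct.password_hash, _kdf(old_password, acct.salt)):
        return False
    acct.password_hash = _kdf(new_password, acct.salt)
    acct.outbox.append("notice: your password has been changed")
    return True


def token_from_mail(acct: Account) -> str:
    """Demo helper: pull the token out of the most recent reset mail in the outbox."""
    return acct.outbox[-1].split("token=", 1)[1]
```

Storing the token hash rather than the token means a leaked database does not hand out usable reset links, and comparing with `hmac.compare_digest` keeps the check constant-time; both are standard practice rather than requirements the manifesto spells out.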

  6. Learning never ends. If it does, growth ends and competitiveness gradually fades, propped up for a while by experience. Once competitiveness has fallen to a critical level, then (if possible) one must either start learning again, or retrain for a different field (one where growth matters less), or simply enjoy life and live off what was put aside earlier.

  7. Stanford continues:

    http://www.crypto-class.org/
    Introduction to cryptography

    http://www.algo-class.org/
    Introduction to the design and analysis of algorithms

    http://www.pgm-class.org/
    Probabilistic graphical models

    http://www.game-theory-class.org/
    Game theory

    http://www.nlp-class.org/
    Natural language processing

    http://www.hci-class.org/
    Human-computer interaction

    http://www.saas-class.org/
    Software as a service

    http://jan2012.ml-class.org/
    Machine learning

    http://www.cs101-class.org/
    Introduction to computer science from scratch
