Skip to main content

Posts

Showing posts from September, 2021

PHP file upload security

https://www.acunetix.com/websitesecurity/upload-forms-threat/ https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload Some way to create vulnerability files like image with PHP code in comments, descriptions ... ImageTragick! https://help.shopify.com/en/manual/orders/fraud-analysis Beating getimagesize() The getimagesize() function will check if it is an image and will check “mime” to verify image type. Insecure Configuration :  <FilesMatch ".+\.ph(p([3457s]|\-s)?|t|tml)">  SetHandler application/x-httpd-php  </FileMatch> Secure Configuration :  <FilesMatch ".+\.ph(p([3457s]|\-s)?|t|tml)$">  SetHandler application/x-httpd-php  </FileMatch> If the service is up an running with the Insecure Configuration, any one can beat the getimagesize function by writing comments in GIF file. For that an end user need to install an utility in Kali/Ubuntu OS named ‘gifsicle’  For Kali Linux : apt-get install gifsicle  For ...

MMF audio player - Yamaha SMAF format

http://download.music-eclub.com/midradio/detail_m_x.php Mac version seem not work since it's too old. Window 7 work well even though font break (we often not install Japanese fonts). Tried many online and offline video/audio converter but no luck. https://www.file-extensions.org/smaf-tools-file-extensions#desc https://www.file-extensions.org/convert-mmf-to-mp3 https://www.fmjsoft.com/awavestudio.html#main

PHP CLI vs PHP web (CGI ) diferrent --with-config-file-scan-dir=

 https://serverfault.com/questions/968402/load-specific-php-module-for-directory-apache-2-4-centos-7 You can't load two different PHP modules at the same time. Full stop. This is why you must use php-fpm to run different PHP versions. https://medium.com/@pushpendrachauhan/how-migrating-apache-mpm-from-prefork-to-event-based-using-php-fpm-saved-our-day-8a6e371d94fd => note more https://forums.aws.amazon.com/thread.jspa?threadID=283215 https://stackoverflow.com/questions/30446904/how-to-allow-custom-built-scan-this-dir-for-additional-ini-files-php-ini-file https://www.php.net/manual/en/configuration.file.php The configuration file ¶ The configuration file (php.ini) is read when PHP starts up. For the server module versions of PHP, this happens only once when the web server is started. For the CGI and CLI versions, it happens on every invocation. php.ini is searched for in these locations (in order): https://github.com/brefphp/bref/issues/355 AWSTemplateFormatVersion: '2010-09-...

Testing Culture - Martin Fowler

https://martinfowler.com/articles/testing-culture.html  It’s likely that the programmer who wrote this algorithm the first time did execute the program to check for errors in the new code. Most programmers will run a program with some sample inputs to verify that it’s doing what they think it should do. The problem is that these runs are often ephemeral and thrown away once the code is working; an automated test captures those runs as a permanent double-check. - Yeah many time (often in legacy) code that I write some precious test and then have to clean it after done to push to Git. That permanent double-check is important here: We don’t know exactly how that rogue second goto fail got into the code; a likely reason is that it was the result of a large merge operation. When merging a branch into the mainline, large differences can result. Even if a merge compiles, it can still introduce errors. Inspecting such merge differences can be time-consuming, tedious, and error-prone , even...