A brief description of the fopen PHP vulnerability

One of the PHP vulnerabilities still being found on many websites involves the fopen function in PHP (CVE-2007-0448). You can secure your website by disabling includes when calling the fopen function.

According to cvedetails.com: "PHP 5.2.0 does not properly handle invalid URI handlers, which allows context-dependent attackers to bypass safe_mode restrictions and read arbitrary files via a file path specified with an invalid URI, as demonstrated via the srpath URI."

It is usually not recommended to enable the fopen function in php.ini; however, some developers enable it in the code itself for a specific task. Let's see how this is exploited.

Let's say we have a page called vulnerability.php containing this code:

<?php
// The value is taken straight from the URL and passed to include() without any validation.
$vulnerable = $_GET['vulnerable'];
include($vulnerable);
?>

So, $vulnerable = $_GET['vulnerable']; means: put the 'vulnerable' GET parameter, i.e. the parameter that appears in the URL, into the variable $vulnerable. An example is http://mysite.com/page.php?vulnerable=yes&howmuch=Very.

By including the value of the variable ($vulnerable), you are allowing an attacker to inject code. Someone could, for instance, try this in his browser:

http://www.mywebsite.com/fopen.php?vulnerable=../../../index.php

This lets the attacker move through the directories and start exploring the whole directory tree. However, if you are running PHP-FPM for a particular instance, only that instance is impacted, as PHP-FPM lets you isolate each running instance within the server.
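The usual fix for the include pattern above is to never let the request value become a path at all. The following is an added example (not code from the original post) that maps a short page key to a fixed file through an allowlist; the page names and the pages/ directory are assumed:

```php
<?php
// Added example, not from the original post: an include() driven by a request
// parameter, hardened with an allowlist. Page keys and the pages/ directory are
// assumed for illustration.
declare(strict_types=1);

// Only these keys may be requested; each maps to a fixed file under our control.
const ALLOWED_PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

function resolvePage(?string $requested): ?string
{
    // Unknown or missing keys are rejected; the user's value never becomes a path.
    if ($requested === null || !array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }
    $path = realpath(__DIR__ . '/' . ALLOWED_PAGES[$requested]);
    $base = realpath(__DIR__ . '/pages');
    // Belt and braces: the resolved file must still live under pages/.
    if ($path === false || $base === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$page = resolvePage($_GET['page'] ?? null);
if ($page === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $page;
```

Setting allow_url_fopen and allow_url_include to Off in php.ini blocks remote inclusion, but it does not stop the local ../ traversal shown above; only validating the value, as the allowlist does, prevents that.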


Internet Speed – How truthful is your ISP?

Have you ever noticed that your ISP (Internet Service Provider) advertises your Internet package in a very tricky way? One of the best ways to mislead you is the use of technical terms such as bytes and bits, more precisely the term kilobits per second (kbps).

However, when you browse the Internet or download some files, you will notice that your browser indicates the speed in kilobytes per second (kB/s).

To be clearer: your ISP sells Internet service in terms of kilobits per second (kbps), whilst your browser shows you kilobytes per second (kB/s). The trap is the letter: b for bits and B for bytes.

Let's say you have applied for a 512 kbps package.

Firstly, multiply your speed by 1024 and divide by 8 to convert from kilobits per second to bytes per second; i.e. 512 x 1024/8 = 65,536 bytes per second.

Then convert from bytes/s to kilobytes/s:

65,535 bytes = 65,535/1000 kB/s = 65.5 kB/s 

So, in brief: the advertised Internet speed (in kbps) is what you pay for, whereas your browser's download speed (in kB/s) is what you actually get.

512 kbps = 65.5 kB/s

1 Mbps = 122.1 kB/s 

2 Mbps = 244.2 kB/s

10 Mbps = 1220.1 kB/s

Now, suppose you are going to download a 700 megabyte file. Your browser will make an estimate of the download time; you can also monitor your downloads with several tools available on the Internet. Let's say you have a 1 Mbps Internet connection from your ISP, which means that your speed will be 65.5 KB/s.

Calculate the download time as follows:

700 x 1024 = 716800 kilobytes (converting from 700 megabytes to kilobytes)

Therefore, if

65.5 kilobytes download in 1 second (i.e. 65.5 kB = 1 s), then

716800 kilobytes will download in 716800/65.5 = 5870.6 seconds

5870.597870598 / 60 = 97 minutes

Assume we still subscribe to a 1 Mb connection. The trick is that when you buy an Internet connection, your ISP does not inform you of, or commit itself to, what is required, and evades the issue by using the famous words "up to". What I am referring to is that you pay for an Internet connection of up to "xxx kbps".

This is called CIR (committed information rate). According to Wikipedia, "Committed information rate or CIR in a Frame relay network is the average bandwidth for a virtual circuit guaranteed by an ISP to work under normal conditions."

Therefore the CIR is the minimum speed provided by your ISP. Do ISPs provide that CIR? Is this mentioned in the law? My understanding is that one cannot complain until that CIR is mentioned in the contract.

Another issue is something called PEO (Protocol Encapsulation Overhead). When you buy, say, an ADSL link of 2 Mbps, your line syncs with your ISP at 2 Mbps over ATM or another backbone technology (PPPoA, PPPoE). The catch is that Point-to-Point Protocol over ATM (PPPoA) needs to be encapsulated in ATM cells. There is an overhead in doing so, meaning you are not effectively getting 2 Mbps of Internet Protocol connectivity.
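The conversions and the download-time estimate above, plus a rough figure for the encapsulation overhead, as an added example that is not part of the original post. It assumes the ISP quotes decimal kilo/mega (1 kbps = 1000 bit/s), that the browser shows binary kilobytes (1 kB = 1024 B), and, for the PEO illustration, only ATM's 48 payload bytes per 53-byte cell (PPP framing is ignored):

```python
# Added example (not from the original post): advertised ISP rate vs. the figure
# a browser shows, a download-time estimate, and a lower bound on protocol
# encapsulation overhead. Assumptions: ISP rates use decimal kilo/mega
# (1 kbps = 1000 bit/s); browsers show binary kilobytes (1 kB = 1024 bytes).

UNIT_BITS = {"kbps": 1_000, "Mbps": 1_000_000}

# ATM carries 48 payload bytes in every 53-byte cell. PPPoA/PPPoE framing adds
# more, so this ratio is a lower bound on the overhead, not the exact figure.
ATM_PAYLOAD_RATIO = 48 / 53


def bytes_per_second(rate, unit="Mbps"):
    """Advertised link rate -> bytes per second (8 bits per byte)."""
    return rate * UNIT_BITS[unit] / 8


def browser_kBps(rate, unit="Mbps"):
    """What a download dialog shows: binary kilobytes per second."""
    return bytes_per_second(rate, unit) / 1024


def download_seconds(file_megabytes, rate, unit="Mbps", overhead_ratio=1.0):
    """Seconds to fetch a file of file_megabytes (binary MB) at the given rate.

    overhead_ratio < 1.0 models encapsulation overhead (e.g. ATM_PAYLOAD_RATIO).
    """
    file_bytes = file_megabytes * 1024 * 1024
    return file_bytes / (bytes_per_second(rate, unit) * overhead_ratio)


if __name__ == "__main__":
    for rate, unit in [(512, "kbps"), (1, "Mbps"), (2, "Mbps"), (10, "Mbps")]:
        print(f"{rate} {unit} = {browser_kBps(rate, unit):.1f} kB/s")
    secs = download_seconds(700, 1)
    print(f"700 MB at 1 Mbps: {secs:.0f} s = {secs / 60:.0f} min")
    secs_atm = download_seconds(700, 1, overhead_ratio=ATM_PAYLOAD_RATIO)
    print(f"... with ATM cell overhead only: {secs_atm / 60:.0f} min")
```

Because the page's 512 kbps figure uses 1024 bits per kilobit while its Mbps rows use decimal mega, the 512 kbps row comes out as 62.5 kB/s here rather than 65.5; the Mbps rows match.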

The British Computer Society Facebook group

It has been more than a year since I created a group on Facebook for current and prospective BCS HEQ students to join hands for more advanced and constructive debates, helping everyone get through the BCS HEQ exams. Already reaching more than 450 members, the group is usually most active during the exam period, though many members encourage and help one another throughout the year.

What is BCS? The British Computer Society (BCS) champions the global IT profession and the interests of individuals engaged in that profession for the benefit of all. The BCS has carried out several interesting activities in terms of setting up standards and frameworks.

As a student member of the BCS, I have access to the online library powered by Safari Books Online. There are also several facilities, such as an email forwarder service and the BCS online magazine ITNOW, which are really interesting for students and IT professionals.

On the Facebook group, we focus on sharing notes between students. However, other professionals and students are also welcome to share their knowledge about IT. To send a straightforward message to fake or illegal learning centres, the group does not accept people advertising their learning centres; the official BCS website already has a list of registered centres.

If you are from Mauritius, the official BCS Mauritius Section website is at bcsmru.bcs.org.

If you are an IT enthusiast, do not delay in joining the Facebook group.


Create a server with NodeJS – LUGM Meetups

A meetup was held today at 12:30 hrs by Yog Lokhesh Ujhoodha at the University of Mauritius under the banner of the Linux User Group of Mauritius. The event, titled "How to make a smart server with NodeJs", was announced on the LUGM Facebook group as well as on the LUGM mailing list. As a passionate freelance developer, he shared his experience of using NodeJs in critical production environments.

He started by giving the audience a straightforward explanation of the difference between a web server and a runtime environment in the context of NodeJs.

Yog in action during the presentation

As you can see in the YouTube video, he laid emphasis on the following topics:

1. A problem statement

2. Web server architectures

3. Building an event-driven web server with NodeJS

4. Distributed load with NodeJs

5. Useful tools and Real life Benchmarks


We ended with some technical questions; several were raised by our Hangout viewers. You can view the video and ask any questions for further clarification. About 15-20 people attended the meetup.

You can also reach Yog through his website at http://shaanxoryog.hackers.mu

Another article is coming up on http://www.hacklog.mu


URGENT – Stagefright is here – Update your Android now

This is a straight and direct message to everyone on this planet: YOU NEED TO UPDATE YOUR ANDROID MOBILE PHONES, TABLETS, etc. NOW!!

How many amongst you have an Android device? Are you aware that billions of people around the world are impacted by a vulnerability called Stagefright? After the announcement was made on 27 July 2015 by Joshua Drake of Zimperium, I still noticed that many people are not at all aware of this vulnerability and its devastating effect.

What is Stagefright?

"Stagefright has been called the biggest Android security concern ever. It occurs when malicious code is unknowingly triggered by media in multi-media messages (MMS). Stagefright could affect a billion devices, most particularly those running Android Jelly Bean or earlier. This number, if you've taken a recent look at the percentages of different Android versions currently in use, is staggering." – Androidpit.com

You can download the free app from the Google Play Store to verify whether your mobile phone is vulnerable or not.

The aim of this article is to make everyone aware that they should update their Android devices. Please do inform your friends and everyone around you.

Please take note that some companies have not yet released those patches. In that case I encourage everyone to voice their opinions with the help of Twitter.

Note: Some Android devices cannot be patched because the vendor is not sending any updates. In that case you can disable "MMS on reception", but that does not keep you 100% safe!

Click here – This may interest Security Experts and Software Engineers.