"Congratulations! Your software is now open source, whether you like it or not."
A college webserver I was given temporary access to allowed me to upload HTML files, and after a short time I became curious whether PHP was enabled as well, although it never came up. I threw up a test PHP echo and yessir, PHP is a go. Well, there's only one directory I'm allowed access to, so I wonder how it handles web console, the awesome and dangerous little command-line toolbox in a single file.
Just spoofed my boss's email address while emailing myself from basically one line of PHP on my own domain. This didn't work when I tried emailing my Yahoo address from another Yahoo address, and I wasn't even going to attempt it, but of course now I'm glad I did. A look into the raw content obviously shows the domain the email traveled from, but how many times do you check that when you get an email from firstname.lastname@example.org? Most likely never. So my work uses SmarterMail Enterprise 11.7, which is in clear text on the login screen as well. A simple SmarterMail search on Yahoo turns up a ton of other subdomains on their sites using this mail client. Branding your software is a good thing, but shouldn't you take into account, when a security bug is found, how easy it is to find all the sites that use it? Probably. For those of you who don't know PHP, all you have to do to send mail from PHP is basically
<?php
// The fourth argument is raw additional headers; the From: value is whatever the caller writes.
mail("the send to email here", "the subject here", "the message here", "From: " . "and whatever from email you want here");
Simple and very useful, but the email receiving side should check some of this integrity. Now, since I'm on domain.com hosting, do you think I could send an email@example.com email to someone there for some password phishing? I hope not. Either way, emails like this get sent all the time across the wires; it's just the receiver's job to check integrity. Now I'm going to go email my work's billing department and make sure I get a raise, cheers!
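The post leaves the receiving side's job at "check integrity". Here is what that check looks like in practice, as an added example that is not part of the original post and not PHP: the receiving mail server stamps an Authentication-Results header (RFC 7601) with its SPF and DKIM verdicts and records the envelope sender in Return-Path, so a mail client or filter can compare the header From: domain against both. The two raw messages, the domains and the host names are constructed for the example.

```python
"""Receiver-side checks for a spoofed From: header (added example).

A sender can put any address in From:, as the mail() call above shows. The
receiving MTA, however, knows the envelope sender (Return-Path) and records
its SPF/DKIM results in Authentication-Results, and a filter can compare
those with the From: domain. Both messages below are constructed samples.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: From: claims the boss's domain, but the envelope sender and the
# submitting host belong to an unrelated hosting domain and SPF fails.
SPOOFED_RAW = """\
Return-Path: <www-data@attacker-hosting.example>
Received: from web01.attacker-hosting.example (web01.attacker-hosting.example [192.0.2.10])
    by mx.company.example with ESMTP id abc123; Mon, 14 Apr 2014 10:00:00 -0400
Authentication-Results: mx.company.example; spf=fail smtp.mailfrom=attacker-hosting.example; dkim=none
From: boss@company.example
To: me@company.example
Subject: Quick favour

Please wire the invoice today.
"""

# Constructed: the same From:, but sent through the company's own mail server,
# so the envelope domain matches and SPF/DKIM both pass.
LEGIT_RAW = """\
Return-Path: <boss@company.example>
Received: from mail.company.example (mail.company.example [198.51.100.5])
    by mx.company.example with ESMTP id def456; Mon, 14 Apr 2014 10:05:00 -0400
Authentication-Results: mx.company.example; spf=pass smtp.mailfrom=company.example; dkim=pass header.d=company.example
From: boss@company.example
To: me@company.example
Subject: Team lunch

Friday at noon.
"""


def _domain(addr):
    """Lower-cased domain part of a header address, or '' if there is none."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rpartition("@")[2].lower()


def _auth_results(msg):
    """Collect method=result pairs from every Authentication-Results header."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            results[method.lower()] = result.lower()
    return results


def check_sender(raw):
    """Return the extracted domains, the auth verdicts and a list of findings.

    A message is flagged when the From: domain differs from the envelope
    sender domain (the alignment DMARC enforces) or when SPF or DKIM did not
    pass. Mailing lists and forwarders can trip the alignment rule, so treat
    the result as a signal for review, not as an automatic reject.
    """
    msg = message_from_string(raw)
    from_domain = _domain(msg.get("From"))
    envelope_domain = _domain(msg.get("Return-Path"))
    auth = _auth_results(msg)
    findings = []
    if not from_domain:
        findings.append("missing or unparsable From: header")
    if from_domain and envelope_domain and from_domain != envelope_domain:
        findings.append("From: domain %s differs from envelope sender domain %s"
                        % (from_domain, envelope_domain))
    if auth.get("spf") != "pass":
        findings.append("SPF did not pass (%s)" % auth.get("spf", "absent"))
    if auth.get("dkim") != "pass":
        findings.append("DKIM did not pass (%s)" % auth.get("dkim", "absent"))
    return {
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "auth": auth,
        "suspicious": bool(findings),
        "findings": findings,
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_RAW), ("legit", LEGIT_RAW)):
        verdict = check_sender(raw)
        print(label, "suspicious" if verdict["suspicious"] else "ok", verdict["findings"])
```

The check only trusts Authentication-Results headers added by your own border MTA; a message that arrives from outside already carrying such a header has simply been given a forged one, which is why real deployments strip them on ingress before adding their own.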
I've noticed a theme lately with open-source back ends.
It used to be that the average Joe looking for some pre-made PHP awesomeness could upload an unzipped folder and run some install PHP script that would walk through a few steps and most likely even set up the MySQL database schema for the user.
Now I've noticed heavy use of Vagrant with uncommon ports, uncommon database environments and dependencies that would make it hell for the average Joe to get a package up and running on his basic server using common cPanel web hosting. At first I thought this was a coincidence and these devs just wanted to use a great product like Vagrant to keep their dev OS standard; then I noticed how many people were disgruntled after hours and days of trying to transfer this stuff to their servers.
These open-source devs aren't stupid, and some of them are now running million-dollar companies based on this, with tech support and hosting users' back ends, all while bragging that they are open source. I like Vagrant, but some code out there could have been made more portable. Perhaps I'll just start writing my open-source iOS apps in assembly.
How come Adobe Fireworks doesn't use the Adobe Fireworks hotkeys? Are there hotkeys? This is one of the 1000 implementation questions I had while switching between the two to create a layout for a website... oh yeah, and...
WINDOWS WHAT HAVE YOU DONE?!?!
It's like a UI murder scene in that OS.
Detective: Ma'am, what happened?
Distraught lady: Well, I just... I... I turned on the computer...
Detective: Go on... it's ok.
Distraught lady: I turned it on and this... this THING showed up.
Detective: You're safe now... just step back and pick a Mac or Linux flavor.
Distraught lady: What's going to happen to it?
Detective: I don't know, we thought Bill Gates would have said April Fools by now...
Topic of the week, of course... and then I saw this ridiculously titled article and had to read it: http://www.theverge.com/2014/4/11/5604300/heartbleed-may-not-leak-private-ssl-keys-after-all
Or skip the read for this gem inside...
"Robert David Graham of Errata Security had come to a similar conclusion earlier this week, writing a post titled, 'Why Heartbleed Doesn't Leak the Private Key,' but he publicly retracted the claim after facing disagreement from the security community."
From there the next line goes on to say: "To prove it, CloudFlare has set up an intentionally vulnerable page and challenged hackers to use Heartbleed to pull the site's private key."
Funny part is, by the time I read this article the site's private key had already been retrieved by two people/sources. Well done. The challenge is still on; maybe if I have some time tomorrow I'll grab it for myself as well. Here's the link: https://www.cloudflarechallenge.com/heartbleed