A college webserver I was given temporary access to allowed me to upload HTML files, and after a short time I became curious whether PHP was enabled as well, although it never came up. I threw up a test PHP echo and yessir, PHP is a go. Well, there's only one directory I'm allowed access to, so I wonder how it handles Web Console, the awesome and dangerous little command-line toolbox in a single file.
Just spoofed my boss's email address while emailing myself from basically one line of PHP on my own domain. This didn't work when I tried emailing my Yahoo address using another Yahoo address, and I wasn't even going to attempt it, but of course now I'm glad I did. A look into the raw content obviously shows the domain the email traveled from, but how many times do you check that when you get an email from firstname.lastname@example.org? Most likely never. So my work uses SmarterMail Enterprise 11.7, which is in clear text on the login screen as well. A simple "smarter mail" search on Yahoo turns up a ton of other subdomains on their sites using this mail client. Branding your software is a good thing, but shouldn't you take into account, when a security bug is found, how easy it is to find all the sites that use it? Probably. For those of you who don't know PHP, all you have to do to send mail from PHP is basically
mail("the send to email here", "the subject here", "the message here", "From: " . "and whatever from email you want here");
Simple and very useful, but the receiving side should check some of this integrity. Now, since I'm on domain.com hosting, do you think I could send an email@example.com email to someone there for some password phishing? I hope not. Either way, emails like this get sent all the time across the wires; it's just the receiver's job to check integrity. Now I'm going to go email my work's billing department and make sure I get a raise, cheers!
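The receiver-side integrity check the post asks for, as an added example and not the author's code: it reads a raw message the way the post describes reading the raw content by hand, pulls the domain out of the visible From: header, the Return-Path (envelope sender) and the host named in the topmost Received: hop, and flags the message when they disagree. Both sample messages, their domains and IP addresses are constructed for the example.

```python
"""Receiver-side check: does the visible From: domain agree with where the
message actually came from?  Added example, not code from the original post."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: From: claims the corporate domain, but the envelope sender
# and the relaying host show the message originated somewhere else entirely.
SPOOFED_RAW = b"""\
Return-Path: <www-data@attacker-owned.example.net>
Received: from web01.attacker-owned.example.net (web01.attacker-owned.example.net [203.0.113.7])
\tby mx.corp.example.com with ESMTP id ABC123
\tfor <victim@corp.example.com>; Fri, 11 Apr 2014 10:00:00 +0000
From: Boss <boss@corp.example.com>
To: victim@corp.example.com
Subject: urgent
Message-ID: <1@attacker-owned.example.net>

please wire the money
"""

# Constructed sample: a message that really did come from the From: domain.
LEGIT_RAW = b"""\
Return-Path: <boss@corp.example.com>
Received: from mail.corp.example.com (mail.corp.example.com [198.51.100.5])
\tby mx.corp.example.com with ESMTP id DEF456; Fri, 11 Apr 2014 10:05:00 +0000
From: Boss <boss@corp.example.com>
To: victim@corp.example.com
Subject: lunch
Message-ID: <2@corp.example.com>

noon?
"""

# Matches the host named in the "from" clause of a Received: header.
RECEIVED_FROM = re.compile(r"^\s*from\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def domain_of(addr) -> str:
    """Lower-cased domain part of a mailbox ('' if the header is missing)."""
    _, address = parseaddr(str(addr) if addr else "")
    return address.rpartition("@")[2].lower()


def first_hop_domain(msg) -> str:
    """Host named by the topmost Received: header.

    The topmost Received: line was written by our own MX, so it is the only hop
    whose 'from' clause we can trust; everything below it is sender-supplied."""
    received = msg.get_all("Received") or []
    if not received:
        return ""
    match = RECEIVED_FROM.match(str(received[0]))
    return match.group(1).lower() if match else ""


def check_sender_alignment(raw: bytes) -> dict:
    """Compare the From: domain against the envelope sender and the first hop."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_dom = domain_of(msg["From"])
    return_path_dom = domain_of(msg["Return-Path"])
    hop = first_hop_domain(msg)

    findings = []
    if return_path_dom and return_path_dom != from_dom:
        findings.append(f"Return-Path domain {return_path_dom!r} != From domain {from_dom!r}")
    # Accept the hop if it is the From domain itself or a host inside it.
    if hop and not (hop == from_dom or hop.endswith("." + from_dom)):
        findings.append(f"first hop {hop!r} is not inside From domain {from_dom!r}")

    return {
        "from_domain": from_dom,
        "return_path_domain": return_path_dom,
        "first_hop": hop,
        "suspicious": bool(findings),
        "findings": findings,
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_RAW), ("legit", LEGIT_RAW)):
        result = check_sender_alignment(raw)
        print(label, "suspicious" if result["suspicious"] else "ok", result["findings"])
```

This is the manual check automated, not a replacement for the real receiver-side controls: production mail systems answer the same question with SPF (is the relaying host allowed to send for the envelope domain?), DKIM (is the message signed by the From: domain?) and DMARC (does the From: domain align with whichever of those passed, and what should happen if not?). A PHP mail() call with a forged From: header passes none of those when the receiving domain enforces them, which is exactly why the Yahoo-to-Yahoo attempt in the post failed while the unprotected domain accepted it.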
I’ve noticed a theme lately with open source back ends.
It used to be that the average Joe looking for some pre-made PHP awesomeness could upload an unzipped folder, run some install PHP that would go through some steps and most likely even set up the MySQL database schema for him.
Now I've noticed heavy use of Vagrant with uncommon ports, uncommon database environments and dependencies that would make it hell for the average Joe to get a package up and running on his basic server using common cPanel web hosting. At first I thought this was a coincidence and these devs just want to use a great product like Vagrant to keep their dev OS standard; then I noticed how many people were disgruntled after hours and days of trying to transfer this stuff to their servers.
These open source devs aren't stupid, and some of them are running million-dollar companies based off this now, with tech support and hosting users' backends, all while bragging that they are open source. I like Vagrant, but some code out there could have been made more portable. Perhaps I'll just start writing my open source iOS apps in assembly.
How come Adobe Fireworks doesn't use the Adobe Fireworks hotkeys? Are there hotkeys? This is one of the 1000 implementation questions I had while switching between the two to create a layout for a website… oh yeah, and…
WINDOWS WHAT HAVE YOU DONE?!?!
It's like a UI murder scene in that OS.
Detective: Ma'am, what happened?
Distraught lady: Well, I just… I… I turned on the computer…
Detective: Go on… it's OK.
Distraught lady: I turned it on and this… this THING showed up.
Detective: You're safe now… just step back and pick a Mac or Linux flavor.
Distraught lady: What's going to happen to it?
Detective: I don't know, we thought Bill Gates would have said April Fools by now…
Topic of the week, of course… and then I see this ridiculously titled article and had to read it: http://www.theverge.com/2014/4/11/5604300/heartbleed-may-not-leak-private-ssl-keys-after-all
Or skip the read for this gem inside…
“Robert David Graham of Errata Security had come to a similar conclusion earlier this week, writing a post titled, ‘Why Heartbleed Doesn’t Leak the Private Key,’ but he publicly retracted the claim after facing disagreement from the security community.”
From there the next line goes on to say “To prove it, CloudFlare has set up an intentionally vulnerable page and challenged hackers to use Heartbleed to pull the site’s private key.”
Funny part is, by the time I read this article the site's private key had already been retrieved by 2 people/sources; well done. The challenge is still on, maybe if I have some time tomorrow I'll grab it for myself as well. Here's the link: https://www.cloudflarechallenge.com/heartbleed
bududs asked: Hi, can you make it possible to search a single track? Then maybe show the playlists it is included in.
Thanks for the suggestion! But where would the surprise of hearing a song be? Regardless, I'll share your suggestion with the team :)
I'd use it. It was one of my initial 8tracks impulses to use a track to narrow down my mood and discover more music based off that and what users associated it with in their mixes.
Web Console isn't anything new; it's just something I'm using right now on my host's web server. Now if I were the host I would be cautious, but there is no way to be when you allow CGI/scripting these days; the only way to protect yourself is to only allow HTML/text with no uploads. “Good luck getting clients with that…”
There are thousands of reasons to use a web-style command prompt if you have a limited web host like I do that's pretty behind the times but also dirt cheap. This console is pretty loaded with most of the commands and abilities you'll need, and as I was testing it out I went back a few directories further than I should be able to, then tried an "ls" command and received a nice permission denied as expected. Until I went all the way back to the root folder… I was allowed to list all files and directories… weird. Kind of curious now how this sandbox, or 'lack thereof', works…
From my folders I am basically root and can execute just about any script… if the latest iPhone filesystem can be jailbroken as fast as it is by reverse engineering BSD's launch daemon, I'm really second-guessing using this dirt cheap yet well known host…
I wonder if an email would get me permission to attempt beyond permission denied access. I have work to do, how'd I get this sidetracked…