Paul Gregg

Jack of all Tech.

TinyURL PHP “flaw” ?

Written By: pgregg - Mar• 19•2009

The Register is running a story today, “TinyURL, your configs are showing”, which points out that TinyURL has a /php.php page displaying the output of phpinfo().

The article then goes on to make some scary sounding claims from security consultant Rafal Los: “Why would you want to run a web service as ‘Administrator’ because if I figure out a way to jack that service, I completely, 100% own that machine.” and “More importantly… why is this server running as ROOT:WHEEL?!”

Sorry Rafal – but you appear to have no idea how web servers work, or all that much about (web) security.

All Unix-based web servers start as root if they want to bind to the restricted (and default) port 80, after which they switch to the configured UID for request handling.  So, right there, go all of Rafal’s claims about pwning the machine.

Check your own server: the _SERVER and _ENV values will reflect the starting shell/environment, which just happens to be root.  In other words, there is nothing wrong with the settings. Having said that, they do have register_globals turned on, which isn’t ideal – but it isn’t a gaping hole if the underlying PHP code is safely coded.
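To make the bind-as-root-then-switch sequence concrete, here is an added example (not from the original post, and not TinyURL’s or Apache’s code) that does what a web server’s startup does in miniature, then shows why the inherited environment still says root while the effective uid no longer is. The uid/gid 65534 for “nobody” is an assumption; a real server uses its configured User/Group.

```python
import os
import socket

# Conventional uid/gid of "nobody" on Linux; assumed here, real servers use
# the configured User/Group (e.g. www-data, apache).
UNPRIV_UID = 65534
UNPRIV_GID = 65534


def effective_identity():
    """What the kernel says this process is, beside what the inherited
    environment claims. $USER is copied from the shell that started the
    server and is never rewritten by setuid(), so it keeps saying 'root'."""
    return {"euid": os.geteuid(), "egid": os.getegid(),
            "env_user": os.environ.get("USER")}


def bind_listener(port):
    """Bind before dropping privileges: ports below 1024 need root (or
    CAP_NET_BIND_SERVICE). port=0 asks for an ephemeral port, which lets
    this run unprivileged for a demonstration."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("127.0.0.1", port))
    s.listen(1)
    return s


def drop_privileges(uid=UNPRIV_UID, gid=UNPRIV_GID):
    """Switch to the unprivileged identity the way a web server's request
    handlers do. Returns True if a switch happened (only root can switch)."""
    if os.geteuid() != 0:
        return False
    os.setgroups([])   # shed supplementary groups first
    os.setgid(gid)     # gid before uid, or the gid change would be refused
    os.setuid(uid)     # irreversible: no saved root uid to go back to
    return True


def serve_once(port=80, uid=UNPRIV_UID, gid=UNPRIV_GID):
    """Start (as root), bind, drop, and report both snapshots."""
    before = effective_identity()
    sock = bind_listener(port)
    dropped = drop_privileges(uid, gid)
    after = effective_identity()
    sock.close()
    return {"before": before, "after": after, "dropped": dropped}


def handles_requests_as_root(report):
    """The check that actually matters: the euid *after* the drop, not $USER."""
    return report["after"]["euid"] == 0
```

Run as root with port 80 and `report["before"]["env_user"]` stays "root" in both snapshots while `report["after"]["euid"]` is 65534, which is exactly what a phpinfo() page on such a server shows.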

Also to TinyURL’s credit, they are running the Suhosin patch to harden their server.  They’re also running the latest production PHP (which is more than I can say).  Granted, they probably don’t want to be exposing phpinfo() – but this is all just an overblown storm in a teacup.

St. Patrick’s Day in Downpatrick

Written By: pgregg - Mar• 17•2009

I took the kids to the St. Patrick’s Day parade today in Downpatrick, Co. Down (in Ireland for the non-Irish based people), the “home” of St. Patrick.

The event itself is described by the organisers:

“ST PATRICK‘S DAY CROSS-COMMUNITY CARNIVAL PARADE
This cross-community event, the centre-piece of the festival, will be a
spectacular cavalcade of floats, bands, people in fancy dress and lots
of attractions! Parade theme: ‘The Sun, the Moon and the Stars’. The
parade will assemble on the Ardglass Road at 1.00pm and depart at
2.30pm for the town centre where it will arrive at approximately
2.50pm. Parade route: Ardglass Road, Edward Street, John Street, Irish
Street and Market Street. The closing date for parade entries is Friday
27 February 2009. Organised by Down District Council.”

Anyway, I took loads of photographs and put them all up over on my photo gallery:

http://photos.pgregg.com/v/Users/pgregg/stpatrick2009/

The kids enjoyed it greatly, though the funniest moment was a local Manchester United supporters club who went the entire route to boos and chants of “FOUR – ONE!” (in reference to Liverpool beating Manu 4-1 at the weekend).

The parade had a huge variety of themes, only a few of them Irish.  Others included an American flag waving troop from Florida, Salsa dancers, puppeteers on stilts, Spongebob (anything with Spongebob is a win), Chinese dragons and drummers, through to kids dressed as Star Wars characters.



Valentine’s CISS

Written By: pgregg - Feb• 14•2009

Printers. Love them or hate them, you still have to feed them Ink (or Toner) cartridges.  
These are expensive little beasts to keep running – it has been commented that printer ink is expensive, and to give you an idea just how expensive it is:

  • Printer Ink is 7 times more expensive than Dom Perignon.
  • Printer Ink is more expensive than the most expensive perfumes.
  • Printer Ink is more expensive than human blood.

Or if you want to see the scale, here is an often posted image (attribution unknown).  Update: found the original source at Gizmodo from Nov 2006.

1-compare.jpg

Like many people I had found the relative comfort of 3rd-party or remanufactured ink cartridges, which bring the cost per cart down to around £3 (instead of £9) for my particular model.

However, as I was installing the last of my replacement carts, before having to order more, imagine my horror when the magenta cart simply failed to work.   Nothing – the printer refused to accept it; thankfully my old cart had a dribble of ink left and was able to convince the printer to keep going while I got my order in for more.

Next step, the online store where I order my carts, SVP, typed in my printer model in the search box as they recommend and the first hit wasn’t my usual multipack of 3rd party R265 carts – no, it was a CISS (Continuous Ink Supply System).   Interesting.

Here is the page: http://svp.co.uk/product/ciss_for_epson_r265_r360_rx560_printers_mte058

Intrigued, I read the install manual they have on the page and thought it looked easy enough to try. And so I bought one – couldn’t hurt – it cost the same as a complete set of carts and would last 10 times longer on the first fill.

The device arrived a few days later, I sat on it a few days more, then got stuck in.  I took some photos of the completed install and I have to say I am very impressed with it.

2-IMG_7042_500w.jpg
4-IMG_7046_500w.jpg

I originally had the Inkwells on top of the printer, but I found it was putting out way too much ink – blobs of the stuff – and I figured gravity was playing a part.  Placing it down beside the printer saw the ink flow backwards, so I taped a few empty DVD cases together to get the right approximate height beside the printer and placed it there.

5-Ink_Well_500w.jpg

I have printed the equivalent of 20 full A4 colour pages at photo quality – quality is excellent and although the computer thinks the carts are now half full (or half empty), the evidence above shows just how much money I am going to save even in the short term.

6-ink_levels.jpg

If you are feeling the cost of Ink is too high (who doesn’t?) and if you can find a well reviewed CISS system for your printer, I would encourage you to give it a go.

PHP on LinkedIn.com

Written By: pgregg - Feb• 03•2009

Since LinkedIn opened up its Groups system, there has been a huge growth in the number of groups related to PHP.  Some with charters, some without; some with a specific community background and others with a specific regional focus.  I am posting this to bring attention to some of them.

In order of popularity (member count) some general groups (non-regional) are:

Some of these are useful if you are looking for a job (the recruiters tend to play nice and stay on-topic), others ban job posts and stick to discussions.
There are literally hundreds of groups related to PHP in some shape or fashion – pure PHP, LAMP, PHP&Mysql, Frameworks, and many regional *PUG type groups.

Migrated to MovableType

Written By: pgregg - Feb• 03•2009

Well, after a few days of poking and prodding and working my way around an Ubuntu Hardy Heron bug compiling Image::Magick (tip: it is a bug in the supplied gcc 4.2.3 – you can get gcc 4.3 from the gcc-snapshot apt package), I finally have a working MT install.

Next up was writing a PunBB article and comment exporter to create an MTimport format file that I could load into MT to pre-populate the blog. A couple of trial runs later and here we are.

Let’s see if I can manage to post a little more frequently.

For those syndicating the old blog, rewrite rules should mean you have nothing to change but please let me know if anything is awry. 
General feed is /feed/all
PHP category feed is /feed/php

To silent fanfare, Microsoft released SQL Server 2005 Driver for PHP

Written By: pgregg - Aug• 07•2008

On July 24, Microsoft released version 1.0 of their native SQL Server 2005 Driver for PHP.

http://www.microsoft.com/downloads/details.aspx?FamilyId=61 … 597C21A2E2A&displaylang=en

Some months back I downloaded a beta version of this after having problems working with international characters (UTF-8) with PDO and MSSQL, and impressively the SQL Server 2005 Driver for PHP worked very well.

Congratulations to Microsoft for continuing with this and their recent contribution to ADODB.  I’m looking for better PDO support now :)

VMware releases ESXi for free

Written By: pgregg - Aug• 05•2008

I totally missed this one until a few days ago, but VMware has released the ESXi Hypervisor free of charge.   They obviously see the pending challenge from Microsoft, Xen and Virtualbox and are hoping to gain traction and mindshare in the community – but I have one piece of advice for VMware.

If you want to regain the "developer" mindshare – those evangelists that sponsor VMware in their corporations – then restore the VMTN Subscription.

VMTN was my affordable way in to VMware – and because of that and my persistence in my current workplace, VMware now has over 20 ESX Enterprise license sales.

My year with Microsoft Vista.

Written By: pgregg - Jul• 30•2008

Today sees the 1st birthday of my current laptop, so a happy birthday to it.  The machine was a top-of-the-line, fully tricked out Dell Latitude D830: Core 2 Duo 2.2GHz, 4GB RAM, 160GB HD, nVidia Quadro NVS graphics plus the new snazzy 1GB Intel TurboCache memory module.

Because of the specs – you need a 64bit OS to make use of the 4GB, and the TurboCache part only works on Vista – I thought I would give Vista 64 a try, a serious try. I would give Vista a whole year as my primary OS.  Here I am one year later to report my findings.


This is a company laptop, and Vista is not yet an approved OS for use in the workplace, but I work in IT and I’m quite proficient at taking care of myself, plus some IT members are evaluating Vista as an option for corporate roll out. I also installed Automatic Updates from Microsoft to stay current (bypassing the corporate WSUS server that sometimes takes months to push out updates because of close periods, quarter ends, etc). Thus there was minimal risk to this endeavour.

Setting up a new machine so you can get your work done is always the most painful part of getting a new computer; this proved to be the case again with Vista.  However, the pain was double in that many of the drivers I needed didn’t exist or were hard to source, plus some of my loved devices just didn’t work any more (my MSI USB TV dongle has suffered the indignity of remaining in my drawer for a year).

Ricoh were really good with drivers for the multifunction printer/copiers in the office.  Installation of the driver was a bit fiddly, but once done it worked very well.   However, for anyone with Vista it means the drivers need to be installed manually whereas XP users get the driver delivered to them when they connect to the printer.

Most of my regular applications worked fine out of the box – Eclipse, Visual Studio, Office (well, you would hope this would), McAfee AntiVirus – however I had significant issues with other necessary applications.

Initially the corporate F5 VPN didn’t support 64bit and I had to wait some months before we were given a beta version to test.

VMware Workstation was just into beta supporting Vista so I was able to use that from the off, which was useful – because I virtualised my old XP laptop and was able to keep that around for legacy app support for the things I just couldn’t get going in Vista – VMware, I love you dearly.   However, I am also our VMware Virtual Infrastructure go-to guy and to this date the VMware Virtual Infrastructure Client does not install natively on Vista 64… I had some pretty nasty hoops and hacks to go through to get that installed. I wouldn’t like to have to do that again. Come on VMware, sort it out.

Microsoft AD and Exchange Admin Tools. What can I say? They don’t work.  Microsoft acknowledge that they won’t work on Vista.   Your prime adopters of Vista in a corporate department are the IT people – but we *need* the admin tools to do our jobs.  Thus we need XP.  How can you expect corporate IT departments to push Vista to the workforce when we can’t use it for our basic Windows AD/Exchange administration?  Major, major oversight.

Yahoo Messenger was another troublesome application, and still is.   Before the “beta vista” version, it frequently crashed out and would not remain connected.  However, since the beta vista version arrived it has been stable, but, and it is a big but, RAM usage in it is insane.    I have just started the application and have had no messages sent or received and it is already claiming over 500MB of RAM.

Which neatly leads me on to… RAM usage.   Everything takes more RAM in Vista.  Vista introduces some new processes to the mix like PresentationFontCache.exe (520MB) plus lots more buried in svchost.exe processes (the DLL service runner program). If I total up the RAM usage in svchost.exe processes I come to 1.8GB of RAM.
This laptop has been powered on for maybe 30 minutes and it is using 2.5GB of RAM – what applications are open? Firefox, putty and Task Manager.   By the time I fire up Outlook and some other apps I use I’ll be looking at 3.8GB – which isn’t necessarily bad, it is within my physical RAM limit so the machine isn’t swapping.  However, it does bring into question the reason for a 64bit OS in the first place – to make the 4GB of RAM available.   Would I have been better off taking the addressing limit of XP and living with 3.5GB of RAM?

Finally, and the cruncher.   This machine is slow; sometimes, and frequently, painfully frustratingly slow.  I fully expect that it will take minutes from pressing the power on button to getting to my Desktop.   Powering down sometimes takes longer and frequently hangs/locks up/bluescreens when powering down while in the docking station (I can’t believe Microsoft and Dell still haven’t figured out this constant and widespread problem after all these years – this is a constant bugbear for Dell owners).

When in operation the machine will start to act slowly, to the point that I can see the putty terminal window repaint itself.  Firing up SysInternals task manager shows the CPU(s) at 100%, sometimes it is McAfee’s updates, sometimes other apps, sometimes nothing is apparently consuming the CPU, but all the same, it is pegged at 100%.   

This week already I have had 4 "coffee events" – where the machine gets so slow that you decide you may as well go and make some coffee in the vain hope that the machine will rectify itself by the time you get back.   If it is still stuck when you get back then it is a measurable coffee event.   The responsiveness will return perhaps within 5-10 minutes, but it is frustrating and supremely annoying.

My conclusion?

Vista is not a terrible OS by any means.  It is Windows, it works like Windows and for the most part behaves in an acceptable fashion.  However, I find it hard to justify the resource requirements – I don’t see the benefit.   Vista doesn’t do anything more than XP did except for perhaps the annoying UAC controls and the feeling that somehow you are slightly better protected from the world.   I constantly ask myself if XP would perform better on this machine (which isn’t a slouch), and now that I have completed my Vista year, at the next (if you’ll pardon the pun) window of opportunity available to me I will be reformatting and going back to XP.
Vista is years ahead of its time – maybe in 3-5 years when we have eight-core 10GHz CPUs it might perform to an acceptable level.

Script to generate a list of valid email recipients from a qmail setup

Written By: pgregg - Jul• 26•2008

Last week I set up a Postfix+MailScanner+ClamAV anti-spam and anti-virus mail relay server. Testing seemed all good, except that it was scanning lots of bogus email addresses, e.g. to nosuchuser@pgregg.com

Postfix provides a relay_recipients file (at least that’s what the MailScanner setup called it) where you specify the specific email addresses that you are prepared to accept email for.

In the old days we used SMTP VRFY – which people dropped because it was a way to verify good email addresses and clean spam lists.   However, by dropping it, it seems the spammers just ignored cleaning and just blast out to any and all email addresses they could find.  The irony being that the problems are now worse because we are constantly being bombarded by spam to bogus addresses.

As my primary email system is (still) qmail I needed a way to build a list of valid emails that qmail would accept – so I set about writing a perl script that would process the control/virtualdomains, users/assign and dot-qmail files in the same way that qmail would.

The result is here:
  http://www.pgregg.com/projects/qmail/makevalidrecipients/MakeValidRecipientsList.pl

Feel free to make use of the script – hopefully it can help others too.   Note that it doesn’t handle ~alias users, nor if you have a database backed system – but manual and vpopmail setups should be just fine.  No warranty implied or given though :) Use at your own risk.
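To show the idea behind the script, here is an added, deliberately reduced illustration (not the author’s Perl script, and not qmail’s code) that walks control/virtualdomains and the `+` wildcard entries of users/assign, lists the matching dot-qmail files, and emits `address OK` lines for a Postfix relay_recipient_maps table. Exact `=` entries, ~alias users and database-backed setups are not handled; the domain, prepend and files in `demo()` are constructed sample data.

```python
import os
import tempfile

def parse_virtualdomains(text):
    """control/virtualdomains: 'domain:prepend' means mail for x@domain is
    handed to the local address 'prepend-x'."""
    vdoms = {}
    for line in text.splitlines():
        if line and not line.startswith("#") and ":" in line:
            domain, prepend = line.split(":", 1)
            vdoms[domain.lower()] = prepend
    return vdoms

def parse_assign_wildcards(text):
    """users/assign '+loc:user:uid:gid:dir:dash:pre:' lines: locals starting
    with loc deliver via dir/.qmail<dash><pre><rest>. '=' lines are skipped."""
    wild = {}
    for line in text.splitlines():
        if line == ".":          # users/assign is terminated by a lone dot
            break
        f = line.split(":")
        if len(f) >= 7 and f[0].startswith("+"):
            wild[f[0][1:]] = (f[4], f[5], f[6])
    return wild

def valid_recipients(vdoms, wild):
    """Emit 'addr OK' lines for Postfix relay_recipient_maps: one per dot-qmail
    file qmail would consult, or '@domain OK' when .qmail-default catches all."""
    ok = set()
    for domain, prepend in vdoms.items():
        entry = wild.get(prepend + "-")
        if entry is None:
            continue
        home, dash, pre = entry
        stem = ".qmail" + dash + pre
        for name in os.listdir(home):
            if name.startswith(stem) and name != stem:
                ext = name[len(stem):].replace(":", ".")  # qmail writes '.' as ':'
                ok.add("@" + domain if ext == "default" else f"{ext}@{domain}")
    return sorted(f"{addr} OK" for addr in ok)

def demo():
    """Constructed sample: one virtual domain, two users plus a dotted alias."""
    home = tempfile.mkdtemp()
    for fname in (".qmail-alice", ".qmail-bob", ".qmail-help:desk", ".qmail"):
        open(os.path.join(home, fname), "w").close()
    vdoms = parse_virtualdomains("example.test:ex\n")
    wild = parse_assign_wildcards(f"+ex-:ex:1001:1001:{home}:-::\n.\n")
    return valid_recipients(vdoms, wild)
```

Feed the output through `postmap` and point `relay_recipient_maps` at it, and the relay rejects unknown recipients at RCPT TO instead of scanning them.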

Once I added the relay_recipients file to the postfix relay and waited a few days, awstats reported that 99.8% of all my email was to bogus addresses – wow!  That is a massive saving on CPU (antispam/av scanning) and traffic.

Enjoy.

Holy Irony Batman!

Written By: pgregg - Jan• 04•2008

There’s a new website about to be launched over at http://www.mycatholicvoice.com

In the Terms of Service it notes:

"YOU AGREE THAT CATHOLIC CONTENT, LLC, ITS AFFILIATES AND ANY OF THEIR RESPECTIVE OFFICERS, DIRECTORS, EMPLOYEES, OR AGENTS WILL NOT BE LIABLE, WHETHER IN CONTRACT, TORT, STRICT LIABILITY OR OTHERWISE, FOR   …    ANY FORCE MAJEURE"

:D haha