Security

Zen Cart Patch Needed For Admin Security

by damonp on July 4, 2007

in Security

Zen Cart has released a patch for all versions from v1.2 through v1.3.7 that fixes a serious security hole in the admin login/password reset system.

I strongly advise all current ZenCart users to make sure this patch is applied to their installations. The patch takes less than fifteen minutes to complete.

If you need help with this patch, I can install it for $25.

Coding on a Live Site

by damonp on June 29, 2007

in PHP, Security

I have written several times about debugging a live site and posted snippets for working on the themes of a live WordPress install. One trick I haven’t mentioned is using the PHP error log.

PHP on any production site should be configured not to display errors (display_errors = Off). All too often I see random sites where PHP has been configured to show errors, sometimes visibly enough that the error text turns up in Google results. Error output gives away too much about your application and server: file system paths, library versions and the internals of whatever just failed.

On the servers and applications I work on all of the time, I configure PHP to log errors to /var/log/php_errors instead. Simply tailing this file through a console will quickly show any errors caused by the edits. The log file has to be writable by the user the web server runs as, and it belongs outside the document root so that it cannot be fetched over HTTP.

To enable logging, check these two variables in your php.ini:

; Log errors into a log file (server-specific log, stderr, or error_log (below))
; As stated above, you're strongly advised to use error logging in place of
; error displaying on production web sites.
log_errors = On
; Log errors to specified file.
;error_log = filename
error_log = /var/log/php_errors

To tail the log file from an SSH console:

tail -f /var/log/php_errors
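The following is an added example, not code from the original post: a small POSIX shell audit that reads a php.ini and reports whether the three directives that matter on a production host (display_errors, log_errors, error_log) are set the way the post recommends. The two ini files it checks are constructed for the demonstration; point php_ini_prod_check at a real php.ini to audit a host.

```shell
#!/bin/sh
# Added example (not from the original post): audit a php.ini for the
# production error-handling settings discussed above. Both sample ini files
# below are constructed for the demonstration; the directive names are PHP's.

# Print the effective value of one directive. The last uncommented assignment
# wins, which is how PHP itself treats a directive repeated in an ini file.
php_ini_get() {
    awk -F= -v key="$2" '
        /^[[:space:]]*;/ { next }                        # comment line
        NF >= 2 {
            name = $1
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", name)
            if (tolower(name) != tolower(key)) next
            val = substr($0, index($0, "=") + 1)
            sub(/;.*$/, "", val)                         # trailing comment
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            gsub(/^"|"$/, "", val)                       # quoted value
            found = val
        }
        END { print found }' "$1"
}

# Normalise the truthy/falsy spellings PHP accepts for boolean directives.
php_ini_bool() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        '')                   echo unset ;;
        1|on|true|yes)        echo on ;;
        0|off|false|no|none)  echo off ;;
        *)                    echo other ;;   # e.g. display_errors = stderr
    esac
}

# Check the three directives that matter on a production host. Prints one line
# per finding and returns 0 only when every setting is as recommended.
php_ini_prod_check() {
    ini="$1"
    rc=0
    de=$(php_ini_bool "$(php_ini_get "$ini" display_errors)")
    le=$(php_ini_bool "$(php_ini_get "$ini" log_errors)")
    el=$(php_ini_get "$ini" error_log)
    [ "$de" = off ] || { echo "display_errors is '$de': set it to Off"; rc=1; }
    [ "$le" = on ]  || { echo "log_errors is '$le': set it to On"; rc=1; }
    [ -n "$el" ]    || { echo "error_log is unset: errors fall through to the SAPI log (stderr or the web server's error log)"; rc=1; }
    return "$rc"
}

# Constructed sample: the settings that leak errors into the page.
weak=$(mktemp)
cat > "$weak" <<'EOF'
display_errors = On
log_errors = Off
;error_log = filename
EOF

# Constructed sample: the settings the post recommends, plus display_errors.
prod=$(mktemp)
cat > "$prod" <<'EOF'
display_errors = Off
log_errors = On
error_log = /var/log/php_errors
EOF
trap 'rm -f "$weak" "$prod"' EXIT

for f in "$weak" "$prod"; do
    echo "== $f"
    php_ini_prod_check "$f" && echo "production settings OK" || echo "needs fixing"
done
```

The parser deliberately ignores commented-out lines such as the `;error_log = filename` placeholder that ships in the stock php.ini, since PHP ignores them too; a commented-out error_log means errors are going to the web server's log, not to a file you are tailing.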


Exim Queue Snippets

28 June 2007

These are all useful when trying to track down an open formmail script.

List bounce messages:

exiqgrep -f '^<>$'

Freeze bounce messages:

exiqgrep -i -f '^<>$' | xargs exim -Mf

Freeze messages from user@domain.com:

exiqgrep -i -f user@domain.com | xargs exim -Mf

Find out what user your webserver runs as. Use this as the email address [...]
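As an added example that is not part of the original post, the shell functions below do the same sender matching as the exiqgrep snippets above but over a queue listing in the layout printed by `exim -bp` (age, size, message id, `<sender>`, an optional `*** frozen ***` marker, then one recipient per line). The listing, the message ids and the addresses are constructed for the demonstration; on a real host replace the body of queue_listing with `exim -bp`. The point is to see, at a glance, which sender a runaway form script is leaving in the queue before freezing its messages.

```shell
#!/bin/sh
# Added example (not from the original post): summarise an Exim queue listing
# to spot a runaway form script by the senders it leaves in the queue.

# Constructed sample in the layout of `exim -bp`. Replace with:  exim -bp
queue_listing() {
    cat <<'EOF'
 25m  2.9K 1abcde-000001-AA <www-data@web.example.com>
          victim1@example.org

 24m  2.9K 1abcde-000002-AA <www-data@web.example.com>
          victim2@example.org

 20m  1.1K 1abcde-000003-AA <> *** frozen ***
          www-data@web.example.com

 10m  4.0K 1abcde-000004-AA <alice@example.com>
          bob@example.net
EOF
}

# Header lines are the ones whose 4th field is the bracketed envelope sender;
# recipient lines and blank lines never have one, so they are skipped.

# Message ids whose sender matches an extended regex, written the same way
# exiqgrep -i -f takes it (the angle brackets are part of the matched string,
# so '^<>$' selects bounces).
queue_ids_by_sender() {
    queue_listing | awk -v pat="$1" '$4 ~ /^<.*>$/ && $4 ~ pat { print $3 }'
}

# Message ids of frozen messages.
queue_frozen_ids() {
    queue_listing | awk '$4 ~ /^<.*>$/ && /\*\*\* frozen \*\*\*$/ { print $3 }'
}

# Number of queued messages per envelope sender, busiest first. A sender with
# far more messages than anyone else is usually the web server user behind an
# abused form script.
queue_sender_counts() {
    queue_listing | awk '$4 ~ /^<.*>$/ { n[$4]++ } END { for (s in n) print n[s], s }' | sort -rn
}

echo "queued messages per sender:"
queue_sender_counts
echo "bounces: $(queue_ids_by_sender '^<>$' | tr '\n' ' ')"
echo "frozen:  $(queue_frozen_ids | tr '\n' ' ')"
# On a real host, freeze everything from the busiest sender with:
#   queue_ids_by_sender 'www-data@' | xargs exim -Mf
```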

Zencart Hack – Logout Customer Automatically After X Failed Payment Attempts

22 June 2007

Credit card slamming is the practice of trying hundreds or thousands of card numbers and security code combinations to find the few in the batch that will actually work. I have discussed credit card slamming here and over at the ZenCart forums several times in the past. The code snippet below can be used in [...]

Nolisting – Poor Man’s Greylisting

20 March 2007

I thought this was an interesting option to try to weed out some spam on servers inundated by it. It wouldn't be a permanent fix, since defeating it only requires a trivial workaround. But in my experience, these types are lazy and will go off to easier pickings if they [...]

Combating Card Fraud (or at least slow it down)

15 March 2007

I have a major client whose Authorize.net gateway account gets hit sometimes hundreds of times a day with charge attempts. Most are posted by an automated script from IPs coming out of Indonesia or Eastern Europe in an attempt to find a valid credit card number and security code. Fortunately, it hasn’t cost the client [...]

Chkrootkit Grep

9 November 2006

chkrootkit bindshell | grep "INFECTED\|Vulnerable"

MySQL Client Security on the Command Line

23 June 2006

The MySQL client allows specifying the database password on the command line using the following parameters:

mysql -utheusername -pthepassword thedatabasename

If you are in the habit of doing this… STOP NOW! If you are using a shell like Bash, the password is saved in the bash_history file. Should anyone get into the server, they can easily [...]
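The following is an added example, not code from the original post: a shell function that scans a history file for mysql, mysqldump, mysqladmin or mysqlimport invocations that carry the password inline (`-pSECRET` or `--password=SECRET`) and prints the offending lines with the secret masked, so the output itself can be pasted into a ticket. The history file is constructed for the demonstration; run it against ~/.bash_history on a host you are cleaning up. The safe alternatives named in the comments (a bare `-p`, which makes the client prompt, or a `[client]` section in a mode-0600 ~/.my.cnf) are my additions, not something the truncated post shows.

```shell
#!/bin/sh
# Added example (not from the original post): find MySQL client invocations in
# a shell history file that pass the password on the command line.

# Prints "lineno: masked command" for every mysql-family command whose
# arguments include -pSECRET or --password=SECRET. A bare -p (which makes the
# client prompt for the password) and --password with no value are not reported.
find_inline_mysql_passwords() {
    awk '
        $1 ~ /^(mysql|mysqldump|mysqladmin|mysqlimport)$/ {
            hit = 0
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^-p.+/)               { $i = "-p********";         hit = 1 }
                else if ($i ~ /^--password=.+/) { $i = "--password=********"; hit = 1 }
            }
            if (hit) print NR ": " $0
        }' "$1"
}

# Constructed sample history. Line 3 and line 6 use the safe form (bare -p,
# the client prompts and nothing is recorded); lines 2 and 4 leak secrets.
hist=$(mktemp)
cat > "$hist" <<'EOF'
ls -la
mysql -utheusername -pthepassword thedatabasename
mysql -u theusername -p thedatabasename
mysqldump --user=backup --password=Hunter2 shop > shop.sql
#1183000000
mysqladmin -uroot -p status
EOF
trap 'rm -f "$hist"' EXIT

echo "history lines carrying a MySQL password:"
find_inline_mysql_passwords "$hist"

# Safe alternatives (added guidance):
#   mysql -u theusername -p thedatabasename     # prompts, nothing in history
#   ~/.my.cnf, mode 0600, containing:
#       [client]
#       user=theusername
#       password=thepassword
```

Besides the history file, a password in argv is also visible to every local user in the process list while the client starts up, so the fix is to stop putting it there rather than only to scrub the history afterwards.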

Stop Forum Spam

9 June 2006

Spammers have now moved from email spam to blog comment spam to forum spam. I have received several complaints of dozens of daily messages posted to public forums. One enterprising spammer has been posting advertisements for his forum spamming services, with links to an email address for contacting him. If you have a low volume [...]

Security By Obscurity

23 March 2006

Good security consists of multiple layers of procedures and applications, all with the goal of keeping unauthorized users out and ensuring properly authorized users have access to only the things they should. With public internet servers and web applications this can mean things such as:

Ensuring users create at least moderately secure passwords
Instituting mandatory [...]