Saiweb » php

php mail() – Making it not suck using sendmail

Buzz — Sun, 18 Sep 2011 12:22:46 +0000

Ok ok … as some of the people work with are aware, I did this months ago fro one project, ment to blog and document it then in fact I have a draft post last modified 06/05/2011 covering full spam score reduction, and half finished instructions on setting up a mail relay … so in the interim of finishing that post I’m going to cover improving user experience through proper php configuration.

Out of the box, php will use sendmail, and it will do so as follows.

mail() forks sendmail process
sendmail attempts to send email to destination server
sendmail returns on send complete

Generally this isn’t a problem but what if at point 2. there is an issue with the destination MTA ? well in that case php will infact sit around waiting fot sendmail to complete, leaving your user with a hung screen / hung ajax call.

So what to do?

Simply put you want to offset the sending email process you do not want the end user sat around waiting for sendmail to finish sending the email, but you do want the email to send … decisions … decisions.

So edit yout php.ini .

1	sendmail_path = /usr/sbin/sendmail -t -i -O DeliveryMode=b

This sets the delivery mode to background, sendmail will return to php near instantly and send the email in the background by placing in into a queue.

TL;DR

Put the above in your php.ini to not hang around to sendmail, and hav it return instantly.
Tweet

PHP & Caching an in depth review – Follow up using Varnish

Buzz — Wed, 10 Aug 2011 20:59:26 +0000

Ok, so following up on PHP & Caching with Varnish, let’s cut to the hard facts shall we?

Using the same tests as

ab -c 100 -n 500 -g ./saiweb-nocache-nogzip.bpl http://www.saiweb.co.uk/
This is ApacheBench, Version 2.3 <$Revision: 655654 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking www.saiweb.co.uk (be patient)
Completed 100 requests
Completed 200 requests
Completed 300 requests
Completed 400 requests
Completed 500 requests
Finished 500 requests

Server Software: Apache
Server Hostname: www.saiweb.co.uk
Server Port: 80

Document Path: /
Document Length: 92719 bytes

Concurrency Level: 100
Time taken for tests: 0.184 seconds
Complete requests: 500
Failed requests: 0
Write errors: 0
Total transferred: 47597095 bytes
HTML transferred: 47379409 bytes
Requests per second: 2716.92 [#/sec] (mean)
Time per request: 36.806 [ms] (mean)
Time per request: 0.368 [ms] (mean, across all concurrent requests)
Transfer rate: 252573.13 [Kbytes/sec] received

Connection Times (ms)
min mean[+/-sd] median max
Connect: 1 4 1.1 4 6
Processing: 9 31 7.0 32 47
Waiting: 2 7 5.7 4 26
Total: 15 35 6.8 36 53

Percentage of the requests served within a certain time (ms)
50% 36
66% 38
75% 39
80% 39
90% 41
95% 44
98% 48
99% 51
100% 53 (longest request)

2716.92 requests per second with a server load average of 0.1, and in this case varnish is serving cache from disk.

Caching using varnish (Or even nginx / mod_cache) means that PHP does not get executed at all, the cache system grabs the cache content and serves it.

This of course has the benefit of reducing the CPU and memory resources needed for the running of your application, but it does have some caveats.

This only works for GET requests, and content not reliant on Cookies (Truely dynamic content will not cache)
But on the “flipside” Varnish supports ESI, which when setup correctly you can target the dynamic sections of a pag for “passthrough” and have the rest cached

More details to come, as I have time to add them I have have a lot of posts to make on boxgrinder, KVM, libvirtd etc.
Tweet

wptouch redirection vulnerability

Buzz — Thu, 07 Jul 2011 12:05:52 +0000

In theroy this: http://www.exploit-db.com/exploits/17423/ could be used to facilitate phishing,

To patch this update to 1.9.28, and apply this patch: https://raw.github.com/Oneiroi/PenTesting/master/patches/wptouch-edb17423.patch

UPDATE 07072011 .9.30 does not suffer from this exploit.

wptouch redirection vulnerability

Buzz — Tue, 21 Jun 2011 10:46:15 +0000

In theory this: http://www.exploit-db.com/exploits/17423/ could be used to facilitate phishing,

To patch this update to 1.9.28, and apply this patch: https://raw.github.com/Oneiroi/PenTesting/master/patches/wptouch-edb17423.patch

1
2
3

cd /path/to/blog/wp-content/plugins/wptouch/
wget https://raw.github.com/Oneiroi/PenTesting/master/patches/wptouch-edb17423.patch
patch < wptouch-edb17423.patch

update This: http://wordpress.org/news/2011/06/passwords-reset/ causes a 1.9.29 version to be rolled out.

1.9.29 is still vulnerable to this, the patch instructions above still work for 1.9.29

Dissecting the hack – packed r57shell

Buzz — Wed, 26 May 2010 12:00:46 +0000

Before you read any further note, I will not be including the original hack file, simply due to peoples stupidity in putting this on a production environment to play with, if you use the code you do so at your own risk, and by reading this blog entry / using the code provided you agree to accept all liability upon yourself for your own actions. Don’t be an idiot.

Around 10 days ago I came across this seemingly innocuous little file.

What I am going to cover in this entry is dissecting the ‘payload’ and not so much the web app in question or methods used to compromise it,

Whereas I will not at this time provide the original file, I will provide you with the md5 and sha1 hashes of the file so you can check it’s not lurking on your systems:

md5: 9ee3e6523d154114460d320477a8665a
sha1: 9c64fecea5620d70a716bbd74f6e89612a4a79c7

The bit we are interested in is the last line of the file:

1	eval(gzinflate(base64_decode('DATA')));

Were you to run this line you would get

1	eval(gzinflate(base64_decode('DATA2')));

Confused yet? now I can appreciate the thinking behind packing a payload to avoid detection, but in this case the payload is packed 12 times, and no before you ask I did not manually run each returned statement to find this out.

Enter Python-Fu:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48

#!/usr/bin/env python
# saiweb.co.uk payload unpack script 26/05/2010
# copy the eval(gzinflate()) line to payload.raw, place in same directory as this file.

"""
Copyright (C) 2010 Buzz saiweb.co.uk.co.uk

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program. If not, see .

Additional Terms as Per section 7

Attribution:

Redistribution/Reuse of this code is permitted under the GNU v3 license, as an additional term ALL code must carry the original Author(s) credit in comment form.
"""

import base64, zlib, re, sys

def main():
print 'Running ...'
f = open('payload.raw')
php = f.read()
f.close()
iteration = 0
while re.search('eval$gzinflate\(base64_decode\(\'',php):
iteration += 1
print 'Iteration: %d' % iteration
raw = re.sub('eval\(gzinflate\(base64_decode\(\'','',php)
raw = re.sub('\'$\)\);','',raw)

gstring = base64.b64decode(raw.strip())
php = zlib.decompressobj().decompress('x\x9c' + gstring)
#print payload
#sys.exit()
print php
if __name__ == '__main__':
main()

Copy the first payload lines into a file named payload.raw, take the above code and copy it into a file named dissect.py.

When dissect.py is run you will get the following output:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

python ./dissect.py
Running ...
Iteration: 1
Iteration: 2
Iteration: 3
Iteration: 4
Iteration: 5
Iteration: 6
Iteration: 7
Iteration: 8
Iteration: 9
Iteration: 10
Iteration: 11
Iteration: 12
<?php
...

As such you may want to run it using the following command:

1	python ./dissect.py > r57.php

And what you will find after unpacking 12 times in total, the “payload” is the r57shell, this script is an information gathering tool and pseudo shell, meaning it will run any command on the host server that php can, providing in most cases ssh esq access to the exploited host, allowing you to do pretty much anything you wanted at this point, some of the features also include /etc/passwd /etc/shadow dumping, aswell as searching for a tirade of common file *.sql* admin* etc, it’s a one stop script for information gathering on a LAMP/WAMP based host.

Defense: modify php.ini to disable eval(), exec, shell_exec and all none essential functions.

And of course, ensure your web apps are patched and up to date as well as the host they are running on.

Simple measures to a faster PHP app – Part 1 Double Quotes

Buzz — Fri, 20 Nov 2009 10:25:06 +0000

In some situations using a double quotes string is required i.e. “this\nstring\nappears\over\nmany\nlines” …

However in 99% of cases it is used without even thing about in implications of doing so … PHP will infact evaluate any string wrapped in double quotes, this adds a processing overhead, but it seems people do not actually reliase how much in comparrison to using single quotes for the same string.

Take for example this code:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

/**
* double-quotes-are-bad.php ~ D.Busby (Saiweb.co.uk)
**/
$start = microtime(true);
$var = "This is a stiring it may not actually have anything to be parse within"
. " However the issue remains that infact php will attempt to evaluate every char"
. " In this string, which in this example may not be so bad, as it's just one string"
. " In one file, buit imagine what happens when every string in your webapp uses double quotes";
$end = microtime(true);
$len = strlen($var);
$res = round($end-$start,10);
echo $len.' Chars evaluated in '.$res.' seconds'."\n";

$start = microtime(true);
$var = 'This is a stiring it may not actually have anything to be parse within'
. ' However the issue remains that infact php will attempt to evaluate every char'
. ' In this string, which in this example may not be so bad, as it\'s just one string'
. ' In one file, buit imagine what happens when every string in your webapp uses double quotes';
$end = microtime(true);
$len = strlen($var);
$res2 = round($end-$start,10);

echo $len.' Chars evaluated in '.$res2.' seconds'."\n";

$speed = round((1 - $res2/$res) * 100,2);

echo 'Single quotes are '.$speed.'% faster'."\n";

?>

Now I am running this on a live server, that is serving in excess of 100 pages a second, take a look at the output:

320 Chars evaluated in 1.40667E-5 seconds
320 Chars evaluated in 3.0994E-6 seconds
Single quotes are 77.97% faster

320 Chars evaluated in 1.28746E-5 seconds
320 Chars evaluated in 3.0994E-6 seconds
Single quotes are 75.93% faster

320 Chars evaluated in 1.3113E-5 seconds
320 Chars evaluated in 2.1458E-6 seconds
Single quotes are 83.64% faster

320 Chars evaluated in 1.19209E-5 seconds
320 Chars evaluated in 2.861E-6 seconds
Single quotes are 76% faster

320 Chars evaluated in 1.3113E-5 seconds
320 Chars evaluated in 2.861E-6 seconds
Single quotes are 78.18% faster

The improvement is consistently in excess of 75%, so the moral of the story? don’t use “” if you do not need to!

Thanks to everyone along the way who’ve discussed and proven development methods along the way with me, and sorry it’s taken so long to get them written up.

Call to undefined function imagettfbbox()

Buzz — Tue, 13 Oct 2009 13:19:20 +0000

Call to undefined function imagettfbbox()

Either you do not have php GD installed (check your phpinfo(); and see if GD has laoded with TTF support)

Or if you are compiling from source add: –with-gd –with-freetype-dir=/lib64 –with-ttf=/lib64 –enable-gd-native-ttf

to your configure line.

Note: you’ll need gd-devel and freetype-devel libs installed, and im using /lib64 as im running a 64bit OS.Tweet

WordPress Flowplayer 2.0.9.9

Buzz — Thu, 03 Sep 2009 16:33:24 +0000

Finaly it is ready and in a state I am happy to release it.

Features

Complete code re-write, much more efficient and easier to update
Flowplayer 3.1.1
License detection, will only use the commercial version if you enter a license!
Playlists
Better wordpress API integration, all settings now stored in wordpress no more config files!
Same admin interface

(Videos from Apple.com)

php mail() sh: -t command not found

Buzz — Fri, 03 Jul 2009 16:06:25 +0000

PHP mail() not working?

getting “sh: -t: command not found” when testing using the cli?
what you have is a missing devel package!!!!

In my case sendmail-devel was missing, you’d think the configure script would alert on this but alas no, devel pack installed and one recompile later and the issue is solved.

PHP BUG #48139

Buzz — Tue, 05 May 2009 14:24:27 +0000

Because a picture is worth over 9000 internets … apparently

UPDATE: AKA “hayabusayuri” link … seriously who plays everquest? … maybe all that time playing everquest finally made the guy snap … and PHP & windows … never a good combination … infact Windows and internet is a bad combination

LINKY

Screencap incase it is removed:

(Thanks to the guys who forwarded me this)Tweet