Archive for the ‘Security’ Category

Proof Your Site Against SQL Injection

Friday, October 23rd, 2009

Web applications often accept input data from users and pass it to database systems. Problems happen when such data contain characters that have special meaning to the database. For example, the single quote (') is used by most database systems to terminate a string. Different databases have different such meta-characters. Hackers skilfully exploit these meta-characters to run their own SQL commands in the database.

Consider this code fragment that accepts an employee id from a web form and fetches employee details from the Employee table:

$empId = $_GET["employee_id"];                               // untrusted input, used as-is
$query = "SELECT * FROM Employee WHERE emp_id = " . $empId;  // vulnerable: input concatenated into SQL

If a user fills in the employee_id field with

1 ; UPDATE Employee SET salary = 5000

that would result in the following queries to execute:

SELECT * FROM Employee WHERE emp_id = 1 ; UPDATE Employee SET salary = 5000

Many database systems like PostgreSQL allow multiple queries to execute in a single command. It's anybody's guess as to what would happen if the above queries execute. The hacker is exploiting the semi-colon (;) meta-character, which is used as a statement separator in many database systems.

The above is only one example; there are in fact hundreds of ways in which other meta-characters can be exploited to execute a variety of harmful commands.

So how do you protect your application against SQL injection?  Some steps are outlined below.

  1. Escape the special characters before you pass them on to the database.  You need to figure out all the meta-characters used by your database and escape them, so they are interpreted as regular data and not as control characters.
  2. Avoid dynamic SQL generation in your code.  Use prepared statements instead.  When prepared statements are used, the database will not confuse data for control characters.
  3. Stored Procedures offer some degree of protection, but are not injection-proof either.  They are vulnerable if additional parsing is performed on input parameters.
  4. The application should have only minimal rights to perform operations in the database.  It need not have DROP access if your application doesn’t have to drop a table.
  5. Validate your input.  Do this on the server-side as client-side validation cannot be trusted.  Write per-field validations using regular expressions that allow only whitelisted characters.  Limiting the allowable range of characters and length of each field will reduce the chance of injection.
  6. I have mentioned escaping data before passing it on to the database.  Many developers instead escape data at the point of input.  This kind of blanket input escaping is generally effective, but it can create problems if you need to pass the data to other subsystems (example: sending an email), which may have different escaping needs.  The ideal solution is to perform output escaping immediately before passing data to each subsystem.
  7. Catch database exceptions and show a custom error page to the user.  Show minimal information about the error to the user.  Database exceptions carry more information than the user needs to see; they may contain table and column names.  So catch these exceptions in your application and redirect the user to an error page that does not give out much information.

This article gave some tips on how to avoid falling prey to SQL injection attacks. Only the application developer can prevent this type of attack.  It cannot be avoided by installing firewalls or SSL certificates.  Developers need to think about how to prevent injection attacks when they write code and not as an afterthought.
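As an added example (not code from the original post), the stacked-query injection shown above reproduced in Python against an in-memory SQLite table, beside the prepared-statement lookup (step 2) and the whitelist validation (step 5). SQLite's execute() refuses to run more than one statement, so the vulnerable version uses executescript() to stand in for a driver that executes stacked statements; the table, names and salaries are constructed for the demonstration.

```python
import re
import sqlite3

# Whitelist for the employee_id field: digits only, bounded length (step 5).
EMP_ID_RE = re.compile(r"[0-9]{1,9}")

def make_db():
    # Constructed sample data: an in-memory Employee table with two rows.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Employee (emp_id INTEGER PRIMARY KEY, name TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO Employee VALUES (?, ?, ?)",
                     [(1, "alice", 70000), (2, "bob", 65000)])
    conn.commit()
    return conn

def salaries(conn):
    # Current (emp_id, salary) pairs, used to show whether the table was modified.
    return conn.execute("SELECT emp_id, salary FROM Employee ORDER BY emp_id").fetchall()

def fetch_vulnerable(conn, emp_id_input):
    # Same defect as the PHP fragment: untrusted text is concatenated into the SQL.
    # executescript() stands in for a driver that runs stacked statements (assumption).
    query = "SELECT * FROM Employee WHERE emp_id = " + emp_id_input
    conn.executescript(query)
    return salaries(conn)

def fetch_prepared(conn, emp_id_input):
    # Prepared statement (step 2): the input is bound as a value and never parsed as SQL,
    # so a payload like "1 ; UPDATE ..." simply matches no row and changes nothing.
    return conn.execute(
        "SELECT emp_id, name, salary FROM Employee WHERE emp_id = ?",
        (emp_id_input,),
    ).fetchall()

def fetch_hardened(conn, emp_id_input):
    # Server-side validation (step 5) in front of the prepared statement (step 2).
    if not EMP_ID_RE.fullmatch(emp_id_input):
        raise ValueError("employee_id must be 1 to 9 digits")
    return fetch_prepared(conn, int(emp_id_input))

if __name__ == "__main__":
    payload = "1 ; UPDATE Employee SET salary = 5000"
    print("vulnerable:", fetch_vulnerable(make_db(), payload))
    print("prepared:  ", fetch_prepared(make_db(), payload))
    print("hardened:  ", fetch_hardened(make_db(), "1"))
```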

Pitfalls in WordPress Version 2.6.1

Friday, August 21st, 2009

Almost a year back (Aug 15th, '08, to be precise), AUTOMATTIC released WordPress 2.6.1 fixing over 60 bugs. The release also introduced 'right to left' typing for Hebrew and Farsi language administrators. In a very short period of time (maybe around one month), the company alerted 2.6.1 users to security holes in that version. Here, in this small article, we are going to analyze the vulnerabilities that made AUTOMATTIC release an upgrade for WordPress version 2.6.1 so soon.

Ok, let's be clear and to the point. The problem is created by the nature of:

  1. the mt_rand() function of PHP, and
  2. the truncation method that MySQL adopts

mt_rand ():

PHP has two random number generating functions: rand() and mt_rand(). The former uses the GNU C library and the latter uses the Mersenne Twister algorithm, created by Takuji Nishimura and Makoto Matsumoto of Japan. mt_rand() is the one predominantly used in PHP applications and, most importantly, WordPress 2.6.1 uses it.

Normally a seed is used to initiate the generation of random numbers. If it is possible to determine that seed, we will be able to generate the same sequence any number of times. In other words, we will be able to hack the working of random generation. The seed can be determined using a lookup. Now, once the seed is found, anyone can generate the sequence that the application generates. If you want to know how this is possible, you have to learn random number generation in PHP, or there's an alternative: bow to the fact that it is the nature of the mt_rand() function.

Now, make a request for the admin password, which would send an activation link to the actual admin. But since we have the seed, we will be able to calculate the same activation link by enabling the Keep-Alive HTTP request. Activating this link and using a different email ID in the form will allow creation of a new WordPress admin password and thereby complete control.

MySQL Truncation:

Let's see the next one. When a string given in a query is longer than the column's defined maximum length, MySQL, by default, truncates the string to that maximum length. For example, if the maximum length of a string column is defined as 8, the input value "qburst_expressions" will be truncated to "qburst_e". A warning is raised, but applications are normally not configured to handle those warnings, and importantly, WordPress version 2.6.1 was not.

Suppose I know the WordPress admin name (let's say "godfrey") and the maximum length of the username in MySQL is set as 32. When I register as a new user with the same name "godfrey", obviously, MySQL will return an error as there already exists a username godfrey. Now, if I try with "godfrey  " (with 2 spaces after the name), MySQL will truncate the string to "godfrey" and again return an error for the same reason. Suppose I try with "godfrey                         g" (with 25 spaces between godfrey and g); then MySQL will not be able to find a matching username, and will also truncate the name to "godfrey" before inserting it into the database column. This happens because the username exceeds the defined maximum length of 32, so the system cannot find a match in the database. Now we have 2 admin usernames in the table. This is sufficient to pass the validation and gain access to the password of the original admin, thereby complete control.

Username                          Length   Max Length   After Truncation   Database Change
"godfrey"                         7        32           "godfrey"          No change
"godfrey  " (2 trailing spaces)   9        32           "godfrey"          No change
"godfrey" + 25 spaces + "g"       33       32           "godfrey"          Truncated string (godfrey) inserted as new username into DB

These security holes prompted AUTOMATTIC to work on an upgrade at the earliest, and the next release fixed all of them. So if you are planning to use WordPress, make sure you use the latest version and remain safe. WordPress 2.8.4 is available for download now; it is the latest stable version of WordPress according to AUTOMATTIC's last release.
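As an added example (not code from the original post or from WordPress), a small Python model of the truncation scenario above and of the check that closes it: the users table, the non-strict truncation and the trailing-blank-insensitive comparison the article describes are all modelled in plain Python, and the column width of 32 and the name "godfrey" are taken from the article.

```python
MAX_LEN = 32  # width of the username column in the article's scenario

def mysql_truncate(value, max_len=MAX_LEN):
    # Model of non-strict MySQL: the value is silently cut to the column width.
    return value[:max_len]

def same_username(a, b):
    # Model of the comparison the article describes: trailing blanks do not
    # distinguish two usernames ("godfrey  " is reported as a duplicate).
    return a.rstrip(" ") == b.rstrip(" ")

class UserTable:
    # Constructed stand-in for the users table; rows hold stored usernames.
    def __init__(self, usernames):
        self.rows = list(usernames)

    def exists(self, name):
        return any(same_username(row, name) for row in self.rows)

    def count(self, name):
        return sum(1 for row in self.rows if same_username(row, name))

def register_unsafe(table, name):
    # The 2.6.1 pattern: uniqueness is checked on the raw input, but the INSERT
    # stores the truncated value, so an over-long name slips past the check.
    if table.exists(name):
        return "rejected: duplicate"
    table.rows.append(mysql_truncate(name))
    return "inserted"

def register_safe(table, name):
    # Fix: enforce the column width in the application and normalise the value
    # before the uniqueness check, so what is checked is exactly what is stored.
    candidate = name.rstrip(" ")
    if len(candidate) > MAX_LEN:
        return "rejected: too long"
    if table.exists(candidate):
        return "rejected: duplicate"
    table.rows.append(candidate)
    return "inserted"

if __name__ == "__main__":
    spoof = "godfrey" + " " * 25 + "g"  # 33 characters, as in the article's table
    users = UserTable(["godfrey"])
    print(register_unsafe(users, spoof), "-> users named godfrey:", users.count("godfrey"))
    users = UserTable(["godfrey"])
    print(register_safe(users, spoof), "-> users named godfrey:", users.count("godfrey"))
```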

Drupal – An Overview

Monday, June 8th, 2009

Drupal is one of the most popular content management systems (CMS) used in web development. It is also called a content management framework, because it enables developers to extend it and implement custom content management solutions. Drupal is written in PHP with MySQL as the backend.

With Drupal, it is possible to develop and manage blogs, websites, portals, forums, e-commerce sites, social networking sites and many more. A few examples of popular websites developed using Drupal are www.labs.sonyericsson.com, www.jacksonville.com and www.nysenate.gov.

Other CMSs like Joomla, Plone and WordPress also exist in the market, but the features available in core Drupal and its extendibility make Drupal stand out from its competitors. SEO is better achieved through Drupal. It also provides a large number of themes and modules to choose from. Integration of various technologies with Drupal extends its capability further. Apache Solr integration is a recent accomplishment; it is done through the Apache Solr Integration module.

Drupal administration has four main components. Content management lets you manage the website content. Site building controls the look and feel of the site. Custom modules and themes extend the ability of Drupal beyond the options available in the core modules. Roles and permissions are created in the user management section to manage the access rights of different users.

The Drupal presentation is available on Slideshare.

Apache Solr Integration with Drupal

Tuesday, June 2nd, 2009

Earlier, search did not have a high priority in the sites that were developed using Drupal. Analysis reveals that the slowness and lack of smartness of the search feature have made users lose their trust in search. The integration of Drupal with Apache Solr is changing the entire scenario now. Here in this article, I am going to give you a snapshot of this revolution.

What is Solr?

Lucene, as we know, is a search engine library for enabling text-based search and is written in Java. Solr is a search server built on Lucene. It is easy to install and configure, and it comes with an HTTP-based administration interface. Documents are first indexed by posting XML over HTTP. Queries are sent through the HTTP GET method and search results are returned as XML.

What makes Solr stand out?

  • Faceting
  • Spell checking
  • Highlighting
  • Caching
  • Replication
  • Open Source

There are two types of search mechanisms used by dominant search engines. Navigational search uses a hierarchical structure (taxonomy). This mechanism is used by the Yahoo directory, DMOZ, etc. Google, Yahoo search and other popular search engines use direct search. Both have their own benefits and drawbacks. Recently the direct method has been gaining more recognition, as is evident from the growth of Internet dominance by the Google and Yahoo search engines.

Faceted search is a newer mechanism that combines both the above techniques. It allows users to navigate multi-dimensionally through a pool of terms. Here is an illustration that contrasts faceted searching with taxonomical searching.

Let's move on to the other features. Spell checking: with this feature, the user gets search results for a given query and spelling suggestions at the same time. This is similar to the 'Did you mean' in Google. The SpellCheckComponent that forms a part of Solr is designed to provide this inline spell checking of queries.

Solr provides a set of highlighting utilities with which it highlights the location of the query terms in the text of the search results. Solr caches are associated with an Index Searcher. Any item in the cache is valid and available for reuse as long as that Index Searcher is in use; cached objects do not expire after a fixed period of time but remain valid for the lifetime of the Index Searcher.

Apache Solr Project

Apache Solr Search Integration is a module that integrates Drupal with a Solr server for searching. Solr can be used as a replacement for the core content search that already comes with Drupal. The module comes with a schema.xml and a solrconfig.xml, which require configuration. This module makes all the features of Solr available in Drupal for the development of a new site. A few websites that have currently implemented Solr using this project are AOL, Drupal.org, Netflix, CNET, CitySearch and GameSpot.

Links for further study

http://lucene.apache.org/solr/

http://drupal.org/project/apachesolr

http://www.ibm.com/developerworks/java/library/j-solr1/#ibm-pcon

http://www.ibm.com/developerworks/java/library/j-solr2/#resources

Why is Prevx Not Just Another Antivirus Utility?

Thursday, May 28th, 2009

Most anti-virus utilities are powered by a large virus signature database that needs to be constantly updated so they can identify known viruses. The database keeps growing as new viruses are released at an ever-increasing rate. These utilities are also incapable of recognizing newly released malware, since there is no match in the database.

Prevx is built around behavior-based detection as its primary concept and is very good at doing that job.

Advantages of Prevx:

* Download size of 800 KB compared to the 20 MB size of other malware utilities
* Instantaneous installation and ultra fast scan
* Cloud-based malware detection
* Highest malware blocking score

How does Prevx achieve this?

As mentioned earlier, Prevx doesn't rely on predefined signatures; it rather looks for patterns of suspicious behavior. In addition, it takes the local age of the file and its distribution index into account before flagging it as malware. Newer files are under higher suspicion than a file that has been around for a while. Similarly, a widely distributed file is considered benign compared to one that is found on only a handful of computers. Prevx confirms this by checking its online database.

On my computer Prevx took around 30 sec to download and performed a learning scan in 5 minutes. It will clean up low risk adware for free, but anything serious has to be cleaned up by purchasing a license key.

One drawback of Prevx is that it needs to contact the database during a scan and will not work in offline mode.

You may find more details about this anti-malware utility on their site www.prevx.com.