Skip to main content

Posts

Showing posts from March, 2012

Installing a Unified Communications SSL certificate in Microsoft IIS 6.0

Just another working day in Redmond Being placed in the dire situation where my project has to go live and is being served by a Windows server that has no administrator I was forced to open up my RDP client and venture back in time to the days of dinosaurs and IIS. Unified Communications SSL Certificates are pretty much the only solution I could find to allow a single installation of IIS to share a single certificate that is valid for multiple domains that don't conform to a wildcard.  Whew, what a mouthful.  In other words if you have the domains http://www.ihatemicrosoft.com , http://www.apacheisfree.com , and http://www.graphicalinterfacesareforpansies.com you can use a SSL single certificate to secure them by setting up Subject Alternate Names . Getting them up and running was a cinch for me made only slightly more complicated by previous failed installation issues which I had to identify and undo. Firstly if somebody else has tried to install the certificate and failed

Preventing Directory Traversal attacks in PHP

Directory traversal attacks occur when your program reads or writes a file where the name is based on some sort of input that can be maliciously tampered with.  When used in conjunction with log poisoning this can lead to an attacker gaining remote shell access to your server. At the most simple it could be to include a file like this: echo file_get_contents($_GET['sidebar']); The intention would be for you to be able to call your URL and send a parameter indicating which sidebar content you want to load... like this:  http://foo.bar/myfile.php?sidebar=adverts.html Which is really terrible practice and would not be done by any experienced developer. Another common place where directory traversal attacks can occur is in displaying content based on a database call. If you are reading from or writing to a file based on some input (like GET, POST, COOKIE, etc) then make sure that you remove paths .  The PHP function basename will strip out paths and make sure that y

Continuous Integration with Jenkins and Git

http://jenkins-ci.org/ Jenkins is a free and open source solution for monitoring the execution of jobs, including software project builds. By monitoring the outcome of a build you are able to provide continuous quality control throughout the development period of a project.  The aim is to reduce the effort required in quality control at the end of development by  consistently applying small amounts of effort to quality throughout the development cycle. Under the continuous integration (CI) model developers should consistently integrate their development efforts into the repository.  There should be time delay between committing code changes and the new build - this allows developers to recognize and correct potential problems immediately.  Of course measures must be in place to flag errors with the build. The advantage to developers and project managers to having a stable repository to which commits are made and tested are multiple.  I don't need to replicate the Wikipe

Adding a CakePHP based virtual host in Apache 2.2

It's very simple to set up a name based virtual host in Apache 2.2 using the default Ubuntu package. I'm assuming that you have installed Apache already and that you have edited /etc/apache2/sites-enabled/000-default to change the AllowOverride None to something like this: <Directory /var/www/> Options Indexes FollowSymLinks MultiViews AllowOverride All Order allow,deny allow from all </Directory> If you have not already used this command sudo a2enmod rewrite then do so in order to enable mod_rewrite. Now edit your /etc/hosts file and add an entry that points to the server where you are setting up the virtual host. The line should look something like this: 192.168.0.100 mysite.local Where the IP address points to the server where you are setting up the host and mysite.local is a nickname for the site. Remember to add the .local :) Now create a file in /etc/apache2/sites-ava