AWG Blogs

Monday, August 24, 2009

Eclipse Simpletest plug-in Path errors

I struggled with this one until, through experimentation, I found the problem. I have the Simpletest plug-in 0.2.5 for Eclipse.

I had:

<?php
// test.php: a SimpleTest case for MyClass.
// Note: MyClass.php must also open with the full <?php tag. With short_open_tag
// turned off, a file that starts with the short tag <? is treated as plain text
// and echoed rather than executed, so the class it declares is never defined;
// the require_once below then "succeeds" without making MyClass available.
// (The backslash separator only works on Windows; '/' is portable.)
require_once dirname(__FILE__) . '\MyClass.php';

class test extends UnitTestCase {
    function test_pass() {
        $tc = new MyClass();
        $boolean = $tc->my_method() == "hello";
        $this->assertFalse($boolean);
    }
}

But when running, I kept getting:

PHP Fatal error: Class 'MyClass' not found in ...test.php...[line number]

I finally found out through trial and error that to fix this fatal error I simply needed to replace the opening short tag with the full PHP tag, <?php. That means I'm going to need to do this to all my class files. Might as well make that a best practice from now on.

Sunday, August 23, 2009

IIS 7 and Permissions Quirks

I just enabled IIS 7 on Windows Vista SP2 and enabled FastCGI. I created a new website and pointed it to a folder under my Documents folder containing a test.php file. I opened the page http://localhost/test.php in IE and got:

HTTP Error 401.3 - Unauthorized
You do not have permission to view this directory or page because of the access control list (ACL) configuration or encryption settings for this resource on the Web server.

Ok, so I added IIS_IUSRS to the folder ACL, but that didn't fix it. I then added the Users group to the ACL and that fixed it. Strange indeed, because my user account is already in the ACL and I'm in the Administrators group, which is also already in the site folder ACL. Now I just have to wonder whether this is a Windows bug, or whether there's some other user under the Users group that's being impersonated by some process. Hmmmmm.

Sunday, August 9, 2009

Use encodeURIComponent in AJAX

When building the parameter string passed to the XMLHttpRequest "send" method, encode each parameter name and value with the JavaScript function encodeURIComponent, not escape or encodeURI. Only encodeURIComponent percent-encodes the characters that have special meaning inside a form body, such as '&', '=' and '+'; the other two leave some or all of them untouched. For a character-by-character comparison of the three functions, see
http://xkr.us/articles/javascript/encode-compare/ .

I learned this by researching why the solution at http://www.captain.at/howto-ajax-form-post-request.php did not work for me. For example, if I use escape, the '+' symbol turns into a space in the database; and if I use encodeURI, any '&' causes all subsequent characters not to make it into the database -- because neither of those two JavaScript functions converts those characters.
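The failure modes above, as an added example that is not part of the original post: a parameter object is turned into an application/x-www-form-urlencoded body with each of the three encoders, then run through a small model of the server-side decoding that PHP's $_POST parsing and most frameworks perform (split on '&', then on '=', turn '+' into a space, percent-decode). The sample value and the field names are constructed for the demonstration; parseFormBody, buildBody and roundTrip are assumed helper names, not browser or library APIs.

```javascript
// Minimal model of how a server decodes an application/x-www-form-urlencoded
// body. This is the step that turns a stray '+' into a space and a stray '&'
// into a field separator, which is why the choice of client-side encoder matters.
function parseFormBody(body) {
  const result = {};
  for (const pair of body.split('&')) {
    if (pair === '') continue;
    const idx = pair.indexOf('=');
    const rawKey = idx === -1 ? pair : pair.slice(0, idx);
    const rawVal = idx === -1 ? '' : pair.slice(idx + 1);
    const decode = (s) => decodeURIComponent(s.replace(/\+/g, ' '));
    result[decode(rawKey)] = decode(rawVal);
  }
  return result;
}

// Build the string you would hand to xhr.send() (with
// Content-Type: application/x-www-form-urlencoded) using a chosen encoder.
function buildBody(params, encoder) {
  return Object.keys(params)
    .map((k) => encoder(k) + '=' + encoder(params[k]))
    .join('&');
}

// Encode a value for the field 'comment', decode it the way the server would,
// and return the parsed fields, i.e. what would end up in the database.
function roundTrip(value, encoder) {
  const body = buildBody({ comment: value, other: 'x' }, encoder);
  return parseFormBody(body);
}

// True when the value survives the client-encode / server-decode trip unchanged.
function roundTripsIntact(value, encoder) {
  return roundTrip(value, encoder).comment === value;
}

// Constructed sample input containing the two troublesome characters.
const SAMPLE = '2+2=4 & more';

// escape() leaves '+' alone, so the server reads it as a space:
//   escape(SAMPLE)             -> '2+2%3D4%20%26%20more'   => comment = '2 2=4 & more'
// encodeURI() leaves '+', '=' and '&' alone, so the server splits the value at '&':
//   encodeURI(SAMPLE)          -> '2+2=4%20&%20more'       => comment = '2 2=4 '
// encodeURIComponent() percent-encodes all of them, so the value arrives intact:
//   encodeURIComponent(SAMPLE) -> '2%2B2%3D4%20%26%20more' => comment = '2+2=4 & more'
```

escape is a legacy, non-standard function (it also mangles non-ASCII text into %uXXXX sequences the server will not decode), so even apart from the '+' problem it has no place in new code.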

Saturday, August 8, 2009

Hacking CAPTCHA

One way to hack one type of CAPTCHA is as follows:

Assume the web app stores the CAPTCHA code in a session variable, checks it only for equality against the submitted value, and displays the challenge through an image tag whose URL points at the CAPTCHA-generating script. Under those assumptions you can use Paros Proxy to trap the page and alter that image URL.

First clear all of the target website's cookies (including session cookies -- still not sure how to do this in IE), then open the target web page form with Paros running and "Trap response" checked in the Trap tab. Edit or remove the link to the CAPTCHA image generator in the image tag, then click Continue. When the page renders, the CAPTCHA image appears broken, which tells you the generator script never ran for this session and hence no CAPTCHA session variable was ever set. Finally, leave the CAPTCHA input box empty and submit. Because the handler compares an unset session value against an empty field, the two look equal, and if all goes well the form submits successfully.

The way to protect against this kind of attack is to make the form handler refuse whenever no challenge exists for the session: set another secret session variable in the CAPTCHA script and check for it during form validation, or equivalently check that the CAPTCHA session variable is set and non-empty before comparing it. Clear the stored code after each check as well, so a solved CAPTCHA cannot be replayed for a second submission.

(This advice is provided to assist newbie web developers with no guarantees. Malicious hackers and script kiddies are not welcome.)