Server Move

February 27th, 2006

Eeep! Had a call from the colo company this morning about moving servers. Seems we’re going to have to move to a new machine because the IP address we’re currently on is being.. uh.. I dunno, lost? Given away? Cancelled? Something like that anyway.

So we’re moving from a 1GHz RaQ550 to a new Dell P4 thing that we have to share. We get a 20GB hard drive and at least 400MB RAM (which is more than our current 256, anyway) but the CPU.. well, that’s the kicker. I’m not sure how that’ll work.

It will, however, feature the open source ‘Blue Quartz’ config panel, so we’ll be able to move stuff over pretty quickly. I may just spend the day working from home when the time comes in order to make sure everyone’s site is all set up. I think it’ll have to be a weekend job as well, since I’ll have every single customer breathing down my neck otherwise.

If this site disappears at any time before the end of March… well you know why :)

Egg Card not working?

February 16th, 2006

Blame VISA – apparently they supplied Egg with some software around December and it’s broken something. You won’t be able to use your Egg Card (your card will be declined) until 14:50 tomorrow (Friday). How lovely!

And a bloody nuisance, too. I was all set to buy NOD32 and renew a few domain names but no – card declined. Half my jobs tonight are being put off until tomorrow now.

I bet someone’s having omelets for tea over at Visa.

Update:
OK, so I can’t use my Egg Card because it’s blocked, so I try to use my Switch card to buy NOD32 and what happens? Incorrect number of digits, that’s what! My card number is 19 digits but the JavaScript source checks that numbers are 16 or 18 in length.

Grrrrrrrrrrrr!

UK Postcode Database and Calculating Distances Between Postcodes

February 15th, 2006

Looking over the website counter area I’ve noticed an increasing number of people are searching for information on how to calculate the distance between two postcodes. My original post on the matter sent people off in the direction of jibble.org but I’ve had at least one person mention that the UK postcode database isn’t available anymore.

For that reason I’ve uploaded the UK Postcode Database (with grid references) to my NTL space, here:

    UK Postcode Database
    I’ve removed the link above since the legal status was questionable. A fully legal, open version of the postcode database can be found at New Popular Edition Maps.

Have a look at the page on jibble (link above) for further information.

Original Post

    Currently I am mucking about with postcodes, converting them to coordinates that I can plonk onto a map of the UK, and maybe thereafter use to calculate straight-line distances between two codes. Lucky for me (yay me!) I found a free, plain-text database on jibble.org that already had the coords as metres – saving me 90% of the work I originally envisaged converting Grid References.

    I’m plonking them into a simple MySQL table at the mo, then I’ll be able to get the positions by searching on the first half of someone’s postcode. It’s not accurate down to street level but it’s fine for someone looking the length of the country. The next stage will be to write a function that takes into account the size of my bitmap image of the UK, complete with various pixel offsets, and returns an X or Y position in pixels representing the location of that postcode. I don’t foresee any problems.
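The two steps described above (straight-line distance from grid coordinates in metres, then mapping a grid reference onto a fixed-size bitmap) as an added worked example. This is not code from the original post: the grid references in the lookup table are constructed sample values, not real postcode data, and the image size, bounds and offsets are assumptions standing in for the author’s bitmap.

```php
<?php
// Added example, not from the original post. The lookup table holds
// CONSTRUCTED sample eastings/northings in metres (not real postcode
// data); image dimensions, bounds and offsets below are assumptions.

declare(strict_types=1);

// Keyed by outward code (the first half of the postcode), as in the post.
const GRID = [
    'SW1A' => ['e' => 530000, 'n' => 179500],
    'M1'   => ['e' => 384000, 'n' => 398000],
    'EH1'  => ['e' => 325500, 'n' => 673800],
];

/** Outward code: everything before the first whitespace, upper-cased. */
function outwardCode(string $postcode): string
{
    $parts = preg_split('/\s+/', strtoupper(trim($postcode)));
    return $parts[0];
}

/** Straight-line distance in metres on the planar national grid (Pythagoras). */
function gridDistance(array $a, array $b): float
{
    return hypot($b['e'] - $a['e'], $b['n'] - $a['n']);
}

/**
 * Map a grid reference to a pixel position. $bounds is the grid extent the
 * image covers. Northings increase going north while pixel rows increase
 * going down the image, so the Y axis is flipped; $offX/$offY are the
 * "various pixel offsets" (e.g. a border around the map).
 */
function gridToPixel(array $p, array $bounds, int $width, int $height,
                     int $offX = 0, int $offY = 0): array
{
    $scaleX = $width  / ($bounds['maxE'] - $bounds['minE']);
    $scaleY = $height / ($bounds['maxN'] - $bounds['minN']);
    $x = (int) round(($p['e'] - $bounds['minE']) * $scaleX) + $offX;
    $y = (int) round(($bounds['maxN'] - $p['n']) * $scaleY) + $offY;
    return ['x' => $x, 'y' => $y];
}

// Usage: distance between two outward codes, then one of them on the map.
$a = GRID[outwardCode('sw1a 1aa')];
$b = GRID[outwardCode('EH1 1YZ')];
printf("Distance: %.1f km\n", gridDistance($a, $b) / 1000);

// Assumed: a 600x1000 pixel image covering 0-700 km east, 0-1250 km north,
// drawn with a 20 pixel border on each side.
$bounds = ['minE' => 0, 'maxE' => 700000, 'minN' => 0, 'maxN' => 1250000];
print_r(gridToPixel($a, $bounds, 600, 1000, 20, 20));
```

Because the database holds metres on a flat grid rather than latitude/longitude, plain Pythagoras is the right distance formula; the only part that usually trips people up is the Y flip, which is why it is isolated in gridToPixel().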

(Hopefully Google will link to this page from now on…)

PHP mail() Email Injection Attack Allows Spammers to Send Email

February 14th, 2006

I was at a client’s last week and the guy who handles the email mentioned that they were getting a lot of spam from the same email addresses, all of which were at the default name of our server. I had a quick look and, sure enough, email was being sent through a mail script on the back end of my client’s Contact Us page. Because the To: address is hard-coded into the script, my client received copies of the spam as well as the injected recipients.

How the Email Injection Attack works…

The injection attack works with any mailing script that uses the PHP mail() function. If the script accepts a name and email address, and formats those into the From: field of your email, then they can be used to insert extra email addresses anonymously.

Ordinarily you would take a name ($name) and an email address ($email) and create a string like so:

    $headers="From: $name <$email>\r\n";

which creates:

    From: MyName <user@domain.tld>

followed by a ‘\r\n’, or Carriage Return + Line Feed.

Using a form on another server, or even the existing form if there’s no client-side length checking, the spammer submits the following as $name:

    blah%0ASubject:SpammerSubject%0Abcc:victim@domain2.tld

PHP’s mail() function puts these into the headers as usual, but the headers now contain extra Subject: and Bcc: fields that were not there before. Either the $name or $email variables (in our example) can be used for this, and there’s nothing to stop them attaching files using MIME.

So How Do I Protect Against Email Header Injection Attacks?

Thankfully, protecting yourself is quite easy – probably the easiest way is for you to check the vulnerable fields for illegal content on receipt by your processing script. My approach was to write a simple function using a regular expression, thus:

    <?php

    // Check a form field that will end up in a mail header for injected
    // header names. If one is found, report the submission and stop.
    function spamcheck($spammed_field) {

        // Case-insensitive match for 'Cc:', 'Bcc:' or 'Subject:', with or
        // without a space after the colon (the sample payload above has none).
        // preg_match() replaces the long-removed eregi().
        if (preg_match('/(?:bcc|cc|subject)\s*:/i', $spammed_field)) {

            // Work out where the submission came from. X-Forwarded-For and
            // Client-IP are supplied by the client and trivially forged, so
            // REMOTE_ADDR is the only value the server itself observed.
            $spamhost = $_SERVER['REMOTE_HOST'] ?? '';
            $spamrefr = $_SERVER['HTTP_REFERER'] ?? '';
            $spamaddr = $_SERVER['HTTP_X_FORWARDED_FOR'] ?? '';
            if (strlen($spamaddr) < 7) { $spamaddr = $_SERVER['HTTP_CLIENT_IP'] ?? ''; }
            if (strlen($spamaddr) < 7) { $spamaddr = $_SERVER['REMOTE_ADDR'] ?? ''; }
            $thisfile = $_SERVER['SCRIPT_NAME'] ?? '';

            $spamtext = "FILE: $thisfile \nFROM: $spamrefr \nADDR: $spamaddr \nHOST: $spamhost \nINFO:\n$spammed_field\n";

            mail("spamcheck@domain.tld", "ALERT: $spamaddr", $spamtext,
                 "From: SpamCheck <spamcheck@domain.tld>\r\n");

            die();
        }
    }

    ?>

All you have to do to check the vulnerable fields is include the function and call it for each one:

    include('spamcheck.php');
    spamcheck($name);
    spamcheck($email);

If ‘Cc:’, ‘Bcc:’ or ‘Subject:’ is found somewhere it shouldn’t be, the script generates an email containing the name of the script and the spammer’s IP address, sends it to spamcheck@domain.tld and promptly dies.
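To make the mechanism in the two sections above concrete, here is an added example (not code from the original post or its spamcheck.php) that builds the From: header the vulnerable way, feeds it the exact payload quoted earlier so the extra header lines become visible, and then shows a hardened builder. The hardened version takes a slightly more general approach than the post’s header-name check: it rejects any header-bound value containing a line break, which is what every injected header needs, validates the address with filter_var(), and quotes the display name. The function names and the sample address user@domain.tld are assumptions for the example.

```php
<?php
// Added example, not from the original post. Shows the header block the
// post's payload produces, and a builder that refuses such input.

declare(strict_types=1);

/**
 * The post's original construction, with no validation at all.
 * Kept only so the effect of the payload can be seen side by side.
 */
function buildHeadersUnsafe(string $name, string $email): string
{
    return "From: $name <$email>\r\n";
}

/**
 * A single header value may never contain CR, LF or NUL; a line break is
 * the only way to smuggle an additional header field into the block.
 */
function isHeaderSafe(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 0;
}

/**
 * Hardened builder: rejects line breaks in either field, validates the
 * address, and quotes the display name (escaping '"' and '\') so the
 * result is guaranteed to be exactly one header line.
 * Returns null when the input cannot be used safely.
 */
function buildHeadersSafe(string $name, string $email): ?string
{
    if (!isHeaderSafe($name) || !isHeaderSafe($email)) {
        return null;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    $quoted = '"' . addcslashes($name, '"\\') . '"';
    return "From: $quoted <$email>\r\n";
}

// The payload quoted in the post, URL-decoded as PHP would see it in
// $_POST['name'] (%0A becomes a line feed). The address is a sample value.
$payload = urldecode('blah%0ASubject:SpammerSubject%0Abcc:victim@domain2.tld');
$email   = 'user@domain.tld';

// The unsafe builder yields three header lines instead of one: the
// From: line, an injected Subject:, and an injected bcc: whose value is
// followed by " <user@domain.tld>" from the tail of the template.
echo "Unsafe header block:\n" . buildHeadersUnsafe($payload, $email) . "\n";

// The hardened builder rejects the payload outright...
var_dump(buildHeadersSafe($payload, $email));   // NULL

// ...and still accepts an ordinary name.
var_dump(buildHeadersSafe('MyName', $email));   // "From: \"MyName\" <user@domain.tld>\r\n"
```

Checking for line breaks rather than for particular header names means the check does not need updating when a spammer picks a header the blocklist did not anticipate (Reply-To:, Content-Type: for the MIME attachments mentioned above, and so on). The header-name check from the post remains useful as the trigger for the alert email, since a submission containing “Bcc:” is worth reporting even if it has already been refused.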

Forthcoming Trip to Tokyo

February 11th, 2006

As my birthday treat to myself, I’m planning a trip to Tokyo for September of this year. I’ve snagged myself a basic language course on DVD and a small (and slightly out of date) guide book and I’m planning on doing a crash course over the next few months.

Mooching about the Internet today I found cheap economy-class flights over at WorldWideFlights.com and a cheap 2-and-a-half-star hotel on Expedia that brought the total flight/hotel cost down to under £1400 – two people for two weeks.

The only thing I’m not looking forward to is the 15-hour flight, or whatever the hell it is.

Hi Honey, I’m Home!

February 6th, 2006

Apologies for the lack of updates – I’ve just returned from two weeks in sunny Jamaica. A break was long overdue and I’m just getting over the minor jetlag in order to get straight back to work tomorrow. Mad? Me? Sure!

Had a glorious fourteen nights in the 5-star Sunset Jamaica Grande in Ocho Rios. Most of the time I was just lazing around topping up the tan but I did get to swim and play with some dolphins at Dolphin Cove (and in a stunning display of insensitivity, I later had a dolphin steak sandwich at Bob Marley’s Mum’s Caff) as well as meet the locals and visit a friend’s dad for his birthday.

Back home I found a patch that hadn’t been applied to the webserver and only found that it reduced the server to PHP 4.0.3 after I’d installed it. A few nerve-wracking minutes later and I had 4.3.9 back up and running. Gah!