Tuesday, November 17, 2009

CodeIgniter 1.7.2 and userauth 0.9.2t7

Been a long time since I wrote anything to this blog. Good thing for all you CodeIgniter fans: this quick post is about userauth. UserAuth is a simple ACL (Access Control List) login for CI (CodeIgniter).

To complete a successful install of userauth version 0.9.2t7, just copy the files into your bare CodeIgniter install. It's safe to copy all files in all the folders into your application folder, except for the config folder: the files in that folder have to be merged with the ones in your install. You would only have to worry about this if the CI version you're using is very new and has new variables.

Once you merge all the files in the application/config folder, you need to edit the file models/user_group_model.php.

In the user_group_model you only need to replace all instances of "use_table" (without quotes) with "from" (also without quotes).

That's it. You should have a working install of the CI userauth mini-app. This process should actually work with any version. You just have to merge the code and files. Enjoy.

Sunday, March 15, 2009

python append all subdirectories to sys.path

This is my pather class. It appends/prepends the application subdirectories to sys.path.


#!/usr/bin/env python
#
# -*- coding: UTF-8 -*-
#
# PyNutButter BETA Version 0.1.0.1
#
# Copyright 2009 - Infinity and Beyond by Alex Goretoy, All Rights Reserved.
#
# Permission to use, copy, modify, and distribute this software and its
# documentation for any purpose and without fee is hereby granted,
# provided that the above copyright notice appear in all copies and that
# both that copyright notice and this permission notice appear in
# supporting documentation, and that the name of Vinay Sajip
# not be used in advertising or publicity pertaining to distribution
# of the software without specific, written prior permission.
# VINAY SAJIP DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING
# ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
# VINAY SAJIP BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR
# ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER
# IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
# OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
#
# SEE ALSO LICENSE FILE IN PROJECT ROOT DIRECTORY
#
__author__ = "Aleksandr Ilyich Goretoy "
__status__ = "beta" #production
__version__ = "0.1.0.1"
__date__ = "14 March 2009"



import os
import sys


class _pather(object):
    def __init__(self, cwd="", send="append", depth=0, height=1):
        """
        cwd - directory to get listing from
        send - append or prepend to sys.path
        depth - 0 is current dir, 1 is next level directory
        height - root, dirs, files
        """
        self.path = []
        self._path = []
        self.send = send
        # compare by value; "is not" tests identity and is unreliable for strings
        if cwd != "":
            self.set_paths(cwd, send, depth, height)

    def append(self, path):
        path = str(path)
        # drop earlier copies of path (a leading entry is left alone) before re-adding it;
        # rebuilding the list avoids deleting from sys.path while indexing over it
        sys.path[1:] = [p for p in sys.path[1:] if str(p) != path]
        self._path = self.path
        self.path = path
        return sys.path.append(self.path)

    def prepend(self, path):
        path = str(path)
        # drop every existing copy of path before putting it at the front
        sys.path[:] = [p for p in sys.path if str(p) != path]
        self._path = self.path
        self.path = path
        # lists have no prepend() method; insert at index 0 instead
        return sys.path.insert(0, self.path)

    def set_path(self, value, prepend="", append=""):
        self.pathstr = "%s/%s/%s" % (prepend, value, append)
        if self.send == "append":
            self.append(self.pathstr)
        else:
            self.prepend(self.pathstr)

    def set_paths(self, pwd, send="append", depth=0, height=1):
        self.send = send
        # entry is the (root, dirs, files) tuple that os.walk() yields at position depth
        entry = list(os.walk(pwd))[depth]
        root = entry[0]
        self.pathlist = entry[height]
        add = self.append if self.send == "append" else self.prepend
        for x in self.pathlist:
            # skip hidden entries such as .git or .svn
            if not x.startswith("."):
                # join with the entry's own root so depth > 0 yields real paths
                add("%s/%s" % (root, x))

python append application working directory's subdirectory to sys.path

This is a little script to show how to append the application working directory's subdirectories when os.environ['PWD'] is _not_ the application directory.


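#!/usr/bin/env python
import os
import sys

print(__file__)
print(os.environ["PWD"])
# os.path.join leaves an absolute __file__ directory intact instead of gluing PWD in front of it
s = os.path.join(os.environ["PWD"], os.path.dirname(__file__))
sys.path.append(os.path.join(s, "python_stdout_colors"))
print(sys.path)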



Using only os.environ['PWD'], os.getcwd() or os.path.dirname is _not_ enough and will cause errors in your application if a user starts it from a different directory than the one the script is in.
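
An added example, not code from the original post: one way to build the list from the script's own resolved location instead of PWD, and to skip subdirectories that other users can write to, since every directory on sys.path is a place Python will import code from. The names script_dir, is_safe_dir and add_subdirs and the sample directory layout in demo() are assumptions made for this example.

```python
import os
import stat
import sys
import tempfile


def script_dir(script_file):
    """Directory holding script_file, independent of the caller's cwd or PWD."""
    return os.path.dirname(os.path.realpath(script_file))


def is_safe_dir(path):
    """True if path is a directory that group/other cannot write to."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return False
    return stat.S_ISDIR(mode) and not mode & (stat.S_IWGRP | stat.S_IWOTH)


def add_subdirs(base, path_list=None):
    """Append base's non-hidden subdirs to path_list, skipping writable ones."""
    path_list = sys.path if path_list is None else path_list
    added, skipped = [], []
    for name in sorted(os.listdir(base)):
        full = os.path.join(base, name)
        if name.startswith(".") or not os.path.isdir(full):
            continue
        if not is_safe_dir(full):
            skipped.append(full)      # report it, never import from it
            continue
        if full not in path_list:
            path_list.append(full)    # append, so stdlib modules keep priority
        added.append(full)
    return added, skipped


def demo():
    """Constructed layout: a normal dir, a world-writable dir, a hidden dir."""
    base = os.path.realpath(tempfile.mkdtemp())
    for name, mode in (("lib", 0o755), ("uploads", 0o777), (".git", 0o755)):
        os.mkdir(os.path.join(base, name))
        os.chmod(os.path.join(base, name), mode)
    paths = []
    added, skipped = add_subdirs(base, paths)
    return ([os.path.basename(p) for p in added],
            [os.path.basename(p) for p in skipped], paths == added)
```

In a real script the call would be add_subdirs(script_dir(__file__)); the permission check relies on POSIX mode bits.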

Tuesday, January 27, 2009

yahoo session cookie generator

gammarays has released a paper and a video showing a proof of concept of how to bypass Yahoo security by simply generating his own cookie and totally leaving login.yahoo.com out of the picture..... If you own a Yahoo account, then this may be of concern to you..... Doesn't surprise me that something like this would happen to another Microsoft shop... seeing as this is only one-layer user authentication.... Security matters... I hope they resolve this issue faster than I can finish playing bee on guitar hero... Who needs to hijack a cookie when you have a Yahoo cookie generator, eh... Next we should see viruses and spam coming from your trusty contacts... Just like CAPTCHA, I tell you. It's not in the algo you use to construct the image. It's in how you present it to the user that determines its strength.

edited:
video:
milw0rm.com/video/watch.php?id=84

paper:
milw0rm.com/papers/270

more on this from Rizki:
ilmuhacking.com/web-security/yahoo-session-cookie-generator/

Saturday, January 24, 2009

learn dd command

Nice thread about the dd command..... check it:

linuxquestions.org/questions/linux-newbie-8/learn-the-dd-command-362506/

If you want a good book on this subject, also check out File System Forensic Analysis by Brian Carrier (creator of TSK).

No sense in me doubling someone's efforts...

Thursday, January 1, 2009

SSL broken! Hackers create rogue CA certificate using MD5 collisions

Wow, what a way to start the new year.

It was a matter of time before SSL would be broken.

It's about time. Will be interesting to see what will come of this.


blogs.zdnet.com/security/?p=2339


HAPPY 2009!