Web

MacMegasite has been down all morning due to problems at Geek-Hosting.com.

I plan to move MacMegasite to this host (where I have a reseller account), which also hosts worldbeatplanet.com and shareyourmusic.com.

I still have space & bandwidth available on this host which I can sell. I’m considering the pricing $2.50/month for 100M/1G and $4.75/month for 200M/2G. If I sell the remaining capacity at that price, it will completely pay for my hosting costs. However, that won’t leave me enough space & bandwidth to host MacMegasite, although I could buy more.

If you’d like to host a site on my server, contact me or see this page for more info.

Comment spam seems to have been increasing lately.

Yesterday I got a comment spam for an online pharmacy from the bogus address hrie@yahoo.com. Today I got two more comment spams from the same address for a different pharmacy. I just added some very aggressive filters to mt-blacklist in an attempt to deal with them.

I just installed PHP-Nuke 7.0 at WorldBeatPlanet.

This seems to be how the luser was able to hack the site.

When I checked my access logs, I found a few items like:

modules.php?name=Your_Account&op=gfx&random_num=604071


The security graphic engine takes the random number and makes an MD5 encryption of it concatenated with other elements such as the $sitekey, $datekey, and the member’s http_user_agent.

At this point the MD5 hash value is switched over to hexadecimal and stored in a variable whereby at a certain starting point (2 by default) a total of x places are read and stored (by default 6).

A potential security risk exists if the default $sitekey value is not changed because a malicious user can manually map out on a PHP-Nuke portal in a one to one relationship between random_num and the number shown in the image. So long as the following values do not change:

• $sitekey
• $datekey
• $random_num
• HTTP_USER_AGENT

The number shown back in the security image will always be the same. Such a mapping would be tedious to complete manually, but the possibility exists nonetheless.

Out of the four variables above, the user can manipulate only two:

• $random_num
• $HTTP_USER_AGENT

This effectively means that the entire process of mapping out the one to one relationship must occur in a single day due to the $datekey parameter. Each day adds a new value to the hexadecimal/MD5 concatenation process.

Lets take this a step further. If a PHP-Nuke webmaster does not change their default $sitekey parameter this could still open them up to attack. A malicious user may install a default PHP-Nuke portal on their own system and now they have access to manipulate all of the four variables above.

This means they can change the date on their system, altering the $datekey to each day of the year, and manually map out all the random_num values to their respective security image code values. At this point, they have a full database for every day of the year that can be used maliciously against default $sitekey value PHP-Nuke sites. With such data, a script can be written to check the random_num value, ie:

modules.php?name=Your_Account&op=gfx&random_num=604071

And such a script could call up the corresponding security code value thereby rendering the purpose behind it useless.

Conclusion? Change your $sitekey immediately from the default value, and change it often. On Nuke Cops for example, the random_num above, 60407, generates the number 588529 using my HTTP_USER_AGENT for today’s date. You will most likely see a different code.

I’ve moved the politics category to a separate weblog which will focus entirely on politics, while this one will be mostly about Macs, programming, web development, and general geekiness, with some fun stuff thrown in.

If you can see this, you’re looking at the new host. I now have a reseller account at PEHosting instead of 3 separate accounts for this site, worldbeatplanet, and shareyourmusic.com. I also now have a new politics weblog where I moved the political content from this weblog.

I just gave all of mcdevzone.com a facelift. I got tired of the pinstrip background, plus I’m now using a separate style sheet for the entire site. I also added a picture to the about page.

I just added an alternate style for blockquotes, which will make them stand out nicely with a border & colored background.

I just got an email from my local Toyota dealer reminding me to bring my car in for scheduled maintenance. It included a link to their website where I could schedule an appointment online.

When I tried to schedule an appointment in Safari, which is my default browser, I was able to enter a date or use the calendar popup, but the time menu never changed from “select date first”. I gave up and tried it in Mozilla. At least Mozilla let me select a time, but as soon as I clicked anywhere else, the time reverted to 7:30. I finally gave up and called them to schedule an appointment.

PHP-Nuke 7.0 has finally been released to the general public. I’ll take a look at it this weekend and see if it’s worth upgrading MacMegasite and WorldBeatPlanet.

I decided it’s time for a new look for my weblog. Yes, that’s Midnight with a real snake in the picture. I took that picture about a month before Midnight moved in with me. He caught and killed a snake outside my building. I just think it’s a really cool picture 🙂