Archive for May, 2010

Nikto2 web server assessment

I decided to run a vulnerability scan against my fully patched CentOS 5.2 rubyninja.net Apache web server using Nikto2, and learned quite a bit from what it found.

1st vulnerability found:
My webalizer statistics were being displayed without any restriction. Hit counts, referrers and visitor addresses are useful reconnaissance for an attacker, so they should not be public.
Fix: password-protect the statistics directory with .htaccess and additionally limit it to local IP addresses.

2nd vulnerability found:
PHP reveals potentially sensitive information via certain HTTP requests that contain specific query strings (index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000). This is the PHP "easter egg": when expose_php is On, that query string returns the PHP credits page, and the same setting adds an X-Powered-By header with the exact PHP version to every response.
Fix: set expose_php = Off in /etc/php.ini and restart httpd.

3rd vulnerability found:
Apache's default manual pages were publicly accessible. They reveal the Apache major version and are simply unnecessary on a production host.
Fix: edit /etc/httpd/conf.d/manual.conf to comment out or restrict the /manual alias, or remove the httpd-manual package altogether.

4th vulnerability found:
HTTP TRACE method is active, suggesting the host is vulnerable to XST (cross-site tracing).
Fix: Of all the findings this one was the most interesting. TRACE makes the server echo the request it received back in the response body, headers included. A malicious page can abuse that by tricking a web browser (through a script or plugin flaw) into issuing a TRACE request against an arbitrary site and forwarding the echoed response to a third party, which leaks the Cookie and Authorization headers that page scripts normally cannot read. Modern browsers refuse to send TRACE from XMLHttpRequest, so the practical impact is limited, but the fix is a single line in httpd.conf: TraceEnable off. Apache then answers TRACE requests with 405 Method Not Allowed.

This article fully explained the issue. http://www.ducea.com/2007/10/22/apache-tips-disable-the-http-trace-method/
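Here are the four fixes above collected into Apache 2.2 configuration as shipped on CentOS 5. This is an added example, not configuration from the original post: the webalizer output directory (/var/www/usage), the htpasswd file path and the 192.168.1.0/24 network are assumptions to adjust to your own layout. The expose_php = Off line belongs in /etc/php.ini and is not repeated here.

```apache
# Added example: the four Nikto findings fixed in Apache 2.2 config.
# Each section below goes in the file named in its comment.

# --- httpd.conf: finding 4, disable TRACE. Apache answers TRACE with 405 afterwards.
TraceEnable off

# --- /etc/httpd/conf.d/manual.conf: finding 3. The httpd-manual package aliases
# /manual/ to the on-disk manual; either comment the Alias out (as below) or keep
# it and restrict the directory to the loopback address.
# Alias /manual /var/www/manual
<Directory "/var/www/manual">
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Directory>

# --- .htaccess in the webalizer output directory (assumed: /var/www/usage):
# finding 1. Require BOTH a valid user AND a permitted source address
# (Satisfy all). The enclosing <Directory> in httpd.conf must carry
# "AllowOverride AuthConfig Limit" or this file is silently ignored.
# Create the account first: htpasswd -c /etc/httpd/conf/stats.htpasswd statsuser
AuthType Basic
AuthName "Web statistics"
AuthUserFile /etc/httpd/conf/stats.htpasswd
Require valid-user
Order deny,allow
Deny from all
Allow from 127.0.0.1 192.168.1.0/24
Satisfy all
```

After restarting httpd, `curl -i -X TRACE http://<server>/` should come back 405 instead of echoing the request, a plain `curl -I http://<server>/` should no longer carry an X-Powered-By header, and /usage/ should prompt for credentials even from a permitted address. Re-running Nikto is the final check.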

I still need to read the full Nikto documentation to check out all of its features, but I already think it is a really good tool for any Apache administrator.
http://cirt.net/nikto2

Make MySQL client display the selected working database

Before I knew about this MySQL feature, whenever I worked on a database I always ran the \s command to verify which database I was about to alter. Instead of that, the MySQL client has a prompt option that lets you change the display prompt when connecting to a MySQL server.

Simply add the following entries to my.cnf:
[mysql]
prompt='[db: \d] '
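As an added example that is not from the original post, the same option can carry the user and host as well as the database, so a mistyped -h or -u is visible before the first statement is typed rather than after it. The [mysql] section is the one the post uses; the rest is an assumed ~/.my.cnf.

```ini
; Added example: a fuller mysql client prompt in ~/.my.cnf.
; \u = user, \h = host, \d = current database (shows "(none)" until USE),
; \_ = a literal space. A trailing space typed as " " can be stripped by the
; option-file parser, so \_ is the safe way to end the prompt with one.
[mysql]
prompt=\u@\h [\d]>\_
```

The same string works on the command line as --prompt, and inside a session the prompt command (for example, prompt \u@\h [\d]>\_) changes it for that connection only; prompt with no argument restores the default.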

Heading to Madrid

I may hate his football tactics, but Jose Mourinho is a legend in the making.

Converting a CD to an iso image

Converting a disc to an ISO image is easier to do in Linux than in other operating systems:
dd bs=2k if=/dev/cdrom of=~/disk_image.iso
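The dd line above copies the disc but never tells you whether the copy is complete or correct. The script below is an added example, not from the original post: it wraps the same dd invocation in a function that re-reads the source and compares it with the image byte for byte, and adds a sector-count check. The device and output paths are placeholders.

```shell
#!/bin/sh
# Added example: image a disc with dd, then verify the copy before trusting it.
# Usage: image_disc /dev/cdrom ~/disk_image.iso
image_disc() {
    src="$1"
    out="$2"
    # 2048 bytes is the ISO 9660 sector size (bs=2k in the post is GNU dd's
    # shorthand for the same value). dd stops at the first read error; on a
    # scratched disc add conv=noerror,sync to keep going, but then the
    # comparison below is expected to fail because bad sectors are padded.
    dd if="$src" of="$out" bs=2048 || return 1
    # Re-read the source and compare with the image; non-zero means mismatch.
    cmp -s "$src" "$out"
}

# Report an image's size in 2048-byte sectors. A real disc image has no
# remainder; a truncated or non-ISO file shows one here.
image_sectors() {
    bytes=$(wc -c < "$1")
    echo "$((bytes / 2048)) sectors, $((bytes % 2048)) bytes remainder"
}
```

Run as image_disc /dev/cdrom ~/disk_image.iso and check the exit status. The comparison re-reads the disc, so it doubles the time; on good media that is the price of knowing the image is exact. isoinfo -d -i ~/disk_image.iso (from the genisoimage package) then prints the volume descriptor as a quick confirmation that the result is an ISO 9660 filesystem.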

rubyninja is offline until further notice

Both the factory hard drive and the 500 GB Western Digital hard drive seem to be failing. I ran the extended Apple hardware diagnostic test and the core hardware passed (the hard drive was not tested).

Lesson learned here: thank God for backups.

New Primary laptop

It's been over a week since I purchased my new 13-inch MacBook Pro, and I finally managed to fully transfer all of my files from my old white plastic MacBook. Even though I bought the Core 2 Duo instead of the 15-inch i5 MacBook Pro, this laptop is by far the best machine I've ever owned. The only problem is the stock 2 GB of RAM the laptop comes with; it is very noticeable when I have VirtualBox running in the background. So I'm planning on upgrading the RAM to 4 GB within a month or so.

Hacker humor

While reading the regex portion of Apress's Beginning Perl, Second Edition by James Lee, the following sample code totally made my day.

#!/usr/bin/perl -w
use strict;

# The default variable $_ holds the sentence; the substitution below
# operates on it implicitly.
$_ = "There are two major products that came out of Berkeley: LSD and UNIX";

# Swap the first two words: capture word, whitespace, word and emit them in
# reverse order. \l lowercases the first letter of the word that moved out of
# sentence-initial position.
s/(\w+)\s+(\w+)/$2 \l$1/;

# Capitalise the new first word and turn the statement into a question.
$_ = ucfirst($_);
print $_, "?\n";