Re: !!need help on DBM file and IPC::Shareable...

1999-10-13 Thread Stas Bekman


Martin,
Both questions aren't related to mod_perl. Please use comp.lang.perl.misc
or other appropriate forums instead! Thank you!

>   I was trying to use either DBM_File or IPC::Shareable to handle about 
> 100M data locally without a separate database machine. The data 
> structure I tried to store was a complex Hash with hash and array 
> inside (actually using MLDBM for nested Hash and array, IPC::Shareable 
> for nested Hash). The underlying store modules tied were Storable and 
> Data::Dumper. But one error always occurs -> the serial store will 
> return a negative error no., usually (-1,220). Another weird thing I 
> observed is that the file size reported by 'ls' doesn't agree with 
> the actual disk usage. My last try was to load approx 100MB data 
> into a MLDBM file. It failed when almost finished loading all data 
> because a store failed. 'ls' reported the file size was about 1.169GB, 
> while the partition was only about 250MB. 'du' showed the correct 
> usage, it was about 100MB. Can anyone here tell me what is the exact 
> problem here, and whether it is possible to handle about 50MB at least 
> with these methods. 
> 
>   Another related question is when tying the MLDBM file, what fcntl open 
> mode should be used, if I need to do minor updates when several 
> processes are using the same file, i.e. whether it can be shared among 
> processes for read/write. If MLDBM cannot, whether Berkeley DB_File 
> can do the job?
> 
>   Comments appreciated!
> 
> -Martin



___
Stas Bekman  mailto:[EMAIL PROTECTED]  www.singlesheaven.com/stas
Perl,CGI,Apache,Linux,Web,Java,PC at  www.singlesheaven.com/stas/TULARC
www.apache.org  & www.perl.com  == www.modperl.com  ||  perl.apache.org
single o-> + single o-+ = singlesheaven  http://www.singlesheaven.com



disk space requirement

1999-10-13 Thread Allan Tejano


How much space is required to install mod_perl? (necessary files excluding
the documentation, etc.)
As far as I have read, I also need to install the Perl interpreter when using
mod_perl.
How much space does the interpreter require?

Your answers are very much appreciated. I have some hardware limitations
which might not allow me to install such packages.




Re: Mandrake 6.1 and Apache::Util loadproblem..

1999-10-13 Thread Gustav Kristoffer Ek

On Mon, 4 Oct 1999, Morten Bøgeskov wrote:

> I've been trying to install mod_perl and Apache_1.3.9 on my mandrake
> distribution, but things are not all that well..

...

> Compiled apache and mod_perl (dso) with no problem... however..
> If I use the ``use Apache::Util qw(:all);''-statement, I get this 
> in my error_log:
> [Mon Oct  4 08:23:12 1999] [error] Can't locate loadable object for module
> Apache::Util in @INC (@INC contains: /usr/lib/perl5/5.00503/i386-linux

...

Try installing Apache::Util from cpan.

- gustav


Gustav Kristoffer Ek, Netcetera, Brolæggerstræde 4, 1211 København K
Telefon +45 33 14 70 00 / +45 20 40 00 05 - Faximile +45 33 14 62 00
Webdesign, Webhotel, Mailhotel, UUCP & mere http://www.netcetera.dk/



Re: secure way to connect to database

1999-10-13 Thread Gunther Birznieks

On Wed, 13 Oct 1999 [EMAIL PROTECTED] wrote:

> 
> This seems to work fine for us.  It meets the requirements you state as
> having the connection password in just one place as well.
> 
> I personally don't think that putting the password into the environment is
> such a good idea.  Too much potential for someone to steal it.
> 
Also, not all web servers are kind enough to export the equivalent of
environment variables from a config file so it's not cross-webserver if
you ever switch to apache (unlikely) or more likely, you want to share
your code with a friend who has an alternate web server.

I would tend to agree on the security stance. Although I think it is a bit
arguable. The issue for me is that anyone breaking into the web server
with a rote script will be able to view the environment and figure out
what it means, but only a Perl programmer would be able to go into the
source code and pull out the connection information. It's not as easy. But
a person who hacks in and knows what they are doing will be able to get
the password regardless.

If you want to be more secure, then you use a middleware strategy so that
you create a restricted RPC or object server between the database and the
web server such that the db password is in the RPC server, and the web
server only has access to a restricted subset of RPC functionality. That
way, the hacker has to break both the web server and the middleware server
to get to your DB unprotected.

But as with all things, at some point there are diminishing returns with
performance being the thing most hit by layered approaches (unless you
build fancy caching in your middleware).

Later,
  Gunther




Re: Apache::DBI & MySQL

1999-10-13 Thread Perrin Harkins

Viren Jain wrote:
> 
> I included the command "PerlModule Apache::DBI" in my mod_perl Apache
> configuration files. Yet, over time there build up more connections in
> mysql than apache processes (only Apache/CGI should be accessing MySQL) and
> most processes seem to have very high "Time"s under the "sleep" stat when I
> do a 'processlist' in mysql. Please advise.
>   -- Viren

If ANYTHING is different in your connect string, Apache::DBI will keep a
separate connection open.  You probably have slight variations in your
connect strings.
- Perrin



Re: Apache::DBI & MySQL

1999-10-13 Thread Ken Williams

Do you really need the persistent connections when using mysql?  Since mysql is
so fast to connect, I've just been using regular DBI connection methods.  I
have one connection opened per request, and when the request is done, the
connection gets closed.  It's fast enough for me, you should do your own tests.

I'm not sure why you have too many connections.  Sounds pretty odd.


[EMAIL PROTECTED] (Viren Jain) wrote:
>   I included the command "PerlModule Apache::DBI" in my mod_perl Apache 
>configuration files. Yet, over time there build up more connections in 
>mysql than apache processes (only Apache/CGI should be accessing MySQL) and 
>most processes seem to have very high "Time"s under the "sleep" stat when I 
>do a 'processlist' in mysql. Please advise.
>  -- Viren
>

  ------
  Ken Williams          Last Bastion of Euclidity
  [EMAIL PROTECTED]     The Math Forum




Apache::DBI & MySQL

1999-10-13 Thread Viren Jain

I included the command "PerlModule Apache::DBI" in my mod_perl Apache 
configuration files. Yet, over time there build up more connections in 
mysql than apache processes (only Apache/CGI should be accessing MySQL) and 
most processes seem to have very high "Time"s under the "sleep" stat when I 
do a 'processlist' in mysql. Please advise.
  -- Viren



Re: Confirmation of hits, etc.

1999-10-13 Thread Mehryar Mansoor


Deja.com: (130 million pageviews/month)
http://www.deja.com
Apache/1.3b5 mod_perl/1.08

cheers,
mehryar


On Tue, 12 Oct 1999, Thomas Lockney wrote:

> I don't have any clue what the figures are, but you might want to add
> DejaNews to that list.
> 
> Rex Staples wrote:
> > 
> > I am assembling a proposal to move an existing web structure from
> > IIS/ASP to Apache/mod_perl.  The best defense I can have for my proposal
> > is a site whose traffic is in the 5-10 million page views a day on a
> > mod_perl server.
> > 
> > I've checked out the list of sites running mod_perl as well as the
> > testimonies, and I have some data to deliver, but much of it is 18
> > months old.
> > 
> > Below are several high-profile (and hopefully high-trafficked) sites I
> > am going to include in my proposal, but I was hoping that some of the
> > minds on this list might know either the most recent traffic figures for
> > these sites or of other sites whose traffic is in the 5-10 million page
> > views/day range.
> > 
> > Art Today: subscription clip-art service (250k hits/day)
> > http://www.arttoday.com
> > Apache/1.3.4 (Unix) mod_perl/1.17 on Solaris
> > 
> > CMPnet: a technology information network (500k+ hits/day)
> > http://www.cmpnet.com
> > Apache/1.3.9 (Unix) mod_perl/1.16
> > 
> > IMDB: Internet Movie Database (1.25 million pageviews/day as of March
> > 1998)
> > http://www.imdb.com
> > Apache/1.3.7-dev (Unix) mod_perl/1.19_01-dev
> > 
> > Slashdot (500k hits/day)
> > http://www.slashdot.org
> > Apache/1.3.6 (Unix) mod_perl/1.21
> > 
> > Commissioner.com (12 million pageviews/day on Sundays 1999)
> > http://www.commissioner.com
> > Apache/1.3b5 mod_perl/1.10 on Linux
> > 
> > Hot Bot mail and member web pages:
> > http://members.hotbot.com
> > Apache/1.3.4 (Unix) mod_perl/1.21 on Solaris
> > 
> > CBS Marketwatch
> > http://marketwatch.cnation.com
> > Apache/1.3.6 (Unix) mod_perl/1.21 on Linux
> > 
> > Thanks for any contributions!
> > 
> > Rex Staples
> > collegestudent.com
> 





Re: secure way to connect to database

1999-10-13 Thread mschout

On Wed, 13 Oct 1999, Oleg Bartunov wrote:

> Hi,
> 
> I'm developing Web application with database (postgres) backend
> and would like to know what is the right and secure way to establish 
> connection to database. I worry about password which has to be
> specified in DBI->connect. There are many scripts, .htaccess and
> I don't want to spread password, even if I could maintain 
> file access permissions. Previously, I just used environment
> variable DBI_DSN (in httpd.conf) to describe database and used
> DBI->connect() method to access database. It was very convenient
> because you have only one place in http.conf where you configure
...

What we do in this sort of situation is to just create a package containing
utility functions (e.g.: for project "Foo", we might put utility functions
into the package Foo::Util).  In Foo::Util, we put (among other things):

--
package Foo::Util;
use strict;
use DBI;

# the one place that knows the DSN, user and password
sub dbi_connect {
    return DBI->connect( connection args ... );
}

1;
--

Then whenever we need the connection in a Registry script, a pure mod_perl
handler, or anything else, we just say:

use Foo::Util;
my $dbh = Foo::Util::dbi_connect();

This seems to work fine for us.  It meets the requirements you state as
having the connection password in just one place as well.

I personally don't think that putting the password into the environment is
such a good idea.  Too much potential for someone to steal it.

Regards,
Mike



mod_perl, gcc and IRIX 6.5

1999-10-13 Thread Joel Reymont

Hi!

Has anybody built mod_perl with gcc 2.8.1
on Irix 6.5? I managed to build apache 1.3.9
with DSO support but can't manage to build 
mod_perl 1.21.

Thanks in advance, Joel



!!need help on DBM file and IPC::Shareable...

1999-10-13 Thread lma

Hi, 

I was trying to use either DBM_File or IPC::Shareable to handle about 
100M data locally without a separate database machine. The data 
structure I tried to store was a complex Hash with hash and array 
inside (actually using MLDBM for nested Hash and array, IPC::Shareable 
for nested Hash). The underlying store modules tied were Storable and 
Data::Dumper. But one error always occurs -> the serial store will 
return a negative error no., usually (-1,220). Another weird thing I 
observed is that the file size reported by 'ls' doesn't agree with 
the actual disk usage. My last try was to load approx 100MB data 
into a MLDBM file. It failed when almost finished loading all data 
because a store failed. 'ls' reported the file size was about 1.169GB, 
while the partition was only about 250MB. 'du' showed the correct 
usage, it was about 100MB. Can anyone here tell me what is the exact 
problem here, and whether it is possible to handle about 50MB at least 
with these methods. 

Another related question is when tying the MLDBM file, what fcntl open 
mode should be used, if I need to do minor updates when several 
processes are using the same file, i.e. whether it can be shared among 
processes for read/write. If MLDBM cannot, whether Berkeley DB_File 
can do the job?

Comments appreciated!

-Martin





RE: e-commerce

1999-10-13 Thread Mukesh Wani

I work for an e-commerce company, iCelebrate.com, Inc., and we use mod_perl.

Mukesh Wani
http://www.icelebrate.com


I wonder if anyone could list me some e-commerce web sites using mod_perl -
like amazon, cdnow, etc.

Thanks!
../Ricardo

###
Guitar fan Chris Black of London actually had a wedding 
ceremony to officially marry his Fender Stratocaster last year.
###




Apache::Session and auto-expiration

1999-10-13 Thread Dmitry Beransky

Hi,

I've been trying to figure out how auto-expiration works in the new version 
of Apache::Session.  After going through the code of IPC.pm, I think I got 
the idea, but still it would be nice if this was documented somewhere.  I 
don't think it is. Is it?

Regards

---
Dmitry Beransky
Programmer/Analyst

University of California, San Diego
Multimedia Interactive Learning Lab (http://mill.ucsd.edu)



Re: authentication via login form

1999-10-13 Thread Ofer Inbar

Gunther Birznieks <[EMAIL PROTECTED]> wrote:
> On Mon, 11 Oct 1999, Ofer Inbar wrote:
> 
> > Eugene Sotirescu <[EMAIL PROTECTED]> wrote:
> [...snipped...]
> > 
> > When a browser session comes in without appropriate authentication
> > cookies, they get a login screen.  When they post username and
> > password, check that against the locally stored user table, and if
> > they match, issue a set of authentication cookies.  These hold three
> > pieces of information:
> >  - the username
> >  - the date-time (seconds since epoch) these cookies were issued
> >  - an MD5 hash
> > 
> > The hash is of: username, per-user secret, application secret,
> >  application's version number, IP address of browser session, and
> >  time cookies were issued.
> > 
> [...lots more snipped...]
> 
> I am curious because I've seen this sort of statement a couple times.
> 
> Wouldn't passing the username and time of the cookie issuance weaken the
> MD5 hash since you would be giving a perpetrator more information to
> create the MD5 hash themselves? It seems to me that at the very least,
> don't pass the time to the user because that doesn't add value to the
> client side.

Including the time and username in a readable form is necessary,
because without it, there's no way for the web application to *read*
those values when the user accesses the site again and sends in the
cookies.  If all you can read is a hash, how do you know who they're
trying to authenticate *as*?  Read every user out of the database and
try them all one by one?  But if you're not given the time, you can't
even try that brute force strategy, unless you repeat it for every
possible (or likely) time the hash might have been encoded with.  You
need to be able to read the user to know who they're claiming to be,
and you need the time to know whether their cookie set is expired or
not, and you need to know *both* in order to test the hash at all.

Now, by the avalanche property of MD5, every single bit of the input
should have a 50% chance of affecting each bit in the resulting hash.
So, letting the user know some of those bits shouldn't help them be
able to break the hash, as long as the stuff they *don't* know is hard
enough to break.

So, of course, the security of this hash is not based on the user not
being able to figure out their own username and the time they got the
cookies, and their IP address.  Heck, they could figure all that stuff
out whether they were handed it in a cookie or not.  The security is
based on the fact that they can't guess their per-user secret and the
application's global secret.  If you want to, you can also add some
other semi-random possibly hard to guess value to the mix, perhaps
your process ID (which by itself is somewhat guessable, but does add a
bit more uncertainty when combined with the secrets).

The reason all that other information (username, time, IP), that the
user does know or can figure out, is in the hash, is to ensure that
they cannot change it.  Otherwise, they could log in as one user, then
come back with a perfectly valid hash but pretending to be some other
user, and get that other user's privileges.  Or, they could keep
coming back with the current time, so their hash never expired.  But
if those values are included in the hash, and the user changes them,
unless they can guess the secrets and come up with a new hash, their
cookie set is no longer valid.

  --  Cos (Ofer Inbar)  --  [EMAIL PROTECTED] http://www.leftbank.com/CosWeb/
  --  WBRS (100.1 FM)   --  [EMAIL PROTECTED] http://www.wbrs.org/
   A cos is an abstraction for a stream or datagram channel, used in BSD
   and BSD derivatives.  -- Ben Tober <[EMAIL PROTECTED]>



mod_perl rpm ready for testing

1999-10-13 Thread David Harris

Hi,

I've just completed the first copy of the mod_perl RPM that I said I was going
to create about a week ago. Sorry this took so long, I had a whole bunch of
things that needed to be done first.

The files are up at:
http://www.davideous.com/modperlrpm/distrib/

Features of this RPM:
 - installs mod_perl as an "add in" to the red hat apache
   package, but does not install mod_perl as a DSO and
   all the problems that brings (more details in the appended
   README.RPM file)
 - includes the four header files required for building
   libapreq (libapreq package will follow shortly)
 - distributes plain text forms of the pod documentation
   files that come with mod_perl
 - checks the module magic number on the existing apache
   package to see if things are compatible

I've appended a copy of the README.RPM file distributed with this package which
explains how I went about packing this stuff to make it work like a "add in"
but not make it a DSO.

I'd appreciate it if some people could give this package a whirl using some of
the advanced mod_perl features that don't work in the DSO. This would really
help my confidence that this approach really works. Also, if somebody (perhaps
Geoffrey S Young who was researching this, I think) has a listing of the
features that are broken in the DSO form, please send to the list - I'd like to
include it in the package documentation, and some people might be able to test
that stuff.

I know that this is not the latest copy of mod_perl or Apache. I just tossed
this out. When I get some positive feedback, I'll look at creating an Apache
1.3.9 version (for the red hat 6.1 folks) and try to get the latest mod_perl
version running for Apache 1.3.6.

 - David Harris
   Principal Engineer, DRH Internet Services

=


README.RPM
notes on this un-conventional RPM packaging of mod_perl

by David Harris <[EMAIL PROTECTED]>
on Oct 13, 1999


This package will install the mod_perl library files on your machine
along with the following two Apache files:

  /usr/lib/apache/mod_include_modperl.so
  /usr/sbin/httpd_modperl

This package does not install a complete apache subtree built with
mod_perl, but rather just the two above files that are different
for mod_perl.  This conceptually thinks of mod_perl as a kind of an
"add on" that we would like to add to the regular apache tree. However,
we are prevented from distributing mod_perl as an actual DSO, because it
is not recommended by the mod_perl developers and various features must
be turned off. So, instead, we distribute a httpd binary with mod_perl
statically linked (httpd_modperl) and the special modified mod_include.so
required for this binary (mod_include_modperl.so).  You can use the exact
same configuration files and other DSO modules, but you just "enable"
the mod_perl "add on" by following the below directions.

To enable mod_perl, do the following:

  (1) Configure /etc/rc.d/init.d/httpd to run httpd_modperl instead of
  httpd by changing the "daemon" command line.
  (2) Replace mod_include.so with mod_include_modperl.so in the
  module loading section of /etc/httpd/conf/httpd.conf
  (3) Uncomment the "AddModule mod_perl.c" line in /etc/httpd/conf/httpd.conf

Or run the following command: (and the other version to disable mod_perl)

  /usr/sbin/modperl-enable on
  /usr/sbin/modperl-enable off
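The three manual steps above, as an added Python example (not David Harris's modperl-enable script, whose contents are not on the page): the edits are applied to the text of the two files so the switch works in both directions, and a consistency check catches the mixed state the README implies is broken (httpd_modperl started with the stock mod_include.so, or the stock httpd with mod_perl.c added). The two file fragments are constructed for the example; only the paths come from README.RPM.

```python
import re

# Paths named in README.RPM
INIT_SCRIPT = "/etc/rc.d/init.d/httpd"
HTTPD_CONF = "/etc/httpd/conf/httpd.conf"

# Constructed fragments standing in for the two files (not the real Red Hat files).
SAMPLE_INIT = """\
case "$1" in
  start)
        echo -n "Starting httpd: "
        daemon httpd
        ;;
"""
SAMPLE_CONF = """\
LoadModule env_module         modules/mod_env.so
LoadModule includes_module    modules/mod_include.so
ClearModuleList
AddModule mod_env.c
AddModule mod_include.c
#AddModule mod_perl.c
"""

# %s is the binary name / DSO file name; group 1 keeps everything before it.
DAEMON_LINE = r"^([ \t]*daemon[ \t]+(?:\S*/)?)%s$"
INCLUDE_LINE = r"^([ \t]*LoadModule[ \t]+includes_module[ \t]+\S*?)%s$"


def set_modperl(init_text, conf_text, enable):
    """Apply the README's three edits (enable=True) or their reverse to the
    contents of the init script and httpd.conf. Returns the new texts; the
    patterns only match the 'other' state, so the call is idempotent."""
    if enable:
        # (1) start httpd_modperl instead of httpd
        init_text = re.sub(DAEMON_LINE % "httpd", r"\1httpd_modperl", init_text, flags=re.M)
        # (2) load the mod_include built for the static binary
        conf_text = re.sub(INCLUDE_LINE % r"mod_include\.so", r"\1mod_include_modperl.so",
                           conf_text, flags=re.M)
        # (3) uncomment AddModule mod_perl.c
        conf_text = re.sub(r"^#[ \t]*(AddModule[ \t]+mod_perl\.c)$", r"\1", conf_text, flags=re.M)
    else:
        init_text = re.sub(DAEMON_LINE % "httpd_modperl", r"\1httpd", init_text, flags=re.M)
        conf_text = re.sub(INCLUDE_LINE % r"mod_include_modperl\.so", r"\1mod_include.so",
                           conf_text, flags=re.M)
        conf_text = re.sub(r"^(AddModule[ \t]+mod_perl\.c)$", r"#\1", conf_text, flags=re.M)
    return init_text, conf_text


def check_consistent(init_text, conf_text):
    """Report mismatches between the three settings: the static binary needs
    mod_include_modperl.so and the AddModule line, the stock httpd needs neither."""
    modperl_binary = re.search(DAEMON_LINE % "httpd_modperl", init_text, re.M) is not None
    modperl_include = re.search(INCLUDE_LINE % r"mod_include_modperl\.so", conf_text, re.M) is not None
    modperl_added = re.search(r"^[ \t]*AddModule[ \t]+mod_perl\.c$", conf_text, re.M) is not None
    problems = []
    if modperl_binary != modperl_include:
        problems.append("binary and mod_include variant disagree")
    if modperl_added and not modperl_binary:
        problems.append("AddModule mod_perl.c is active but the stock httpd would run")
    if modperl_binary and not modperl_added:
        problems.append("httpd_modperl would run but AddModule mod_perl.c is commented out")
    return problems


if __name__ == "__main__":
    on_init, on_conf = set_modperl(SAMPLE_INIT, SAMPLE_CONF, True)
    print(on_init, on_conf, sep="\n")
    print("enabled:", check_consistent(on_init, on_conf))
    # only httpd.conf edited, init script left alone: the mixed state
    print("mixed:", check_consistent(SAMPLE_INIT, on_conf))
    off_init, off_conf = set_modperl(on_init, on_conf, False)
    print("round trip restores originals:", (off_init, off_conf) == (SAMPLE_INIT, SAMPLE_CONF))
```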




secure way to connect to database

1999-10-13 Thread Oleg Bartunov

Hi,

I'm developing a Web application with a database (postgres) backend
and would like to know what is the right and secure way to establish a
connection to the database. I worry about the password which has to be
specified in DBI->connect. There are many scripts, .htaccess and
I don't want to spread the password, even if I could maintain 
file access permissions. Previously, I just used the environment
variable DBI_DSN (in httpd.conf) to describe the database and used the
DBI->connect() method to access the database. It was very convenient
because you have only one place in httpd.conf where you configure
connection stuff. You can even omit any connection stuff in .htaccess.
I use Mason and in all components I use the database handler already
defined in Mason's handler. This is ok if the database you work with 
doesn't require a password for connection. Now I need to figure
out how to keep my work simple (as above) and specify the password
in one place, which I for sure could keep secure.
There is a possibility to use the environment variable DBI_PASS in httpd.conf
but obviously it's very dangerous and this doesn't work for some
reason - DBI->connect failed, while DBI_PASS is there and a
shell script works fine (Edmund, have you tried the DBI_PASS env. variable?)
Anyway, it's not a secure way and I'm asking your recommendation.


Regards,

Oleg


_
Oleg Bartunov, sci.researcher, hostmaster of AstroNet,
Sternberg Astronomical Institute, Moscow University (Russia)
Internet: [EMAIL PROTECTED], http://www.sai.msu.su/~megera/
phone: +007(095)939-16-83, +007(095)939-23-83



Authentication/Authorization - Synchronization problem via HTTPD::UserAdmin Text

1999-10-13 Thread Clifford Lang

Apache 1.3.9
mod_perl 1.21
Solaris 2.51

How can I keep all children in sync and up to date with my .htpasswd file?
I have a very volatile site with users being added and deleted constantly.
I use an Embperl admin page to update/remove users. And as I refresh the
page I get different counts from the userlist.

Is user information kept in the server's cache / shared memory?  If so, how
can I read / update that?  I would like all children to be updated, or at
least forced to import the data if the time stamp has changed.

If the file-based approach is just not suitable, how is DBM-based?  Will I have the
same problem of synchronization?  Is there an easy way to convert or import
my current lists?

TIA, Cliff



Re: [SITE] the great redesign of 1999

1999-10-13 Thread Neil Kandalgaonkar

At 19:09 -0500 1999-10-12, Matt Arnold wrote:
> While
>art/layout issues are certainly subjective, I actually saw it as the area of
>least controversy, and that's why I tried to slip it through.  :-)

Ha! Not likely. We've all sat through meetings where people agonized over
colors and passed over backend issues in silence.


>Jesse Kanner <[EMAIL PROTECTED]> sez:
>> Will you have any comps of the second level pages? Which information would
>> go where?

Second and even third level architecture is very important. It's
seductively easy to focus on the front page.


> And I don't want to bemoan the
>lack of any content which I'm not willing to create.  :-)

Why not? I think for a site like this, it would be fine to make a good
master plan and put an incomplete site. Volunteers should hopefully arise
to patch up the holes, or the site maintainers can actively needle the
community about stuff that needs to be written.



>Robin Berjon <[EMAIL PROTECTED]> sez:
>> As a side note, reading about that desert idea this morning triggered a
>> neuron somehow, so I quickly modified an old template of mine that hadn't
>> been used and uploaded it at http://www.knowscape.org/modperl/ ...

I liked this a lot! The eagle theme is great, although the association
between that particular engraving and mod_perl may be a trademark of
O'Reilly (caveat: IANAL).


>  I see people
>turning away from salvation only because we failed to offer an adequate
>invitation.  We must act now, lest we lose yet another soul to an expensive,
>proprietary, inferior product.

I don't care about other "souls" per se. I'd like a site that was useful to
*me*. Selfish? Yes! Paradoxically, I think you'll find a site which
energizes and serves the existing community will ultimately attract more
people than one which flails about trying to impress newcomers with
Microsoft-like spec sheets.

mod_perl would come into more disrepute if we made a site that was weak on
content. This doesn't mean we have to come up with a surpassingly wonderful
site all at once, we should just design a process that attracts the best
content, is easy to administer, links to the best content, allows for easy
updates, etc. etc.

--
Neil Kandalgaonkar [EMAIL PROTECTED]
Systems Architect, Stylus Inc.   http://www.stylus.ca/





RE: startup.pl output in headers ???

1999-10-13 Thread Kees Vonk 7249 24549

I have managed to get it back to work. Restarting the server 
and touching the index.html file made no difference, but when 
I cleared the browser's cache it all started working again. I 
still don't know what went wrong, but the browser obviously 
cached the gone-wrong document. I have reapplied the changes 
and everything still works.


Kees



Re: PC Week: Attacked and hacked!

1999-10-13 Thread Matt Sergeant

On Wed, 13 Oct 1999, Ruben I Safir wrote:
> Matt -
> 
> I share your sentiments but I would like to point out a few things about
> the use of CGI.pm and Embperl and/or Modperl which would be
> different than if I were writing the uudecoding by myself.
> 
> Normally, I would parse out metachars in the process of decoding input
> from the browser.  When I use embperl, (and CGI.pm by default),
> everything is in a nice HASH for me.  What's to stop someone from
> entering metachars of {}, or other perl code into a field and have it
> processed by embperl?

What's unsafe about this per-se? Only if you use that data in an unsafe way
without first doing a check on that data is it truly unsafe. There's
nothing different about this to a C CGI app that doesn't check a parameter
that writes to a file doesn't contain #!/bin/sh or a filename doesn't
contain "..".

> My own decoding routines only let in what I deem safe.  CGI.pm is doing
> this for me.

There's no difference that I can see in doing your own decoding and
checking and letting CGI.pm do the decoding and then you do your own
checking. Either way you have to do your own checking.

--


Details: FastNet Software Ltd - XML, Perl, Databases.
Tagline: High Performance Web Solutions
Web Sites: http://come.to/fastnet http://sergeant.org
Available for Consultancy, Contracts and Training.



Re: PC Week: Attacked and hacked!

1999-10-13 Thread Ruben I Safir

Matt -

I share your sentiments but I would like to point out a few things about
the use of CGI.pm and Embperl and/or Modperl which would be
different than if I were writing the uudecoding by myself.

Normally, I would parse out metachars in the process of decoding input
from the browser.  When I use embperl, (and CGI.pm by default),
everything is in a nice HASH for me.  What's to stop someone from
entering metachars of {}, or other perl code into a field and have it
processed by embperl?

My own decoding routines only let in what I deem safe.  CGI.pm is doing
this for me.
Is the data input being scrubbed or checked?

Ruben



Matt Sergeant wrote:
> 
> On Tue, 12 Oct 1999, Ruben I Safir wrote:
> > Dear Boss
> >
> > Thanks for pointing this article from PC Week out.
> >
> > I've already read and reviewed this, and discussed it with the hacker
> > after it was announced 3 weeks ago on http://slashdot.org.
> > The hacker attacked a shrink wrapped CGI application with a documented
> > hackers weakness that has been passed around the net.
> >
> >
> >
> > See: http://slashdot.org/articles/99/09/24/1224221.shtml
> >
> >
> >
> >
> > Note this discussion below which has been reviewed.  Please review it as
> > well so that everyone is fully versed in the details of network security.
> >
> > I'm wondering if anyone else has comments on this.  How secure is CGI.pm
> > and EMBPERL?
> 
> All CGI scripts, no matter what language they are written in, can be
> insecure. There's no need to discuss this here - simply read the cert's CGI
> script security document. If you haven't read it and followed its
> precautions (which the developers of the photoads script obviously didn't)
> then you shouldn't be developing secure web sites. There's really nothing
> further to discuss.
> 
> --
> 
> 
> Details: FastNet Software Ltd - XML, Perl, Databases.
> Tagline: High Performance Web Solutions
> Web Sites: http://come.to/fastnet http://sergeant.org
> Available for Consultancy, Contracts and Training.
> 



code cache

1999-10-13 Thread Neeme Vool


Hi

Lets consider two separate files, with different names:
first.html


[-$qstr="/trtickets/solvermodules/contract_ver2_refuse.html?$fdat{blaah}";-]
Blaah
[-$qstr="/trtickets/solvermodules/contract_ver2_pysi.html?$fdat{blaah}";-]
Blaah


second.html


[-$qstr="/trtickets/solvermodules/contract_ver2_refuse.html?$fdat{blaah}";-]
Blaah
[-$qstr="/trtickets/solvermodules/contract_ver2_uucp.html?$fdat{blaah}";-]
Blaah


when I load the file first.html a few times, I see every time the source:


Blaah
Blaah


and then, when I load the file second.html, I expect to see the source:


Blaah
Blaah


but I get:


Blaah
Blaah



Neeme Vool




startup.pl output in headers ???

1999-10-13 Thread Kees Vonk 7249 24549

Apache 1.3.6 / mod_perl 1.21 / perl 5.005_03

I have run into a little problem. Everything on my site was 
working fine. I decided to make a few changes to my 
httpd.conf to see if I could speed things up even further. 
However then I started to get the following output on my 
browser:

Perl default module loading beginning... Perl default module 
loading complete. HTTP/1.1 304 Not Modified Date: Wed, 13 Oct 
1999 12:50:33 GMT Server: Apache/1.3.6
(Unix) mod_perl/1.21 mod_ssl/2.3.5 OpenSSL/0.9.3a Connection: 
Keep-Alive Keep-Alive: timeout=15, max=100 ETag: 
"f61-12cf-37e79f6f" 

As far as I can see that is a 304 header prefixed with two 
lines from my startup.pl file (there is a print statement at 
the beginning and end of the file). So I changed things back 
to what they were before and the problem persisted. I then 
commented out the PerlRequire statement (so there was no 
reference to startup.pl left), but that did not make any 
difference either. 

When I checked other urls everything seems to work but the 
homepage (url = https://server:port/).

There is nothing in the logs and I have no idea where to 
start looking. Anyone got any good ideas?


Kees



RE: Logging Session IDs from environment variables

1999-10-13 Thread Young, Geoffrey S.

well...

variables set by the notes and subprocess_env methods should be available
for the entire length of the request, no matter what phase they are set.  

I just set up a test handler that used both notes and subprocess_env to set
up variables in a PerlInitHandler and was able to capture them by adding
them to the LogFormat directive.  Make sure the directive quotes the quotes
(that is, \"{NOTES_VAR}n\" for example).  That you are using
PerlAuthenHandler should not make a difference.

I'm not sure if mod_perl implements a way to get pnotes stuff into your
logs, which is a pretty cool function.  Anyone?

hope this helps - if not, try posting the relevant bits...

--Geoff



> -Original Message-
> From: [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]]
> Sent: Monday, October 11, 1999 10:34 AM
> To:   [EMAIL PROTECTED]
> Subject:  Logging Session IDs from environment variables
> 
> Hi all
> 
> I have asked this before, but I still haven't managed to shed any light on
> it, so I was hoping that somebody might be able to shed some more light.
> 
> (While you're about it, have a look at the site we have just launched :
> http://www.orgasmicwines.com - mod_perl & mysql based site.)
> 
> If I store my sessionID in an environment variable (or in $r->notes), I
> can
> see it in other Apache:: modules, but when I try to log it using the the
> CustomLog directive in httpd.conf, the environment variable (or $r->notes)
> is blank.
> 
> Does this have anything to do with the fact that I'm setting the ENV
> variable in a PerlAuthenHandler, before %ENV is set up?  And that
> shouldn't
> affect $r->notes, should it?
> 
> Any help greatly appreciated
> 
> Many thanks
> 
> Clint
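Geoff's test, reconstructed as an added example that is not his actual handler or anything from the list: a PerlInitHandler sets the same value with both notes and subprocess_env, and a LogFormat reads both back. The module name Apache::SessionNote, the SESSION_ID cookie name and the log format are assumptions.

```perl
# Hypothetical module Apache/SessionNote.pm, written against the mod_perl 1.x API
# the thread uses; it is an added illustration, not code from the list.
package Apache::SessionNote;
use strict;
use Apache::Constants qw(OK);

# Runs as a PerlInitHandler, so the values are attached to the request before
# the authentication phase and are still there when the logging phase runs.
sub handler {
    my $r = shift;

    # Constructed lookup: a real site would take the ID from a validated
    # session cookie; here any SESSION_ID=... cookie value is used as-is.
    my $cookie = $r->header_in('Cookie') || '';
    my ($session_id) = $cookie =~ /\bSESSION_ID=(\w+)/;
    $session_id = '-' unless defined $session_id;

    # Request-record note: logged with %{SESSION_ID}n
    $r->notes(SESSION_ID => $session_id);

    # CGI-style environment variable: logged with %{SESSION_ID}e
    $r->subprocess_env(SESSION_ID => $session_id);

    return OK;
}

1;

__END__

Matching httpd.conf fragment (assumed to sit at server scope):

    PerlModule      Apache::SessionNote
    PerlInitHandler Apache::SessionNote

    # The format string is itself in quotes, so the quotes around a logged
    # value are escaped as \" exactly as Geoff describes.
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{SESSION_ID}n\" \"%{SESSION_ID}e\"" session
    CustomLog logs/session_log session
```

Once logged, the session ID is as sensitive as the cookie itself, so the access log needs the same protection as the session store (or log a hash of the ID instead).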



ApacheCon 2000: Call for Presenters

1999-10-13 Thread Rodent of Unusual Size

Please forgive the one-time broad-spectrum spam..  I want
to ensure that as many potentially interested parties have
an opportunity to participate as possible, particularly
since time is quite short until the submission deadline.
Thanks for letting me invade your mailbox temporarily..

URGENT: SUBMISSION DEADLINE: Friday, 22 October 1999, 17:00 PDT

ApacheCon 2000
Conference: March 8-10, 2000
Exhibition: March 9-10, 2000
Caribe Royale
Orlando, Florida

Presented by the Apache Software Foundation

DEADLINE: Friday, 22 October 1999, 17:00 PDT
Acceptance Notification by: November 5, 1999

Come share your knowledge of Apache at this educational and fun-filled
gathering of Apache users, vendors and friends. Apache founders and
leading contributors are designing the technical program that will
include four tracks and over 40 sessions. Topics to be covered include:

· Securing Apache on Windows
· Securing Apache on Unix
· Security and eCommerce
· Java
· Performance
· Perl
· PHP
· XML

ApacheCon 2000 will attract over 1,000 Apache users and supporters
including:

· Open source software developers
· Apache software developers
· Web site administrators
· Technical managers responsible for running Web sites

Session Requirements:
If you would like to be a speaker at the ApacheCon 2000 event, please
go to the ApacheCon Web site and complete the form there, at URL
.

Or you can reply to this message, or to [EMAIL PROTECTED], with the
following fields filled in.

NOTE: If you are offering more than one session, PLEASE send a separate
message for each!

1. Your name:
2. Your email address:
3. Session title:
4. Is this a technical session, or is it intended for managers
   and/or businessmen?
5. Audience experience level (novice, experienced, or expert):
6. Session length:
a) 3 hours (tutorial only):
b) 2 hours:
c) 1.5 hours:
7. Style (presentation, tutorial, or panel discussion)
8. Session abstract (10 lines maximum):

Only educational sessions will be considered; no product-specific
sales or marketing sessions, please. Course material will be made
available to the public after the Conference.

Ken Coar
ApacheCon 2000 Chair
-- 
#kenP-)}

Ken Coar
Apache Software Foundation  
"Apache Server for Dummies" 



e-commerce

1999-10-13 Thread ricarDo oliveiRa

I wonder if anyone could list me some e-commerce web sites using mod_perl -
like amazon, cdnow, etc.

Thanks!
./Ricardo

###
Guitar fan Chris Black of London actually had a wedding 
ceremony to officially marry his Fender Stratocaster last year.
###



Re: authentication via login form

1999-10-13 Thread Gunther Birznieks

On Mon, 11 Oct 1999, Ofer Inbar wrote:

> Eugene Sotirescu <[EMAIL PROTECTED]> wrote:
[...snipped...]
> 
> When a browser session comes in without appropriate authentication
> cookies, they get a login screen.  When they post username and
> password, check that against the locally stored user table, and if
> they match, issue a set of authentication cookies.  These hold three
> pieces of information:
>  - the username
>  - the date-time (seconds since epoch) these cookies were issued
>  - an MD5 hash
> 
> The hash is of: username, per-user secret, application secret,
>  application's version number, IP address of browser session, and
>  time cookies were issued.
> 
[...lots more snipped...]

I am curious because I've seen this sort of statement a couple of times.

Wouldn't passing the username and time of the cookie issuance weaken the
MD5 hash since you would be giving a perpetrator more information to
create the MD5 hash themselves? It seems to me that at the very least,
don't pass the time to the user because that doesn't add value to the
client side.

Later,
  Gunther
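The cookie scheme Ofer describes above, as an added example that is not from the thread: issuing the three cookie values after a successful login and verifying them on a later request. Digest::MD5, the NUL field separator, the secrets, the version string and the IP address are constructed assumptions, and the user table is a single hard-coded entry.

```perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Constructed server-side configuration (hypothetical values, not from the thread).
my $APP_SECRET  = 'example-application-secret';
my $APP_VERSION = '1.0';
my %USER_SECRET = ( alice => 'per-user-secret-for-alice' );   # normally read from the user table

# The hash covers every field Ofer lists: username, per-user secret, application
# secret, application version, client IP address and issue time.
sub auth_hash {
    my ($user, $ip, $issued) = @_;
    return md5_hex(join "\0", $user, $USER_SECRET{$user} // '',
                              $APP_SECRET, $APP_VERSION, $ip, $issued);
}

# After the password check succeeds: the three values that go into the cookies.
sub issue_cookies {
    my ($user, $ip, $now) = @_;
    return ( user => $user, issued => $now, hash => auth_hash($user, $ip, $now) );
}

# Verification recomputes the hash from the cookie's username and timestamp plus
# the server-side secrets and the IP of the current request, and rejects stale cookies.
sub verify_cookies {
    my ($cookies, $ip, $now, $max_age) = @_;
    my $user   = $cookies->{user}   // '';
    my $issued = $cookies->{issued} // '';
    my $given  = $cookies->{hash}   // '';
    return 0 unless exists $USER_SECRET{$user};
    return 0 unless $issued =~ /^\d+$/ && $now - $issued <= $max_age;
    my $expected = auth_hash($user, $ip, $issued);
    return 0 unless length $expected == length $given;
    my $diff = 0;   # compare every byte so the time taken does not reveal where they differ
    $diff |= ord(substr($expected, $_, 1)) ^ ord(substr($given, $_, 1)) for 0 .. length($expected) - 1;
    return $diff == 0 ? 1 : 0;
}

# Constructed walkthrough: a cookie issued at one time, checked ten minutes later.
my %c = issue_cookies('alice', '192.0.2.10', 939818000);
print verify_cookies(\%c, '192.0.2.10', 939818600, 3600) ? "valid\n" : "rejected\n";
$c{issued} += 10;   # any change to a visible field no longer matches the stored hash
print verify_cookies(\%c, '192.0.2.10', 939818600, 3600) ? "valid\n" : "rejected\n";
```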