dil_bert

Members: Posts 939, Days Won 3

Posts posted by dil_bert

  1. hello dear community, 

    topic today: arbitrary file upload :: is this a vulnerability in WordPress

    just recognized some folders in a fresh WordPress installation 

    see the following: 

    wp-content/uploads/
    /2016/
    /2017/
    /2018/
    /2019/

    NOTE: THE SITE WAS INSTALLED freshly IN summer 2019 
    i have had no installation before.. 
    so what happened here ...!?

    btw found some interesting reading on the net

    well that looks interesting: Arbitrary file upload vulnerability in WordPress User Submitted Posts .... curl http://example.com/wp-content/uploads/2019/04/script.php.gif ...
    https://www.pluginvulnerabilities.com/2018/01/29/arbitrary-file-upload-vulnerability-in-wordpress-forms/

    Quote

    The function that handles that, process_submition(), will save submitted files to the directory for the current year/month in the directory /wp-content/uploads/ with the following code:

    $upload_dir = wp_upload_dir();
    move_uploaded_file( $_FILES[$key]['tmp_name'], $upload_dir['path'] . '/' . $_FILES[$key]['name'] );

    The code does try to restrict .php files from being uploaded with the following code:

    if ( $_FILES[$key]['type'] == 'application/octet-stream' or $_FILES[$key]['type'] == 'application/x-httpd-php' )
        wp_die( "Error: For security reasons you can't upload application files!" );

    That code isn’t effective because the “type” value it checks is user specified, so a .php file could be uploaded with the type specified as something else and it will pass that check.

    While this type of vulnerability is fairly likely to be exploited if hackers are aware of it, in the case of the website we were cleaning, the plugin was deactivated, so the vulnerability could not have been exploited.

     

    question - is this anything serious that i have found!? 
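    As an added example (my own code, not the plugin's and not from the pluginvulnerabilities.com post), here is the weak check from the quote beside a hardened version that decides from the file name and the file's actual bytes. The sample files are constructed inside the script, the extension allowlist is an assumption for the demo, and it needs PHP 7 or later with the fileinfo extension:

```php
<?php
// Added example, not code from the plugin or from pluginvulnerabilities.com.
// Shows why checking $_FILES[...]['type'] fails and how to validate an upload
// from the file name and the file's real bytes instead. Requires PHP 7+ with
// the fileinfo extension. The allowlist below is an assumption for the demo.

function allowed_types(): array {
    return [
        'gif'  => 'image/gif',
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'png'  => 'image/png',
        'pdf'  => 'application/pdf',
    ];
}

// The check quoted above: it only compares a header the client sends.
function weak_is_blocked(array $file): bool {
    return $file['type'] === 'application/octet-stream'
        || $file['type'] === 'application/x-httpd-php';
}

// Hardened check. Returns null when the file is acceptable, otherwise the reason.
function validate_upload(string $originalName, string $tmpPath): ?string {
    $parts = explode('.', strtolower(basename($originalName)));
    if (count($parts) < 2 || $parts[0] === '') {
        return 'missing extension';
    }
    // Reject names with more than one extension (script.php.gif): with
    // AddHandler-style configs Apache may run such a file as PHP.
    if (count($parts) > 2) {
        return 'multiple extensions';
    }
    $ext = $parts[1];
    $allowed = allowed_types();
    if (!isset($allowed[$ext])) {
        return "extension .$ext not allowed";
    }
    // Sniff the real content with libmagic; never trust $_FILES[...]['type'].
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($detected !== $allowed[$ext]) {
        return "content is $detected, expected {$allowed[$ext]}";
    }
    return null;
}

// Store under a random server-chosen name; the client never picks the path.
function safe_target_name(string $originalName): string {
    return bin2hex(random_bytes(16)) . '.' . strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
}

// Constructed sample files standing in for $_FILES[...]['tmp_name'].
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, "GIF89a" . str_repeat("\0", 32));
$php = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($php, "<?php echo 'hi';\n");

$cases = [
    ['name' => 'photo.gif',      'tmp_name' => $gif, 'type' => 'image/gif'],
    ['name' => 'shell.php',      'tmp_name' => $php, 'type' => 'image/gif'], // client lies about the type
    ['name' => 'script.php.gif', 'tmp_name' => $gif, 'type' => 'image/gif'],
];
foreach ($cases as $file) {
    $weak = weak_is_blocked($file) ? 'blocked' : 'ACCEPTED';
    $hard = validate_upload($file['name'], $file['tmp_name']) ?? 'accepted as ' . safe_target_name($file['name']);
    printf("%-15s weak check: %-8s  hardened: %s\n", $file['name'], $weak, $hard);
}
unlink($gif);
unlink($php);
```

    The weak check accepts both shell.php and script.php.gif as long as the client claims image/gif; the hardened check rejects them on the file name alone and also rejects a .gif whose bytes are not a GIF. Inside WordPress the same idea is available through wp_handle_upload(), which applies WordPress's own extension and MIME checks, so a plugin should use that rather than calling move_uploaded_file() directly.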

  2. hello dear experts,


    Parallax effect involves a web page’s background moving at a slower rate than the foreground. This creates an illusion of depth to the page, giving the content a 3D effect as viewers scroll down. The majority of premium WordPress themes now come with built-in parallax effect on their homepage. Even the free WordPress default theme Twenty Seventeen comes with a parallax feature. 

    What Are the Benefits of Using a Parallax Effect? There are a number of benefits to using a parallax effect on your WordPress website. The first, and most obvious, is the visual aspect of 
    a parallax effect. A parallax effect is aesthetically pleasing, giving your website a fresh, stylish and modern look and feel.  This wow effect can make your content really pop, and creates an exciting and interesting browser experience.

    The issue: I’m using the Twenty Seventeen theme in WordPress (the newest version) with a static front page with 4 additional sections. On the very top part - at the top of the page, as you scroll down, the logo of the page, and the site name, and tagline scroll up over the opening image appears. 

    What is visible: There’s a clear background to the logo, title, tagline group, so the background image shows through very well. The behavior of the site: As you scroll down further, the 2nd image of the page comes into view, and it’s completely displayed when the 1st image of the page has scrolled off the screen and the menu is now at the top. Continue scrolling and the text of the next section scrolls up, covering over the 2nd image. 

    but wait: However, this text has a white ( at least in my personal case) background and the image does NOT show through.

    Why is this so: This is the same behavior for the remaining image/text pairs. 

    What is aimed: What I want to know how to do is make the background on those text sections clear, like in the topmost section of the whole page. I’ve seen how their color can be changed, but not how it can be made to be transparent.


    well i have read lots of postings here - but i found no answer until now... 


    Any help would be greatly appreciated.

  3. hi there  currently planning the creation of a subdomain on apache

    can i do the following in an internal net  vHosts with vhost

    with the apache module  "mod_proxy"

    Code:

    # load the proxy modules before any VirtualHost uses ProxyPass,
    # otherwise Apache stops with "Invalid command 'ProxyPass'"
    LoadModule proxy_module                  /usr/lib/apache2-prefork/mod_proxy.so
    LoadModule proxy_http_module             /usr/lib/apache2-prefork/mod_proxy_http.so

    # only needed on Apache 2.2; 2.4 ignores it with a warning
    NameVirtualHost *:80

    <VirtualHost *:80>
        ServerName server01.network
        DocumentRoot /home/webmaster/htdocs
    </VirtualHost>

    <VirtualHost *:80>
        ServerName subdom.server01.network
        # forward everything to the service listening locally on port 10000
        ProxyPass / http://127.0.0.1:10000/
        ProxyPassReverse / http://127.0.0.1:10000/
    </VirtualHost>

     

    whilst the subdomain is running on  Port 10000 ,,,,

    any ideas  !?

  4. hello dear community, good day,

     

    I've been having an issue trying to parse text in a span class with DOM. Here is my code example. I try to extract some lines out of a webpage - with the following technique: with the extraction of values of attributes of elements with DOMDocument. Here is what i have gathered and learned:

     

    $remote = "http://website.com/";
    $doc = new DOMDocument();
    @$doc->loadHTMLFile($remote);
    $xpath = new DOMXpath($doc);
    $node = $xpath->query('//span[@class="user"]');
    echo $node;

     

    and this returns the following

     

    error -> "Catchable fatal error: Object of class DOMNodeList could not be converted to string". 

     

    And now - with this i need help.

     

    What I am trying to do is parse the user name between this tag;

     

    <div class="widget plugin-meta"> <h3 class="screen-reader-text">Meta</h3>

     

    see more below:Here the concrete example view-source: https://wordpress.org/plugins/participants-database/ and https://wordpress.org/plugins/participants-database/

     

    goal  i need the following data:

     

    Version: Last updated: Active installations: Tested up:

     

    view-source: https://wordpress.org/plugins/participants-database/

     

    Proceedings; i checked the source of the webpage. i tried to find out whether the text is related to some kind of pattern. i have looked closely and found that all of them have

    class=”widget plugin-meta”

    . Well - This will make extracting them a piece of cake. I tried the code below, which helps to filter html elements based on values of attributes.

    but unfortunately this ends up in a bad result; i need a helping hand and need to know how to parse the above mentioned data


    Again; the goal: i need the following data:

    Quote


    Version:

    Last updated:

    Active installations:

    Tested up:

     

     

    Any idea for the starting-point!?  I love to hear from you.
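    As an added example (my own code, not the poster's), here is how the DOMNodeList returned by DOMXPath::query() is iterated rather than echoed, and how the four values are pulled out of the "widget plugin-meta" block. The HTML is a constructed sample, and the layout of one <li> per "Label: value" pair is an assumption about the plugin page:

```php
<?php
// Added example, not the poster's code. Extracts "Version", "Last updated",
// "Active installations" and "Tested up to" from a "widget plugin-meta" block
// with DOMDocument + DOMXPath. The HTML below is a constructed sample; the
// one-<li>-per-"Label: value" layout is an assumption.

$html = <<<'HTML'
<html><body>
<span class="user">someone</span>
<div class="widget plugin-meta">
  <h3 class="screen-reader-text">Meta</h3>
  <ul>
    <li>Version: <strong>1.9.5</strong></li>
    <li>Last updated: <strong><span>2 weeks ago</span></strong></li>
    <li>Active installations: <strong>10,000+</strong></li>
    <li>WordPress Version: <strong>4.0 or higher</strong></li>
    <li>Tested up to: <strong>5.2.3</strong></li>
  </ul>
</div>
</body></html>
HTML;

function load_document($html) {
    $doc = new DOMDocument();
    // Real pages are rarely valid HTML: collect the parser warnings instead of
    // silencing them with @ so they can be inspected if parsing goes wrong.
    libxml_use_internal_errors(true);
    $doc->loadHTML($html);
    libxml_clear_errors();
    return $doc;
}

// The original question: read the text of <span class="user">.
function user_name(DOMDocument $doc) {
    $xpath = new DOMXPath($doc);
    $spans = $xpath->query('//span[@class="user"]');  // a DOMNodeList, not a string
    return $spans->length > 0 ? trim($spans->item(0)->textContent) : null;
}

// The four wanted fields from the plugin-meta widget, keyed by label.
function plugin_meta(DOMDocument $doc) {
    $xpath  = new DOMXPath($doc);
    $items  = $xpath->query('//div[contains(@class, "plugin-meta")]//li');
    $wanted = ['Version', 'Last updated', 'Active installations', 'Tested up to'];
    $out    = [];
    foreach ($items as $li) {
        // Collapse whitespace, then split "Label: value" on the first colon.
        $text = trim(preg_replace('/\s+/', ' ', $li->textContent));
        list($label, $value) = array_map('trim', explode(':', $text, 2) + [1 => '']);
        if (in_array($label, $wanted, true)) {
            $out[$label] = $value;
        }
    }
    return $out;
}

$doc = load_document($html);
echo "user: " . user_name($doc) . "\n";
foreach (plugin_meta($doc) as $label => $value) {
    echo "$label: $value\n";
}
```

    To run it against the live page, replace the constructed $html with the result of file_get_contents() on the plugin URL (or call loadHTMLFile() as in the original snippet); the XPath expressions stay the same as long as the "Label: value" structure holds.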

     

  5. dear community

     

    What if I want to forward example.net to example.net

    What does the visitor see?

    As a site?

    What does the address bar display?

    Is it possible to do a forwarding that shows the domain name example.com in the address bar, and that it shows the content of example.net?

     

    Which solutions do fit here:

    can i use  Apache-directives!?

     

    Look forward to hear from you

  6. hi there - 

     

    many thanks dear requinix - great to hear from you. 

    the above mentioned example is only a little (and trivial) one - see below the more realistic one. 

     

    
    +-------------------------+                        +------------------------------------------+    |  vvloremipsumcallemadridlor           |
    | loremipsumcallemadridlor|                        |      loremipsumcallema                   |    +---------------------------------------+
    +----------+--------------+                        +------------------------------------------+
               |
             +-+--------------------+                        +--------------------------------------+
             | loremipsumcallemad   |                        |    Bloremipsumcallema                |
             |                      |                        |                                      |
             +----------------------+                        +--------------------------------------+
               +-------------------------------+                +------------------------------------------+
               |   loremipsumcallemadridl      |                |     loremipsumcallemadridlor             |
               |                               |                |                                          |
               +-------------------------------+                +------------------------------------------+
                   +-----------------------------------+
                   |  loremipsumcallemadridlor	   |
                   |                                   |
                   +-----------------------------------+
    
        +----------------------------------+
        |loremipsumcallemadridlo           |
        |                                  |
        +----------------------------------+
        +------------------------------------+
        | loremipsumcallemadrid              |
        |                                    |
        +------------------------------------+

     

    so - again how to achieve an extension of such an ascii-art example!? 

     

    love to hear from you 

     

     

  7. 1 hour ago, requinix said:

    Yes and potentially yes.

    hello dear Requinix 

     

    many thanks for the quick reply glad to hear from you .

     

    well - i encountered this on a site which is a beta-beta-beta site: but i am willing to fulfill all the GDPR-things. So i have to take care of the correct way and that transport encryption (https) is  working properly.

    And i am pretty sure requinix that you are right - in every respect!  

    I can say that I can't imagine there are many users that would willingly enter any account credentials on an unencrypted page at this point in time.
    btw: as for some fixes in that sort of thing: can we fix the https (there are free certificates one can use like zerossl.com/free-ssl/ for example) and furthermore - what about looking into a simple free gdpr/cookie consent script like eg here www.freeprivacypolicy.com/cookie-consent/ above all: i will make sure that the GDPR authorities will be able to go even on my small website for any reason - if they are interested in GDPR-things. like

    - logging user data (like requiring visitors to login,

    - or any kind of cookie tracking).

    Above all: many thanks dear requinix for the reply.  I will take care - and above all - i will set up the whole server new.. so that all of these things will be correct. 

     

    regards ;)

     

  8. dear community, 

    i have created the ascii-data with the tool here http://asciiflow.com/ - well so far so good. 

    what if i  want to add a block in the row ( just on the fly ) in notepad, Is this possible!?  Can this be done with Notepad!? 

     

    +-------------+ +-------------+ +--------------- +-----------------+  +----------------+ +----------------+
    |             | |             | |               | |                 |  |                | |                |
    |             | |             | |               | |                 |  |                | |                |
    |             | |             | |               | |                 |  |                | |                |
    +-------------+ +-------------+ +---------------+ +-----------------+  +----------------+ +----------------+

    look forward to hear from you 

     

    regards 

  9. hello dear experts good day dear PHP-Freaks

     


    the question today is: VScode vs VScodium on Debian - which one to use!? i want to work with VSCode on Debian  - now i have heard that there is also an alternative kit:
    vscodium - i want to configure this to  work with Python and MicroPython - and of course also with PHP. 

     

     

    what do you say - can we install this on Debian too - without any hassle?

    We have covered Visual Studio Code before so you must know how much of an awesome code editor it is. 


    While VS Code is open source freeware, its source code is only available on Microsoft’s official GitHub repo and its downloads are licensed under a closed source license which contains telemetry so you’ll be happy with the app we have for you today. VSCodium is a tracking-free, free and open source build of Microsoft’s Visual Studio Code created so that developers will not have to build VS Code from source which contains telemetry/trackers. This fit is accomplished by using special scripts to clone the vscode repo, build it from source, and then upload the resulting binaries to VSCodium’s GitHub releases free of telemetry passes. With that being said, VSCodium is a replica of Visual Studio Code and thus, works in the same way with all the features  and support present in its parent project. Except for the app icon – that’s different.

    Features in VSCodium
    Free to use
    Cross-Platform: Available on Windows, GNU/Linux, and Mac.
    Open source with source code available on GitHub.
    Native support for several languages.
    Additional functionality using extensions.
    IntelliSense and smart code completion.
    An advanced and robust built-in debugger.
    Native support for Git.

    cf: https://www.fossmint.com/vscodium-clone-of-visual-studio-code-for-linux/

    so the question is: VScode vs VScodium on Debian - which one to use!?

    what do you say!? 

    love to hear from you

     

     

  10. hello dear experts,


    i have - installed MX-Linux on a notebook. 

    the question of the day:  how to update all the installed packages in the MX Package Installer!? at once!?

    - installed approx 4000 packages
    - 190 of them could be updated

    question: how can we do an update of all of them - at once:

    in other words: how to update all the installed packages in the MX Package Installer!?


    love to hear from you

  11. hi dear Barand 

     

    as always - i am happy to hear from you - okay why Python is interesting to me.  I guess that there are many many ideas & things to mention here.  I like Python for its crystal clear structure and the options of doing rapid prototyping. 

     

    For the web  - i love PHP and MySQL 

    but for things like programming Microcontroller like ESP8266 and ESP32 ... i love using  MicroPython. 

     

    to recommend the python-forum - this is a good idea . thanks for that. 

    Above all: i am very very glad to be here - since this site has got such a broad variety of topics that are covered

    in other words: here a broad range of topics are discussed and we are able to exchange ideas, tips and knowledge in so many fields. This is an extraordinary place. 

    i am really happy to be here. 

     

    keep up the great work - it rocks - and a special thanks to you dear Barand for all your engagement and your encouragement in so many ways and times .. 

     

    i am so glad to be here. 

     

    regards 

    Dil_bert;)

  12. hi @ all - good day dear friends, 

     

    well - here some more findings: ideas and tips for the setup of VSCode on MX Linux. 

    some additional ideas regarding the powerful editor  VSCode that i want to make ready to run with Python (and MicroPython)

    why do we need a virtual environment in Python development with VSCode

    how to make Python work well in the VSCode editor.

    VS Code is a powerful multi-language editor that is pretty similar to Atom and also to Sublime Text. To make it work with Python we have to enter some settings: we should make sure that python and pip work from our command line before we start the installation process. This has got a great impact on the following steps: In fact it will make the setup in the editor and stuff like setting up and configuring the very important virtual environment a lot easier.

     

    here i rely on a great thread - found on the python-developer-page: https://python-forum.io/Thread-VS-Code-from-start?highlight=VSCode

    many thanks @snippsat: for the great hints he gave to us all

     


    Python 3.6/3.7 and pip installation under Windows

    C:\code
    λ python -V
    Python 3.7.0
     
    C:\code
    λ pip -V
    pip 18.0 from c:\python37\lib\site-packages\pip (python 3.7)
    On Linux, if python3 points to Python 3, use that in the setup later.

    We need that because with a virtual environment  we are able to start VS Code literally from any folder on the whole machine,

    eg for a virtual environment
    With code . from the command line in any folder, VS Code will open the files in that folder.
    Example with the virtual environment that is built into Python (venv)

     

    # Make
    E:\div_code
    λ python -m venv my_env
     
    # cd in
    E:\div_code
    λ cd my_env
     
    # Activate
    E:\div_code\my_env
    λ E:\div_code\my_env\Scripts\Activate
     
    # Test pip
    (my_env) E:\div_code\my_env
    λ pip -V
    pip 10.0.1 from e:\div_code\my_env\lib\site-packages\pip (python 3.7
     
    # Install required package 
    (my_env) E:\div_code\my_env
    λ pip install requests
    Collecting requests
    


     

    to start the VS-Code: 

    # Start VS Code
    (my_env) E:\div_code\my_env
    λ code .

    so now we have a setting that is very powerful: 

    it automatically finds the Python interpreter in the virtual environment.
    So if we push the run button it will use the Python version in the so called virtual environment.

     

    again: here i rely on a great thread - found on the python-developer-page: https://python-forum.io/Thread-VS-Code-from-start?highlight=VSCode

     

    one question: this was a setup and configuration-text that is based on windows

    Well i want to run VSCode in MX-Linux - which is debian based. Guess that i can give it a try 
    and i can install VSCode on the MX-Linux. 


    conclusio; i will give it a try and come back here and report all the findings.


    regards dil_bert

  13. hello again;)

     

    hello dear phpfreaks - again me - dil_bert: 

    there are many options to run VSCode under Linux. But what about the very interesting MX-Linux!?

    i would love to hear from you - what are your experiences and what were your steps. 
    Which extensions do you use - and how do you manage to prepare VSCode to  work with

    a. Python 
    b. MicroPython

    here we need certain plugins and extensions - here we have to set up the environment. 

    How do we do that!?

  14. Installing the Visual Studio Code on Linux - how to do that!?


    the well known open source code editor Visual Studio Code is becoming more and more well known.


    the question is: how to install Visual Studio Code in Ubuntu and  - even more interesting - in many other Linux distributions. Ubuntu is not the only Linux system, it is only a very very little part of the linux world. by releasing Visual Studio Code for all major desktop platforms, which includes Linux as well, the Coding Community was enlightened and yes: they are very happy.. Visual Studio Code became more and more famous - and over time one of the best open source code editors.

    To sum up: The features it provides are useful not only to web developers but for other languages too.

    I am not going to list the features of Visual Studio Code here. 
    The question is: how to install Visual Studio Code on Ubuntu and other Linux distributions.


    the idea 1. Install Visual Studio Code in Linux using Snap
    Visual Studio Code is available as a Snap package. Ubuntu users can find it in the Software Center itself and install it in a couple of clicks.

    Visual Studio Code in Ubuntu Software Center  - but again: ubuntu is not the only linux - only one of many many distributions.  The idea of using snap is somewhat strange. Snap packaging means you can install it in any Linux distribution that supports Snap packages. Make sure to enable Snap support on your Linux distribution. if we are on such a linux system then we can install VS Code using this command:

    sudo snap install code --classic

    idea 2. Using the .deb/.rpm installation files:  the good thing: the developer of the VSCode provides packages to install Visual Studio Code in Linux. 
    To go this way seems to be pretty easy: 

    Just head over to the download page of Visual Studio Code and you’ll find the .deb and .rpm (for Fedora systems) options under Linux. But what about the very interesting MX-Linux!?

  15. On 10/3/2019 at 2:19 PM, Barand said:

     

     

    Alternatively you can use the "@@" prefix for system variables E.G.

    
    mysql> select user(), @@hostname, @@port;
    
    +----------------+-----------------+--------+
    | user()         | @@hostname      | @@port |
    +----------------+-----------------+--------+
    | root@localhost | DESKTOP-DCGAC4S |   3306 |
    +----------------+-----------------+--------+

     

    hello dear Barand 

     

    many many thanks for the quick answer - and the idea - that sounds very interesting. 

     

    regards


  16. If we want to know the hostname of the MySQL database - then we can use the following query in the terminal resp. the
    MySQL command line terminal: 

    we can run the following command in the terminal: 

    
    SHOW VARIABLES WHERE Variable_name = 'hostname';
    mysql> SHOW VARIABLES WHERE Variable_name = 'hostname';
    +-------------------+-------+
    | Variable_name     | Value |
    +-------------------+-------+
    | hostname          | Dell  |
    +-------------------+-------+
    11 row in set (0.00 sec)


     

    It will give us the hostname data for mysql.

    and furthermore: if we want to get more - if we want to know the username of our MySQL session then we can run more commands to get these data;

    We can run this query on the MySQL command line client --

    select user();   
    
    
    mysql> select user();
    +----------------+
    | user()         |
    +----------------+
    | root@localhost |
    +----------------+
    1 row in set (0.00 sec)

     

     

    It will give us the username for mysql.

    but if we want to get more data then eg - if we want to know the port number of the local host on which MySQL is running 
    we can find out this with the following command. 

    SHOW VARIABLES WHERE Variable_name = 'port';
    mysql> SHOW VARIABLES WHERE Variable_name = 'port';
    +---------------+-------+
    | Variable_name | Value |
    +---------------+-------+
    | port          | 3306  |
    +---------------+-------+
    1 row in set (0.00 sec)
    

     

    this command is very interesting: It will give us the port number on which MySQL is running.

     

    but i have some questions - If an installation attempt can't find my socket file, or if we have multiple MySQL servers running on our computer, 
    we must enter the location of the socket file. 

    this means we have to see "Where are MySQL's files?" for common socket file locations.

    sometimes we can try using localhost instead of 127.0.0.1. MySQL treats the hostname localhost specially.

    well the question is - where do i need to add the socket path - and where do i need to enter "localhost" - or  127.0.0.1.

     

    love to hear from you


  17. here some more findings: the folks / users that face the same issue with the mentioned survey script as i do - they have posted some ideas and findings - food for thought: 


    cf: https://www.limesurvey.org/forum/installation-a-update-issues/108028-cdbconnection-failed-to-open-the-db-connection-sqlstate-hy000-2002

    klaus said: I run LimeSurvey on Linux for a few years now. After a reboot, probably an update, lime does not start anymore. I get the error 

    CDbConnection failed to open the DB connection: SQLSTATE[HY000] [2002] No such file or directory


    Following my research I looked for the connectionstring in the config.php and found:

    'connectionString' => 'mysql:unix_socket=/usr/local/LimeSurvey/var/LimeSurvey_mysqld.sock;dbname=limesurvey;',


    So I looked for the

    /usr/local/LimeSurvey/var/LimeSurvey_mysqld.sock 


    file but it was not there. Further research results: change the connectionString to:

    'connectionString' => 'mysql:host=127.0.0.1;unix_socket=/usr/local/LimeSurvey/var/LimeSurvey_mysqld.sock;dbname=limesurvey;', 


    and this following idea:

    Try
    'connectionString' =>'mysql:host=localhost;port=3306;dbname=limesurvey;',

    Are you sure DB still active mysql are on the same server?

    I was able to fix it. The error showed that /tmp/mysql.sock was missing so I created a symbolic link with this command.

    ln -s /usr/local/lib/mysql.sock /tmp/mysql.sock

    see the thread for more info: https://www.limesurvey.org/forum/installation-a-update-issues/108028-cdbconnection-failed-to-open-the-db-connection-sqlstate-hy000-2002

    conclusio: do you think that i have to do some corrections in the paths and the path to the socket!?


    i try to figure out what goes on here ...

    any idea how to check things !? Look forward to hear from you 

  18. again me - here some more info: 

    running a server  and yes mysql is installed. 

    running PHP Version 5.6.39
    mysqlnd 5.0.11-dev - 20120503 

    mysqli.default_host      localhost                  localhost
    mysqli.default_port      3306                       3306
    mysqli.default_pw        no value                   no value
    mysqli.default_socket    /var/run/mysql/mysql.sock  /var/run/mysql/mysql.sock

    hmmm - i currently wonder why it does not work


    any idea how to check things !? Look forward to hear from you 


    regards 

  19. good day dear php-experts,

     

    today's issue: could not connect to the db: reason: SQLSTATE[HY000] [2002] No such file or directory

     

    while i try to install a script on a server i get back the following error 

     

    cannot connect to the db :: just try again  
    reason: SQLSTATE[HY000] [2002] No such file or directory

    i tried it several times - but without any success;  i googled the error 

    https://stackoverflow.com/questions/29695450/pdoexception-sqlstatehy000-2002-no-such-file-or-directory

    Quick test (run in shell):

    
    php -r "new PDO('mysql:hostname=localhost;dbname=test', 'username', 'password');"
    SQLSTATE[HY000] [2002] No such file or directory means php cannot find the mysql.default_socket file. Fix it by modifying php.ini file. 
    On Mac it is mysql.default_socket = /tmp/mysql.sock (See PHP - MySQL connection not working: 2002 No such file or directory)
    SQLSTATE[HY000] [1044] Access denied for user 'username'@'localhost' CONGRATULATION! You have the correct mysql.default_socket 
    setting now. Fix your dbname/username/password.
    Also see Error on creating connection to PDO in PHP

     

    and the following ideas: 

    You need to change host from localhost to 127.0.0.1
    Laravel 4: In your app/config/database.php try changing host from localhost to 127.0.0.1
    Laravel 5: In the .env file, change DB_HOST from localhost to 127.0.0.1
    Source: PDOException SQLSTATE[HY000] [2002] No such file or directory
     

    see more here

    https://stackoverflow.com/questions/29695450/pdoexception-sqlstatehy000-2002-no-such-file-or-directory

     

    well all the trials failed so far
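    The socket-versus-TCP question from posts 16, 17 and 19 above, as an added example (my own code, not LimeSurvey's, not from the Stack Overflow answer and not from the posts): it checks which of the socket paths mentioned in the thread actually exists before connecting, builds the matching PDO DSN, and maps the two error codes from the quoted answer to what they mean. The database name and the credentials are placeholders:

```php
<?php
// Added example, not from LimeSurvey, the Stack Overflow answer or the posts.
// Explains SQLSTATE[HY000] [2002]: PHP tried a Unix socket path (or host/port)
// where nothing is listening. Works out which transport to use before connecting.

// Socket paths named in the thread plus PHP's own configured defaults.
function candidate_sockets() {
    $paths = [
        ini_get('pdo_mysql.default_socket'),
        ini_get('mysqli.default_socket'),
        '/var/run/mysql/mysql.sock',
        '/var/run/mysqld/mysqld.sock',
        '/tmp/mysql.sock',
        '/usr/local/LimeSurvey/var/LimeSurvey_mysqld.sock',
    ];
    return array_values(array_unique(array_filter($paths)));
}

// First candidate that exists and really is a socket, or null.
function find_socket(array $paths) {
    foreach ($paths as $p) {
        if (file_exists($p) && filetype($p) === 'socket') {
            return $p;
        }
    }
    return null;
}

// With host=localhost the MySQL client library silently uses the Unix socket
// (and ignores the port); host=127.0.0.1 forces TCP. Naming the socket
// explicitly removes the guesswork.
function build_dsn($db, $socket, $host = '127.0.0.1', $port = 3306) {
    if ($socket !== null) {
        return "mysql:unix_socket=$socket;dbname=$db";
    }
    return "mysql:host=$host;port=$port;dbname=$db";
}

// Translate the error codes quoted from Stack Overflow into next steps.
function explain(PDOException $e) {
    $msg = $e->getMessage();
    if (strpos($msg, '[2002]') !== false) {
        return 'transport problem: socket path or host/port wrong, or MySQL is not running';
    }
    if (preg_match('/\[(1044|1045)\]/', $msg)) {
        return 'transport is fine; fix dbname, username or password';
    }
    return $msg;
}

$socket = find_socket(candidate_sockets());
echo "socket found: " . ($socket === null ? 'none, falling back to TCP' : $socket) . "\n";

$dsn = build_dsn('limesurvey', $socket);   // 'limesurvey' is a placeholder db name
echo "DSN: $dsn\n";

try {
    new PDO($dsn, 'username', 'password');  // placeholder credentials
    echo "connected\n";
} catch (PDOException $e) {
    echo "connection failed: " . explain($e) . "\n";
}
```

    If the script reports that no candidate socket exists, compare the path MySQL itself reports (SHOW VARIABLES WHERE Variable_name = 'socket') with the mysqli.default_socket value from the phpinfo output above; a 1044 or 1045 after switching the DSN means the socket question is settled and only the credentials remain.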

  20. hi there finally installed the ide and now it is running 

    downloaded the firmware for micropython from the micropython site. 

    tried to flash it - but this is not possible.  see the images that i have attached...

    well  -  run on MX-Linux - but at the moment i have no clue what is going on here... 

     

    love to hear from you 
