Ben Maynard's blog about anything » Ben Maynard

Mining passwords from public GitHub repositories

Ben Maynard — Fri, 27 Aug 2010 20:36:59 +0000

I was on GitHub today, and I had a thought about mining database, account and server passwords of public repositories where the developer has forgotten to remove the password from the source code before pushing to the public repository.

I did a simple test using GitHub’s search using certain keywords eg:

It only takes you to go through about 10 pages of search results (“root password” has over 10,000 results) and you can see a few password’s that look like real. GitHub do have an article about remove sensitive data (http://help.github.com/removing-sensitive-data/) but also has a good statement line saying “Once the commit has been pushed you should consider the data to be compromised. Period.” which is very true but it seems there are alot of developers out there that our committing there passwords. I wonder how many hackers have prowled through GitHub looking for passwords and in result successfully been able to pull of an attack.

However, the best search term is “gmail password” (http://github.com/search?type=Code&language=&q=gmail+password&repo=&langOverride=&x=0&y=0&start_value=1) which as you can see, the first result looks like a real gmail password. I haven’t tested any of these passwords but I’m sure there is plenty of real passwords that developers have committed.

So remember, DON’T COMMIT YOUR PASSWORDS!

iniReader – Simple C++ configuration file parser

Ben Maynard — Fri, 27 Aug 2010 19:41:58 +0000

I have created a very simple C++ class that will parse a configuration file and return the value of the request key. You can get the code from http://github.com/bmaynard/iniReader.

I created this class for my CPUHog application (http://github.com/bmaynard/CPUHog) which records CPU and memory usage of applications running so you can find out which processes where hogging your CPU time.

Please feel free to leave feedback if you have any suggestions or problems. I do plan on make the class more powerful as its very simple at the moment.

The most craziest captcha….EVER!

Ben Maynard — Sat, 14 Aug 2010 01:13:32 +0000

I have been meaning to blog about this for over a year now, but check out the captcha on this website: http://linksave.in/register.

That is one way on how NOT to do captcha, but very interesting and I wonder how spam bots go with it.

NFS Manager

Ben Maynard — Wed, 11 Aug 2010 03:42:24 +0000

I have been playing around with python and django the last coupon of weeks and I have created a NFS Manager module. You can grab the source code from: http://github.com/bmaynard/NFSManager

It is fairly basic at the moment and I havn’t implement all the options available for NFS but you can manage several servers from one place . To use the module, you create new servers, then setup the shared directories and clients. After you have set everything up you can go to the server list and push the changes across from the action drop down.

If you have any comments or suggestions then please leave a comment, I would like to try and make the module more powerful.

Pwnie Awards

Ben Maynard — Sat, 24 Jul 2010 04:55:48 +0000

I was reading my twitter feed and I read that the nominations for the pwnie 2010 awards had been announced, so I go and check it out and to my surprise I noticed my blog post about the OpenCart CSRF issue had been nominated for a pwnie award under Lamest Vendor Response! Never when writing the blog post did I think it would ever get so big which did at once stage crash my server.

The winners are announced at the BlackHat USA 2010 conference in Las Vagas which is the event ontop of my to go to list……..now where is my free ticket?

Installing PHP extensions on Mac OS X under xampp

Ben Maynard — Sun, 30 May 2010 18:11:55 +0000

The other day I installed xampp on a mac os x running snow leopard but I was having an issue installing any extra extensions like xdebug and apc. I found out it was because it was compiling the extensions in 64bit but xampp is compiled in 32bit and I did the following to fix the issue:

Download and extract the source
Run phpize

Adding the following parameters to configure:

./configure MACOSX_DEPLOYMENT_TARGET=10.6 CFLAGS="-arch i386 -g -Os -pipe -no-cpp-precomp" CCFLAGS="-arch i386 -g -Os -pipe" CXXFLAGS="-arch i386 -g -Os -pipe" LDFLAGS="-arch i386 -bind_at_load"

make (and make install if required)
done

If that doesnt work, try adding:

--with-php-config=/Applications/XAMPP/xamppfiles/bin/php-config-5.3.1

to the configure command.

I hope that will help some people out there, because it was driving me insane!

I got reddited

Ben Maynard — Sun, 30 May 2010 18:00:24 +0000

Last week my post got posted on reddit and was on the homepage for over 24 hours which I as totally not expecting and the end results was my blog being down for a large amount of time over those couple of days. I had to set my DNS records to 127.0.0.1 as all I had at the time to fix the issue was my phone and since I receive free hosting from my old company (WebClick – http://www.webclick.com.au) the last thing I wanted to do was crash their servers.

I have now installed wp-supercache so hopefully if it every happens again, my blog will handle it 10x better.

OpenCart Secured Issue

Ben Maynard — Mon, 29 Mar 2010 02:05:12 +0000

I have been meaning to post this early but there is a problem now with the secure patch for OpenCart that means my release no longer works. As of 1.4.1, the developer made a change to how all the links are made, well rather than running the links through a function which can re-write the URL (which my patch added a random token too). The change he made was to make every URL static therefore I am no longer able to add the token to every URL automatically, but to add the token manually to every link which I am deciding against doing from a pure maintenance level (and a nightmare to upgrade).

The only reason why I could see the developer to make this change is to kill the development of my patch. I now have a few options and would love to hear any feedback on which path to take.

1. Revert back to 1.4.0 and no longer do anymore upgrades.
2. Delete the project so it no longer exists.
3. For someone else to takeover who has the time to do any maintenance required (which I don’t have).

Personally I think the developer of OpenCart has lost the plot and I believe people should look at other options that have a more dynamic development process, and a team who knows what they are doing.

Update: I have since deleted the repo’s on GitHub as the code no longer works and I am unable to fix all the security issues.

OpenCart Secured Upgraded to 1.4.1

Ben Maynard — Tue, 09 Mar 2010 00:36:25 +0000

Quick blog post, just letting everyone know I have update OpenCart Secured to version 1.4.1. If you notice any problems please let me know.

You can grab it here: http://github.com/bmaynard/OpenCart-Secured

Update: I have now upgraded the repository to 1.4.2

Update 2: I have now upgraded the repository to 1.4.4

OpenCart Secured

Ben Maynard — Sat, 13 Feb 2010 17:39:38 +0000

Following my last blog post about the security issues with OpenCart, I have released a secured version of OpenCart which current contain the following security fixes:

CSRF Protection
Local File Injection
Disabled ability to view source code in template files (htaccess.txt must be renamed to .htaccess)

You can download a copy from: http://github.com/bmaynard/OpenCart-Secured

If you find any bugs or issues then please report them and I will try and fix them.