When a Perl CGI script is run from the browser, the web server answers with "500 Internal Server Error" whenever something goes wrong.
There can be many reasons for this, but one thing you can check very quickly is whether the Perl script itself contains errors.
To do that, log in to the server where the script runs and execute:
To check the syntax only (compile, do not run):
/path/to/perl -wc /path/to/script.cgi
To run the script with warnings enabled:
/path/to/perl -w /path/to/script.cgi
If the script's #! line turns on taint mode (for example #!/usr/bin/perl -wT), add -T to the check as well (/path/to/perl -T -wc /path/to/script.cgi), otherwise perl refuses to compile it. A script that compiles cleanly can still produce a 500 if it is not executable, if the #! line points to the wrong interpreter path, if the file has Windows CRLF line endings, or if its output does not start with a "Content-type: ..." header followed by a blank line; the web server's error log names the actual cause.
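The checks above, automated in a small Python script. This is an added example, not code from the original post: it looks at the #! line, the CRLF and executable-bit problems, then runs `perl -wc` (adding `-T` when the #! line asks for taint mode) and captures perl's verdict. It assumes `perl` is on PATH; when it is not, the syntax check is skipped and reported as `None`. The two sample scripts are constructed for the demonstration.

```python
import os
import shutil
import subprocess
import tempfile

# Constructed sample scripts (not from the page). GOOD has a taint-mode #! line
# and Unix line endings; BAD has a syntax error and Windows CRLF line endings.
GOOD_SCRIPT = (
    b"#!/usr/bin/perl -wT\n"
    b"use strict;\n"
    b'print "Content-type: text/plain\\n\\n";\n'
    b'print "hello\\n";\n'
)
BAD_SCRIPT = (
    b"#!/usr/bin/perl\r\n"
    b"use strict;\r\n"
    b"my $x = ;\r\n"
    b'print "Content-type: text/plain\\n\\n";\r\n'
)


def cgi_preflight(path):
    """Check the usual causes of a CGI 500 that `perl -wc` alone does not show,
    then run `perl -wc` (with -T when the #! line enables taint mode)."""
    with open(path, "rb") as f:
        raw = f.read()
    first = raw.split(b"\n", 1)[0].rstrip(b"\r")
    words = first[2:].split() if first.startswith(b"#!") else []
    interpreter = words[0].decode() if words else ""
    taint = any(w.startswith(b"-") and b"T" in w for w in words[1:])
    findings = {
        "shebang_ok": bool(words),
        "interpreter_exists": bool(interpreter) and os.path.exists(interpreter),
        "crlf": b"\r\n" in raw,                          # Windows line endings
        "executable": bool(os.stat(path).st_mode & 0o111),
        "taint_mode": taint,
    }
    perl = shutil.which("perl")
    if perl is None:
        findings["syntax_ok"], findings["perl_output"] = None, "perl not found on this host"
    else:
        # -T must be given on the command line too when the #! line has it.
        cmd = [perl] + (["-T"] if taint else []) + ["-wc", path]
        result = subprocess.run(cmd, capture_output=True, text=True)
        findings["syntax_ok"] = result.returncode == 0   # perl prints "syntax OK" on stderr
        findings["perl_output"] = result.stderr.strip()
    return findings


def demo(tmpdir=None):
    """Write both constructed samples into a scratch directory and check them."""
    tmpdir = tmpdir or tempfile.mkdtemp(prefix="cgi-check-")
    good = os.path.join(tmpdir, "good.cgi")
    bad = os.path.join(tmpdir, "bad.cgi")
    with open(good, "wb") as f:
        f.write(GOOD_SCRIPT)
    os.chmod(good, 0o755)
    with open(bad, "wb") as f:
        f.write(BAD_SCRIPT)
    os.chmod(bad, 0o644)
    return {"good": cgi_preflight(good), "bad": cgi_preflight(bad)}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings)
```

Run it against a real script with `cgi_preflight("/path/to/script.cgi")`; anything other than `syntax_ok: True`, `executable: True`, `crlf: False` is a likely cause of the 500.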
Monday, June 22, 2009
Friday, April 3, 2009
Web Application Security

Web application layers:
- Data: the original data: text, images, files
- Database: Access, SQL Server, MySQL, Oracle
- Code: Perl, PHP, servlets, JSP, ASP
- Web server: Apache, IIS, WebSphere, WebLogic, Netscape Enterprise
- User-interface code: HTML, forms, JavaScript, ColdFusion
- Browser
- Input
Top 10 vulnerabilities (this is the OWASP Top 10, 2004 edition):
– Unvalidated input
– Broken access control
– Broken authentication and session management
– Cross-site scripting
– Buffer overflows
– Injection flaws
– Improper error handling
– Insecure storage
– Denial of service
– Insecure configuration management
Unvalidated input
– Never trust input from a user
– A malicious user can tamper with anything and will try to:
- Cause errors that give up information
- Trigger a buffer overflow
- Modify parameters
- Modify the URL
- SQL injection
- Cross-site scripting
- Session hijacking by modifying cookies
Broken access control: types of attacks
– Insecure IDs (guessable IDs)
– Forced browsing past access control checks
- "/client" is checked for access control
- "/client/client1/data" is not
- If someone guesses the full URL, the check is bypassed
– File permissions (OS permissions + web server permissions)
– Client-side caching
Broken authentication and session management
– Two main issues: credential management and session hijacking
– Flawed credential-management functions:
- Password changes (expiry, etc.)
- "Forgot my password"
Web applications need to keep track of users. HTTP offers no session management, so the application must do it itself with a session ID stored in one of:
– A cookie
– The URL
– A hidden field in the dynamic page
How is your session ID generated?
– Time-based? (an attacker who knows roughly when you logged in can enumerate it)
– Sequential? (an attacker with one ID can guess its neighbours)
How do you protect it?
– Integrity with a keyed hash (MAC)? An unkeyed hash can be recomputed by the client.
– Encryption?
– Encoded with an easily reversible scheme? (that protects nothing)
– Timeouts on the lifetime of the session?
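The two question lists above, worked through in Python. This is an added example, not code from the original slides: it shows why a time-based ID is guessable (the attacker side recovers it by trying each second in a window), then the alternative of a CSPRNG-generated ID bound together with its issue time by an HMAC-SHA256 tag, verified in constant time and rejected after a timeout. The server key is generated at import time here purely for the demonstration; a real deployment loads it from configuration.

```python
import hashlib
import hmac
import secrets

# Assumed: a server-side secret loaded from configuration, never sent to clients.
# Generated at import here only so the example runs stand-alone.
SERVER_KEY = secrets.token_bytes(32)


def weak_time_based_id(now):
    """Insecure pattern: session ID derived from a one-second timestamp.
    Hashing adds no entropy; there are only 3600 candidates per hour."""
    return hashlib.md5(str(int(now)).encode()).hexdigest()


def guess_time_based_id(target, observed_at, window=3600):
    """Attacker side: recover when a weak ID was issued by trying every second
    in the window before it was observed. Returns the age in seconds or None."""
    base = int(observed_at)
    for age in range(window):
        if hashlib.md5(str(base - age).encode()).hexdigest() == target:
            return age
    return None


def issue_token(now, key=SERVER_KEY):
    """Sound pattern: 256 random bits from the OS CSPRNG plus the issue time,
    both covered by an HMAC tag so the client can alter neither."""
    session_id = secrets.token_urlsafe(32)          # alphabet never contains '.'
    payload = f"{session_id}.{int(now)}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_token(token, now, max_age=1800, key=SERVER_KEY):
    """Return the session ID if the tag is valid and the token has not expired,
    otherwise None. The tag is checked before anything else is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    session_id, issued, tag = parts
    expected = hmac.new(key, f"{session_id}.{issued}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):     # constant-time comparison
        return None
    if not issued.isdigit() or int(now) - int(issued) > max_age:
        return None                                # session timeout
    return session_id


if __name__ == "__main__":
    t = 1_700_000_000.0
    weak = weak_time_based_id(t)
    print("weak id recovered, age =", guess_time_based_id(weak, t + 42))
    tok = issue_token(t)
    print("fresh token ->", verify_token(tok, t + 10) is not None)
    print("expired token ->", verify_token(tok, t + 3600))
```

`secrets.token_urlsafe(32)` is the "how is it generated" answer; the HMAC is the "integrity with hash" answer, and keying it is what makes it more than a checksum the client could recompute.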
Buffer overflows
– Corrupt the execution stack of the web application (or of the server and native components it calls)
– Cause the application to execute arbitrary code
– Very common problem
– Keep your applications and OS patched!
Improper error handling
– Debug messages help an attacker gain information that can be leveraged into a compromise
– Turn debug output off!
– Customize error messages so that no internal information is given away
Insecure configuration management
– 90%* of break-ins can be stopped by properly configuring your web server!
– Don't run default installations!
Insecure configuration management: default directories
Dot-dot sequence (../../) directory traversal:
– /../../winnt/system32/cmd.exe?/c+dir
URL-encoded and "Unicode" (overlong UTF-8) directory traversal:
– /..%5c..%5cwinnt/system32/cmd.exe?/c+dir
– /cgi-bin/..%c1%1c..%c1%1c../winnt/system32/cmd.exe?/c+dir
%5c..%5c decodes to \..\ (%5c is the URL encoding of the backslash)
%c1%1c..%c1%1c also decodes to \..\ on a server that accepts malformed or overlong UTF-8 (the IIS "Unicode" bug); the traversal slips past a check that only looks for the literal string "../"
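The decoding the slides above describe, as an added example (not code from the original slides): a detector that percent-decodes a request path the way a lenient server would, including double encoding (%255c) and the overlong or malformed UTF-8 forms, then resolves it against the web root and reports whether it escapes. Assumptions: the web root `/inetpub/wwwroot`, a table of lenient separator sequences that adds the standard overlong forms `%c0%af` and `%c1%9c` to the `%c1%1c` on the slide, and a constructed list of request lines (three of them are the slide's own).

```python
import posixpath
from urllib.parse import unquote_to_bytes

# Byte sequences a lenient decoder maps to a path separator: the canonical
# overlong UTF-8 forms plus the malformed %c1%1c that IIS accepted.
LENIENT_SEPARATORS = {
    b"\xc0\xaf": b"/",
    b"\xc1\x9c": b"\\",
    b"\xc1\x1c": b"\\",
}


def decode_like_a_lenient_server(raw_path, max_rounds=3):
    """Percent-decode until stable (catches %255c double encoding), map the
    overlong sequences to separators, and treat backslash as a separator."""
    data = raw_path.split("?", 1)[0].encode("utf-8")   # drop the query string
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    for seq, sep in LENIENT_SEPARATORS.items():
        data = data.replace(seq, sep)
    return data.decode("latin-1").replace("\\", "/")


def check_request_path(raw_path, web_root="/inetpub/wwwroot"):
    """Resolve the request path against the web root the way the server's
    filesystem would, and return (resolved path, True if it escapes the root)."""
    root = posixpath.normpath(web_root)
    relative = decode_like_a_lenient_server(raw_path).lstrip("/")
    resolved = posixpath.normpath(posixpath.join(root, relative))
    escapes = not (resolved == root or resolved.startswith(root + "/"))
    return resolved, escapes


# Constructed request lines: the three from the slide, a double-encoded
# variant, and a harmless one that uses ".." without leaving the root.
SAMPLE_REQUESTS = [
    "/../../winnt/system32/cmd.exe?/c+dir",
    "/..%5c..%5cwinnt/system32/cmd.exe?/c+dir",
    "/cgi-bin/..%c1%1c..%c1%1c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir",
    "/images/../index.html",
]


def scan(requests=SAMPLE_REQUESTS):
    """Return the requests whose resolved path leaves the web root."""
    return [r for r in requests if check_request_path(r)[1]]


if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(check_request_path(r), r)
```

The point of resolving against the root rather than searching for `../` is that every encoding variant collapses to the same resolved path, so the check does not depend on guessing which encoding the attacker used.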
How to stop web application attacks
– Customize error messages
– Restrict access to sensitive information
– Patch web servers
– Remove sensitive pages from search-engine (Google) indexes
– Regularly perform application tests
– Deploy a web application firewall
– Deploy an IPS that analyzes the application layer
Thursday, April 2, 2009
xgettext options and examples
SYNOPSIS
xgettext - extract gettext strings from source
xgettext [OPTION] [INPUTFILE]
DESCRIPTION
• Extract translatable strings from given input files.
• Mandatory arguments to long options are mandatory for short options too. Similarly for optional arguments.
Input files location:
INPUTFILE ...
input files
• -f, --files-from=FILE
get list of input files from FILE
• -D, --directory=DIRECTORY
add DIRECTORY to list for input files search
If input file is -, standard input is read.
Output files location:
• -d, --default-domain=NAME
use NAME.po for output (instead of messages.po)
• -o, --output=FILE
write output to specified file
• -p, --output-dir=DIR
output files will be placed in directory DIR
If output file is -, output is written to standard output.
Choice of input file language:
• -L, --language=NAME
recognise the specified language (C, C++, ObjectiveC, PO, Shell, Python, Lisp, EmacsLisp, librep, Scheme, Smalltalk, Java, JavaProperties, C#, awk, YCP, Tcl, Perl, PHP, GCC-source, NXStringTable, RST, Glade)
• -C, --c++ shorthand for --language=C++
By default the language is guessed depending on the input file name extension.
Input file interpretation:
• --from-code=NAME
encoding of input files (except for Python, Tcl, Glade)
By default the input files are assumed to be in ASCII.
Operation mode:
• -j, --join-existing
join messages with existing file
• -x, --exclude-file=FILE.po
entries from FILE.po are not extracted
• -c, --add-comments[=TAG]
place comment block with TAG (or those preceding keyword lines) in output file
Language specific options:
• -a, --extract-all
extract all strings (only languages C, C++, ObjectiveC, Shell, Python, Lisp, EmacsLisp, librep, Scheme, Java, C#, awk, Tcl, Perl, PHP, GCC-source, Glade)
• -k, --keyword[=WORD]
additional keyword to be looked for (without WORD means not to use default keywords)
(only languages C, C++, ObjectiveC, Shell, Python, Lisp, EmacsLisp, librep, Scheme, Java, C#, awk, Tcl, Perl, PHP, GCC-source, Glade)
• --flag=WORD:ARG:FLAG
additional flag for strings inside the argument number ARG of keyword WORD
(only languages C, C++, ObjectiveC, Shell, Python, Lisp, EmacsLisp, librep, Scheme, Java, C#, awk, YCP, Tcl, Perl, PHP, GCC-source)
• -T, --trigraphs
understand ANSI C trigraphs for input (only languages C, C++, ObjectiveC)
• --qt recognize Qt format strings (only language C++)
• --kde recognize KDE 4 format strings (only language C++)
• --boost recognize Boost format strings (only language C++)
• --debug more detailed formatstring recognition result
Output details:
• -e, --no-escape
do not use C escapes in output (default)
• -E, --escape
use C escapes in output, no extended chars
• --force-po
write PO file even if empty
• -i, --indent
write the .po file using indented style
• --no-location
do not write ’#: filename:line’ lines
• -n, --add-location
generate ’#: filename:line’ lines (default)
• --strict
write out strict Uniforum conforming .po file
• --properties-output
write out a Java .properties file
• --stringtable-output
write out a NeXTstep/GNUstep .strings file
• -w, --width=NUMBER
set output page width
• --no-wrap do not break long message lines, longer than the output page width, into several lines
• -s, --sort-output
generate sorted output
• -F, --sort-by-file
sort output by file location
• --omit-header
don’t write header with ‘msgid ""’ entry
• --copyright-holder=STRING
set copyright holder in output
• --foreign-user
omit FSF copyright in output for foreign user
• --package-name=PACKAGE
set package name in output
• --package-version=VERSION
set package version in output
• --msgid-bugs-address=EMAIL@ADDRESS
set report address for msgid bugs
• -m, --msgstr-prefix[=STRING]
use STRING or "" as prefix for msgstr entries
• -M, --msgstr-suffix[=STRING]
use STRING or "" as suffix for msgstr entries
Informative output:
• -h, --help display this help and exit
• -V, --version
output version information and exit
Examples:
• xgettext -o myapp.po -p ./locale --force-po --from-code=UTF-8 --keyword --keyword=__ --keyword=gettext -L PHP *.php
• xgettext -a abc.php    (one specific file)
• xgettext -a *.php      (all PHP files in the directory)
Reference: http://www.gsp.com/cgi-bin/man.cgi?section=1&topic=xgettext
Internationalization PHP web sites using Smarty and gettext
What do we need?
- The gettext extension enabled in your PHP installation.
- The Smarty gettext plugin, which you can download from SourceForge: http://sourceforge.net/projects/smarty-gettext/
Step I: Mark the strings in your templates
This step is easy: you just need to put the text you want to translate between {t} and {/t}, for example:
{t}translate this{/t}
or, with parameters:
{t 1=$customers 2=$orders}There are %1 customers waiting for %2 orders.{/t}
The {t} block must be registered with Smarty, so add the following where you create your Smarty object (here in the constructor of a class that extends Smarty 2):
require('Smarty.class.php');
require('smarty-gettext.php');
$this->Smarty();                                   // parent (Smarty 2.x) constructor
$this->register_block('t', 'smarty_translate');    // {t}...{/t} is handled by the plugin
smarty_translate is the function in the Smarty gettext plugin that handles the translation: it passes the block body to gettext() and substitutes the %1, %2 ... parameters into the result.
Step II: Prepare input files for gettext
For this you need the tsmarty2c.php script from the Smarty gettext plugin, run from the console, for example:
php tsmarty2c.php PATH_TO_YOUR_TEMPLATE_DIR/template.tpl > template.c
On Windows the CLI binary php.exe lives in the PHP installation directory (for example C:\wamp\bin\php\php5.2.9). tsmarty2c.php reads the template and writes a C-like file in which every {t} block body is wrapped in a gettext() call, so that xgettext can parse it as C source.
Repeat this step for every template file.
Step III: Prepare a .po file
To create the .po file, run the xgettext utility over the .c files you created in Step II. Create dictionary.po from the first file, then merge the others into it with --join-existing, for example:
$ xgettext -o dictionary.po --join-existing --no-location template.c
Keep the header that xgettext generates (pass --omit-header only on later runs, once dictionary.po already has one) and set the charset in its Content-Type line, for example "Content-Type: text/plain; charset=UTF-8\n"; without it, non-ASCII translations are not decoded correctly.
The file has two parts: the header, and the dictionary entries, whose msgstr lines you fill in:
msgid "translate this"
msgstr "here goes your translation"
Step IV: Convert the .po file to .mo using the msgfmt utility.
After translating everything, create the .mo file; -c makes msgfmt validate the entries and the header first:
$ msgfmt -c -o dictionary.mo dictionary.po
Step V: Prepare the directory structure.
The gettext library requires the files to be stored in a fixed directory layout, for example:
/locale
    /pl_PL
        /LC_MESSAGES
            dictionary.po
            dictionary.mo
The .mo file must be named after the text domain used in Step VI ('dictionary'), and the pl_PL directory must match the locale name passed to setlocale.
Step VI: Finale!
The final step is to tell your application to use the translation you have prepared. Below is an example of the PHP code you can use:
$language_code = 'pl_PL';                 // must be a locale installed on the server (see `locale -a` on Linux)
putenv("LC_ALL=$language_code");
putenv("LANG=$language_code");
setlocale(LC_ALL, $language_code);        // returns false when the locale is not installed
$domain = 'dictionary';                   // matches locale/pl_PL/LC_MESSAGES/dictionary.mo
bindtextdomain($domain, dirname(__FILE__) . '/locale');   // absolute path, not relative to the cwd
bind_textdomain_codeset($domain, 'UTF-8');
textdomain($domain);
Set the path passed to bindtextdomain to your real 'locale' directory. If the language code comes from the request (a cookie or a parameter), validate it against the list of locales you actually ship before handing it to putenv and setlocale. Note also that PHP caches a loaded .mo file for the lifetime of the web server process, so after regenerating dictionary.mo you may need to restart the web server to see the change.
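The whole pipeline of Steps I to VI, plus the xgettext examples further up the page, as one runnable Python example. This is an added example, not the plugin's or the page's own code: a regex stands in for tsmarty2c.php, a small PO writer and reader stand in for xgettext and the hand edit, a GNU .mo compiler stands in for msgfmt, and Python's gettext module plays the role of PHP's bindtextdomain/textdomain. The template, the Polish translations, the domain name `dictionary` and the `pl_PL` locale directory are constructed for the demonstration; the .mo files it writes are the real format and load with GNU gettext too.

```python
import gettext
import os
import re
import struct
import tempfile

# Constructed sample template and translations (not from the page's project).
TEMPLATE = """<h1>{t}translate this{/t}</h1>
<p>{t 1=$customers 2=$orders}There are %1 customers waiting for %2 orders.{/t}</p>
"""
TRANSLATIONS = {
    "translate this": "przetłumacz to",
    "There are %1 customers waiting for %2 orders.": "%1 klientów czeka na %2 zamówień.",
}

T_BLOCK = re.compile(r"\{t(?:\s[^}]*)?\}(.*?)\{/t\}", re.DOTALL)
PO_ENTRY = re.compile(r'msgid\s+((?:"(?:[^"\\]|\\.)*"\s*)+)msgstr\s+((?:"(?:[^"\\]|\\.)*"\s*)+)')
PO_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')


def extract_msgids(template):
    """Step II (tsmarty2c): every {t}...{/t} body becomes a msgid."""
    return [m.group(1) for m in T_BLOCK.finditer(template)]


def write_po(msgids, translations):
    """Step III (xgettext plus the hand edit): PO text with a charset header."""
    def q(s):
        return '"' + s.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n") + '"'
    lines = ['msgid ""', 'msgstr ""', '"Content-Type: text/plain; charset=UTF-8\\n"', ""]
    for mid in msgids:
        lines += [f"msgid {q(mid)}", f"msgstr {q(translations.get(mid, ''))}", ""]
    return "\n".join(lines)


def parse_po(text):
    """Read PO entries back (handles the quoting write_po produces)."""
    def unq(chunk):
        s = "".join(PO_STRING.findall(chunk))
        return s.replace('\\"', '"').replace("\\n", "\n").replace("\\\\", "\\")
    return {unq(a): unq(b) for a, b in PO_ENTRY.findall(text)}


def compile_mo(catalog):
    """Step IV (msgfmt): GNU .mo layout: 7-word header, msgid table, msgstr
    table (length/offset pairs), then the NUL-terminated strings."""
    ids = strs = b""
    entries = []
    for msgid, msgstr in sorted(catalog.items()):
        i, s = msgid.encode("utf-8"), msgstr.encode("utf-8")
        entries.append((len(i), len(ids), len(s), len(strs)))
        ids += i + b"\0"
        strs += s + b"\0"
    n = len(entries)
    id_table_at, str_table_at = 28, 28 + 8 * n
    ids_at = str_table_at + 8 * n
    strs_at = ids_at + len(ids)
    out = struct.pack("<7I", 0x950412DE, 0, n, id_table_at, str_table_at, 0, 0)
    for ilen, ioff, _, _ in entries:
        out += struct.pack("<2I", ilen, ids_at + ioff)
    for _, _, slen, soff in entries:
        out += struct.pack("<2I", slen, strs_at + soff)
    return out + ids + strs


def install(localedir, lang, domain, po_text):
    """Step V: <localedir>/<lang>/LC_MESSAGES/<domain>.{po,mo}; the .mo name
    must equal the text domain used at lookup time."""
    d = os.path.join(localedir, lang, "LC_MESSAGES")
    os.makedirs(d, exist_ok=True)
    with open(os.path.join(d, domain + ".po"), "w", encoding="utf-8") as f:
        f.write(po_text)
    with open(os.path.join(d, domain + ".mo"), "wb") as f:
        f.write(compile_mo(parse_po(po_text)))
    return d


def translate(localedir, lang, domain, msgid, params=None):
    """Step VI plus the {t} block at render time: bind the domain, look the
    msgid up, then fill %1, %2 ... the way smarty_translate does."""
    t = gettext.translation(domain, localedir=localedir, languages=[lang])
    text = t.gettext(msgid)                      # falls back to msgid when untranslated
    return re.sub(r"%(\d+)", lambda m: str((params or {}).get(int(m.group(1)), m.group(0))), text)


def demo(localedir=None):
    localedir = localedir or tempfile.mkdtemp(prefix="locale-")
    msgids = extract_msgids(TEMPLATE)
    install(localedir, "pl_PL", "dictionary", write_po(msgids, TRANSLATIONS))
    return {
        "msgids": msgids,
        "greeting": translate(localedir, "pl_PL", "dictionary", msgids[0]),
        "status": translate(localedir, "pl_PL", "dictionary", msgids[1], {1: 3, 2: 7}),
        "untranslated": translate(localedir, "pl_PL", "dictionary", "no such string"),
    }


if __name__ == "__main__":
    print(demo())
```

Because the header entry carries `charset=UTF-8`, the non-ASCII Polish strings survive the .po to .mo round trip; drop that header and gettext decodes the catalog as ASCII, which is the failure the caveat in Step III refers to.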
Internationalization, Localization & Globalization
Internationalization (i18n)
Internationalization is the process of planning, designing and implementing a "culturally and technically" neutral product, which can easily be localized for various cultures.
Internationalization needs to be addressed in the earliest product planning stages.
i18n is a numeronym for "Internationalization": the 18 is the number of letters between the "i" and the "n" in the word.
Localization (l10n)
Localization involves taking a product and making it linguistically and culturally appropriate to the target locale (country/region and language) where it will be used and sold.
It is the adaptation of a system for a particular locale.
This includes localizing
- Measurements (inches to centimeters),
- Degrees (Fahrenheit to Celsius),
- Currencies (US dollar to Indian Rupees),
- Date formats (mm/dd/yyyy to dd/mm/yyyy),
- Regional spelling (color to colour),
- Number format (comma or period to separate thousands)
Globalization (g11n)
Globalization addresses the business issues associated with taking a product global.
In the globalization of high-tech products this involves integrating localization throughout a company, after proper internationalization and product design, as well as marketing, sales, and support in the world market.
Globalization in the broadest sense encompasses both internationalization and localization, as well as putting into place the requisite materials, financial, and personnel resources in a global market to support your product or service on a local level.
so, g11n = i18n + l10n, :)
Reference :
http://teck.in/internationalization-localization.html