My Note on Solutions.

Thursday, February 19, 2015

Opencart fix, show the shipping method in orders admin page and filter by shippingmethod

it turns that this should be a common feature for opencart admins, basically the operation team would like to see orders with priority shipping method and process those orders first. on 1.5, no way you can see this at once. basically the orders page looks like this by default

image

they actually want to see the UI like this, with shipping method on the overview

image

even more, they want a filter to see all orders with priority shipping selected.

image

To fix this, pretty straight forward. change the orders module/controller/template file, to include shippingmethod in the data query back. and add a filter logic to narrow down records.

I have a patch file, email me if you are interested. click about me on the page to get my email

Wednesday, February 11, 2015

C# merge sorting vs insert sorting

Quick test for a 50K random double array with random order, to soft it using the system libarry  and my own insert sorting/ merge sorting, the time takes to do the soring is quite different.

given a array with size 50K of  double values,

image

if increase to 100K, more time for insertion sorting

image

 

https://github.com/ryandh/CSharpSortingInsertedMerged/blob/master/Program.cs

Friday, February 6, 2015

Jquery , Simple plugin with default options

check this sample fiddler, http://jsfiddle.net/androidyou/dox5x8pp/

basically, we can use the $.extend to assign a default value if options are not assigned.

image

if you put default option,

image

image

Wednesday, January 7, 2015

DNS troubleshooting tools and tips - nslookp

if you are on Windows, dig is not there, you can do most DNS query through nslookup.

to see the DNS cache on your local server,  run “ipconfig /displayDNS”

image

same thing, ipconfig /flushDNS to purge the cache.

to see name server of a giving domain

image

to see all infomration like root server, try nslookup , set all

image

to see mx record of amazon.

image

to see the spf record?

image

what about debug information

image

to see all information

image

to see all the ips of a domain or even this history.

https://www.virustotal.com/en/domain/dl.dropbox.com/information/

image

DNS troubleshooting tools and tips - dig

To see top level Name Servers,  dig –t ns com

image

If we want to see what’s are the name server of Google by asking any top level com servers.

image

now we can ask any nameserver of google, what’s are the ip of www.google.com

image

we can also using host command to get the ip or alias information

image

we can see the alias gmail.google.com

image

if we want to see some debug information. we can put debug there

[~]dig +trace  -t mx  dropbox.com

; <<>> DiG 9.8.3-P1 <<>> +trace -t mx dropbox.com
;; global options: +cmd
.            15634    IN    NS    a.root-servers.net.
.            15634    IN    NS    b.root-servers.net.
.            15634    IN    NS    c.root-servers.net.
.            15634    IN    NS    d.root-servers.net.
.            15634    IN    NS    e.root-servers.net.
.            15634    IN    NS    f.root-servers.net.
.            15634    IN    NS    g.root-servers.net.
.            15634    IN    NS    h.root-servers.net.
.            15634    IN    NS    i.root-servers.net.
.            15634    IN    NS    j.root-servers.net.
.            15634    IN    NS    k.root-servers.net.
.            15634    IN    NS    l.root-servers.net.
.            15634    IN    NS    m.root-servers.net.
;; Received 228 bytes from 8.8.8.8#53(8.8.8.8) in 29 ms

com.            172800    IN    NS    a.gtld-servers.net.
com.            172800    IN    NS    b.gtld-servers.net.
com.            172800    IN    NS    c.gtld-servers.net.
com.            172800    IN    NS    d.gtld-servers.net.
com.            172800    IN    NS    e.gtld-servers.net.
com.            172800    IN    NS    f.gtld-servers.net.
com.            172800    IN    NS    g.gtld-servers.net.
com.            172800    IN    NS    h.gtld-servers.net.
com.            172800    IN    NS    i.gtld-servers.net.
com.            172800    IN    NS    j.gtld-servers.net.
com.            172800    IN    NS    k.gtld-servers.net.
com.            172800    IN    NS    l.gtld-servers.net.
com.            172800    IN    NS    m.gtld-servers.net.
;; Received 489 bytes from 128.63.2.53#53(128.63.2.53) in 144 ms

dropbox.com.        172800    IN    NS    ns-564.awsdns-06.net.
dropbox.com.        172800    IN    NS    ns-315.awsdns-39.com.
dropbox.com.        172800    IN    NS    ns-1162.awsdns-17.org.
dropbox.com.        172800    IN    NS    ns-1949.awsdns-51.co.uk.
;; Received 198 bytes from 192.52.178.30#53(192.52.178.30) in 167 ms

dropbox.com.        3600    IN    MX    1 aspmx.l.google.com.
dropbox.com.        3600    IN    MX    10 aspmx2.googlemail.com.
dropbox.com.        3600    IN    MX    10 aspmx3.googlemail.com.
dropbox.com.        3600    IN    MX    5 alt1.aspmx.l.google.com.
dropbox.com.        3600    IN    MX    5 alt2.aspmx.l.google.com.
dropbox.com.        172800    IN    NS    ns-1162.awsdns-17.org.
dropbox.com.        172800    IN    NS    ns-1949.awsdns-51.co.uk.
dropbox.com.        172800    IN    NS    ns-315.awsdns-39.com.
dropbox.com.        172800    IN    NS    ns-564.awsdns-06.net.
;; Received 296 bytes from 205.251.194.52#53(205.251.194.52) in 21 ms

image

Wednesday, December 31, 2014

Opencart security, a must-have checklist for webmasters

Just played with the opencart 1.5.6.4, which is a very popular e-commerce solution for SMBs . and If you are tech-savy webmaster, you may know that 1.5.6.4 is pretty safe in terms of code security. before this version, you may have all kinds of issues like XSS, SQL Injection. but 1.5.6.4 is pretty safe though. 

However, code safety doesn’t means operation safety. I will show you what does this mean in 4 examples, you may have those issues already which means your customer’s credit card or sensitive information is leaking now.

Turn off Debugging for both usps and USA epay from the admin console. this is very important. (this is rule number 1)

if you turn on the debugging for usa epay in the following screen, gosh, you need pay attention .

image

if you turn on debug logging, check the system/logs folder, a file called usaepay_server_debug.txt will have all the Live credit card information and customer information.

to be worst, the hacker might just access

http://www.yoursite.com/system/logs/usaepay_server_debug.txt to see all your raw credit card information.

usaepay_server_debug.txt

http://www.yoursite.com/system/logs/error.txt to see all debug information.

Here is one real example that one hacker is pulling this file

image 

risky? though I put a fake information there. if you are not lucky, your customers’s credit card is gone, cross fingers.

 

Rule number 2, put a .htaccess file to block /system/logs access.

this is very obvious, what every issue you have , you may put sensitive information into the logs folder, like stack trace? customer information, error to running a sql statement?

put a .htaccess under system/logs with content “Deny from all”, locked down the access from public access.

this is a easy fix, definitly you should do it.

Rule number 3, check your access logs for POST requests. since most user should be get Only, some hacker might found site voluability and inject some evile scripts like webadmin.php http://cker.name/webadmin/, get is limited by the url length, definitly the hacker will send a post request to inject the blackdoor.

you can write a cron job with python script to do a daily access, and email you daily to double check those special posts, if you see special urls with POST, pay attention.

Rule Number 4, suPHP, if you run suphp as the PHP handler. double check the execution logs

suphp is fast, but it runs with a high privileged user might shoot the gun to yourself. so check the suphp logs to see which php file get executed daily.

here is one pythong script to dump out the files list daily. typicall you should only see index.php and admin/index.php, no other evil php like webadmin.php? images/index.php

image

once you have those 4 rules ready, you should be feel much safer about your website operation security. any more questions, email me and I will get back to your for more details or even do a consultation for you .

 

Thursday, December 25, 2014

Iptables rules , Drop or Reject?

By Default, Pinging is fine to both yahoo.com and Google.com

image

If we turn on the firewall, to Drop icmp to google, and Reject UDP to yahoo.com

image

then ping google by ip which is rejected by firewall policy

image

What about TCP

image

SO, Drop means pretend the port is not open, which is like a implicit denial .

Reject means explicit denial.

 
Locations of visitors to this page