Wednesday, December 31, 2014

OpenCart security, a must-have checklist for webmasters

I just played with OpenCart, which is a very popular e-commerce solution for SMBs. If you are a tech-savvy webmaster, you may know that it is pretty safe in terms of code security. Before this version you may have had all kinds of issues like XSS and SQL injection, but it is pretty safe now.

However, code safety doesn't mean operational safety. I will show you what this means in four examples; you may have these issues already, which means your customers' credit card or other sensitive information may be leaking right now.

Rule number 1: turn off debugging for both USPS and USA ePay from the admin console. This is very important.

If you turn on debugging for USA ePay on the following screen, you need to pay attention.


If you turn on debug logging, check the system/logs folder: a file called usaepay_server_debug.txt will contain all the live credit card information and customer information that went through the gateway.

Worse, an attacker can simply request that file over HTTP and read all your raw credit card information.

Requesting system/logs/usaepay_server_debug.txt directly shows all the debug information.

Here is one real example of an attacker pulling this file:


Risky? I put fake information there, though. If you are not lucky, your customers' credit cards are gone; cross your fingers.


Rule number 2: put a .htaccess file in place to block access to /system/logs.

This is very obvious: whatever issue you hit, sensitive information may end up in the logs folder, such as a stack trace, customer information, or the error from a failed SQL statement.

Put a .htaccess file under system/logs with the content "Deny from all" to lock it down from public access. On Apache 2.4 the equivalent directive is "Require all denied" (the old "Deny from all" only works there when mod_access_compat is loaded). Make sure AllowOverride is enabled for that directory, then verify by fetching the log URL in a browser: you should get a 403.

This is an easy fix; you should definitely do it.

Rule number 3: check your access logs for POST requests. Most visitors should be sending GET requests only. If an attacker finds a vulnerability in the site and injects a script such as webadmin.php, the backdoor will almost certainly arrive in a POST request, because GET is limited by the URL length.

You can write a cron job running a Python script that scans the access log daily and emails you the unusual POSTs to double-check. If you see POSTs to unexpected URLs, pay attention.

Rule number 4: if you run suPHP as the PHP handler, double-check its execution logs.

suPHP is fast, but it runs every script as the file's owner through a setuid root wrapper, so an injected script runs with the full privileges of your hosting account and can shoot you in the foot. Check the suPHP log to see which PHP files get executed each day.

Here is a Python script to dump the list of executed files daily. Typically you should only see index.php and admin/index.php, and no other suspicious PHP such as webadmin.php or images/index.php.

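As an added example (not the post's own script, whose screenshot is missing here), the following Python covers rule 3 and rule 4 together: it parses constructed Apache access-log and suPHP log lines, flags POSTs to anything other than OpenCart's two front controllers plus any direct hit on /system/, and lists every PHP file suPHP executed that is not index.php or admin/index.php. The docroot path, the sample addresses and the log lines are all made up for the demo; run it from cron and pipe daily_report() into mail.

```python
import re
from collections import Counter

# Constructed sample log lines for the demo (not from a real server).
# RFC 5737 test addresses; the paths mirror the examples in the post.
ACCESS_LOG = """\
203.0.113.5 - - [31/Dec/2014:10:01:12 +0000] "GET /index.php?route=product/product&product_id=42 HTTP/1.1" 200 5123
203.0.113.5 - - [31/Dec/2014:10:01:40 +0000] "POST /index.php?route=checkout/cart/add HTTP/1.1" 200 311
203.0.113.9 - - [31/Dec/2014:10:01:55 +0000] "POST /admin/index.php?route=common/login HTTP/1.1" 302 0
198.51.100.7 - - [31/Dec/2014:10:02:03 +0000] "GET /system/logs/usaepay_server_debug.txt HTTP/1.1" 200 88213
198.51.100.7 - - [31/Dec/2014:10:02:30 +0000] "POST /image/data/webadmin.php HTTP/1.1" 200 140
198.51.100.7 - - [31/Dec/2014:10:02:35 +0000] "POST /images/index.php?cmd=id HTTP/1.1" 200 140
"""

SUPHP_LOG = """\
[Wed Dec 31 10:01:12 2014] [info] Executing "/home/shop/public_html/index.php" as UID 1001, GID 1001
[Wed Dec 31 10:01:55 2014] [info] Executing "/home/shop/public_html/admin/index.php" as UID 1001, GID 1001
[Wed Dec 31 10:02:30 2014] [info] Executing "/home/shop/public_html/image/data/webadmin.php" as UID 1001, GID 1001
[Wed Dec 31 10:02:35 2014] [info] Executing "/home/shop/public_html/images/index.php" as UID 1001, GID 1001
"""

# Apache common log format: host ident user [time] "request" status size
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# suPHP writes one "Executing" line per script it runs
SUPHP_RE = re.compile(r'Executing "(?P<path>[^"]+)" as UID (?P<uid>\d+)')

DOCROOT = "/home/shop/public_html"          # assumed install location for the demo
# A stock OpenCart routes every request, GET or POST, through these two
# front controllers; any other PHP file executing is news.
EXPECTED_PHP = {"index.php", "admin/index.php"}
PRIVATE_PREFIXES = ("/system/",)            # must never be served to a browser


def suspicious_requests(log_text):
    """Rule 3: return (ip, method, path, reason) for requests worth a look."""
    findings = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue                          # skip malformed lines instead of killing the cron job
        path = m["target"].split("?", 1)[0]   # drop the query string
        if path.startswith(PRIVATE_PREFIXES):
            findings.append((m["ip"], m["method"], path, "direct access to a private directory"))
        elif m["method"] == "POST" and path.lstrip("/") not in EXPECTED_PHP:
            findings.append((m["ip"], m["method"], path, "POST to a non-OpenCart script"))
    return findings


def executed_php(log_text):
    """Rule 4: count which PHP files suPHP actually executed, relative to DOCROOT."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SUPHP_RE.search(line)
        if m:
            path = m["path"]
            rel = path[len(DOCROOT) + 1:] if path.startswith(DOCROOT + "/") else path
            counts[rel] += 1
    return counts


def unexpected_php(log_text):
    """Executed scripts that are not one of the two known front controllers."""
    return {p: n for p, n in executed_php(log_text).items() if p not in EXPECTED_PHP}


def daily_report(access_text, suphp_text):
    """Text for the daily email; an empty string means there is nothing to review."""
    lines = []
    for ip, method, path, reason in suspicious_requests(access_text):
        lines.append(f"{method:<5} {path} from {ip}: {reason}")
    for path, n in sorted(unexpected_php(suphp_text).items()):
        lines.append(f"suPHP executed unexpected script {path} ({n}x)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(daily_report(ACCESS_LOG, SUPHP_LOG) or "nothing suspicious")
```

Replace the two constants with the real log files and the real docroot; the access log check also catches the rule 1/rule 2 failure above, because a successful GET of anything under /system/ means the .htaccess is missing.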

Once you have these four rules in place, you should feel much safer about your website's operational security. Any more questions, email me and I will get back to you with more details, or even do a consultation for you.


Thursday, December 25, 2014

iptables rules: DROP or REJECT?

By default, pinging works for both and


If we turn on the firewall to DROP ICMP to Google and REJECT UDP to


Then ping Google by IP; the packets are dropped by the firewall policy:


What about TCP?


So DROP silently discards the packet: the client gets no answer and eventually times out, as if the host were unreachable. That is an implicit denial.

REJECT is an explicit denial: the firewall sends back an ICMP error (port unreachable by default, or a TCP RST if you use --reject-with tcp-reset), so the client fails immediately and learns that something is filtering it. DROP costs an attacker a timeout per probe and reveals nothing; REJECT is kinder to your own clients, which fail fast instead of hanging.

Friday, December 19, 2014

log4net legacy configuration

I just got a legacy app with an early version of log4net bundled; something was wrong and there was no way to see the log. Here is the trick.

If you open the assembly in Reflector, you can see the assembly attribute: [assembly: DOMConfigurator(ConfigFileExtension="log4net", Watch=true)]


For the config file, that means it must be named yourexe.exe.log4net: log4net takes the assembly's file name and appends the configured extension, as you can tell from the decompiled logic. Watch=true means log4net re-reads the file whenever it changes, so no restart is needed.


One sample config:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <configSections>
    <section name="log4net" type="log4net.Config.Log4NetConfigurationSectionHandler, log4net" />
  </configSections>
  <log4net>
    <appender name="FileAppender" type="log4net.Appender.FileAppender">
      <file value="logfile.txt" />
      <appendToFile value="true" />
      <layout type="log4net.Layout.PatternLayout">
        <conversionPattern value="%date: %-5level - %message%newline" />
      </layout>
    </appender>
    <root>
      <level value="INFO" />
      <appender-ref ref="FileAppender" />
    </root>
  </log4net>
</configuration>


Tuesday, December 16, 2014

Windows Azure Mobile Services: delete expired data automatically

It turns out Azure Mobile Services is way more powerful than you might think. I set up a simple Mobile Services table to hold some incoming logs.

On the table itself, I created a Node.js insert script that basically adds a timestamp, stored as a long in a column named dt. (I found this very useful for deleting old data, such as logs from a week ago.)


Then every incoming log gets the timestamp. Now create a scheduler job that runs daily and deletes the old logs:


and configure it to run daily:


Then in the log you will see the daily run:


Tuesday, November 4, 2014

WordPress 4.0 on IIS 7.x, permalinks dead loop for hybrid Unicode URLs

I just helped a friend migrate from LAMP to IIS 7 with the FastCGI module. All went smoothly following the tutorial. On IIS you don't have .htaccess rules, so install the URL Rewrite 2 module instead.

In the root of the web app, put the rewrite rules, which intercept every permalink (a friendly URL that is neither a folder nor a file) and hand it to index.php. The code looks like this:


After this, on the WP settings page, you can turn on friendly URLs.

Now, when you go to a page with a URL like page-你好 or post-ヤフオク, i.e. English and Unicode combined in the URL, you get a server-not-responding issue.


And when you put a static page like hello-你好.html in the IIS folder, it works. So IIS is fine; something is wrong with how the Unicode URL reaches PHP.

The fix is to have the URL Rewrite module send the correct Unicode URL to PHP: replace REQUEST_URI with the Unicode URL.

Here is the updated web.config with the rules:

After the change, all is back to normal.

Thursday, October 16, 2014

Keyboard / trackpad non-functional after Winclone restore on a mid-2014 MacBook Pro Retina

Problem first: I restored a Windows 7 partition using Winclone, and when I booted into the newly restored Windows 7 partition, neither the keyboard nor the trackpad worked. I tried several external USB keyboards and mice; no luck at all.

Then I Googled and found the official FAQ from Winclone, and tried the bless tips. No luck. After two hours of struggling, here are the steps that made it work.

Boot into Mac OS and remove the Windows partition through Disk Utility. Don't create a new Windows partition using Disk Utility.

Open the Boot Camp Assistant utility, check all the options and continue. It will load the ISO and download the drivers; after that, you get a chance to resize the Boot Camp partition. Now is the time to create the Boot Camp partition.

Once done, it will reboot and enter the Windows setup process. Stop here: reboot, hold Option and select the Mac partition.

Now it's safe to restore the Boot Camp partition using Winclone. After that, here is what I did. I'm not sure which step is the important one, but this works.

  • Go to Utilities, Terminal:
    • sudo /usr/sbin/bless --mount /Volumes/BOOTCAMP --nextonly --legacy --legacydrivehint /dev/disk0
  • At Windows boot time, press any key to cancel the disk check.
  • That's it, it works now, both keyboard and touchpad. Download and install the new Boot Camp drivers for Windows now.
    • Check this table and select the right one. Good luck.

Tuesday, October 14, 2014

Git tips: how to generate a patch and apply it

For the demo we have one file called file.txt with version1 as its content.


After we change it to version2, we can run git diff and redirect the output to a patch file.

By default, diff puts a/ and b/ as prefixes on the file names.


Then we reset the workspace and try to apply the patch:


If you apply it with the patch utility, pass -p1 so it strips the a/ and b/ prefixes; git apply strips one path component by default, so it needs no option.

When generating, we can pass --no-prefix to remove the prefix (a patch made that way then needs -p0 when applied).



For binary files, pass the --binary option when generating the patch,

and use git apply --binary to apply the patch.

To get a summary of the differences, use the --stat option.

There might be several commits since the last update; you can use git format-patch to generate one patch per commit if you like:



To apply the resulting stack of patches, use git am:

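To make the steps above reproducible, here is an added Python script (not from the original post) that drives git through the whole sequence in a throw-away repository: diff with and without the a/ b/ prefix, applying each with the matching -p level, the --stat summary, and format-patch followed by git am. It assumes git is on PATH; the committer identity is passed with -c so it also runs on a machine with no git config at all.

```python
import pathlib
import subprocess
import tempfile


def git(args, cwd):
    """Run git in `cwd` and return stdout; identity is passed with -c so a clean machine works."""
    cmd = ["git", "-c", "user.name=demo", "-c", "user.email=demo@example.invalid", *args]
    return subprocess.run(cmd, cwd=cwd, check=True, capture_output=True, text=True).stdout


def patch_round_trip():
    """Create a throw-away repo, generate patches three ways, and apply each one."""
    with tempfile.TemporaryDirectory() as repo:
        target = pathlib.Path(repo, "file.txt")
        git(["init", "-q"], repo)
        target.write_text("version1\n")
        git(["add", "file.txt"], repo)
        git(["commit", "-q", "-m", "version1"], repo)

        target.write_text("version2\n")
        prefixed = git(["diff"], repo)               # headers read "--- a/file.txt" / "+++ b/file.txt"
        bare = git(["diff", "--no-prefix"], repo)    # headers read "--- file.txt" / "+++ file.txt"
        stat = git(["diff", "--stat"], repo)         # one summary line per file plus totals

        # Throw the edit away and re-create it from the prefixed patch (default -p1).
        git(["checkout", "--", "file.txt"], repo)
        pathlib.Path(repo, "prefixed.patch").write_text(prefixed)
        git(["apply", "prefixed.patch"], repo)
        from_prefixed = target.read_text()

        # Same again from the --no-prefix patch, which has nothing to strip: -p0.
        git(["checkout", "--", "file.txt"], repo)
        pathlib.Path(repo, "bare.patch").write_text(bare)
        git(["apply", "-p0", "bare.patch"], repo)
        from_bare = target.read_text()

        # Commit by commit: format-patch keeps the message, git am replays it as a commit.
        git(["commit", "-q", "-am", "version2"], repo)
        mbox = git(["format-patch", "-1", "--stdout"], repo)
        git(["reset", "-q", "--hard", "HEAD~1"], repo)   # back to version1
        pathlib.Path(repo, "0001.patch").write_text(mbox)
        git(["am", "-q", "0001.patch"], repo)
        replayed_subject = git(["log", "-1", "--format=%s"], repo).strip()

        return {
            "prefixed_header": "--- a/file.txt" in prefixed,
            "bare_header": "--- file.txt" in bare,
            "stat": stat.strip(),
            "from_prefixed": from_prefixed,
            "from_bare": from_bare,
            "replayed_subject": replayed_subject,
            "final": target.read_text(),
        }


if __name__ == "__main__":
    for key, value in patch_round_trip().items():
        print(f"{key}: {value!r}")
```

The two checkout calls restore file.txt from the index, which is why the working tree is clean before each apply; git am would refuse to run on a dirty index.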

Regular expression tips, matching repeated characters

Regular expressions have powerful support for submatches (subexpressions). Here are some powerful matches.

If your user has a sticky keyboard, they may enter something like 'gooooooooooooooooooooooooooooood' or 'happppppppppppy'. How do you remove the duplicate o or p?

You can use (.)\1{1,} to match. The first group (.) matches any single character; \1 is a backreference, i.e. it must match whatever the group captured; {1,} means the backreference must repeat one or more times. So the pattern matches a run of two or more identical characters.


But if your user has a sticky paste key, it may show a lot of repeated words, like the good example.

We can use (.+)\1{1,}; you can tell it only matches four goods, not five. Why?


Because the greedy (.+) tries the longest capture first, so the first repeatable unit the engine finds is two goods, which then occur twice: four goods are matched and the fifth is left over. If we have an even number of goods, it matches them all.


What if we want to match them all, i.e. a certain word repeated one or more times? Put a ? in the subexpression, (.+?)\1{1,}, which means a non-greedy match: the group captures just one word, the smallest unit that repeats, and the backreference then repeats it greedily as many times as it occurs.

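As an added example, not from the original post, here are the three patterns above run through Python's re module, plus a safer variant for the sticky-keyboard case: collapsing every run to a single character would turn 'good' into 'god', so collapse_runs keeps doubles by default and only shortens runs of three or more. The word-level helper dedupe_words is my addition for the sticky-paste case; it anchors on word boundaries so that 'good goods' is left alone.

```python
import re

# The post's patterns: greedy and non-greedy versions of "something, then itself again".
GREEDY = re.compile(r"(.+)\1{1,}")
LAZY = re.compile(r"(.+?)\1{1,}")
# Word-level variant for the sticky-paste case (my addition): a whole word,
# then the same word again one or more times, separated by whitespace.
REPEATED_WORD = re.compile(r"\b(\w+)(?:\s+\1\b)+")


def collapse_runs(text, keep=2):
    """Shorten any run of one character longer than `keep` down to `keep` copies.

    keep=1 is the post's (.)\\1{1,}, which also turns "good" into "god";
    the default keep=2 leaves doubles intact and only attacks runs of 3+.
    """
    pattern = re.compile(r"(.)\1{%d,}" % keep)
    return pattern.sub(lambda m: m.group(1) * keep, text)


def repeated_block(text, lazy=False):
    """Return what (.+)\\1{1,} (or the lazy form) matches in `text`, or None."""
    m = (LAZY if lazy else GREEDY).search(text)
    return m.group(0) if m else None


def dedupe_words(text):
    """'good good good' -> 'good'; 'good goods' is untouched because of the \\b."""
    return REPEATED_WORD.sub(r"\1", text)


if __name__ == "__main__":
    five = "goodgoodgoodgoodgood"
    print(collapse_runs("happppppppppppy"))      # happy
    print(repeated_block(five))                  # goodgoodgoodgood (four of five)
    print(repeated_block(five, lazy=True))       # goodgoodgoodgoodgood (all five)
    print(dedupe_words("this is good good good good good stuff"))
```

Note that (.) does not cross newlines unless you pass re.DOTALL, and that the greedy form's behaviour depends on the engine trying longer captures first; both are true of Python, Perl and JavaScript, so the four-of-five result is portable.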

Wednesday, October 8, 2014

Node.js tips 1: put your configuration in a separate .json module (selenium-webdriver)

If you use node selenium-webdriver to do a basic UI test, here is a quick sample that opens Google, enters a keyword, performs the search, and then validates the title.


If you check the code, there is a lot of hard-coding: both the URL and the title are hard-coded. To avoid this, we can create a JSON file, put the configuration there, and save it with the .json extension.

Then in test.js, require that JSON module and use it directly; no parsing is needed, because require() parses .json files itself.

After this, run it again to make sure we haven't broken any logic. Can we still improve it?


We still have to key in the whole helper method each time; let's improve it. Create another module called makenameselector.js:


Now in test.js we can promote the selector strings to name selectors:


Then there is no more hard-coding and no more duplication.

Wednesday, September 24, 2014

Node.js tips and modules

Several useful modules and tips for Node.js beginners.

  • nodemon monitors the source files for changes and reloads the app for you automatically.

Typically we have to stop the node process and restart it whenever we change the code, which happens a lot during development. nodemon solves this pain. Remember to install it as a global module (try upgrading Node to the latest version if the installation fails).


  • sleep module. Sometimes you want to simulate a CPU-intensive operation, or to drain the V8 thread pool; you can try this module.

Without sleep, this simple code can serve at least 100 req/s, since there is no pressure on the event loop or the thread pool.


Tested with ab using 1000 requests and 1000 concurrent connections; Node.js uses little CPU.


If we sleep in each response, it becomes super slow, maybe one request every 2 seconds: the sleep call blocks the single event-loop thread, so every other request waits behind it.


  • express-generator: once you install this global module, you can call the express utility to generate the project layout, including the Jade views, styles, and even Stylus support.


  • jshint, the code quality check tool.


Sunday, September 21, 2014

Chrome Developer Tools Tips - 2

  • Use monitorEvents, like Spy++ in the old days, to monitor the events triggered on an element.


  • By pressing Ctrl+F in the Elements panel, you can search by element, CSS or XPath selector to select the right element.



  • In the timeline of the Network tab, you can sort by latency to find which site's DNS is slow.



  • Besides JavaScript breakpoints, you can set up DOM breakpoints.


Whenever there is a change, it will break and stop.


Chrome Developer Tools Tips - 1

I've been using the Chrome developer tools for a long time and just realized a few tips.

  • console.dir will list all the attributes and methods of an object.


  • we can use to group logs.


  • The $, $$ and $x selectors ($ returns the first matching element, $$ a collection, and $x selects by XPath); an example run on the homepage.


  • Use the inspect method to highlight the selected DOM element.

