A small python program for performing the Jury stability test. It is analogous to the Routh-Hurwitz program presented here, but for discrete rather than continuous time systems. As for the Routh-Hurwitz program, this script can accept algebraic expressions for the coefficients of the characteristic polynomial.
https://dl.dropbox.com/u/1614464/routhHurwitz/jury.py
Wednesday, December 5, 2012
Tuesday, December 4, 2012
A server side RSS aggregator, forked from Stephen Minutillo's "Feed on Feeds"
I started this project because I was looking for a simple alternative to Google Reader that I could run on a cheap shared PHP host. Strangely enough, there wasn't a lot of choice; I initially considered TinyTinyRSS, but didn't really like it. I also came across Feed on Feeds (fof), by Stephen Minutillo, which seemed to be exactly what I wanted - a lightweight and simple PHP feed aggregator.
Unfortunately, development on fof appears to have stalled (there have only been 5 or so code commits since 2009). Since the code base for the project was so small, I decided to fork it and add a few features/bugfixes. However, once I started looking at the code, it soon became apparent that the security of the software was severely lacking.
There were all sorts of nasties lurking in this code, which I've now fixed, including:
- An arbitrary code execution vulnerability (user data passed directly to create_function)
- Numerous privilege checking problems (for example, any user could change another user's password, or uninstall the software)
- A vulnerability allowing an attacker to read and write arbitrary data to the database
- A poorly designed and insecure login system (used the hash of the user's password as a token)
- Password hashes were stored unsalted
- The logging system leaked data - logs were publicly viewable, and contained sensitive information (session IDs, etc.)
- No CSRF prevention
- Two open redirect vulnerabilities
- About 30 XSS vulnerabilities
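As an added illustration of the kind of fixes listed above (this is example code written for this page, not fof's own code, and every function name in it is hypothetical), the block below shows the hardened form of each pattern: a salted, slow password hash instead of an unsalted digest; a random login token instead of one derived from the password hash; a per-session CSRF secret compared in constant time; a redirect target check that only accepts same-site paths; escaping on output; an explicit whitelist in place of code built from user data; and an ownership-or-admin check before changing another account's password. It assumes PHP 7.0 or later and runs stand-alone from the command line.

```php
<?php
// Added example, not part of fof: hardened versions of the patterns listed above.
// Assumes PHP >= 7.0. All function names and the sample data are hypothetical.

// 1. Passwords: password_hash() chooses a random per-user salt and a slow algorithm,
//    and embeds both in the returned string, so nothing extra has to be stored.
function hash_user_password(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}

function check_user_password(string $password, string $stored_hash): bool {
    return password_verify($password, $stored_hash);
}

// 2. Login tokens: an unpredictable value from the OS CSPRNG, unrelated to the
//    password hash, so a leaked token reveals nothing about the password and can be revoked.
function new_login_token(): string {
    return bin2hex(random_bytes(32)); // 256 bits of randomness
}

// 3. CSRF: one secret per session, required on every state-changing request,
//    compared with hash_equals() to avoid timing side channels.
function csrf_token(array &$session): string {
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

function csrf_valid(array $session, $submitted): bool {
    return isset($session['csrf'])
        && is_string($submitted)
        && hash_equals($session['csrf'], $submitted);
}

// 4. Open redirect: accept only a relative path on this site. Anything with a scheme
//    or host (including protocol-relative "//host" forms) falls back to the default.
function safe_redirect_target($target, string $default = '/'): string {
    if (!is_string($target) || $target === '' || $target[0] !== '/') {
        return $default;
    }
    if (substr($target, 0, 2) === '//' || strpos($target, '\\') !== false) {
        return $default;
    }
    $parts = parse_url($target);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;
    }
    return $target;
}

// 5. XSS: escape untrusted data at the point it is written into HTML.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 6. Instead of building code from a user-supplied string, map the user's choice
//    onto a fixed set of permitted operations.
function sort_items(string $field, array $items): array {
    $allowed = ['title' => 'title', 'date' => 'published'];
    if (!isset($allowed[$field])) {
        throw new InvalidArgumentException('unknown sort field');
    }
    $key = $allowed[$field];
    usort($items, function ($a, $b) use ($key) { return $a[$key] <=> $b[$key]; });
    return $items;
}

// 7. Privilege check: only the account owner or an administrator may change a password.
function can_change_password(array $actor, int $target_user_id): bool {
    return $actor['id'] === $target_user_id || !empty($actor['is_admin']);
}

// Demonstration on constructed data.
$stored = hash_user_password('correct horse battery staple');
var_dump(check_user_password('correct horse battery staple', $stored));
var_dump(check_user_password('wrong password', $stored));

$session = [];
$token = csrf_token($session);
var_dump(csrf_valid($session, $token), csrf_valid($session, 'forged'));

var_dump(safe_redirect_target('/items?feed=3'));
var_dump(safe_redirect_target('//attacker.example/'));
var_dump(safe_redirect_target('http://attacker.example/'));

echo h('<script>alert(1)</script>'), "\n";

$items = [['title' => 'b', 'published' => 2], ['title' => 'a', 'published' => 1]];
var_dump(sort_items('title', $items)[0]['title']);

var_dump(can_change_password(['id' => 7, 'is_admin' => false], 8));
var_dump(can_change_password(['id' => 1, 'is_admin' => true], 8));
```

The redirect check deliberately rejects rather than tries to sanitise: a target that does not start with a single `/` and parse as a bare path is replaced with the default, which is simpler to reason about than rewriting attacker-controlled URLs. The same applies to the sort whitelist, which is the direct alternative to passing user data into `create_function`.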
This project was an excellent lesson in how difficult it can be to add security features to insecurely designed software. The only reason doing so was feasible in this case is that the code-base was so small! It was also a good excuse to learn about all sorts of different attacks and how to prevent them. Although it was pretty tedious hardening the code, it ended up being a pretty valuable experience.
For the future, I plan to add the following features:
- Rewrite the database layer to use PDO (and hence support databases other than MySQL), or else use some kind of ORM
- Allow new users to register accounts
- Add a RESTful API, and possibly also create a new user interface
- Perform a lot of code clean-up and refactoring, and optimise the JavaScript parts of the code
The forked code can be downloaded here:
https://dl.dropbox.com/u/1614464/fof/fof-1.0.1.tar.gz
In the absence of a proper change log, here's the subversion commit log (so you can see what has been changed):
https://dl.dropbox.com/u/1614464/fof/svn_log_1.0.1.txt
I really should move this project (as in the code hosting and bug tracking) onto some kind of hosted service (right now I'm doing all the bug-tracking etc on my local machine). Maybe I'll do that sometime in the future too.