Sonar “Close Connection” warning workaround.

Tuesday 2009-10-06

When you use Spring together with Ibatis and SQLTemplates, you could have code in your project that looks somewhat like this:

Connection connection = DataSourceUtils.getConnection(getDataSource());
...<do connection stuff here>...
DataSourceUtils.releaseConnection(connection, getDataSource());

Sonar will report that you did not close the connection, while in fact Spring did that for you. You cannot just add a “connection.close()” to the code, because the whole point of calling “releaseConnection()” is to have Spring handle all the smart stuff: committing, closing, and returning the connection to the pool if needed.
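As an added example (not code from the post), here is the same pattern in a hypothetical DAO, with the release in a finally block so it runs even when the query throws; the AccountDao class, the accounts table and the query are assumptions:

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.sql.DataSource;
import org.springframework.jdbc.datasource.DataSourceUtils;

/** Hypothetical DAO showing the Spring-managed connection pattern from the post. */
public class AccountDao {
    private final DataSource dataSource;

    public AccountDao(DataSource dataSource) {
        this.dataSource = dataSource;
    }

    private DataSource getDataSource() {
        return dataSource;
    }

    /** Counts rows in an assumed "accounts" table; the query is only a placeholder. */
    public int countAccounts() throws SQLException {
        // Ask Spring for the connection so this call joins any transaction
        // already bound to the current thread instead of opening a second one.
        Connection connection = DataSourceUtils.getConnection(getDataSource());
        try (PreparedStatement ps = connection.prepareStatement("SELECT COUNT(*) FROM accounts");
             ResultSet rs = ps.executeQuery()) {
            // Statement and result set are ours to close: try-with-resources does it.
            return rs.next() ? rs.getInt(1) : 0;
        } finally {
            // The connection is Spring's: release it, do not close() it. Inside a
            // transaction Spring keeps it open until commit/rollback; outside one,
            // releaseConnection() closes it (returns it to the pool) for us.
            DataSourceUtils.releaseConnection(connection, getDataSource());
        }
    }
}
```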



Block Luntbuild 1.5.1 Anonymous Access

Tuesday 2007-11-13

If you are using Luntbuild for your continuous integration builds at work, you probably want to remove anonymous user access. Instead of adding that feature to the administrator “Properties” page where I’d expect it, you have to hack the Spring configuration in the webapps directory of Luntbuild. Sigh. Here we go:



Phrack still in ASCII

Saturday 2007-08-04

It has been a long time since I read this stuff, but I stumbled upon a paper discussing the non-executable stack on OSX (a trick to prevent buffer/stack overflow exploits). Ah, the good old days. And with all this markup, it’s good to see that Phrack magazine stuck to their format. It’s still the same as over 20 years ago… Well-written articles, focused on correctness and content, for the coders out there who are not afraid of experimenting with some assembly. The number of (nightly) hours that go into the research and proofs behind these articles is unbelievable, and it shows.


The Digital Revolution

Friday 2007-05-04

A nice example of the digital revolution and power to the people can be found at http://blog.outer-court.com/archive/2007-05-02-n67.html. Let’s hope manufacturers understand that people don’t want to pay for crippled content.

Digital copies with the copy protection stripped are actually better than their DRM-protected originals, which makes well-meaning people move to pirated content, as I stated earlier. The key sentence here is: “If I buy a DVD, I have to watch a few minutes of copyright notices and commercials, without being able to skip them. If I rip it, and re-write it, these notices are gone…”.

Viva la Revolution!


Lost Oracle SYS and SYSTEM password?

Tuesday 2007-01-16

If your administration is as good as anybody's, you are bound to lose the not-so-frequently-used passwords for the SYS and SYSTEM users of Oracle. Here are a few ways I found to reset those passwords:

Method 1: SQLPLUS (Tested on AIX Oracle 9.2.0.1.0)

Log into the database server as a user belonging to the ‘dba’ [Unix] or ‘ora_dba’ [Windows] group, typically ‘oracle’, or as an administrator on your Windows machine. That operating-system account lets you log into Oracle as the SYS user without a password, and change the SYSTEM password by doing the following:

$ sqlplus "/ as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on Mon Apr 5 15:32:09 2004

Copyright (c) 1982, 2002, Oracle Corporation.  All rights reserved.

Connected to:
Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production

SQL> show user

USER is "SYS"

SQL> passw system
Changing password for system
New password:
Retype new password:
Password changed
SQL> quit

Next, we need to change the password of SYS:

$ sqlplus "/ as system"
SQL*Plus: Release 9.2.0.1.0 - Production on Mon Apr 5 15:36:45 2004

Copyright (c) 1982, 2002, Oracle Corporation.  All rights reserved.

SP2-0306: Invalid option.
Usage: CONN[ECT] [logon] [AS {SYSDBA|SYSOPER}]
where <logon>  ::= <username>[/<password>][@<connect_string>] | /
Enter user-name: system
Enter password:

Connected to:
Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production

SQL> passw sys
Changing password for sys
New password:
Retype new password:
Password changed
SQL> quit

You should now be able to log on as the SYS and SYSTEM users with the passwords you just typed in.

Method 2: Creating a pwd file (Tested on Windows Oracle 8.1.7)

  1. Stop the Oracle service of the instance whose passwords you want to change.
  2. Find the PWD###.ora file for this instance; it is usually located at C:\oracle\ora81\database\, where ### is the SID of your database.
  3. Rename the PWD###.ora file to PWD###.ora.bak, for obvious safety reasons.
  4. Create a new pwd file by issuing the command:
     orapwd file=C:\oracle\ora81\database\PWD###.ora password=XXXXX
     where ### is the SID and XXXXX is the password you would like to use for the SYS and INTERNAL accounts.
  5. Start the Oracle service for the instance you just fixed. You should be able to get in with the SYS user and change other passwords from there.

Fun at “automatiseringsgids”

Thursday 2006-01-12

Even companies that pretend to know about ICT, and write about which companies are doing it right or wrong, get it (very) wrong sometimes. People who have an account at De Automatiseringsgids know the login screen. But have they also noticed that their username and password are sent to the server in plain text?

Another funny thing a colleague of mine discovered is the really weird way of displaying error messages. The server returns the error message as part of a redirect. Yes, you’ve read that correctly. No server-side things here guys, must keep memory usage down. No sessions here, move along… A really funny thing you can do is display your own error messages, like so: [link: De Automatiseringsgids with a weird error]

[screenshot: custom error message “Wie dit leest is gek” (Dutch for “Whoever reads this is crazy”)]

I think somebody will start playing with this, because you can do a lot more (very bad) things. Should they have fixed it already by the time you read this, I saved a screenshot for you. You would have got something along the lines of this:

After discussing this weird construction, we concluded that the programmers wanted to do a “post-by-redirect” construction, where the server returns a redirect to the browser just after a POST. This solves the “reload problem” where the browser asks whether it may re-post the data for you. Since the redirect target is fetched with a GET, the browser will just reload the page. Normally you solve this by storing things in the session on the server and sending a session reference to the browser. Combined with HTTPS, this would give you relatively strong, and still not too expensive, protection against scripting and spoofing attacks.
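The session-based approach described above, as an added example that is not part of the original post, written against the javax.servlet API; the LoginServlet class, the FLASH attribute name and the /login path are assumptions:

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Login handler: POST, then redirect to GET, with the error text kept in the session. */
public abstract class LoginServlet extends HttpServlet {
    private static final String FLASH = "loginError"; // session attribute name (assumed)
    /** The real credential check is out of scope here; a subclass supplies it. */
    protected abstract boolean authenticate(String username, String password);

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        if (!req.isSecure()) { // credentials must only travel over HTTPS
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        if (!authenticate(req.getParameter("username"), req.getParameter("password"))) {
            // Keep the message server-side. Carrying it in the redirect URL lets
            // anyone craft a link that makes the page display their own text.
            req.getSession(true).setAttribute(FLASH, "Invalid username or password.");
        }
        // The browser follows the redirect with a GET, so a reload never re-posts
        // the form, and the Location header contains nothing user-controlled.
        resp.sendRedirect(req.getContextPath() + "/login");
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String error = null;
        HttpSession session = req.getSession(false);
        if (session != null) {
            error = (String) session.getAttribute(FLASH);
            session.removeAttribute(FLASH); // show it once, then forget it
        }
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        if (error != null) { // escape even server-generated text before it goes into HTML
            out.println("<p class=\"error\">" + escapeHtml(error) + "</p>");
        }
        out.println("<form method=\"post\"><input name=\"username\">"
                + "<input name=\"password\" type=\"password\"><button>Log in</button></form>");
    }
    static String escapeHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }
}
```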

A fine example of what happens if you trust an external company to build your web application, but “forget” to check that they’ve delivered something that’s up to your standards (or at least the standards you paid for). Have fun playing around with this, and let me know what interesting things you found. (hint: iframes and JavaScript can do a lot on this page ;-)

