2009/09/05

iPhone Password Security Issue

While playing with my iPhone I uncovered a security hole that allows unmasking any password that is persisted and can still be edited.

This hack is verified to work on software versions 3.0 and 3.0.1. The example below shows how to unmask an email password one character at a time.

1. Navigate to the password field in the email settings.
2. Delete the last masked character.
3. Shake the phone to bring up the undo function and select Undo.
4. Write down the unmasked character the iPhone shows when the delete is undone.
5. Delete the character again (the password is now one character shorter than before).
6. Hit the home button.
7. Go to step 1 and repeat until all characters are unmasked.

After unmasking all of the password, place it back in so the owner is none the wiser.

Given the above, I would suggest always using the Passcode Lock feature to prevent a third party from unmasking your passwords. It would also be nice if Apple fixed this in the next software release. (Note: they did fix the issue!)

2009/06/19

Struts2 and Tomcat security on Ubuntu 9.04

Errors using Struts2 with the Tomcat security manager on Ubuntu 9.04.

Here is a sample error:
java.security.AccessControlException: access denied (java.io.FilePermission /var/lib/tomcat6/webapps/struts2-mailreader-2.1.6/WEB-INF/database.xml.new write)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)

Easy Answer:
Turn off Tomcat's security manager: change TOMCAT6_SECURITY=yes to TOMCAT6_SECURITY=no in /etc/init.d/tomcat6

Long Answer:
http://tomcat.apache.org/tomcat-6.0-doc/security-manager-howto.html
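Turning the security manager off removes the sandbox for every webapp on the server. The narrower fix is to keep TOMCAT6_SECURITY=yes and grant only the permission the AccessControlException names. The shell helper below is an added example, not part of the original post; it assumes Ubuntu's CATALINA_BASE of /var/lib/tomcat6 and that the tomcat6 init script assembles the effective catalina.policy from /etc/tomcat6/policy.d/*.policy.

```shell
#!/bin/sh
# Added example: keep TOMCAT6_SECURITY=yes and grant one webapp only the file
# permission the AccessControlException asked for, instead of disabling the sandbox.
#
# Assumptions (Ubuntu 9.04 tomcat6 package, not verified against the post):
#   CATALINA_BASE is /var/lib/tomcat6, and the init script builds the effective
#   catalina.policy by concatenating /etc/tomcat6/policy.d/*.policy.

# Print a Java policy grant scoped to the code base of a single webapp.
# The grant lets that webapp read, write and delete files under its own
# WEB-INF only (which covers the database.xml.new write from the error above).
webapp_policy() {
    app="$1"
    base="${2:-/var/lib/tomcat6}"
    cat <<EOF
// Least-privilege grant for the ${app} webapp (generated)
grant codeBase "file:${base}/webapps/${app}/-" {
    permission java.io.FilePermission "${base}/webapps/${app}/WEB-INF/-", "read,write,delete";
};
EOF
}

# Write the grant as its own policy.d fragment and print the path written.
# Restart tomcat6 afterwards so the new policy is picked up.
install_webapp_policy() {
    app="$1"
    policy_dir="${2:-/etc/tomcat6/policy.d}"
    base="${3:-/var/lib/tomcat6}"
    out="${policy_dir}/50-${app}.policy"
    webapp_policy "$app" "$base" > "$out"
    printf '%s\n' "$out"
}

# Example using the webapp from the post's error message (run as root on the box):
#   install_webapp_policy struts2-mailreader-2.1.6 && /etc/init.d/tomcat6 restart
```

If the webapp later needs another permission, the new AccessControlException names it and the grant is widened by one line rather than by switching the manager off.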

2009/05/12

Installing Apache2 and Tomcat6 on Ubuntu 9.04

I've had quite a few issues getting Apache and Tomcat to work together on Ubuntu. I've finally figured out the little differences you need to know when using the Ubuntu Apache and Tomcat packages.
1) sudo apt-get install apache2 tomcat6 libapache2-mod-jk
2) sudo vim /etc/apache2/workers.properties
and type/paste in:
# Define 1 real worker using ajp13
worker.list=worker1
# Set properties for worker1 (ajp13)
worker.worker1.type=ajp13
worker.worker1.host=localhost
worker.worker1.port=8009

3) sudo vim /etc/apache2/apache2.conf
and type/paste in:
# Load mod_jk module
# Update this path to match your modules location
LoadModule jk_module /usr/lib/apache2/modules/mod_jk.so
# Declare the module for <IfModule directive> (remove this line on Apache 2.x)
#AddModule mod_jk.c
# Where to find workers.properties
# Update this path to match your conf directory location (put workers.properties next to httpd.conf)
JkWorkersFile /etc/apache2/workers.properties
# Where to put jk shared memory
# Update this path to match your local state directory or logs directory
JkShmFile /var/log/apache2/mod_jk.shm
# Where to put jk logs
# Update this path to match your logs directory location (put mod_jk.log next to access_log)
JkLogFile /var/log/apache2/mod_jk.log
# Set the jk log level [debug/error/info]
JkLogLevel info
# Select the timestamp log format
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "

4) sudo vim /etc/apache2/sites-enabled/000-default
Delete "DocumentRoot /var/www"
And type in
JkMount / worker1
JkMount /* worker1

Note: you can use JkUnMount to define directories you want Apache to serve itself.

5) Enable port 8009 on Tomcat
sudo vim /etc/tomcat6/server.xml
Remove the "<!--" on the line above and the "-->" on the line below:
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

6) Restart Tomcat
sudo /etc/init.d/tomcat6 restart

7) Restart Apache
sudo /etc/init.d/apache2 restart

8) wget localhost
You should see the default Tomcat page.

back but mostly for me

So I'm going to start posting again, however most of it is likely to be computer stuff for work/fun. I just want to document issues/solutions I've had, so others can avoid spending too much time on them.