Sunday, October 6, 2013

Magento Mcrypt Extension Issue

Last week, when I was making one of my Magento projects live, I had to shift the entire code to the production server. The code was running fine except for a small issue.
When I log in on the checkout page, after adding items to my cart, it sends me back to the cart URL with a blank page. Looking at the Apache logs revealed -
 Call to undefined function mcrypt_module_open() in /var/www/html/domain.com/lib/Varien/Crypt/Mcrypt.php on line 63, referer: http://domain.com/checkout/onepage/index/

Solution -
How to install the PHP mcrypt extension.
Couldn't find any pre-built packages.

1. Download the following RPM packages -
# wget http://dl.fedoraproject.org/pub/epel/6/x86_64/php-mcrypt-5.3.3-1.el6.x86_64.rpm
# wget http://dl.fedoraproject.org/pub/epel/6/x86_64/libmcrypt-2.5.8-9.el6.x86_64.rpm
 
2. Install - 
yum localinstall php-mcrypt-5.3.3-1.el6.x86_64.rpm libmcrypt-2.5.8-9.el6.x86_64.rpm 

Ref -
http://injustfiveminutes.wordpress.com/2012/11/23/install-php-mcrypt-extension-on-rhel-6/


Friday, October 4, 2013

Magento Reset Admin Panel Password

Whenever I try to set up any third-party Magento code base I keep coming across this issue. Why not reset the password instead of calling the client/vendor to ask for the admin credentials?
We just need to know how Magento hashes the password and stores it in the DB.



Note that this is resetting the password, not hacking the password :)
Steps -
1. Choose any two characters, e.g. XY.
2. Generate the MD5 of the two characters followed by your password, e.g. MD5('XYmypaswd'). You can generate the MD5 using the query SELECT MD5('XYmypaswd');
3. Copy this MD5 and append ":" followed by your two characters to the end of it, so your string would be MD5 string:XY.
4. Update the admin user's row in the database with this string.

Happy Coding :)

Magento page.xml changes not getting reflected

Recently I was trying to include a small JS snippet in footer. I created another block for this and tried to put in page.xml.



Inside the footer block I added my custom intercom block -
<block type="page/html_footer" name="footer" as="footer" template="page/html/footer.phtml">
    <block type="page/html_intercom" name="intercom" as="intercom" template="page/html/intercom.phtml" />
    ....
    ...
</block>

But the changes didn't reflect on the frontend. Ohhh, did I clean the cache? Yes I did, twice, thrice, still no changes on the frontend. After struggling for a couple of hours I came to know that the page.xml file was not even getting used. The Magento theme (dresscode theme) had created another file, local.xml, adjacent to page.xml.
I had to make my changes in the local.xml file.

<layout>
  <default>
....
...

     <reference name="footer">
            <block type="core/template" name="intercom" as="intercom" template="page/html/intercom.phtml"/>
     </reference>

...
....
  </default>
</layout>

Sometimes Magento themes create local.xml in app\design\frontend\default\theme-name\layout\
and use it in place of page.xml.
Beware of this :)

Mysql Physical Backup

Ever looked in the MySQL installation directory? I recently did (E:\wamp\bin\mysql\mysql5.5.24\)
and found various strange files which can be used as a physical backup of the MySQL DB if you don't have time to run the MySQL server and then run mysqldump for all databases.



So what files are of our interest ?
Base folder -> E:\wamp\bin\mysql\mysql5.5.24\
1. Let's say you have a database named test. You can find a directory named test under the data folder. In test you can find .FRM, .MYD, .MYI, .TRG and .TRN files for most of the tables. Take a backup of all of these files.
2. You will also find ib_logfile0, ib_logfile1 and ibdata1 in the base folder. For a few tables, data is stored in these files as well.

Take a backup of the files mentioned above, put it in the new MySQL installation directory and you are good to go.
As written here -
http://kedar.nitty-witty.com/blog/mysql-related-file-types-and-basic-information

.frm is for table definition
.myd is for table data
.myi is for table indices
.trg, .trn for trigger definitions

Happy backing up :)

Thursday, January 26, 2012

Fashion Photographer




Every time I watch Pravin Talan shoots, I want to be a fashion photographer :)

PHP Apache configurations

Server Request Response Flow- 
Apache is a web server; its job is to receive the request and send the response. So if I open a web page mydomain.com/test.html, the request goes to the server, the server checks the MIME type (.html in this case), executes the corresponding file and sends the response.
If I open a web page mydomain.com/test.php then the same flow happens. The request goes to the server, the server checks the MIME type (.php), executes test.php and sends the response. But wait a sec, my server doesn't know how to execute this .php file? Here comes mod_php or FastCGI. You might have heard about both of them.

mod_php - PHP sits inside the web server and gets loaded just like other Apache modules.
FastCGI - It is not part of the web server. It is like a separate application which gets invoked by the web server when it receives requests with the PHP MIME type. Instead of creating a new process for each request, FastCGI uses persistent processes to handle a series of requests. These processes are owned by the FastCGI server, not the web server. FastCGI is a faster version of CGI. It is implemented by mod_fcgid and mod_fastcgi.
The setup would be -
Apache MPM + mod_fcgid
Apache MPM + mod_fastcgi

How to set up fastcgi on apache -
https://wiki.archlinux.org/index.php/Apache_and_FastCGI

mod_fastcgi manages processes (not web server processes) through the FastCGI Process Manager, fcgi-pm. This process manager is spawned by Apache at server initialization.


CGI Application Flow - CGI is a gateway to handle executable files (known as CGI scripts)
1. Apache got request GET /your_script
2. Your CGI app is loaded, in case of say Perl it's compiled first then  loaded. To compile/translate it, the perl would have to be started. When it starts it loads dynamic libraries, which when loaded are pulling  other dynamic libraries (in most cases).
3. When all is settled with Perl, your script is translated.
4. Now we're ready to execute our script.
5. Your script pulls the data out of the environment, does its job and calls exit.
6. The memory used by perl is freed, your compiled code is wasted, the libraries are unloaded and now we're waiting for step 1, just to do another similar job.

It is quite clear that every time a CGI app is loaded, a lot of dependent libraries are loaded to serve one request, and on completion of the request the CGI app is unloaded. The process repeats for every next request. Repeated loading and unloading is time consuming.

FAST CGI Flow - 
1. Apache got request GET /your_script
2. Your CGI app is loaded, in case of say Perl it's compiled first then  loaded. To compile/translate it, the perl would have to be started.  When it starts it loads dynamic libraries, which when loaded, are pulling  other dynamic libraries (in most cases).
3. When all is settled with Perl, your script is translated.
4. Now we're ready to execute our script.
5. Your script pulls the data out of the environment, does its job and goes back to step 4.


Difference between mod_php and FastCGI -
Conceptually it is quite clear that mod_php is faster, as it is bundled with Apache and preloaded, so the web server is able to serve the request in less time. But this comes with high memory usage, as these libraries are always preloaded even when Apache is serving static HTML files. If you don't have a memory problem (you do have it on a shared server) then mod_php is good to go. But as mod_php is part of Apache, changes to PHP config settings won't be reflected without restarting Apache (unless you do a dynamic mod_php installation).

PHP-FPM (FastCGI Process Manager) - is an alternative PHP FastCGI implementation with some additional features useful for sites of any size, especially busier sites.
Apache worker + mod_fastcgi + php-fpm
When we use mod_fcgid or mod_fastcgi each process has its own opcode cache, but in PHP-FPM that opcode cache is shared across processes. PHP-FPM supports socket connections (for a local server, when the web server and CGI server are on the same machine) as well as TCP/IP connections (for remote servers). A socket connection is definitely faster.
Know more at http://php-fpm.org/about/


APACHE MPM Worker and APACHE MPM PREFORK-
Ever wonder how Apache handles requests? It has to start a process to serve a request. To manage simultaneous requests it keeps a pool of processes running and keeps forking/killing them to stay within the maximum process limit. Let's understand this in detail -

APACHE MPM Worker - It implements a hybrid multi-process, multi-threaded server. It uses threads to serve requests and is able to serve more requests with fewer resources compared to a process-based server (Prefork).
 - based on apache 2.0
 - lower memory consumption and higher performance

How Worker MPM works-
A single control process (the parent) is responsible for launching child processes. Each child process creates a fixed number of server threads as specified in the ThreadsPerChild directive, as well as a listener thread which listens for connections and passes them to a server thread for processing when they arrive.

Apache always tries to maintain a pool of spare or idle server threads, which stand ready to serve incoming requests. In this way, clients do not need to wait for new threads or processes to be created before their requests can be served. The number of processes that will initially be launched is set by the StartServers directive. Then during operation, Apache assesses the total number of idle threads in all processes, and forks or kills processes to keep this number within the boundaries specified by MinSpareThreads and MaxSpareThreads. Since this process is very self-regulating, it is rarely necessary to modify these directives from their default values. The maximum number of clients that may be served simultaneously (i.e., the maximum total number of threads in all processes) is determined by the MaxClients directive. The maximum number of active child processes is determined by the MaxClients directive divided by the ThreadsPerChild directive.

MPM Prefork - It is a non-threaded server and appropriate for sites that need to avoid threading for compatibility with non-thread-safe libraries. (You might have come across options to download thread-safe/non-thread-safe versions of libraries several times.) It isolates each request and handles it in a separate process so that a problem with a single request will not affect any other.
 - based on apache 1.3
 - stable and secure
 - high memory consumption and low performance

How Prefork works
A single control process is responsible for launching child processes which listen for connections and serve them when they arrive. Apache always tries to maintain several spare or idle server processes, which stand ready to serve incoming requests. In this way, clients do not need to wait for new child processes to be forked before their requests can be served.

The StartServers, MinSpareServers, MaxSpareServers, and MaxClients regulate how the parent process creates children to serve requests. In general, Apache is very self-regulating, so most sites do not need to adjust these directives from their default values. Sites which need to serve more than 256 simultaneous requests may need to increase MaxClients, while sites with limited memory may need to decrease MaxClients to keep the server from thrashing.


Magento Performance Tuning -

Magento is highly resource intensive. The web server settings play a big role in fine tuning, reducing the load time of the website and increasing the number of requests handled.
mod_php or FastCGI - Well, the simple answer: if you don't have memory and resource problems then go for mod_php; it is no doubt faster but eats up a lot of resources.
Worker or Prefork - We are using PHP, so we might have to deal with non-thread-safe third-party libraries. PHP5 is thread-safe, but PHP extensions aren't all thread-safe. And Magento is a PHP application like any other; chances are that you are using some PHP extensions somewhere. So it's considered harmful to run a PHP application on the worker MPM, and using Prefork is the better option.



+ Nishant

Wednesday, January 25, 2012

Password hashing And encryption

I happened to write this while I was digging into how Magento stores passwords.
Well, Magento stores the hashed password and a two-character salt, separated by ":", in the DB. A sample looks like -

353dc2ba6108461cf3468184bdd0e174:QP

$split = explode(':', '353dc2ba6108461cf3468184bdd0e174:QP');
$magentoPass = $split[0];
$salt = $split[1];

## Authenticate the password entered by the user ($userEnteredPasswd).
# "." is used for concatenation
if (md5($salt . $userEnteredPasswd) === $magentoPass)
{
    # User authenticated
}


Now let's understand some cryptography: hashing and encryption.

Password hashing and encryption are two different things. Hashing is a one-way function while encryption is two-way. Reversing encryption (called decryption) is possible, but you cannot reverse a hash and generate your original string back. You can find another string which has the same hash value by brute-force methods.

Collision - Hashing generates a fixed-length output (called a message digest or checksum) for all input values, which makes it possible to have two different strings (S1 ≠ S2) with H(S1) = H(S2). That is called a collision. The probability of a collision depends upon the algorithm and the length of the hashed output.




To secure passwords, cryptographic hash algorithms are used (MD5, SHA-1, SHA-2).
But plain hashing is easily defeated using a dictionary attack, where an attacker just pre-hashes every word in a dictionary (or every combination of characters up to a certain length), then uses this new dictionary to look up hashed passwords. Salting, key stretching and HMAC can be used to strengthen your hashing; we will discuss those later.

How hash algorithms work - Most algorithms (MD5, SHA-1, SHA-2, SHA-3) are based on block ciphers. The input string is divided into fixed-length blocks and then padded, encrypted with keys and processed with complex operations (ADD/AND/XOR/ROTATE) sequentially to generate the final output. For example, computing 40*11 is easy, but factorizing 440 to get back 40 and 11 is a bit hard because of the multiple possibilities. That is what makes it hard to break.

Salting -  

$hash = md5($password . $salt);
Instead of directly hashing the input you can add a pinch of salt to make it spicy :)
The salt can be a random string of any length, which you store along with the hashed value. You can store your passwords in the DB as hash:salt. For authentication, when the user enters a password, its hash is calculated using the entered password and the salt (from the DB) and validated against the hash (from the DB).

Key Stretching - You add the salt and hash it for n times. You have to store that count(n) as well, along with salt.

$hash = md5($password . $salt);
for ($i = 0; $i < 1000; $i++) {
    $hash = md5($hash . $password . $salt);
}


Don't use

$hash = md5($hash);

in the loop, it will only increase the collision probability.
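An added example (in Python, not Magento's own code): it builds and checks the hash:salt record from the sample above and from the password-reset steps, then the stretched variant with the count stored alongside the salt. The function names, the hash:salt:n layout and the sample password are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_letters + string.digits


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def new_salt(length: int = 2) -> str:
    """Random salt; length 2 matches the sample record on this page."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def same(a: str, b: str) -> bool:
    """Constant-time comparison of two hex digests."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def magento_record(password: str, salt: str) -> str:
    """hash:salt, where hash is the MD5 of the salt followed by the password."""
    return f"{md5_hex(salt + password)}:{salt}"


def magento_verify(stored: str, candidate: str) -> bool:
    digest, sep, salt = stored.partition(":")
    if not sep or len(digest) != 32:
        return False  # malformed or unsalted record: reject
    return same(md5_hex(salt + candidate), digest)


def stretch(password: str, salt: str, rounds: int) -> str:
    """The key-stretching loop shown above, run `rounds` times."""
    digest = md5_hex(password + salt)
    for _ in range(rounds):
        digest = md5_hex(digest + password + salt)
    return digest


def stretched_record(password: str, salt: str, rounds: int) -> str:
    """hash:salt:n (assumed layout), so the count n is stored with the salt."""
    return f"{stretch(password, salt, rounds)}:{salt}:{rounds}"


def stretched_verify(stored: str, candidate: str) -> bool:
    parts = stored.split(":")
    if len(parts) != 3 or not parts[2].isdecimal():
        return False
    digest, salt, rounds = parts[0], parts[1], int(parts[2])
    return same(stretch(candidate, salt, rounds), digest)


if __name__ == "__main__":
    record = magento_record("mypaswd", "XY")  # constructed sample password
    print(record, magento_verify(record, "mypaswd"))
    slow = stretched_record("mypaswd", new_salt(8), 1000)
    print(slow, stretched_verify(slow, "mypaswd"))
```

For new systems, Python's standard hashlib.pbkdf2_hmac implements the same salt-plus-iteration idea in a vetted construction.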

Common Hashing Algorithms-

CRC32 (Cyclic redundancy check) - Very simple hash function. Produces a 32-bit hash value, typically expressed as an 8-digit hexadecimal string.

MD-5 - MD5 produces a 128-bit (16-byte) hash value. It is typically expressed as a 32-digit hexadecimal string (each hexadecimal digit takes 4 bits). This algorithm has been broken and found vulnerable.

SHA-1 - SHA-1 produces a 160-bit hash value. It is typically expressed as a 40-digit hexadecimal string. It's approximately two to three times slower than the MD5 algorithm. This algorithm is also broken and found vulnerable.

SHA-2 (SHA-512) - SHA-2 produces a 512-bit hash value, typically expressed as a 128-digit hexadecimal string. This is not yet broken.

HMAC - Unlike the other hashes mentioned above, HMAC (Hashed Message Authentication Code) is a key-dependent hash. HMACs are useful when authentication but not secrecy of a message is required. The current HMAC specification is defined as

(∥ is used for concatenation)

H(key1 ∥ H(key2 ∥ message)).


The cryptographic strength of the HMAC depends upon the size of the secret key that is used. The most common attack against HMACs is brute force to uncover the secret key. HMACs are substantially less affected by collisions than their underlying hashing algorithms alone. Therefore, HMAC-MD5 does not suffer from the same weaknesses that have been found in MD5.

How does  HMAC work?


Let's define -
ipad = inner padding: the byte 0x36 repeated the same number of times as the block size
opad = outer padding: the byte 0x5c repeated the same number of times as the block size
text = the message we wish to compute the HMAC over.

The length of the key should be less than or equal to the block size (64 bytes for MD5 and SHA-1), though greater than the size of the message digest (16 bytes for MD5, 20 bytes for SHA-1). If the key length is greater than the block size, a (fixed length) hash of the key should be used.

To compute HMAC over the data 'text' the following steps are performed:

1. the key is appended with zero bytes until it equals the block size in length.
2. the key is XORed with ipad
3. text is appended to the result of 2
4. the hash algorithm is applied to the result of 3
5. the key is XORed with opad
6. the result of 4 is appended to the result of 5
7. the hash algorithm is applied to the result of 6.
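The seven steps above, written out as an added Python example (not from the original post) and compared with the standard library's hmac module. The key and message in the demo are constructed, and the function names are assumptions.

```python
import hashlib
import hmac

IPAD, OPAD = 0x36, 0x5C  # inner and outer padding bytes defined above


def hmac_by_steps(key: bytes, text: bytes, hash_name: str = "md5") -> bytes:
    """Compute an HMAC by following the seven steps literally."""
    block_size = hashlib.new(hash_name).block_size  # 64 for MD5 and SHA-1
    if len(key) > block_size:
        # A key longer than the block size is replaced by its hash.
        key = hashlib.new(hash_name, key).digest()
    padded = key.ljust(block_size, b"\x00")                      # step 1
    inner_key = bytes(b ^ IPAD for b in padded)                  # step 2
    inner = hashlib.new(hash_name, inner_key + text)             # steps 3-4
    outer_key = bytes(b ^ OPAD for b in padded)                  # step 5
    outer = hashlib.new(hash_name, outer_key + inner.digest())   # steps 6-7
    return outer.digest()


def verify(key: bytes, text: bytes, tag: bytes, hash_name: str = "md5") -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(hmac_by_steps(key, text, hash_name), tag)


def agrees_with_stdlib(key: bytes, text: bytes, hash_name: str) -> bool:
    """True when the step-by-step result equals hmac.new(...).digest()."""
    expected = hmac.new(key, text, hash_name).digest()
    return hmac_by_steps(key, text, hash_name) == expected


if __name__ == "__main__":
    key = b"constructed-demo-key"
    msg = b"amount=100&to=alice"
    tag = hmac_by_steps(key, msg, "sha1")
    print(tag.hex())
    print(agrees_with_stdlib(key, msg, "sha1"))
    print(verify(key, msg, tag, "sha1"))                     # intact message
    print(verify(key, b"amount=900&to=alice", tag, "sha1"))  # altered message
    print(verify(b"wrong-key", msg, tag, "sha1"))            # wrong key
```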
 

How to break a Hash -
If you want to find a given plaintext for a certain hash there are two simple methods:
        - Hash each plaintext one by one, until you find the hash.
        - Hash each plaintext one by one, but store each generated hash in a sorted table so that you can  easily look the hash up later without generating the hashes again.
Simple... huh? Well, let's discuss that.

What is Rainbow Table-
A hash function converts plain text into hashed output which cannot be dehashed. But what if there is a mapping table which stores every possible mapping from hash value to plain text? Then you just need to see whether your hash value exists in this table, and you will get the plain text for that hash. That table is known as a Rainbow table. Obviously there is no such pre-existing table, so this is how you use a Rainbow table to break a hash -

Inputs -
hashed password (to be broken)
input password is 6 digits (numeric)
hash algorithm used - MD5
Output -
input password


Let's say my password is 493823
MD5("493823") -> "222f00dc4b7f9131c89cff641d1a8c50"
I have a reduction function which takes the first 6 numbers from the last generated hash. R("222f00dc4b7f9131c89cff641d1a8c50") -> "222004".


This output is fed to MD5, whose output is fed to the reduction function, and the cycle goes on. It represents a chain from the starting input text to the ending hash (you can choose to end at any hash). The table only stores the starting plaintext and the final hash you choose to end with, and so a chain "containing" millions of hashes can be represented with only a single starting plaintext and a single finishing hash.
Now we can use these chains to break the given hashed password and find the input password.
The algorithm is:
  • Start: look for the hash in the list of final hashes; if it is there, break out of the loop.
  • If it isn't there, reduce the hash into another plaintext, and hash the new plaintext.
  • Go to the start point.
  • If the hash matches one of the final hashes, the chain for which the hash matches the final hash contains the original hash.
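An added Python sketch of the chain scheme above (not from the original post), using the page's reduction function on 6-digit numeric passwords; it also shows that a salted hash, such as Magento's hash:salt record, never matches the table. Chain length, starting values and the zero padding in the reduction function are assumptions.

```python
import hashlib


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("ascii")).hexdigest()


def reduce_hash(digest: str, length: int = 6) -> str:
    """Reduction function from the page: first `length` decimal digits of the hash.
    Padding with zeros when the hash has too few digits is an assumption."""
    digits = [c for c in digest if c.isdigit()]
    return "".join(digits[:length]).ljust(length, "0")


def chain(start: str, links: int):
    """Yield (plaintext, hash) pairs along one chain."""
    plain = start
    for _ in range(links):
        digest = md5_hex(plain)
        yield plain, digest
        plain = reduce_hash(digest)


def build_table(starts, links: int) -> dict:
    """Keep only final hash -> starting plaintexts for each chain."""
    table = {}
    for start in starts:
        final = None
        for _, final in chain(start, links):
            pass
        table.setdefault(final, []).append(start)
    return table


def lookup(table: dict, target: str, links: int):
    """Walk forward from the target hash until a stored final hash is hit,
    then replay that chain from its start to recover the plaintext."""
    digest = target
    for _ in range(links):
        for start in table.get(digest, []):
            for plain, candidate in chain(start, links):
                if candidate == target:
                    return plain
        digest = md5_hex(reduce_hash(digest))
    return None


if __name__ == "__main__":
    LINKS = 200
    table = build_table(["493823", "000001", "777777"], LINKS)  # constructed starts
    plain, digest = list(chain("493823", LINKS))[57]
    print(lookup(table, digest, LINKS) == plain)          # unsalted hash is recovered
    print(lookup(table, md5_hex("QP" + plain), LINKS))    # salted hash: not in the table
```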







+Nishant


References- http://kestas.kuliukas.com/RainbowTables/