Santa Knows If Your Contact Form Uses PHPMailer < 5.2.18

PHPMailer, one of the most widely used classes for sending email from PHP, has a serious vulnerability in versions older than 5.2.18 (the current release). The security researcher [Dawid Golunski] just published a limited advisory stating that PHPMailer suffers from a critical flaw that could allow an attacker to achieve remote code execution in the context of the web server user. PHPMailer is used by several open-source projects, among them WordPress, Drupal, 1CRM, SugarCRM, Yii and Joomla. A fix has been issued and PHPMailer is urging all users to upgrade.

To trigger this vulnerability (CVE-2016-10033) it seems that the attacker only has to make the web application send out an email using the vulnerable PHPMailer class. Depending on the application itself, this can be accomplished in different ways, such as contact/feedback forms, registration forms, password email resets and so on.

Upon a quick diff analysis, we found that the vulnerable code seems to lie in the following lines of class.phpmailer.php:

Continue reading “Santa Knows If Your Contact Form Uses PHPMailer < 5.2.18”
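Since the advisory's practical advice is "upgrade", the first thing an administrator wants is an inventory of every PHPMailer copy on a host, including the ones bundled inside plugins and themes. The script below is an added example, not code from the advisory or from the PHPMailer project. It assumes the 5.x library lives in a file named class.phpmailer.php (the file named above) and declares its version as a PHP property of the form `public $Version = '5.2.17';`, so it reads that string rather than trusting a package manifest; the sample web root it builds is constructed for an offline dry run.

```python
"""Find copies of PHPMailer 5.x under a web root and flag versions older than 5.2.18.

Added example, not code from the advisory or from PHPMailer. Assumed layout:
class.phpmailer.php declares  public $Version = '5.2.17';  (or similar).
"""
import os
import re
import tempfile

FIXED_VERSION = (5, 2, 18)      # first release carrying the CVE-2016-10033 fix, per the advisory
VERSION_RE = re.compile(r'\$Version\s*=\s*[\'"]([0-9]+(?:\.[0-9]+)*)[\'"]')


def parse_version(php_source):
    """Return the declared version as an int tuple, or None if no $Version declaration is found."""
    m = VERSION_RE.search(php_source)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_vulnerable(version):
    """Tuple comparison, so 5.2.9 < 5.2.18 comes out right (a plain string compare would not)."""
    return version < FIXED_VERSION


def scan(root):
    """Walk root; return [(path, version_or_None, flagged)] for every class.phpmailer.php found."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower() != "class.phpmailer.php":
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                version = parse_version(fh.read())
            # An unreadable version is flagged too: it deserves a manual look, not a pass.
            findings.append((path, version, version is None or is_vulnerable(version)))
    return findings


def summarize(findings):
    """Map the directory holding each copy to its flag, for a quick report."""
    return {os.path.basename(os.path.dirname(path)): flagged for path, _, flagged in findings}


def build_sample_tree():
    """Constructed web root with one outdated and one patched copy (sample data, not real sites)."""
    root = tempfile.mkdtemp(prefix="phpmailer-scan-")
    for subdir, version in {"old_plugin": "5.2.9", "patched": "5.2.18"}.items():
        os.makedirs(os.path.join(root, subdir))
        with open(os.path.join(root, subdir, "class.phpmailer.php"), "w") as fh:
            fh.write("<?php\nclass PHPMailer\n{\n    public $Version = '%s';\n}\n" % version)
    return root


if __name__ == "__main__":
    for path, version, flagged in scan(build_sample_tree()):
        label = "UPGRADE" if flagged else "ok"
        shown = ".".join(map(str, version)) if version else "?"
        print(f"{label:8} {shown:8} {path}")
```

Point `scan()` at a real document root to get the list; anything flagged is either older than 5.2.18 or could not be identified and should be checked by hand.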

Bluetooth Speaker With Neopixel Visual Display!

Finding a product that is everything you want isn’t always possible. Making your own that checks off all those boxes can be. [Peter Clough] took the latter route and built a small Bluetooth speaker with an LED visualization display that he calls Magic Box.

A beefy 20 W, 4 Ohm speaker was screwed to the lid of a wooden box converted to the purpose. [Clough] cut a clear plastic sheet to the dimensions of the box, notching it 2 cm from the edge to glue what would become the sound reactive neopixel strip into place — made possible by an electret microphone amplifier. There ended up being plenty of room inside the speaker box to cram an Arduino Pro Mini 3.3V, the RN-52 Bluetooth receiver, and the rest of the components, with an aux cable running out the base of the speaker. As a neat touch, neodymium magnets hold the lid closed.

Continue reading “Bluetooth Speaker With Neopixel Visual Display!”

Hackaday Links: December 25th, 2016

You should be watching the Doctor Who Christmas special right now. Does anyone know when the Restaurant at the End of the Universe spinoff is airing?

We have a contest going on right now. It’s the 1 kB Challenge, a contest that challenges you to do the most with a kilobyte of machine code. The deadline is January 5th, so get cracking.

A few years ago, [Kwabena] created the OpenMV, a Python-powered machine vision module that doesn’t require a separate computer. It’s awesome, and we’re going to have his talk from the Hackaday SuperConference up shortly. Now the OpenMV is getting an upgrade. The upgrades include an ARM Cortex-M7, more RAM, and more heap, for less money. Here’s a link to preorder.

There ain’t no demoscene party like an Amtrak demoscene party because an Amtrak demoscene party lasts ten hours.

E-paper displays are fancy, cool, and low-power. Putting them in a project, however, is difficult. You need to acquire these display modules, and this has usually been a pain. Now Eink has a web shop where you can peruse and purchase epaper display modules and drivers.

[Kris] built a pair of STM32L4 dev boards that are easily programmed in the Arduino IDE. Now he’s putting these boards up on Kickstarter. The prices are reasonable – $15 for the smaller of the pair, and $25 for the bigger one. Remember, kids: ARM is the future, at least until RISC-V takes over.

This is how you do holiday greeting cards.

Didn’t get what you want for Christmas? Don’t worry, Amazon still has A Million Random Digits with 100,000 Normal Deviates in stock. It’s also available on audible dot com. Sometimes we don’t have time to sit down and read a million random digits but with audible dot com, you can listen to a million random digits in audio book format. That’s audible dot com please give us money.

This is the last Hackaday Links post of the year, which means it’s time for one of our most cherished traditions: reviewing our readership in North Korea.

It’s been a banner year for Hackaday in the Democratic People’s Republic of North Korea. The readership has exploded in 2016, with a gain of nearly 300%. To put that in perspective, in 2015 we had thirty-six views from North Korea across every page on Hackaday. In 2016, that number increased to one hundred and forty.

That’s a phenomenal increase and a yearly growth that is unheard of in the publishing industry. We’d like to tip our hat to all our North Korean reader, and we’re looking forward to serving you in 2017.

The First Bug On Mars

Interplanetary probes were a constant in the tech news bulletins of the 1960s and 1970s. The Space Race was at its height, and alongside their manned flights the two superpowers sent unmanned missions throughout the Solar System. By the 1980s and early 1990s the Space Race had cooled down, the bean counters moved in, and aside from the spectacular images of the planets periodically arriving from the Voyager series of craft there were scant pickings for the deep space enthusiast.

The launch in late 1996 of the Mars Pathfinder mission with its Sojourner rover then was exciting news indeed. Before Spirit, the exceptionally long-lived Opportunity, and the relatively huge Curiosity rover (get a sense of scale from our recent tour of JPL), the little Sojourner operated on the surface of the planet for 85 days, and proved the technology for the rovers that followed.

In these days of constant online information we’d see every nuance of the operation as it happened, but those of us watching with interest in 1997 missed one of the mission’s dramas. Pathfinder’s lander suffered what is being written up today as the first bug on Mars. When the lander collected Martian weather data, its computer would crash.

Like many other spacecraft, the lander’s computer system ran the real-time OS VxWorks. Of the threads running on the craft, the weather thread was a low priority one, while the more important task of servicing its information bus was a high priority one. The weather task would hold a resource the bus task needed, leaving the high priority task waiting on the low priority one and causing the operating system equivalent of an unholy row in our Martian outpost. A priority inversion bug, and one that had been spotted before launch but assigned a low priority.

You can’t walk up to a computer on another planet and swap out a few disks, so the Pathfinder team had to investigate the problem on their Earthbound replica of the lander. The fix involved executing some C code on an interpreter prompt on the spacecraft itself, something that would give most engineers an extremely anxious moment.
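To make the failure mode concrete, here is an added illustration (not JPL's or VxWorks code) of a fixed-priority scheduler with one shared mutex, run as a tick-by-tick model. Three constructed tasks share the CPU: a low-priority "weather" task that holds the mutex for several ticks, a high-priority "bus" task that needs the same mutex, and an unrelated medium-priority task. Without priority inheritance the medium task preempts the weather task while the bus task sits waiting on the mutex, so the bus task's deadline slips; with priority inheritance (the standard mitigation for this class of bug, and an assumption here since the post does not name the exact fix applied) the mutex holder temporarily runs at the waiting task's priority and releases the mutex quickly. The step counts, release times and the deadline that stands in for the watchdog are all constructed values.

```python
"""Tick-based scheduler model of a priority inversion and of priority inheritance.

Added illustration, not spacecraft code. One CPU, one mutex, one step per tick.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Task:
    name: str
    priority: int              # larger number = more important
    release: int               # tick at which the task first becomes ready
    steps: List[str]           # each step is "lock", "work" or "unlock"
    pc: int = 0                # index of the next step to execute
    finished_at: Optional[int] = None

    def next_step(self) -> Optional[str]:
        return self.steps[self.pc] if self.pc < len(self.steps) else None


def make_tasks():
    """Constructed workload: the weather task grabs the mutex just before the bus task needs it."""
    return [
        Task("weather", 1, 0, ["lock", "work", "work", "work", "unlock"]),
        Task("medium", 2, 2, ["work"] * 4),        # never touches the mutex
        Task("bus", 3, 1, ["lock", "work", "unlock"]),
    ]


def simulate(tasks, priority_inheritance, max_ticks=100):
    """Fixed-priority preemptive scheduler; returns ({task: tick of its last step}, trace)."""
    owner = None        # task currently holding the single shared mutex
    trace = []
    for t in range(max_ticks):
        if all(x.next_step() is None for x in tasks):
            break
        ready = [x for x in tasks if x.release <= t and x.next_step() is not None]

        def is_blocked(x):
            # A task whose next step is "lock" cannot run while someone else holds the mutex.
            return x.next_step() == "lock" and owner is not None and owner is not x

        blocked = [x for x in ready if is_blocked(x)]
        runnable = [x for x in ready if not is_blocked(x)]

        def effective_priority(x):
            # Priority inheritance: the mutex owner borrows the highest priority it is blocking.
            if priority_inheritance and x is owner and blocked:
                return max([x.priority] + [b.priority for b in blocked])
            return x.priority

        if not runnable:
            trace.append((t, "idle", None))
            continue
        cur = max(runnable, key=effective_priority)
        step = cur.next_step()
        if step == "lock":
            owner = cur
        elif step == "unlock":
            owner = None
        cur.pc += 1
        if cur.next_step() is None:
            cur.finished_at = t
        trace.append((t, cur.name, step))
    return {x.name: x.finished_at for x in tasks}, trace


BUS_DEADLINE = 8   # constructed stand-in for the watchdog: the bus task must finish by this tick


def bus_finish_tick(priority_inheritance):
    finish, _ = simulate(make_tasks(), priority_inheritance)
    return finish["bus"]


def bus_misses_deadline(priority_inheritance):
    return bus_finish_tick(priority_inheritance) > BUS_DEADLINE


if __name__ == "__main__":
    for mode in (False, True):
        finish, trace = simulate(make_tasks(), mode)
        print("priority inheritance", "on " if mode else "off", finish)
        print("   " + " ".join(f"{t}:{name}" for t, name, _ in trace))
```

Running it prints the two schedules side by side: without inheritance the medium task occupies ticks 2 to 5 while the bus task waits, and the bus task only completes at tick 11; with inheritance the weather task is pushed through its critical section first and the bus task completes at tick 7, inside the deadline.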

The write-up is an interesting read; it’s a translation from a Russian original that is linked within it. If the work of the JPL scientists and engineers interests you, this talk from the recent Hackaday Superconference might be of interest.

[via Hacker News]

Track Wi-Fi Devices In Your Home

How do you audit your home Wi-Fi network? Perhaps you log into your router and have a look at the connected devices. Sometimes you’ll find an unexpected guest, but a bit of detective work will usually lead you to the younger nephew’s game console or that forgotten ESP8266 on your bench.

Wouldn’t it be useful if your router could tell you where all the devices connected to it are? If you are [Zack Scholl], you can do all this and more, for his FIND-LF system logs Wi-Fi probe requests from all Wi-Fi devices within its range even if they are not connected, and triangulates their position from their relative signal strengths across several sniffing receivers. These receivers are a network of Raspberry Pis with their own FIND-LF server, and any probe requests they pick up are forwarded to [Zack]’s FIND server (another of his projects) which does the work of collating the locations of devices.

It’s an impressive piece of work, though with a Raspberry Pi at each receiver it could get a little pricey. [Zack] has done other work in this field aside from the two projects mentioned here; it includes an implementation of the [Harry Potter] Marauder’s Map.

This is by no means the only indoor location system we’ve seen over the years. There is one that uses ESP8266 modules, for example, and a commercial product that is similar to the project shown here.
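The collating step described above, in its simplest form, as an added example that is not FIND-LF's own code: each sniffing receiver reports what it heard (timestamp, receiver name, client MAC, RSSI), and the server merges the reports per device and names the receiver that heard it most strongly. This nearest-receiver estimate is coarser than the signal-strength triangulation the post describes, and the log format is constructed for the example rather than FIND-LF's real wire format. It also carries the caveat a home auditor needs: a probe request sent from a locally administered (randomized) MAC address, recognisable from bit 1 of the first octet, does not identify a stable device, so such entries are flagged rather than trusted as a track.

```python
"""Collate Wi-Fi probe-request sightings from several sniffing receivers.

Added example, not FIND-LF's code. Log format (constructed):
    <unix time> <receiver> <client MAC> <RSSI dBm>
"""
from collections import defaultdict

# Constructed sample: three Raspberry Pi receivers, three client devices, one junk line.
SAMPLE_LOG = """\
1482681600 pi-kitchen  a4:5e:60:11:22:33 -41
1482681600 pi-bench    a4:5e:60:11:22:33 -67
1482681601 pi-hall     a4:5e:60:11:22:33 -72
1482681602 pi-bench    b8:27:eb:aa:bb:cc -38
1482681602 pi-kitchen  b8:27:eb:aa:bb:cc -70
1482681603 pi-hall     da:a1:19:44:55:66 -55
1482681603 pi-kitchen  da:a1:19:44:55:66 -80
this line is garbage and must be skipped
"""


def is_locally_administered(mac):
    """True when bit 1 of the first octet is set: a locally administered, typically randomized, MAC."""
    return int(mac.split(":")[0], 16) & 0x02 != 0


def parse_log(text):
    """Yield (timestamp, receiver, mac, rssi) tuples; malformed lines are dropped, not guessed at."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, receiver, mac, rssi = parts
        try:
            yield int(ts), receiver, mac.lower(), int(rssi)
        except ValueError:
            continue


def strongest_receiver(records):
    """Per MAC: (receiver with the highest RSSI, {receiver: best RSSI seen})."""
    readings = defaultdict(dict)
    for _, receiver, mac, rssi in records:
        readings[mac][receiver] = max(rssi, readings[mac].get(receiver, -200))
    return {mac: (max(r, key=r.get), r) for mac, r in readings.items()}


def locate(text):
    """Coarse location report: nearest receiver per device, plus the randomized-MAC caveat."""
    report = {}
    for mac, (best, _) in strongest_receiver(parse_log(text)).items():
        report[mac] = {"near": best, "randomized": is_locally_administered(mac)}
    return report


if __name__ == "__main__":
    for mac, info in locate(SAMPLE_LOG).items():
        note = " (randomized MAC, not a stable device)" if info["randomized"] else ""
        print(f"{mac}  nearest: {info['near']}{note}")
```

A real deployment would feed each receiver's capture into `parse_log()` and keep a rolling window of readings rather than a single best value, but the merge-and-compare step is the same.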

PURE Modules Aim To Make Prototyping Easier

[Sashi]’s PURE modules system wants your next wireless microcontroller and sensor module project to be put together using card-edge connectors. But it’s a lot deeper than that — PURE is an entire wireless gadget development ecosystem. Striking a balance between completeness and modularity is very difficult; a wire can carry any imaginable electronic signal, but just handing someone a pile of wires presents them a steep learning curve. PURE is at the other end of the spectrum: everything is specified.

So far, two microcontroller options are available in the system, the nRF52 series and TI’s CC2650. Both of these run the Contiki OS, so it doesn’t matter which of them you choose. Wired data is all transmitted over I2C and connects up via the previously-mentioned card-edge connectors. On the wireless side, data transport is handled through an MQTT broker, using the MQTT-SN variant which is better suited to small radio devices. At the protocol layer everything uses Protocol Buffers, Google’s newest idea for adding some structure to the data.

Continue reading “PURE Modules Aim To Make Prototyping Easier”

The Tiny SCSI Emulator

For fans of vintage computers of the 80s and 90s, SCSI can be a real thorn in the side. The stock of functioning hard drives is dwindling, and mysterious termination issues are sure to have you cursing the SCSI voodoo before long. Over the years, this has led to various projects that aim to create new SCSI hardware to fill in where the original equipment is too broken to use, or too rare to find.

[David Kuder]’s tiny SCSI emulator is designed for just this purpose. [David] has combined a Teensy 3.5 with an NCR5380 SCSI interface chip to build his device. With a 120 MHz clock and 192K of RAM, the Teensy provides plenty of horsepower to keep up with the SCSI signals, and its DMA features don’t hurt either.

Now, many earlier SCSI emulation or conversion projects have purely focused on storage – such as the SCSI2SD, which emulates a SCSI hard drive using a microSD card for storage. [David]’s pulled that off, maxing out the NCR5380’s throughput with plenty to spare on the SD card end of things. Future work looks to gain more speed through a SCSI controller upgrade.

But that’s not all SCSI’s good for. Back in the wild times that were the 80s, many computers, and particularly the early Macintosh line, were short on expansion options. This led to the development of SCSI Ethernet adapters, which [David] is also trying to emulate by adding a W5100 Ethernet shield to his project. So far the Cabletron EA412 driver [David] is using is causing the Macintosh SE test system to crash after initial setup, but debugging continues.

It’s always great to see projects that aim to keep vintage hardware alive — like this mass repair of six Commodore 64s.