Run Your Own Server For Fun (and Zero Profit)

It seems there’s a service for everything, but sometimes you simply learn more by doing it yourself. If you haven’t enjoyed the somewhat anachronistic pleasures of running your own server and hosting your own darn website, well, today you’re in luck!

Yes, we’re going to take an old computer of some sort and turn it into a web server for hosting all of your projects at home. You could just as easily use a Raspberry Pi (even a Zero W would work) or really anything that’ll run Linux, but be aware that not all computing platforms are created equal, as we’ll discuss shortly.

Yes, we’re going to roll our own in this article series. There are a lot of moving parts, so we’re going to have to cover a lot of material. Don’t worry, it’s not incredibly complicated. And you don’t have to do things the way we say. There’s flexibility at every turn, and you’re encouraged to forge your own path. That’s part of the fun!

Note: For the sake of space we’re going to skip over some of the most basic details such as installing Linux and focus on those that have the greatest impact on the project. This article gives a high level overview of what it takes to host your project website at home. It intentionally glosses over the deeper details and makes some necessary assumptions.


This Week In Security: The Apache Fix Miss, Github (Malicious) Actions, And Shooting The Messenger

Apache 2.4.50 included a fix for CVE-2021-41773. It has since been discovered that this fix was incomplete, and this version is vulnerable to a permutation of the same vulnerability. 2.4.51 is now available, and should properly fix the vulnerability.

The original exploit used .%2e/ as the magic payload, which uses URL encoding to sneak the extra dot symbol through as part of the path. The new workaround uses .%%32%65/. This looks a bit weird, but makes sense when you decode it. URL encoding uses UTF-8, so %32 decodes to 2, and %65 to e. Familiar? Yep, it’s just the original vulnerability with a second layer of URL encoding. This has the same requirements as the first iteration: cgi-bin has to be enabled for code execution, and “Require all denied” has to be disabled in the configuration files.
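To see why a single decoding pass misses the second payload, here is an added example (not Apache’s code, and not code from the original article) that decodes a request path until it stops changing and then looks for a “..” segment. The naive_is_traversal function models the general class of one-pass check that the double-encoded variant slips past; is_traversal decodes until stable and refuses anything still changing after a fixed cap. The paths and the cap of four passes are constructed for this illustration.

```python
from urllib.parse import unquote

# Upper bound on decode passes. A path that still changes after this many
# rounds is refused rather than decoded further (assumption: four is plenty
# for any legitimate client).
MAX_DECODE_PASSES = 4


def decode_fully(raw_path: str) -> tuple[str, int]:
    """Percent-decode a request path until a pass no longer changes it.

    Returns (decoded_path, passes). passes == 1 is ordinary encoding;
    passes >= 2 means the client layered percent-encoding, which is the
    trick the .%%32%65/ variant relies on (%%32%65 -> %2e -> .).
    """
    current = raw_path
    passes = 0
    for _ in range(MAX_DECODE_PASSES):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
        passes += 1
    return current, passes


def has_dot_dot_segment(path: str) -> bool:
    """True if any slash-separated segment of the path is exactly '..'."""
    return ".." in path.split("/")


def naive_is_traversal(raw_path: str) -> bool:
    """One-pass check: decode once, then look for '..'.

    This is the shape of check that a double-encoded payload defeats,
    because after one pass '.%%32%65' has only become '.%2e'.
    """
    return has_dot_dot_segment(unquote(raw_path))


def is_traversal(raw_path: str) -> bool:
    """Decode until stable, then look for '..'.

    A path that is still changing after MAX_DECODE_PASSES is treated as
    hostile rather than guessed at.
    """
    decoded, passes = decode_fully(raw_path)
    if passes >= MAX_DECODE_PASSES:
        return True
    return has_dot_dot_segment(decoded)


if __name__ == "__main__":
    # Constructed sample paths: plain, single-encoded and double-encoded.
    for sample in ("/cgi-bin/x", "/cgi-bin/.%2e/x", "/cgi-bin/.%%32%65/x"):
        print(sample, decode_fully(sample), naive_is_traversal(sample), is_traversal(sample))
```

The defensive takeaway is that normalization has to happen once, in one place, before any access decision, and that a request which is still encoded after normalization is a reason to reject it, not a reason to keep decoding.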

What To Do When The Botnet Comes Knocking

“It was a cold and windy night, but the breeze of ill omen blowing across the ‘net was colder. The regular trickle of login attempts suddenly became a torrent of IP addresses, all trying to break into the back-end of the Joomla site I host. I poured another cup of joe, it was gonna be a long night.”

Tech noir aside, there was something odd going on. I get an email from that website each time there is a failed login. The occasional login attempt isn’t surprising, but this was multiple attempts per minute, all from different IP addresses. Looking at the logs, I got the feeling they were pulling usernames and passwords from one of the various database dumps, probably also randomly seeding information from the Whois database on my domain.
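The pattern described above, a trickle of failed logins turning into several per minute from many different addresses, is something you can pick out of a log mechanically. The following is an added example, not code from the original post or from Joomla: it parses constructed failed-login records (the line format, the thresholds, and the RFC 5737 documentation addresses are all assumptions made for this illustration) and reports any 60-second window in which both the attempt count and the number of distinct source addresses cross a threshold, which separates a distributed attempt from one noisy host.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of a failed-login notification log:
# ISO timestamp, the username tried, and the source address.
SAMPLE_LOG = """\
2021-10-09T01:12:07 failed login user=admin ip=198.51.100.7
2021-10-09T02:40:11 failed login user=admin ip=203.0.113.10
2021-10-09T02:40:19 failed login user=webmaster ip=203.0.113.44
2021-10-09T02:40:31 failed login user=joomla ip=198.51.100.91
2021-10-09T02:40:52 failed login user=admin ip=192.0.2.200
2021-10-09T02:41:03 failed login user=admin ip=203.0.113.77
2021-10-09T03:15:00 failed login user=admin ip=203.0.113.10
"""

LINE_RE = re.compile(r"^(\S+) failed login user=(\S+) ip=(\S+)$")


def parse_failed_logins(text):
    """Return a list of (timestamp, user, ip) tuples; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        ts, user, ip = match.groups()
        events.append((datetime.fromisoformat(ts), user, ip))
    return events


def summarize(chunk):
    """Describe one burst: time span, attempt count, distinct sources, usernames tried."""
    return {
        "first": chunk[0][0],
        "last": chunk[-1][0],
        "attempts": len(chunk),
        "distinct_ips": len({ip for _, _, ip in chunk}),
        "users": sorted({user for _, user, _ in chunk}),
    }


def find_bursts(events, window=timedelta(seconds=60), min_attempts=4, min_ips=3):
    """Slide a time window over the sorted events.

    A window counts as a burst when it holds at least min_attempts failures
    from at least min_ips different addresses. Overlapping or adjacent burst
    windows are merged so one attack run is reported once.
    """
    events = sorted(events)
    bursts = []  # [first_index, last_index] pairs into the sorted list
    start = 0
    for end, (ts, _, _) in enumerate(events):
        while ts - events[start][0] > window:
            start += 1
        if end - start + 1 < min_attempts:
            continue
        if len({ip for _, _, ip in events[start:end + 1]}) < min_ips:
            continue
        if bursts and start <= bursts[-1][1] + 1:
            bursts[-1][1] = end  # extends the burst already being reported
        else:
            bursts.append([start, end])
    return [summarize(events[a:b + 1]) for a, b in bursts]


if __name__ == "__main__":
    for burst in find_bursts(parse_failed_logins(SAMPLE_LOG)):
        print(burst)
```

The single failure at 01:12 and the lone retry at 03:15 never trip the thresholds, while the five failures between 02:40:11 and 02:41:03 from five different addresses are reported as one burst. The distinct-IP requirement is what makes this complementary to a per-address tool such as fail2ban: a botnet spreading its attempts across many addresses stays under any per-IP limit but not under this one.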


Milspec Teardown: AH-64A Apache Data Entry Panel

It’s time once again to see how those tax dollars are spent, this time in the form of a “Data Entry Keyboard” manufactured by Hughes Helicopters. This device was built circa 1986 or so, and was used in the AH-64A Apache. Specifically, this panel would have been located by the gunner’s left knee, and served as a general purpose input device for the Apache’s Fire Control System. Eventually the Apache was upgraded with a so-called “glass cockpit”, consolidating various vehicle functions into a handful of multi-purpose digital displays. As such, this particular device became obsolete and was pulled from the active Apache fleet.

The military vehicle aficionados out there may know that while the Apache is currently a product of Boeing, it was originally designed by Hughes Helicopter. In 1984, McDonnell Douglas purchased Hughes Helicopter and took over production of the Apache, and then McDonnell Douglas themselves were merged with Boeing in 1997.

So it’s somewhat interesting that this device bears the name of Hughes Helicopter, since at the time it was manufactured they would have been known as McDonnell Douglas Helicopter Systems. Presumably they had to work through existing stock of components that already had Hughes branding on them, leaving some transitional examples such as this one.

But you didn’t come here for a history lesson on the American military-industrial complex, you want to know about the hardware itself. So let’s crack it open to see what we can learn about this piece of aviation history.


OptionsBleed – Apache Bleeds In Uncommon Configuration

[Hanno Böck] recently uncovered a vulnerability in the Apache web server, affecting Apache HTTP Server 2.2.x through 2.2.34 and 2.4.x through 2.4.27. This bug only affects Apache servers with a certain configuration in the .htaccess file. Dubbed Optionsbleed, this vulnerability is a use-after-free error in Apache HTTP Server that causes the web server to reply with a corrupted Allow header in response to HTTP OPTIONS requests. This can leak pieces of arbitrary memory from the server process that may contain sensitive information. The memory pieces change after multiple requests, so for a vulnerable host an arbitrary number of memory chunks can be leaked.

Unlike the famous Heartbleed bug in the past, Optionsbleed leaks only small chunks of memory and more importantly only affects a small number of hosts by default. Nevertheless, shared hosting environments that allow for .htaccess file changes can be quite sensitive to it, as a rogue .htaccess file from one user can potentially bleed info for the whole server. Scanning the Alexa Top 1 Million revealed 466 hosts with corrupted Allow headers, so it seems the impact is not huge so far.
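A corrupted Allow header is easy to recognize once you know that every entry in it has to be an HTTP method name, which RFC 7230 restricts to a small set of token characters. The following is an added example, not [Hanno Böck]’s scanner and not code from the original article, showing one way to check a captured Allow header from your own server: the header values are constructed for the illustration, and the rule that empty list entries are tolerated (as the RFC’s list syntax permits) while non-token entries are reported is an assumption of this example.

```python
import re

# RFC 7230 "tchar": the characters allowed in a token, and so in a method name.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_allow(header_value: str) -> list[str]:
    """Split an Allow header value on commas and trim whitespace around each entry."""
    return [entry.strip() for entry in header_value.split(",")]


def suspicious_entries(header_value: str) -> list[str]:
    """Return entries that cannot be HTTP method tokens.

    Empty entries (from ',,') are tolerated, as the RFC list syntax allows.
    Anything else that is not a token carries bytes that did not come from
    a method list, which is what a bleeding server produces.
    """
    return [e for e in parse_allow(header_value) if e and not _TOKEN_RE.match(e)]


def looks_corrupted(header_value: str) -> bool:
    """True when at least one entry in the Allow header is not a valid token."""
    return bool(suspicious_entries(header_value))


if __name__ == "__main__":
    # Constructed sample headers: a clean one and one carrying leaked bytes
    # that happen to look like a fragment of a Content-Type string.
    for sample in ("GET,POST,OPTIONS,HEAD", "GET, POST,, HEAD, e/html; charset="):
        print(repr(sample), "->", suspicious_entries(sample))
```

Feeding the Allow header of an OPTIONS response from your own host through looks_corrupted, repeated a few times since the leaked bytes change between requests, is a quick self-check; a clean result on every request is the expected outcome for a server that is not affected or that has been updated.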

The bug appears if a webmaster tries to use the “Limit” directive with an invalid HTTP method. We decided to test this behaviour with a simple .htaccess file like this:


Bread Online Is A Bread Maker For The Internet Of Things

An engineering student at the University of Western Macedonia has just added another appliance to the ever-growing list of Internet-enabled things. [Panagiotis] decided to modify an off-the-shelf bread maker to enable remote control via the Internet.

[Panagiotis] had to remove pretty much all of the original control circuitry for this device. The original controller was replaced with an Arduino Uno R3 and an Ethernet shield. The temperature sensor also needed to be replaced, since [Panagiotis] could not find any official documentation describing the specifications of the original. Luckily, the heating element and mixer motor could be reused.

A few holes were drilled into the case to make room for the Ethernet connector as well as a USB connector. Two relays were used to allow the Arduino to switch the heating element and mixer motor on and off. The front panel of the bread maker came with a simple LCD screen and a few control buttons. Rather than let those go to waste, they were also wired into the Arduino.

The Arduino bread maker can be controlled via a website that runs on a separate server. The website is coded in PHP and runs on Apache. It has a simple interface that allows the user to specify several settings, including how much bread is being cooked as well as the desired darkness of the bread. The user can then schedule the bread maker to start. Bread Online also comes with an “offline” mode so that it can be used locally without the need for a computer or web browser. Be sure to check out the video demonstration below.

Upgrading A Laminator For Toner Transfer PCBs

If you need a circuit board now, you’re probably looking at a toner transfer process; all you need to make a PCB is a copper clad board, a laser printer, some special paper, and the usual etching chemicals. The quality of these boards is highly dependent on the quality of transferring toner to the copper, and getting the process right is as much an art as it is a science. A clothes iron is the easy way of transferring the toner to the board, but if you’re looking for repeatability, you’ll probably want a laminator.

Laminators also vary in quality. The king of toner transfer laminators is the Apache AL13P. With four heated rollers and a steel chassis, it’s enough to do some serious heating. [mosaicmerc] came up with an amazing mod for his Apache laminator that takes all the guesswork out of the settings, and does it all in one pass for maximum repeatability and PCB quality.

The Apache laminator in question is a beast of a machine that drives four rollers with a synchronous motor and also has a ‘reverse’ button that sends the laminations out the front end of the printer. Stock, a toner transfer PCB would require dozens of passes through the Apache, but [merc]’s mod takes care of everything for you.

The addition that makes this possible is a small board with a PIC12 microcontroller. This microcontroller connects the motor driver board and the display interface together, triggering the reverse button to move the board 5/8″ forward and 1/2″ back, giving the laminator an effective speed reduction of 12:1. This method also has the bonus of not tampering with the motor or control circuitry, and allows for multiple passes in the same run.

With this modification, the Apache AL13P becomes the perfect solution to transferring toner to a piece of copper, with the ability to transfer 10mil traces on 1oz copper. The board also offers some other features like thermal sensor failure shutdown and a cool-down mode that overrides the heater. If you’re looking for an easy way to step up your toner transfer PCBs, you can’t do much better than this mod.