Webserver Runs On Android Phone

March 27, 2024 by Bryan Cockfield 36 Comments

Android, the popular mobile phone OS, is essentially just Linux with a nice user interface layer covering it all up. In theory, it should be able to do anything a normal computer running Linux could do. And, since most web servers in the world are running Linux, [PelleMannen] figured his Android phone could run a web server just as well as any other Linux machine and built this webpage that’s currently running on a smartphone, with an additional Reddit post for a little more discussion.

The phone uses Termux (which we’ve written about briefly before) to get to a Bash shell on the Android system. Before that happens, though, some setup needs to take place largely involving installing F-Droid through which Termux can be installed. From there the standard SSH and Apache servers can be installed as if the phone were running a normal Linux The rest of the installation involves tricking the phone into thinking it’s a full-fledged computer including a number of considerations to keep the phone from halting execution when the screen locks and other phone-specific issues.

With everything up and running, [PelleMannen] reports that it runs surprisingly well with the small ARM system outputting almost no heat. Since the project page is being hosted on this phone we can’t guarantee that the link above works, though, and it might get a few too many requests to stay online. We wish it were a little easier to get our pocket-sized computers to behave in similar ways to our regular laptops and PCs (even if they don’t have quite the same amount of power) but if you’re dead-set on repurposing an old phone we’ve also seen them used to great effect in place of a Raspberry Pi.

Run Your Own Server For Fun (and Zero Profit)

March 15, 2022 by Ryan Flowers 126 Comments

It seems there’s a service for everything, but sometimes you simply learn more by doing it yourself. If you haven’t enjoyed the somewhat anachronistic pleasures of running your own server and hosting your own darn website, well, today you’re in luck!

Yes, we’re going to take an old computer of some sort and turn it into a web server for hosting all of your projects at home. You could just as easily use a Raspberry Pi –even a Zero W would work — or really anything that’ll run Linux, but be aware that not all computing platforms are created equally as we’ll discuss shortly.

Yes, we’re going to roll our own in this article series. There are a lot of moving parts, so we’re going to have to cover a lot of material. Don’t worry- it’s not incredibly complicated. And you don’t have to do things the way we say. There’s flexibility at every turn, and you’re encouraged to forge your own path. That’s part of the fun!

Note: For the sake of space we’re going to skip over some of the most basic details such as installing Linux and focus on those that have the greatest impact on the project. This article gives a high level overview of what it takes to host your project website at home. It intentionally glosses over the deeper details and makes some necessary assumptions.

Continue reading “Run Your Own Server For Fun (and Zero Profit)” →

This Week In Security: The Apache Fix Miss, Github (Malicious) Actions, And Shooting The Messenger

October 15, 2021 by Jonathan Bennett 10 Comments

Apache 2.4.50 included a fix for CVE-2021-41773. It has since been discovered that this fix was incomplete, and this version is vulnerable to a permutation of the same vulnerability. 2.4.51 is now available, and should properly fix the vulnerability.

The original exploit used .%2e/ as the magic payload, which is using URL encoding to sneak the extra dot symbol through as part of the path. The new workaround uses .%%32%65/. This looks a bit weird, but makes sense when you decode it. URL encoding uses UTF-8, and so %32 decodes to 2, and %65 to e. Familiar? Yep, it’s just the original vulnerability with a second layer of URL encoding. This has the same requirements as the first iteration, cgi-bin has to be enabled for code execution, and require all denied has to be disabled in the configuration files. Continue reading “This Week In Security: The Apache Fix Miss, Github (Malicious) Actions, And Shooting The Messenger” →

What To Do When The Botnet Comes Knocking

March 21, 2019 by Jonathan Bennett 34 Comments

“It was a cold and windy night, but the breeze of ill omen blowing across the ‘net was colder. The regular trickle of login attempts suddenly became a torrent of IP addresses, all trying to break into the back-end of the Joomla site I host. I poured another cup of joe, it was gonna be a long night.”

Tech noir aside, there was something odd going on. I get an email from that web-site each time there is a failed login. The occasional login attempt isn’t surprising, but this was multiple attempts per minute, all from different IP addresses. Looking at the logs, I got the feeling they were pulling usernames and passwords from one of the various database dumps, probably also randomly seeding information from the Whois database on my domain.

Continue reading “What To Do When The Botnet Comes Knocking” →

Milspec Teardown: AH-64A Apache Data Entry Panel

April 30, 2018 by Tom Nardi 93 Comments

It’s time once again to see how those tax dollars are spent, this time in the form of a “Data Entry Keyboard” manufactured by Hughes Helicopters. This device was built circa 1986 or so, and was used in the AH-64A Apache. Specifically, this panel would have been located by the gunner’s left knee, and served as a general purpose input device for the Apache’s Fire Control System. Eventually the Apache was upgraded with a so-called “glass cockpit”; consolidating various vehicle functions into a handful of multi-purpose digital displays. As such, this particular device became obsolete and was pulled from the active Apache fleet.

The military vehicle aficionados out there may know that while the Apache is currently a product of Boeing, it was originally designed by Hughes Helicopter. In 1984, McDonnell Douglas purchased Hughes Helicopter and took over production of the Apache, and then McDonnell Douglas themselves were merged with Boeing in 1997.

So it’s somewhat interesting that this device bears the name of Hughes Helicopter, as of the time it was manufactured, they would have been known as McDonnell Douglas Helicopter Systems. Presumably they had to work through existing stock of components that already had Hughes branding on them, leaving some transitional examples such as this one.

But you didn’t come here for a history lesson on the American military-industrial complex, you want to know about the hardware itself. So let’s crack it open to see what we can learn about this piece of aviation history.

Continue reading “Milspec Teardown: AH-64A Apache Data Entry Panel” →

OptionsBleed – Apache Bleeds In Uncommon Configuration

September 19, 2017 by Pedro Umbelino 8 Comments

[Hanno Böck] recently uncovered a vulnerability in Apache webserver, affecting Apache HTTP Server 2.2.x through 2.2.34 and 2.4.x through 2.4.27. This bug only affects Apache servers with a certain configuration in .htaccess file. Dubbed Optionsbleed, this vulnerability is a use after free error in Apache HTTP that causes a corrupted Allow header to be replied by the webserver in response to HTTP OPTIONS requests. This can leak pieces of arbitrary memory from the server process that may contain sensitive information. The memory pieces change after multiple requests, so for a vulnerable host an arbitrary number of memory chunks can be leaked.

Unlike the famous Heartbleed bug in the past, Optionsbleed leaks only small chunks of memory and more importantly only affects a small number of hosts by default. Nevertheless, shared hosting environments that allow for .htaccess file changes can be quite sensitive to it, as a rogue .htaccess file from one user can potentially bleed info for the whole server. Scanning the Alexa Top 1 Million revealed 466 hosts with corrupted Allow headers, so it seems the impact is not huge so far.

The bug appears if a webmaster tries to use the “Limit” directive with an invalid HTTP method. We decided to test this behaviour with a simple .htaccess file like this:

Continue reading “OptionsBleed – Apache Bleeds In Uncommon Configuration” →

Bread Online Is A Bread Maker For The Internet Of Things

July 7, 2015 by Rick Osgood 17 Comments

An engineering student at the University of Western Macedonia has just added another appliance to the ever-growing list of Internet enabled things. [Panagiotis] decided to modify an off-the-shelf bread maker to enable remote control via the Internet.

[Panagiotis] had to remove pretty much all of the original control circuitry for this device. The original controller was replaced with an Arduino Uno R3 and an Ethernet shield. The temperature sensor also needed to be replaced, since [Panagiotis] could not find any official documentation describing the specifications of the original. Luckily, the heating element and mixer motor were able to be re-used.

A few holes were drilled into the case to make room for the Ethernet connector as well as a USB connector. Two relays were used to allow the Arduino to switch the heating element and mixer motor on and off. The front panel of the bread maker came with a simple LCD screen and a few control buttons. Rather than let those go to waste, they were also wired into the Arduino.

The Arduino bread maker can be controlled via a web site that runs on a separate server. The website is coded with PHP and runs on Apache. It has a simple interface that allows the user to specify several settings including how much bread is being cooked as well as the desired darkness of the bread. The user can then schedule the bread maker to start. Bread Online also comes with an “offline” mode so that it can be used locally without the need for a computer or web browser. Be sure to check out the video demonstration below. Continue reading “Bread Online Is A Bread Maker For The Internet Of Things” →