Category Archives: Web

Google Drive may be silently renaming your files

Just a friendly warning. If you try to store copy of standard Apache HTTP Server web root, git repository, some Linux directories, etc in the Google Drive, then do not be surprised when Google silently corrupts the filenames by renaming dot (.) to underscore (_). For me this is happening to nix hidden files (begins with a dot), but some of colleagues remember to happen to regular PDFs as well.

Solution. Upload only archived files to the Google Drive. And preferably encrypted (just in case).

WordPress still insecure by design

Some major WordPress design flaws have led to widespread attacks on our and your servers. The only hope is reasonably long and strong passwords or WordPress security plugins.

The first flaw. By default WordPress have enabled “feature”, when you visit your blog with author query string appended, it nicely reveals your usernames. For example, if you have:

http://blog.example.com

just add

http://blog.example.com/?author=1

and default WordPress installation redirects you to the:

http://blog.example.com/author/admin/

In you need next valid username, change 1 to 2:

http://blog.example.com/?author=2

The second flaw. WordPress have two separate login error messages:

ERROR: Invalid username

and

ERROR: The password you entered for the username admin is incorrect.

So basically, you can check if particular username is valid.

The third flaw. Many users use .htaccess to secure the wp-admin directory, but WordPress coders decided to include public accessible script in the admin folder. So securing admin folder breaks your site in many ways. Of course you can write more advanced .htaccess rules, but it is not excuse for including public script in the admin folder.

Both front-end and back-end Ajax requests use admin-ajax.php

Forth flaw. Allow hackers to iterate hundreds of usernames/passwords in the single web request (system.multicall), and do it via public accessible script, that is not hidden behind wp-admin folder. Just brilliant! By the way, flaw is still not fixed, and even if you have not so popular site, you will still see your log files full of password guessing requests from different IP addresses:

10.20.30.40 - - [13/Oct/2015:17:26:55 -0400] "POST /xmlrpc.php HTTP/1.0" 200 561 "-" "-"

Note, that IP 10.20.30.40 is given as an example.

Read more about this system.multicall thing here: Brute Force Amplification Attacks Against WordPress XMLRPC

The fifth flow (and not the last). If you have some flaws / vulnerabilities, please share them in comments. Of course only publicly known ones. If you have newly discovered flaw, use proper disclosure channels.

How to save / receive jpg image or any binary data in C# Web Api 2

Searched all through the web for a simple way to save / receive binary data or image file using Web Api 2. Solutions range from very complex to complex:

  • using JSON (30% overhead?)
  • BSON (looks nice, but not widely supported – bsonspec.org)
  • Multipart MIME (why multi-part, if we have only one file?)
  • Complex Web Api / MVC controllers encapsulated by enterprise classess, etc.

They all are missing the simplest form — POST binary data, receive binary data… all in one line of code

HttpContext.Current.Request.SaveAs(filename, false);

Yes! That’s it! One line and data from Binary HTTP POST response is saved.

In case you are looking for the simple way to send binary data using the same Web Api, here is a code we are using.

HttpResponseMessage response = new HttpResponseMessage(HttpStatusCode.OK);
byte[] binaryData = File.ReadAllBytes(@"C:\full\path\to\image\photo.jpg");

if (binaryData == null) throw new FileNotFoundException("something bad happened!");
response.Content = new ByteArrayContent(binaryData);
response.Content.Headers.ContentType = new MediaTypeHeaderValue("image/jpeg");
return response;

//if your are using IHttpActionResult, use return ResponseMessage(response);

And as always, your comments are welcome! Registration is not required.