Wednesday, February 28, 2007
Wednesday, February 21, 2007
FATAL ERROR: Session save path () doesn't exist or is not writable
OK. I decided to work with the DM tools and Chameleon widgets for the CALTER mapserver; this way I will not have to program any basic components.
I am still installing all the stuff, but to have Chameleon working the PHP module needed to be recompiled to support GD and FreeType:
./configure --enable-safe-mode --with-mysql --with-pgsql --enable-dbase --with-config-file --enable-static --prefix=/chroot/httpd/usr/local/apache2/php --with-apxs2=/chroot/httpd/usr/local/apache2/bin/apxs --disable-cgi --with-config-file-path=/chroot/httpd/usr/local/apache2/php --with-openssl --with-zlib --with-gd --with-freetype-dir
The MapLab tools gave some headaches with Forbidden warnings. The first time, this warning was caused by incorrect permissions (nothing like a good 666 or 777 to make things work).
Still it wouldn't work. Checking the error logs, it was mod_security sending the Forbidden: PHP was sending an error message and mod_security was blocking it. So mod_security was reconfigured not to scan replies from the server.
Finally the error was "FATAL ERROR: Session save path () doesn't exist or is not writable". MapLab uses session IDs to pass data between the programs, so I googled and found the solution on a French website.
The php.ini needs to have session.save_path unquoted and activated, set to /tmp, and /tmp should have rw permission.
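An added example, not code from the original post: shell functions that read session.save_path from a php.ini and check the directory PHP would actually use. The chroot prefix argument is an assumption based on the /chroot/httpd paths in the configure line above, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Run it as the user Apache runs
# as, so that the -w test reflects what PHP is allowed to do.

# Print the active session.save_path from a php.ini file. Prints nothing when
# the directive is absent or still commented out with a leading ';'.
php_session_save_path() {
    value=$(sed -n 's/^[[:space:]]*session\.save_path[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
    case $value in
        \"*\"*)  # quoted: drop the quotes, keep the path of an "N;/path" value
            value=${value#\"}; value=${value%%\"*}; value=${value##*;} ;;
        *)       # unquoted: a ';' starts a comment
            value=${value%%;*} ;;
    esac
    printf '%s\n' "$value" | sed 's/[[:space:]]*$//'
}

# Report the state of the session directory as PHP sees it.
#   $1 = php.ini   $2 = chroot prefix (assumption: "" when not chrooted)
check_session_path() {
    path=$(php_session_save_path "$1")
    if [ -z "$path" ]; then
        echo "unset"; return 1      # consistent with the empty "()" in the error
    fi
    dir=$2$path
    if [ ! -d "$dir" ]; then
        echo "missing:$dir"; return 1
    fi
    if [ ! -w "$dir" ]; then
        echo "not-writable:$dir"; return 1
    fi
    perms=$(ls -ld "$dir" | cut -c1-10)
    # World-writable without the sticky bit (plain 777): any local user can
    # delete or replace other users' session files. /tmp is normally 1777.
    case $perms in
        ????????w[!tT]) echo "world-writable-no-sticky:$dir"; return 1 ;;
    esac
    echo "ok:$dir"
}
```

For the setup above the call would be `check_session_path /chroot/httpd/usr/local/apache2/php/php.ini /chroot/httpd`, assuming php.ini sits in the configured config-file path and Apache is chrooted at /chroot/httpd.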
Friday, February 16, 2007
2nd CISTI and XSS
Just submitted an 8-page paper for the CISTI (2nd Iberian Conference on Information Systems and Technologies). The paper is called "Security enhancement in a WebGIS application". Basically it describes chroot, firewalls (iptables), injection prevention of tags/scripts, HTTPS redirection and error message blocking in a MapServer system.
Yesterday I was reading in the tech news that 7 out of 10 sites allow XSS attacks (cross-site scripting), where you can, for example, send SQL tags in the URL (GET) and do some real shit.
Error in Tags
Yesterday I couldn't find the script to download the SRTM on my computer and copy/pasted what I had in here; it seems there was a problem. When the script was posted, the blog system got confused by the STDIN command that is in "<" and ">". This was fixed using the special HTML codes for special characters.
Tuesday, February 06, 2007
Apache compilation (security options)
Some months ago I had to compile the Apache server for the CALTER webGIS and it was a bit tricky because it needed an external module called mod_security and version 2.0 refused to work (some GCC 4.1 problem, if I recall). This is, somehow, a compilation with security in mind:
./configure --prefix=/usr/local/apache2 --with-mpm=prefork --disable-charset-lite --disable-include --disable-env --enable-setenvif --disable-autoindex --disable-asis --disable-cgi --disable-negotiation --disable-imap --disable-actions --disable-userdir --disable-alias --disable-so --enable-ssl --enable-modules=access --enable-module=log_config --enable-module=dir --enable-module=auth --enable-unique_id --enable-usertrack --enable-proxy --enable-proxy-http --with-module=proxy:modules/proxy/modsecurity-apache_1.9.4/apache2/mod_security.c --enable-security --enable-so --enable-rewrite
setenvif should have been disabled, but in the end it was necessary; if I recall, it was PHP that needed it.
mod_security has to be unpacked to the directory /modules/proxy, and Apache also needs to be compiled with --enable-proxy-http.
The modules are all statically linked. Initially I wanted everything static so that there would be no load module options, but I didn't manage to statically compile PHP into Apache2.
Friday, February 02, 2007
xtmas, new year and classes
Things have been a bit down concerning the blog, due to all the holidays and the GIS classes that I gave at the University of Huelva.
I had to study ArcGIS to give the classes; the last time I used anything from ESRI was 4 years ago. The experience was excellent and the students helped a lot ....