
GNU bash Environment Variable Command Injection

You can test your server for bash command injection with

[root@ss ~]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test

Update bash with

# yum -y update bash

and you’ll get

[root@ss ~]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
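The same env-function test, wrapped so that a script (a cron job or a fleet-wide ssh loop) gets an exit status instead of a human reading the output. This is an added example, not part of the original post; it assumes only that bash is on PATH.

```shell
# Added example (not from the original post): wraps the env-function test
# from the post into a function with a machine-readable result.
#   0 = patched      (bash refuses to run anything after the function body)
#   1 = vulnerable   (the trailing "echo vulnerable" was executed)
#   2 = no bash found on this host
# Assumes bash is on PATH; POSIX sh otherwise.
shellshock_check() {
  command -v bash >/dev/null 2>&1 || return 2
  # stderr is merged so the warning printed by a patched bash ends up in logs
  out=$(env x='() { :;}; echo vulnerable' bash -c "echo this is a test" 2>&1)
  case "$out" in
    *vulnerable*) return 1 ;;
    *)            return 0 ;;
  esac
}

# One-line report per host, e.g. for: for h in $hosts; do ssh "$h" ...; done
shellshock_report() {
  shellshock_check && rc=0 || rc=$?
  ver=$(bash -c 'echo "$BASH_VERSION"' 2>/dev/null)
  case $rc in
    0) echo "$(uname -n): bash $ver patched" ;;
    1) echo "$(uname -n): bash $ver VULNERABLE - update bash now" ;;
    2) echo "$(uname -n): no bash installed" ;;
  esac
  return $rc
}
```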

Posted in CentOS.


An XSS (Cross-Site Scripting) attack is a type of injection in which malicious scripts are injected into otherwise trusted web sites. Your browser has no way to know that the script should not be trusted, and will execute it. The script can then access any cookies, session tokens, or other sensitive information, which can be passed on to the attacker.

The golden rule “Do not trust user input” seems to be forgotten in some cases. Someone succeeded in injecting a malicious script via a TXT record on his domain, and the script is promptly executed when you look the domain up via Whois services.

The vulnerable sites:

Some of them are already patched but the taste remains :)

The ycombinator discussion:

The exact TXT content:

comp@comp ~ $ dig txt
; <<>> DiG 9.9.5-3-Ubuntu <<>> txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24931
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 2, ADDITIONAL: 3
; EDNS: version: 0, flags:; udp: 4096
;; ANSWER SECTION:
	300	IN	TXT	"google-site-verification=nZUP4BagJAjQZO6AImXyzJZBXBf9s1FbDZr8pzNLTCI"
	300	IN	TXT	"<iframe width='420' height='315' src='//' frameborder='0' allowfullscreen></iframe>"
	300	IN	TXT	"v=spf1 ?all"
	300	IN	TXT	"<script src='//'></script>"
;; ADDITIONAL SECTION:
	11832	IN	A	
	11832	IN	AAAA	2400:cb00:2049:1::adf5:3b74
;; Query time: 81 msec
;; WHEN: Thu Sep 18 23:21:30 CEST 2014
;; MSG SIZE  rcvd: 481
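A whois or dig web frontend that pipes resolver output straight into an HTML page is exactly what the TXT records above abuse. The filter below is the minimum such a frontend has to apply to every untrusted byte before it reaches a browser; it is an added example, not code from the original post or from any of the affected sites, and needs only POSIX sh and sed. The sample records are constructed from the ones shown above.

```shell
# Added example (not from the original post): HTML-escape untrusted text
# such as DNS TXT records before embedding it in a page. POSIX sh + sed.
html_escape() {
  # '&' must be replaced first, otherwise the entities inserted by the
  # later rules would be escaped a second time. In a sed replacement '&'
  # means "the matched text", so a literal ampersand is written as '\&'.
  sed -e 's/&/\&amp;/g' \
      -e 's/</\&lt;/g' \
      -e 's/>/\&gt;/g' \
      -e 's/"/\&quot;/g' \
      -e "s/'/\&#39;/g"
}

# Escapes a single record passed as an argument.
escape_one() { printf '%s' "$1" | html_escape; }

# Renders TXT records (one per line on stdin) as a <pre> block, the way a
# lookup frontend would show them. The tags survive only as visible text.
render_txt_records() {
  echo "<pre>"
  html_escape
  echo "</pre>"
}

# Constructed sample input: the harmless token and the tag-bearing record
# from the dig output above.
sample_txt="google-site-verification=nZUP4BagJAjQZO6AImXyzJZBXBf9s1FbDZr8pzNLTCI
<script src='//'></script>"
```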

Posted in DNS, Humor.

AN!Cluster Tutorial

Today I found something very interesting (and large): AN!Cluster_Tutorial_2

p.s. Please do not bother me for the next 30 days :)

Posted in CentOS.

Samsung printer on Linux – rastertosplc – No such file or directory

If you try to install a Samsung printer (in my case an ML1675) on Ubuntu 14.04 or Mint 17, you may run into a problem with a missing file, rastertosplc.

If you already added the printer via the CUPS web interface (http://localhost:631/) or via the printer wizard, delete the installed printer and follow these instructions.

Download the drivers from this page:, extract them and install them with:

sudo ./

(follow the wizard to complete process)

cd into /usr/lib/cups/filter and check whether the rastertosplc file exists.

If it doesn’t exist, add a symbolic link to /opt/smfp-common/printer/bin/rastertospl with

sudo ln -s /opt/smfp-common/printer/bin/rastertospl rastertosplc

afterwards you should have something like

bla@bla-178 /usr/lib/cups/filter $ ls -la
lrwxrwxrwx  1 root root     40 Aug 23 13:39 rastertospl -> /opt/smfp-common/printer/bin/rastertospl
lrwxrwxrwx  1 root root     40 Aug 23 13:51 rastertosplc -> /opt/smfp-common/printer/bin/rastertospl

The first link is probably created by the install script, while the second one is the “fix” for the “File "/usr/lib/cups/filter/rastertosplc" not available: No such file or directory” error.

After this, add the printer via the wizard and try to print a test page.


Posted in Mint Linux, Tips & Tricks.

100% true…


Posted in Humor.

CentOS server – NFS client/server howto

NFS stands for Network File System; through NFS a client can read and/or write a remote share on an NFS server as if it were on a local hard disk.

The first step in setting up an NFS client/server pair is to install the nfs-utils and nfs-utils-lib packages on both systems (server and client):

yum install nfs-utils nfs-utils-lib
chkconfig --levels 235 nfs on 
service nfs start

For example, the server IP is and the client

I’d like to use the /test and /var/test directories from the client system. To make them accessible we must “export” them on the server.

From the client system, the NFS share is usually accessed as the user “nobody” (by default the server maps the client’s root to nobody). If the directory isn’t owned by nobody, read/write access from the NFS client has to be done as root.
In this howto, the /test dir will be used as root while /var/test will be used as “nobody”. If the /var/test directory doesn’t exist, create it and change the ownership to user/group 65534 (a nonexistent user/group).

mkdir /var/test
chown 65534:65534 /var/test

The next step (on the server side) is to modify /etc/exports

nano /etc/exports

and add the following lines

/test ,sync,no_root_squash,no_subtree_check)

The no_root_squash parameter means the directory is accessed as root, i.e. the client’s root is not mapped to nobody (all files copied/created from the client will be owned by root).

After you modify /etc/exports, run exportfs -a to make the changes effective.

exportfs -a

The next step (on the client side) is to create the directories where you want to mount the NFS shares:

mkdir -p /mnt/test
mkdir -p /mnt/var/test

Mount NFS shares with

mount /mnt/test
mount /mnt/var/test

Verify the settings with:

df -h

The result should be something like

[root@client ~]# df -h
Filesystem            Size  Used Avail Use% Mounted on
....    100G  25G   75G  25% /mnt/test
                       100G  25G   75G  25% /mnt/var/test

Also check the output of mount; it should be something like

[root@client ~]# mount
.... on /mnt/test type nfs (rw,addr=
.... on /mnt/var/test type nfs (rw,addr=

To mount the NFS shares at boot time, add the following lines to /etc/fstab:

  /mnt/test   nfs      rw,sync,hard,intr  0     0
  /mnt/var/test   nfs      rw,sync,hard,intr  0     0

Don’t forget to check the settings after a reboot.
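Because no_root_squash hands the client’s root full root access on the server, an /etc/exports file deserves a quick review before exportfs -a. The audit below is an added example, not part of the howto; it flags no_root_squash, the insecure option and exports with no host or a wildcard host (a space between the host and the parenthesis, a classic exports typo, makes the options apply to everyone). The sample file is constructed, with 192.0.2.10 standing in for the client address.

```shell
# Added example (not from the howto): audit /etc/exports for the options a
# reviewer checks first. Reads the file on stdin, prints one finding per
# line, exits 1 if anything was flagged and 0 when clean. POSIX sh + awk.
audit_exports() {
  awk '
    /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
    {
      path = $1
      if (NF < 2) { print path ": no client given (exported to everyone)"; found = 1; next }
      for (i = 2; i <= NF; i++) {
        client = $i; opts = ""
        # split "host(opt,opt)" into host and option list; a field that is
        # only "(opts)" means a space crept in before the parenthesis, which
        # exports(5) treats as "everyone, with these options"
        if (match(client, /\(.*\)$/)) {
          opts   = substr(client, RSTART + 1, RLENGTH - 2)
          client = substr(client, 1, RSTART - 1)
        }
        if (client == "" || client == "*") {
          print path ": wildcard client " (client == "" ? "(none given)" : client); found = 1
        }
        if (opts ~ /(^|,)no_root_squash(,|$)/) {
          print path ": no_root_squash for " client " (client root is server root)"; found = 1
        }
        if (opts ~ /(^|,)insecure(,|$)/) {
          print path ": insecure (source ports above 1023 accepted) for " client; found = 1
        }
      }
    }
    END { exit found ? 1 : 0 }
  '
}

# Constructed sample: the two exports from the howto plus a careless one.
sample_exports='/test      192.0.2.10(rw,sync,no_root_squash,no_subtree_check)
/var/test  192.0.2.10(rw,sync,no_subtree_check)
/srv/pub   *(rw)
/srv/oops  192.0.2.10 (rw,insecure)'
```

Run it with `printf '%s\n' "$sample_exports" | audit_exports` or `audit_exports < /etc/exports`.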

Posted in CentOS, Other, Server project, Tips & Tricks.


TrueType fonts under Debian

If you’re coming from Windows, you’ll probably notice the “difference” between the fonts on Linux and Windows: you probably don’t have the TrueType fonts installed that are commonly used on Windows-based systems. They are also known as “Windows Fonts” or “DejaVu fonts”.

You can easily install the TrueType fonts under Debian Linux:

# sudo apt-get install ttf-mscorefonts-installer

For Debian Lenny and later versions, free alternatives for the common Microsoft fonts Arial, Courier and Times New Roman are available in the ttf-liberation package. You can install it with:

# sudo apt-get install ttf-liberation

Log out of your current session and log in again to reload the fonts.

Posted in Mint Linux.

Mint Linux Cinnamon – Invisible menu text on Netbeans

I noticed a bug with Mint Linux (Cinnamon) and NetBeans: menu items that have an ‘active’ state are completely invisible. Actually, the text and the background colors are the same.

Mint 14 Nadia Cinnamon and later versions are affected (LMDE also) with NetBeans 7.3 and later.


The problem lies in the Mint-X GTK theme. To fix it, you need to edit the /usr/share/themes/Mint-X/gtk-2.0/Styles/menu.rc file; the lines

fg[ACTIVE] = @selected_fg_color

should be replaced with:

fg[ACTIVE] = @menu_fg_color

There are two such lines (in the “menu” style and the “menubar” style).


Edit: 7. Aug. 2014.

The fix shown above doesn’t work on Mint 17; it seems that Marco Moreno solved this problem.

According to, you’ll need to change the /usr/share/themes/Mint-X/gtk-2.0/styles/menus.rc file.

Change line 53 from:

fg[ACTIVE] = @base_color

to:

fg[ACTIVE] = @fg_color

Posted in Programming, Tips & Tricks.

Support Bosnia and Serbia

Serbia, Bosnia and Herzegovina, and Croatia have experienced floods of Biblical proportions since last week, the worst that the region has known since they began keeping records 120 years ago.
In Bosnia, more than 1 million people live in the affected areas and my city was affected too (Banja Luka, Republic of Srpska).

Now you know the reason why this blog was offline… The water was 10m from our servers…

Now we’re working together with our friends and trying to rebuild our country. I never asked for donations before, but now I will.

Please support this blog by donating to my country. I don’t need anything but near one million people do.

Donate by PayPal to the PayPal account of the Representative Office of the Republic of Srpska in Brussels.

The link for more information


Posted in Other.