Running Out of Inodes With PHP Sessions

By Tyler on

As I found out, a little-known “feature” of PHP is that a custom location can be set for session files, and that location isn’t automatically cleared by a cron job. If the PHP application is crappy enough (cough, cough), it won’t clear them on its own but will blindly trust PHP’s garbage collection to do so, which is oftentimes disabled by default – at least on Debian systems. After a while these session files pile up until all inodes are used up and the application fails. Read more about this here and here.

Here’s how to solve it:

Create a shell script, clearTempFiles.sh.

#!/bin/sh
find /var/www -type f -name "sess_*" -delete

Make it executable:

chmod +x clearTempFiles.sh

Create a cron job. In this example, clearTempFiles.sh is set to run every Sunday at 4 AM.

0 4 * * 0 /home/yourname/clearTempFiles.sh

After running this script once, my inode usage dropped from nearly 100% to 20% and over 100k inodes were freed. Alternatively, you could set the session.gc_probability in php.ini.
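A variant of clearTempFiles.sh that deletes only stale session files, so sessions still in use survive the cleanup. This is an added example, not the script from the post; the function names, the directory argument and the 24-minute fallback (PHP's stock session.gc_maxlifetime of 1440 seconds) are assumptions.

```shell
#!/bin/sh
# Added example: prune only stale PHP session files (sess_*).
# Cron usage (assumed layout): 0 4 * * 0 /home/yourname/clearTempFiles.sh /var/www

# default_age_min: session.gc_maxlifetime in whole minutes, read from the php
# CLI when present (its php.ini can differ from the web server's), else 24.
default_age_min() {
    secs=$(php -r 'echo (int) ini_get("session.gc_maxlifetime");' 2>/dev/null) || secs=
    case $secs in ''|*[!0-9]*) secs=1440 ;; esac
    echo $(( (secs + 59) / 60 ))
}

# prune_sessions DIR MINUTES: delete sess_* files under DIR whose last
# modification is more than MINUTES minutes old. PHP's file handler refreshes
# the mtime when a session is used, so live sessions stay recent and survive.
prune_sessions() {
    dir=$1
    age=$2
    if [ ! -d "$dir" ]; then
        echo "prune_sessions: not a directory: $dir" >&2
        return 1
    fi
    case $age in
        ''|*[!0-9]*) echo "prune_sessions: bad age: $age" >&2; return 1 ;;
    esac
    # -xdev stays on one filesystem; -type f skips symlinks and directories.
    find "$dir" -xdev -type f -name 'sess_*' -mmin "+$age" -delete
}

# count_sessions DIR: number of session files currently under DIR.
count_sessions() {
    find "$1" -xdev -type f -name 'sess_*' | wc -l | tr -d ' '
}

# Run only when a directory is passed, so sourcing the file has no side effects.
if [ "$#" -ge 1 ]; then
    prune_sessions "$1" "${2:-$(default_age_min)}"
    echo "session files left under $1: $(count_sessions "$1")"
fi
```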

iMacros for Chrome - Enumerate Form

By Tyler on

This iMacro takes the current loop number, zerofills it, inserts the value into a text box, and then submits the form. It could be useful in testing for enumeration vulnerabilities. Requires iMacros for Chrome.

TAG POS=1 TYPE=INPUT:TEXT FORM=ID:form_id ATTR=ID:input_text_id CONTENT=EVAL("('0000' + {{!LOOP}} ).slice(-4);")
TAG POS=1 TYPE=INPUT:SUBMIT FORM=ID:form_id ATTR=ID:input_submit_id
WAIT SECONDS=1

If zerofilling isn’t necessary, replace the text after CONTENT= with {{!LOOP}}.

Ansible Git Module - Private Key Not Found

By Tyler on

Ansible’s git module fails when given a relative path for key_file. The realpath Jinja2 filter solves this problem.

- name: Deploy using Git over SSH
  git: repo=ssh://git@example.com/foo.git
       dest=/bar
       version=master
       key_file={{ "ssh_keys/id_rsa" | realpath }}
       accept_hostkey=true
       force=yes