BCBus launched on Android Market

Today I’ve launched an application on the Android market. BCBus allows you to access BCTransit’s latest schedules offline with an awesome interface. Future releases will include features like Maps, Route Information, Alarms and Favorites.



Why is BCBus better than traditional paper schedules?

  • It helps the environment by reducing the amount of paper wasted on printed schedules

  • Its interface allows you to access the information you want faster.

  • Fits in your pocket

  • No need to get a new one every season

  • Multiple schedules in one place, excellent for people who travel a lot inside BC and use the public transportation system.


Learn more about it

BCBus Android Application





Android applications for web developers

Although my Nexus One is not necessarily the best device to work on for web development tasks, I decided to check out the applications already available for Android, and it was a nice surprise to find some useful tools.

If you do some web development, you should consider checking out the following apps:

DroidAnalytics (FREE)

This app lets you visualize your Google Analytics data. Until Google releases the official Google Analytics application, this seems to be the best client out there.


With GDOCS you can manage your documents in your Google Documents account. Gdocs is very useful for sharing documents with specifications, presentations and other resources.

Android CodePad (FREE)

This is a source code viewer with syntax highlighting. It supports all the main languages and it just does the job right.

PHP Manual (FREE)

PHP reference at your fingertips.

RegExpErt (FREE)

Test your regex nightmares before unleashing them into the wild.

MySQL Analyzer ($2.99)

This app lets you manage your MySQL database. The app supports analyzing, profiling and executing queries right on your phone.

Dropbox (FREE)

Synchronize files between all your different devices. Note: I have had some issues with larger files, but it seems to work perfectly with files under 10MB.

TimeTracker (FREE)

Best free time tracking tool I’ve tried. Useful for billing clients and keeping track of your hours, tasks and projects.


Fully featured FTP/SFTP/FTPS client. Simply the best free FTP/SFTP/FTPS client you can get.

vRecorder (FREE)

I wasn’t sure if I should include this one here, but I think it’s very useful to record a client when you are gathering requirements over the phone. Remember to check your local laws before doing this.


Did I miss a gem? Let me know in the comments.



P != NP

Vinay Deolalikar has presented his attempt to prove P!=NP. Although it hasn’t been accepted by the community it seems like a serious attempt so I’m excited about this. Hopefully this proof won’t be another hoax.


In other news, I don’t have any new material to post since I’ve been pretty busy with school these days, but stay tuned for the upcoming tutorial: Training tesseract to read your favorite captcha


PHP function to anonymize HTTP GET requests using the Tor network

Recovered from my old blog.

function torHttpGet($url, $ref) {
    $torIPPort = ""; // Tor's proxy address, e.g. 127.0.0.1:9050 (Tor's default SOCKS port)
    $agentBrowser = array('Firefox','Safari','Opera','Flock','Internet Explorer','Epiphany','AOL Explorer','Seamonkey','Konqueror','GoogleBot');
    $agentOS = array('Windows 2000','Windows NT','Windows XP','Windows Vista','Redhat Linux','Ubuntu','Fedora','FreeBSD','OpenBSD','OS 10.5');

    // Pick a random entry from each list. The upper bound is derived from the
    // array size, so rand() can never produce an undefined index (the original
    // rand(0,11) overran the ten-element $agentOS array).
    $useragent = $agentBrowser[rand(0, count($agentBrowser) - 1)].'/'.rand(1,8).'.'.rand(0,9)
        .' ('.$agentOS[rand(0, count($agentOS) - 1)].' '.rand(1,7).'.'.rand(0,9).'; en-US;)';

    $curl_obj = curl_init();
    curl_setopt($curl_obj, CURLOPT_URL, $url);
    curl_setopt($curl_obj, CURLOPT_REFERER, $ref);
    curl_setopt($curl_obj, CURLOPT_HEADER, TRUE);         // response headers are returned together with the body
    curl_setopt($curl_obj, CURLOPT_HTTPGET, TRUE);
    curl_setopt($curl_obj, CURLOPT_SSL_VERIFYPEER, TRUE); // keep certificate checks on; a malicious exit node could otherwise tamper with HTTPS traffic
    curl_setopt($curl_obj, CURLOPT_FOLLOWLOCATION, TRUE);
    curl_setopt($curl_obj, CURLOPT_MAXREDIRS, 3);
    curl_setopt($curl_obj, CURLOPT_RETURNTRANSFER, TRUE);
    curl_setopt($curl_obj, CURLOPT_TIMEOUT, 10);
    curl_setopt($curl_obj, CURLOPT_USERAGENT, $useragent);
    curl_setopt($curl_obj, CURLOPT_PROXY, $torIPPort);
    // Tor speaks SOCKS, not HTTP; resolving hostnames through the proxy keeps DNS
    // lookups inside Tor as well. Drop this line if $torIPPort points at an HTTP
    // proxy (such as Privoxy) placed in front of Tor.
    curl_setopt($curl_obj, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5_HOSTNAME);

    $page = curl_exec($curl_obj);
    $err = curl_error($curl_obj); // human-readable error message, empty string on success
    curl_close($curl_obj);

    if (strlen($err) > 0)
        return -1;
    return $page;
}


Watermarking videos with ffmpeg in Ubuntu 9.1

Last week I wanted to automate watermarking some .flv videos, but ffmpeg’s vhook support is deprecated in newer versions, including the one in the repositories of Ubuntu 9.1.

Since it took me some time to figure out which packages and compilation flags I needed, I wrote this short tutorial about watermarking videos with ffmpeg in Ubuntu 9.1, including compiling ffmpeg from source to support the deprecated vhooks.

Get ffmpeg’s source code

Download and untar ffmpeg 0.5.2 stable. We are using this version because vhook support has been removed from newer releases.


Install the dependencies

Install the following packages:

sudo apt-get install libfreetype6-dev libfaac-dev libfaad-dev \
    libmp3lame-dev libtheora-dev libx264-dev libxvidcore4-dev libpostproc-dev

Compile ffmpeg from source

cd <ffmpeg's src dir>
./configure --enable-gpl --enable-nonfree --enable-pthreads \
    --enable-libfaac --enable-libfaad --enable-libmp3lame --enable-libtheora \
    --enable-libx264 --enable-libxvid --enable-postproc
sudo make install

Watermarking videos with ffmpeg with drawtext.so

ffmpeg -i video.flv -vhook '/usr/local/lib/vhook/drawtext.so -f /usr/share/fonts/truetype/msttcorefonts/arial.ttf -x 5 -y 5 -t yourtext'

PHPIDS Component Implementation for CakePHP

I posted a CakePHP component implementation of PHPIDS today. It includes the latest PHPIDS version (0.6.4).


What I like about the component implementation is that you set the actions you want to monitor when you import the component in the corresponding controllers or your main app_controller.php. Something like this:

var $components = array('Cakephpids' => array('protectedActions' => array('login', 'add', 'register', 'display')));

Putting this in your main app_controller will run the IDS only when the actions listed under protectedActions (login, add, register and display) are executed.


XSS vulnerabilities in Croogo CMS 1.3


Croogo CMS is prone to HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.


Vulnerable Software: 1.3
Full disclosure Date: 2010-06-14
Last Update: 2010-05-10
Critical: Low
Impact: HTML injection
           Session hijack
           Denial of service
           Code execution

Solution Status: Vendor informed and patch submitted to public repository


Croogo is a content management system that is rapidly gaining popularity in the CakePHP community.


Croogo CMS is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.


Attackers can exploit this issue from a web browser by submitting malicious input through the field ‘name’ in the user registration form (http://site/users/add) or the field ‘data[Comment][body]’ in the “add a comment” form used to comment on a post (http://site/comments/add/).

In the second case the field ‘data[Comment][body]’ is sanitized correctly on the server, but Tipsy, the JavaScript library in charge of creating the tooltips, decodes the stored sanitized string once more before inserting it as HTML, which allows HTML injection in the admin panel.
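The failure mode described above, as an added example that is not Croogo’s or Tipsy’s code: a value is entity-encoded once on the server and placed in an attribute, the browser decodes the attribute once when a script reads it, and a tooltip routine that then hands the decoded value to innerHTML (or jQuery’s .html()) turns the original markup live again. The function names (escapeHtml, decodeEntities, tooltipHtmlUnsafe, tooltipHtmlSafe) and the sample comment body are assumptions made for the example, and decodeEntities is a stand-in for the browser’s attribute parsing so the model runs without a DOM.

```javascript
// Added example (not Croogo's or Tipsy's code): models how a value that the
// server escaped once is re-interpreted as markup by a tooltip routine.

// Server-side sanitizer: entity-encodes the five characters that matter in HTML.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Stand-in for what the browser does when a script reads an attribute such as
// title="...": the entities in the attribute value are decoded exactly once.
function decodeEntities(s) {
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (m, name) => ({
    amp: "&", lt: "<", gt: ">", quot: '"', "#39": "'",
  })[name]);
}

// Unsafe tooltip: concatenates the decoded attribute value straight into markup,
// which is what innerHTML / jQuery .html() does. The server's escaping is undone.
function tooltipHtmlUnsafe(attrValue) {
  return '<div class="tooltip">' + decodeEntities(attrValue) + "</div>";
}

// Safe tooltip: treats the decoded attribute value as text (textContent /
// jQuery .text()), i.e. re-escapes it before it becomes part of markup.
function tooltipHtmlSafe(attrValue) {
  return '<div class="tooltip">' + escapeHtml(decodeEntities(attrValue)) + "</div>";
}

// Constructed sample: a comment body containing markup, as a user would submit it.
const submitted = "hello <b>world</b>";
// What the server stores after sanitizing, and what ends up in the title attribute.
const stored = escapeHtml(submitted);

console.log("stored attribute value:", stored);
console.log("unsafe tooltip markup:", tooltipHtmlUnsafe(stored)); // the <b> tag is live again
console.log("safe tooltip markup:  ", tooltipHtmlSafe(stored));   // stays inert text
```

The server-side escaping is not wrong; the bug is that the client treats already-decoded attribute text as HTML. The fix is on the client: consume attribute values as text, or escape them again at the point where they are turned into markup.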


Upgrade to Croogo 1.3.1 or apply the patch from Croogo’s public repository.


2010/05/08 – Vulnerability discovered
2010/05/08 – Vendor contacted
2010/05/12 – Patch submitted to Croogo’s public source code repositories
2010/06/14 – Full disclosure


Croogo CMS – Croogo CMS Official website
Croogo on GitHub – Croogo GitHub
Websec’s advisory permalink – http://websec.ca/advisories/view/ws10-08-croogo_cms_1.3_xss_vulnerabilities