Gentoo Forums
VHCS2 on Gentoo HowTo
joshua
Tux's lil' helper
Joined: 19 Jun 2002
Posts: 134
Location: Wiesbaden

Posted: Wed Feb 22, 2006 3:41 am    Post subject: Security warning!

Don't use VHCS on production systems. For heaven's sake!
I actually do, but I need to get away from this ASAP, because
we've been hacked twice. Whoever wrote a couple of lines in
any programming language can easily find out in no more than
5 minutes that the quality of the VHCS source code is very poor.
I've seen it, it scared me, but laziness won. At least up to now.
Besides that, the developers (at least one of them) don't seem
to be cooperative at all or even respectful in any way.

Read this:
http://www.rs-labs.com/adv/RS-Labs-Advisory-2006-1.txt

and this:
http://vhcs.net/new/modules/newbb/viewtopic.php?topic_id=4801&forum=1

in any order you like. It scares me, it disappoints me and it once
again makes me think about writing such a software by myself.

If you know any useful alternatives, please tell me.

Have a nice and secure day ...
_________________
Daniel Haus
http://danielhaus.de

planet-admin
Apprentice
Joined: 27 Mar 2004
Posts: 212
Location: Boise, ID

Posted: Wed Feb 22, 2006 3:43 am

The hacks I'm sure were related to the very serious but recently patched vulnerability in login.php?

Michael
_________________
Michael S. Moody
Sr. Systems Engineer
Global Systems Consulting
Web: http://www.GlobalSystemsConsulting.com

joshua
Tux's lil' helper
Joined: 19 Jun 2002
Posts: 134
Location: Wiesbaden

Posted: Wed Feb 22, 2006 3:48 am

planet-admin wrote:
The hacks I'm sure were related to the very serious but recently patched vulnerability in login.php?

Michael


Seems like, yes.
_________________
Daniel Haus
http://danielhaus.de

planet-admin
Apprentice
Joined: 27 Mar 2004
Posts: 212
Location: Boise, ID

Posted: Wed Feb 22, 2006 3:49 am

Sites randomly getting deleted without a user logging in to do it?

Michael
_________________
Michael S. Moody
Sr. Systems Engineer
Global Systems Consulting
Web: http://www.GlobalSystemsConsulting.com

joshua
Tux's lil' helper
Joined: 19 Jun 2002
Posts: 134
Location: Wiesbaden

Posted: Wed Feb 22, 2006 3:54 am

No, luckily it's by far not that bad. I guess it was just a warning,
someone created two admin accounts. Within a couple of minutes
I shut VHCS down and patched it.

Harmless. Still, if I think of what the intruder could have done ... uh.
_________________
Daniel Haus
http://danielhaus.de

planet-admin
Apprentice
Joined: 27 Mar 2004
Posts: 212
Location: Boise, ID

Posted: Wed Feb 22, 2006 3:56 am

Agreed, but that's the daily windows users' plight, that they're not even aware of.

I think vhcs2 is quite nifty, it just needs a LOT of modification from any how-to to get it locked down.

Michael
_________________
Michael S. Moody
Sr. Systems Engineer
Global Systems Consulting
Web: http://www.GlobalSystemsConsulting.com

joshua
Tux's lil' helper
Joined: 19 Jun 2002
Posts: 134
Location: Wiesbaden

Posted: Wed Feb 22, 2006 4:04 am

I can't imagine there's anybody, who wants to work with such a mess of code.

And now that I've seen how the development team reacts to such serious
situations I just want to get away from this ...

I do highly appreciate people giving their hard work away for free, but this is
simply embarrassing.
_________________
Daniel Haus
http://danielhaus.de

planet-admin
Apprentice
Joined: 27 Mar 2004
Posts: 212
Location: Boise, ID

Posted: Wed Feb 22, 2006 4:20 am

I was impressed with the newest version, 2.4.7, after fighting all day to upgrade, the code seems clean, but there are some issues.

My one and only unsolved issue right now is the protected areas feature.

It writes the password using the digest method, and that would work, except apache doesn't seem to want to use digest, and instead only works with basic (old school DES).

Ideas?

Michael
_________________
Michael S. Moody
Sr. Systems Engineer
Global Systems Consulting
Web: http://www.GlobalSystemsConsulting.com

joshua
Tux's lil' helper
Joined: 19 Jun 2002
Posts: 134
Location: Wiesbaden

Posted: Wed Feb 22, 2006 5:02 am

I'm sorry, Michael, I'm not that far yet. Currently it won't update my domains
and non-admins can't log in. Seems like Perl has problems connecting to MySQL.
_________________
Daniel Haus
http://danielhaus.de

planet-admin
Apprentice
Joined: 27 Mar 2004
Posts: 212
Location: Boise, ID

Posted: Wed Feb 22, 2006 5:05 am

I can probably help you with those issues, as vhcs is working just about flawlessly on my side.
(after manually editing mysql tables, config files, and the like for the last 8 hours)

Can you be more specific?

Michael
_________________
Michael S. Moody
Sr. Systems Engineer
Global Systems Consulting
Web: http://www.GlobalSystemsConsulting.com

joshua
Tux's lil' helper
Joined: 19 Jun 2002
Posts: 134
Location: Wiesbaden

Posted: Wed Feb 22, 2006 5:14 am

Here's the relevant part of vhcs2-rqst-mngr:
Code:
DBI connect('vhcs2:localhost','vhcs2',...) failed: Access denied for user 'vhcs2'@'localhost' (using password: YES) at /var/www/vhcs2/engine//vhcs2_common_code.pl line 237
DEBUG: push_el() sub_name: doSQL(), msg: ERROR: Unable to connect SQL server !
DEBUG: pop_el() sub_name: doSQL(), msg: ERROR: Unable to connect SQL server !


PHP seems to connect fine, because I can login as admin via the web.
And running vhcs2-db-passwd gives me

Code:
Please Enter Your Current Password:
>>> Enterred password does not match. Please try again !

_________________
Daniel Haus
http://danielhaus.de

planet-admin
Apprentice
Joined: 27 Mar 2004
Posts: 212
Location: Boise, ID

Posted: Wed Feb 22, 2006 5:16 am

All right, so phpmyadmin works fine for that database, username, and password?

Michael
_________________
Michael S. Moody
Sr. Systems Engineer
Global Systems Consulting
Web: http://www.GlobalSystemsConsulting.com

joshua
Tux's lil' helper
Joined: 19 Jun 2002
Posts: 134
Location: Wiesbaden

Posted: Wed Feb 22, 2006 5:23 am

Yes, it does, it's just the Perl, it seems. Might this have to do with the
new MySQL passwords (using 4.1)? I tried remerging all perl-mysql
packages I could find. Still no luck.

EDIT: fixed some typos (twice), it's 6:25 in the morning over here


Last edited by joshua on Wed Feb 22, 2006 5:37 am; edited 1 time in total

planet-admin
Apprentice
Joined: 27 Mar 2004
Posts: 212
Location: Boise, ID

Posted: Wed Feb 22, 2006 5:31 am

In /etc/vhcs2/vhcs2.conf , what does the line
DATABASE_PASSWORD =

say?

(Well, does it say anything at all?)

Michael
_________________
Michael S. Moody
Sr. Systems Engineer
Global Systems Consulting
Web: http://www.GlobalSystemsConsulting.com

joshua
Tux's lil' helper
Joined: 19 Jun 2002
Posts: 134
Location: Wiesbaden

Posted: Wed Feb 22, 2006 5:36 am

It says
Code:
DATABASE_PASSWORD = {11 alphanumeric chars}=

planet-admin
Apprentice
Joined: 27 Mar 2004
Posts: 212
Location: Boise, ID

Posted: Wed Feb 22, 2006 5:39 am

OK, so it's actually got a password there.

Try logging into your database from a terminal, using mysql, the database name is vhcs2.

See if that works, because I'd like to track down where the error lies.

Michael
_________________
Michael S. Moody
Sr. Systems Engineer
Global Systems Consulting
Web: http://www.GlobalSystemsConsulting.com

joshua
Tux's lil' helper
Joined: 19 Jun 2002
Posts: 134
Location: Wiesbaden

Posted: Wed Feb 22, 2006 5:41 am

works!

joshua
Tux's lil' helper
Joined: 19 Jun 2002
Posts: 134
Location: Wiesbaden

Posted: Wed Feb 22, 2006 3:29 pm

Strange things happening here. The following script
Code:
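use strict;
use warnings;
use DBI();

# Connection parameters for the VHCS2 database
my $host = "localhost";
my $base = "vhcs2";
my $user = "vhcs2";
my $pass = "MySuperSecretPassw0rd";

# RaiseError makes DBI die with the driver's error message if the connect fails
my $dbh = DBI->connect("DBI:mysql:database=$base;host=$host", $user, $pass, {'RaiseError' => 1});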


gives
Code:
DBI connect('database=vhcs2;host=localhost','vhcs2',...) failed: Access denied for user 'vhcs2'@'localhost' (using password: YES) at ./test.pl line 10


The PHP-equivalent
Code:
<?php

$host="localhost";
$user="vhcs2";
$pass="MySuperSecretPassw0rd";

$h = mysql_connect($host, $user, $pass);
?>


says
Code:
Warning: mysql_connect(): Access denied for user 'vhcs2'@'localhost' (using password: YES) in /root/test.php on line 9


Code:
mysql -u vhcs2 -p

still works.

I can login over the web through login.php. How's that?
How can vhcs's PHP-files access the database while my
test.php can't? Is there a problem with mysql password
encryption? I'm running mysql-4.1.14 btw.

EDIT:
Stupid idiot as I am, I managed to c&p a hard to see typo into both
of the scripts. DOH! Actually I can connect through DBI and PHP,
but still vhcs2-rqst-mngr can't connect. I'm getting closer. I'm
almost sure my DATABASE_PASSWORD entry in vhcs2.conf is wrong.
Checking it.

nightcanton
Apprentice
Joined: 26 Feb 2003
Posts: 249

Posted: Mon Feb 27, 2006 5:58 am

I'm getting this error. Any ideas?

Code:
Failed Test         Stat Wstat Total Fail  Failed  List of Failed
-------------------------------------------------------------------------------
t/10dsnlist.t         10  2560     9   17 188.89%  1-9
t/20createdrop.t      10  2560     5    9 180.00%  1-5
t/30insertfetch.t     10  2560    11   21 190.91%  1-11
t/35limit.t           10  2560   113  225 199.12%  1-113
t/40bindparam.t       10  2560    27   53 196.30%  1-27
t/40blobs.t           10  2560    11   21 190.91%  1-11
t/40listfields.t      10  2560    18   35 194.44%  1-18
t/40nulls.t           10  2560    11   21 190.91%  1-11
t/40numrows.t         10  2560    25   49 196.00%  1-25
t/41blobs_prepare.t   10  2560    24   47 195.83%  1-24
t/50chopblanks.t      10  2560    35   69 197.14%  1-35
t/50commit.t         255 65280    30   59 196.67%  1-30
t/ak-dbd.t           255 65280    90  175 194.44%  1 4-90
t/akmisc.t            10  2560   351  701 199.72%  1-351
t/dbdadmin.t          10  2560    21   41 195.24%  1-21
t/insertid.t         255 65280    12   24 200.00%  1-12
t/mysql.t                         ??   ??       %  ??
t/mysql2.t           255 65280    ??   ??       %  ??
1 test skipped.
Failed 18/20 test scripts, 10.00% okay. 859/866 subtests failed, 0.81% okay.
make: *** [test_dynamic] Error 255
  /usr/bin/make test -- NOT OK
Running make install
  make test had returned bad status, won't install without force

hurricane
Tux's lil' helper
Joined: 15 Jul 2004
Posts: 100

Posted: Mon Mar 06, 2006 2:50 am    Post subject: Re: VHCS2 on Gentoo HowTo

taskara wrote:
Update Nov 2005:
Try this newer howto. The one below is too old.


I'm sorry, but that guide does not nearly work on gentoo. Not even a bit.

- "dev-perl/libnet" does not exist (anymore), in:
emerge -av postfix apache Authen-DigestMD5 BerkeleyDB bind Class-DBI-mysql expect courier-imap Crypt-Blowfish crypt-cbc cyrus-sasl Date-Calc DateManip DBD-mysql dev-perl/libnet gawk gzip IO-stringy iptables libmcrypt libperl MailTools MD5 MIME-Base64 MIME-tools dev-lang/php mysql Net-DNS Net-Netmask perl procmail proftpd SNMP_Session tar TermReadKey TimeDate vixie-cron

- "http://www.pure-dream.com/filez/vhcs2.conf" has some missing settings, in:
For ~x86 gentoo i use this config: ...

- These are no perl-modules, right? In:
USE="-X" emerge -av lynx ftp gnupg ncftp unzip zip

- "g-cpan.pl" does not exist, in:
g-cpan.pl MIME::Entity MIME::Parser MIME::Base64 Crypt::CBC Crypt::Blowfish Term::ReadPassword

- vhcs does not install correctly. this does NOT work, because vhcs installs to "/tmp/vhcs2-*/":
cd /var/www/localhost/htdocs/vhcs2/engine/setup/ ; ./vhcs2-setup

- even when I use "cd /tmp/vhcs2-*/var/www/vhcs2/engine/setup/ ; ./vhcs2-setup" I get errors about missing perl modules. (because above, "g-cpan.pl" did exist)

- Finally, please try to cut down the use flags and leave some room for people not wanting those flags. (but this is last prio)

So what do i have to do to get it running?

It would be REALLY nice if someone could automatize this into an ebuild!



spottraining
n00b
Joined: 30 Jan 2005
Posts: 73
Location: Estonia

Posted: Tue Mar 07, 2006 4:14 am

This Taskara guide is a little old, but it's still possible to get VHCS to work. It only needs some time and a little work.

This libnet - I don't use this and I don't find that it's needed.
About vhcs.conf - some lines are missing, yes. It's missing ETC_SLDAB I think. But you can easily add this.

For Perl modules:
first emerge g-cpan
and then you can install all needed Perl modules using g-cpan - it's simple.

Also about installation patch - when you look more at this Taskara guide, then the script is installing VHCS to the tmp folder first. After all is done, you can copy this to the right place.
_________________
Sorry about bad English - I am learning....

The box said Windows XP or better, so I installed Linux

Jovana
n00b
Joined: 23 Nov 2005
Posts: 53

Posted: Tue Mar 07, 2006 1:57 pm

Does someone know how to fix this problem:

I ran ./vhcs2-setup.
It started and asked me a few questions.
I gave answers, and after this question (I think it's the last one): "Please enter admininistrator email address"
This error appeared: "ERROR: mkdir() returned '0' status !"

spottraining
n00b
Joined: 30 Jan 2005
Posts: 73
Location: Estonia

Posted: Tue Mar 07, 2006 2:42 pm

Jovana wrote:
Does someone know how to fix this problem:

I ran ./vhcs2-setup.
It started and asked me a few questions.
I gave answers, and after this question (I think it's the last one): "Please enter admininistrator email address"
This error appeared: "ERROR: mkdir() returned '0' status !"

Look - is there some vhcs2 folder created in the tmp folder or not? If yes, then delete it.
_________________
Sorry about bad English - I am learning....

The box said Windows XP or better, so I installed Linux

Jovana
n00b
Joined: 23 Nov 2005
Posts: 53

Posted: Tue Mar 07, 2006 3:01 pm

I run the setup from the /tmp folder, because after the make install all the stuff is copied there.

spottraining
n00b
Joined: 30 Jan 2005
Posts: 73
Location: Estonia

Posted: Wed Mar 08, 2006 9:09 am

Jovana wrote:
I run the setup from the /tmp folder, because after the make install all the stuff is copied there.


For some reason the script cannot make some directory. Then it gives this error. Or you don't have permissions - but I think you run this script under root privileges. Look in /var/www/ and if there is a folder vhcs2, then delete it. Also, is there a directory vhcs2 in /etc/? It can be the solution but I am not sure.

You can try to delete all vhcs2 from /tmp and then make a new install and after this try again.
_________________
Sorry about bad English - I am learning....

The box said Windows XP or better, so I installed Linux

All times are GMT
Page 4 of 5