joshua Tux's lil' helper
Joined: 19 Jun 2002 Posts: 134 Location: Wiesbaden
Posted: Wed Feb 22, 2006 3:41 am Post subject: Security warning!
Don't use VHCS on production systems. For heaven's sake!
I actually do, but I need to get away from this ASAP, because
we've been hacked twice. Whoever wrote a couple of lines in
any programming language can easily find out in no more than
5 minutes that the quality of the VHCS source code is very poor.
I've seen it, it scared me, but laziness won. At least up to now.
Besides that, the developers (at least one of them) don't seem
to be cooperative at all or even respectful in any way.
Read this:
http://www.rs-labs.com/adv/RS-Labs-Advisory-2006-1.txt
and this:
http://vhcs.net/new/modules/newbb/viewtopic.php?topic_id=4801&forum=1
in any order you like. It scares me, it disappoints me and it once
again makes me think about writing such software myself.
If you know any useful alternatives, please tell me.
Have a nice and secure day ...
_________________
Daniel Haus
http://danielhaus.de
planet-admin Apprentice
Joined: 27 Mar 2004 Posts: 213 Location: Boise, ID
Posted: Wed Feb 22, 2006 3:43 am
The hacks I'm sure were related to the very serious but recently patched vulnerability in login.php?
Michael
_________________
Michael S. Moody
Sr. Systems Engineer
Global Systems Consulting
Web: http://www.GlobalSystemsConsulting.com
joshua Tux's lil' helper
Posted: Wed Feb 22, 2006 3:48 am
planet-admin wrote:
> The hacks I'm sure were related to the very serious but recently patched vulnerability in login.php?
> Michael
Seems like, yes.
_________________
Daniel Haus
http://danielhaus.de
planet-admin Apprentice
Posted: Wed Feb 22, 2006 3:49 am
Sites randomly getting deleted without a user logging in to do it?
Michael
_________________
Michael S. Moody
Sr. Systems Engineer
Global Systems Consulting
Web: http://www.GlobalSystemsConsulting.com
joshua Tux's lil' helper
Posted: Wed Feb 22, 2006 3:54 am
No, luckily it's by far not that bad. I guess it was just a warning,
someone created two admin accounts. Within a couple of minutes
I shut VHCS down and patched it.
Harmless. Still, if I think of what the intruder could have done ... uh.
_________________
Daniel Haus
http://danielhaus.de
planet-admin Apprentice
Posted: Wed Feb 22, 2006 3:56 am
Agreed, but that's the daily Windows users' plight, which they're not even aware of.
I think vhcs2 is quite nifty, it just needs a LOT of modification from any how-to to get it locked down.
Michael
_________________
Michael S. Moody
Sr. Systems Engineer
Global Systems Consulting
Web: http://www.GlobalSystemsConsulting.com
joshua Tux's lil' helper
Posted: Wed Feb 22, 2006 4:04 am
I can't imagine there's anybody who wants to work with such a mess of code.
And now that I've seen how the development team reacts to such serious
situations I just want to get away from this ...
I do highly appreciate people giving their hard work away for free, but this is
simply embarrassing.
_________________
Daniel Haus
http://danielhaus.de
planet-admin Apprentice
Posted: Wed Feb 22, 2006 4:20 am
I was impressed with the newest version, 2.4.7: after fighting all day to upgrade, the code seems clean, but there are some issues.
My one and only unsolved issue right now is the protected areas feature.
It writes the password using the digest method, and that would work, except apache doesn't seem to want to use digest, and instead only works with basic (old school DES).
Ideas?
Michael
_________________
Michael S. Moody
Sr. Systems Engineer
Global Systems Consulting
Web: http://www.GlobalSystemsConsulting.com
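The digest-versus-basic mismatch Michael describes can be checked before touching Apache. The script below is an added example, not VHCS or Apache code, and assumes only the standard file formats: htpasswd lines are `user:hash` (13-character crypt, `$apr1$...` or `{SHA}...`), htdigest lines are `user:realm:md5hex(user:realm:password)`. The sample file contents are constructed.

```python
# Added example (not VHCS or Apache code): tell an htdigest-format password file
# from an htpasswd-format one, so a "protected areas" file can be checked against
# the AuthType Apache is actually configured with. Assumed line formats:
#   htpasswd -> user:hash   (13-char crypt, $apr1$..., or {SHA}...)
#   htdigest -> user:realm:md5hex(user:realm:password)
import hashlib
import re

CRYPT_RE = re.compile(r"[./0-9A-Za-z]{13}")
MD5HEX_RE = re.compile(r"[0-9a-f]{32}")


def digest_entry(user, realm, password):
    """Build an htdigest-format line the way htdigest(1) does (MD5 of user:realm:password)."""
    ha1 = hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()
    return f"{user}:{realm}:{ha1}"


def classify_line(line):
    """Return 'digest', 'basic' or 'unknown' for one password-file line."""
    fields = line.rstrip("\n").split(":")
    if len(fields) == 3 and MD5HEX_RE.fullmatch(fields[2]):
        return "digest"
    if len(fields) == 2:
        h = fields[1]
        if h.startswith("$apr1$") or h.startswith("{SHA}") or CRYPT_RE.fullmatch(h):
            return "basic"
    return "unknown"


def audit(lines, auth_type):
    """Return the users whose entries can never match the configured AuthType ('Basic' or 'Digest')."""
    want = {"Basic": "basic", "Digest": "digest"}[auth_type]
    mismatched = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if classify_line(line) != want:
            mismatched.append(line.split(":", 1)[0])
    return mismatched


# Constructed sample file: one digest entry as a panel would write it, next to a
# hand-made basic (crypt) entry. Neither comes from a real system.
SAMPLE_FILE = [
    digest_entry("alice", "Protected Area", "correct horse"),
    "bob:abJnggxhB/yWI",
]

if __name__ == "__main__":
    for auth_type in ("Basic", "Digest"):
        print(auth_type, "-> will not work for:", audit(SAMPLE_FILE, auth_type))
```

If the file turns out to be in htdigest format, the matching Apache configuration is `AuthType Digest` with mod_auth_digest loaded; entries in that format will never authenticate under `AuthType Basic`, however the passwords were set.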
joshua Tux's lil' helper
Posted: Wed Feb 22, 2006 5:02 am
I'm sorry, Michael, I'm not that far yet. Currently it won't update my domains
and non-admins can't log in. Seems like Perl has problems connecting to MySQL.
_________________
Daniel Haus
http://danielhaus.de
planet-admin Apprentice
Posted: Wed Feb 22, 2006 5:05 am
I can probably help you with those issues, as vhcs is working just about flawlessly on my side.
(after manually editing mysql tables, config files, and the like for the last 8 hours)
Can you be more specific?
Michael
_________________
Michael S. Moody
Sr. Systems Engineer
Global Systems Consulting
Web: http://www.GlobalSystemsConsulting.com
joshua Tux's lil' helper
Posted: Wed Feb 22, 2006 5:14 am
Here's the relevant part of vhcs2-rqst-mngr:
Code:
DBI connect('vhcs2:localhost','vhcs2',...) failed: Access denied for user 'vhcs2'@'localhost' (using password: YES) at /var/www/vhcs2/engine//vhcs2_common_code.pl line 237
DEBUG: push_el() sub_name: doSQL(), msg: ERROR: Unable to connect SQL server !
DEBUG: pop_el() sub_name: doSQL(), msg: ERROR: Unable to connect SQL server !
PHP seems to connect fine, because I can login as admin via the web.
And running vhcs2-db-passwd gives me
Code:
Please Enter Your Current Password:
>>> Enterred password does not match. Please try again !

_________________
Daniel Haus
http://danielhaus.de
planet-admin Apprentice
Posted: Wed Feb 22, 2006 5:16 am
All right, so phpmyadmin works fine for that database, username, and password?
Michael
_________________
Michael S. Moody
Sr. Systems Engineer
Global Systems Consulting
Web: http://www.GlobalSystemsConsulting.com
joshua Tux's lil' helper
Posted: Wed Feb 22, 2006 5:23 am
Yes, it does, it's just Perl, it seems. Might this have to do with the
new MySQL passwords (using 4.1)? I tried re-emerging all perl-mysql
packages I could find. Still no luck.
EDIT: fixed some typos (twice), it's 6:25 in the morning over here
Last edited by joshua on Wed Feb 22, 2006 5:37 am; edited 1 time in total
planet-admin Apprentice
Posted: Wed Feb 22, 2006 5:31 am
In /etc/vhcs2/vhcs2.conf , what does the line
DATABASE_PASSWORD =
say?
(Well, does it say anything at all?)
Michael
_________________
Michael S. Moody
Sr. Systems Engineer
Global Systems Consulting
Web: http://www.GlobalSystemsConsulting.com
joshua Tux's lil' helper
Posted: Wed Feb 22, 2006 5:36 am
It says
Code:
DATABASE_PASSWORD = {11 alphanumeric chars}=
planet-admin Apprentice
Posted: Wed Feb 22, 2006 5:39 am
OK, so it's actually got a password there.
Try logging into your database from a terminal, using mysql, the database name is vhcs2.
See if that works, because I'd like to track down where the error lies.
Michael
_________________
Michael S. Moody
Sr. Systems Engineer
Global Systems Consulting
Web: http://www.GlobalSystemsConsulting.com
joshua Tux's lil' helper
Posted: Wed Feb 22, 2006 5:41 am
Works!
joshua Tux's lil' helper
Posted: Wed Feb 22, 2006 3:29 pm
Strange things happening here. The following script
Code:
use strict;
use warnings;
use DBI;

# connection parameters for the vhcs2 database
my $host = "localhost";
my $base = "vhcs2";
my $user = "vhcs2";
my $pass = "MySuperSecretPassw0rd";
my $dbh = DBI->connect("DBI:mysql:database=$base;host=$host", $user, $pass, {'RaiseError' => 1});
gives
Code:
DBI connect('database=vhcs2;host=localhost','vhcs2',...) failed: Access denied for user 'vhcs2'@'localhost' (using password: YES) at ./test.pl line 10
The PHP equivalent
Code:
<?php
// same credentials as the Perl script above
$host = "localhost";
$user = "vhcs2";
$pass = "MySuperSecretPassw0rd";
$h = mysql_connect($host, $user, $pass);
?>
says
Code:
Warning: mysql_connect(): Access denied for user 'vhcs2'@'localhost' (using password: YES) in /root/test.php on line 9
Still works: I can log in over the web through login.php. How's that?
How can vhcs's PHP-files access the database while my
test.php can't? Is there a problem with mysql password
encryption? I'm running mysql-4.1.14 btw.
EDIT:
Stupid idiot as I am, I managed to c&p a hard to see typo into both
of the scripts. DOH! Actually I can connect through DBI and PHP,
but still vhcs2-rqst-mngr can't connect. I'm getting closer. I'm
almost sure my DATABASE_PASSWORD entry in vhcs2.conf is wrong.
Checking it.
nightcanton Apprentice
Joined: 26 Feb 2003 Posts: 249
Posted: Mon Feb 27, 2006 5:58 am
I'm getting this error, any ideas?
Code:
Failed Test Stat Wstat Total Fail Failed List of Failed
-------------------------------------------------------------------------------
t/10dsnlist.t 10 2560 9 17 188.89% 1-9
t/20createdrop.t 10 2560 5 9 180.00% 1-5
t/30insertfetch.t 10 2560 11 21 190.91% 1-11
t/35limit.t 10 2560 113 225 199.12% 1-113
t/40bindparam.t 10 2560 27 53 196.30% 1-27
t/40blobs.t 10 2560 11 21 190.91% 1-11
t/40listfields.t 10 2560 18 35 194.44% 1-18
t/40nulls.t 10 2560 11 21 190.91% 1-11
t/40numrows.t 10 2560 25 49 196.00% 1-25
t/41blobs_prepare.t 10 2560 24 47 195.83% 1-24
t/50chopblanks.t 10 2560 35 69 197.14% 1-35
t/50commit.t 255 65280 30 59 196.67% 1-30
t/ak-dbd.t 255 65280 90 175 194.44% 1 4-90
t/akmisc.t 10 2560 351 701 199.72% 1-351
t/dbdadmin.t 10 2560 21 41 195.24% 1-21
t/insertid.t 255 65280 12 24 200.00% 1-12
t/mysql.t ?? ?? % ??
t/mysql2.t 255 65280 ?? ?? % ??
1 test skipped.
Failed 18/20 test scripts, 10.00% okay. 859/866 subtests failed, 0.81% okay.
make: *** [test_dynamic] Error 255
/usr/bin/make test -- NOT OK
Running make install
make test had returned bad status, won't install without force
hurricane Tux's lil' helper
Joined: 15 Jul 2004 Posts: 107
Posted: Mon Mar 06, 2006 2:50 am Post subject: Re: VHCS2 on Gentoo HowTo
taskara wrote:
> Update Nov 2005:
> Try this newer howto. The one below is too old.
I'm sorry, but that guide does not nearly work on Gentoo. Not even a bit.
- "dev-perl/libnet" does not exist (anymore), in:
emerge -av postfix apache Authen-DigestMD5 BerkeleyDB bind Class-DBI-mysql expect courier-imap Crypt-Blowfish crypt-cbc cyrus-sasl Date-Calc DateManip DBD-mysql dev-perl/libnet gawk gzip IO-stringy iptables libmcrypt libperl MailTools MD5 MIME-Base64 MIME-tools dev-lang/php mysql Net-DNS Net-Netmask perl procmail proftpd SNMP_Session tar TermReadKey TimeDate vixie-cron
- "http://www.pure-dream.com/filez/vhcs2.conf" has some missing settings, in:
For ~x86 gentoo i use this config: ...
- These are no perl modules, right? In:
USE="-X" emerge -av lynx ftp gnupg ncftp unzip zip
- "g-cpan.pl" does not exist, in:
g-cpan.pl MIME::Entity MIME::Parser MIME::Base64 Crypt::CBC Crypt::Blowfish Term::ReadPassword
- VHCS does not install correctly. This does NOT work, because VHCS installs to "/tmp/vhcs2-*/":
cd /var/www/localhost/htdocs/vhcs2/engine/setup/ ; ./vhcs2-setup
- Even when I use "cd /tmp/vhcs2-*/var/www/vhcs2/engine/setup/ ; ./vhcs2-setup" I get errors about missing perl modules. (because above, "g-cpan.pl" did exist)
- Finally, please try to cut down the USE flags and leave some room for people not wanting those flags. (but this is last prio)
So what do I have to do to get it running?
It would be REALLY nice if someone could automate this into an ebuild!
spottraining n00b
Joined: 30 Jan 2005 Posts: 73 Location: Estonia
Posted: Tue Mar 07, 2006 4:14 am
This Taskara guide is a little old, but it's still possible to get VHCS to work. It only needs some time and a little work.
This libnet - I don't use it and I don't find that it's needed.
About vhcs.conf - some lines are missing, yes. It's missing ETC_SLDAB I think. But you can easily add this.
For Perl modules:
first emerge g-cpan
and then you can install all needed Perl modules using g-cpan - it's simple.
Also about the installation path - when you look more at this Taskara guide, the script installs VHCS first to the tmp folder. After all is done, you can copy it to the right place.
_________________
Sorry about bad English - I am learning....
The box said Windows XP or better, so I installed Linux
Jovana n00b
Joined: 23 Nov 2005 Posts: 53
Posted: Tue Mar 07, 2006 1:57 pm
Does someone know how to fix this problem:
I run ./vhcs2-setup.
It starts and asks me a few questions.
I give answers and after this question (I think it's the last one): "Please enter admininistrator email address"
this error appeared: "ERROR: mkdir() returned '0' status !"
spottraining n00b
Posted: Tue Mar 07, 2006 2:42 pm
Jovana wrote:
> Does someone know how to fix this problem:
> I run ./vhcs2-setup.
> It starts and asks me a few questions.
> I give answers and after this question (I think it's the last one): "Please enter admininistrator email address"
> this error appeared: "ERROR: mkdir() returned '0' status !"
Look - do you have some vhcs2 folder created in the tmp folder or not? If yes, then delete it.
_________________
Sorry about bad English - I am learning....
The box said Windows XP or better, so I installed Linux
Jovana n00b
Posted: Tue Mar 07, 2006 3:01 pm
I run the setup from the /tmp folder, because after the make install all the stuff is copied there.
spottraining n00b
Posted: Wed Mar 08, 2006 9:09 am
Jovana wrote:
> I run the setup from the /tmp folder, because after the make install all the stuff is copied there.
For some reason the script cannot make some directory. Then it's giving this error. Or you don't have permissions - but I think you run this script under root privileges. Look in /var/www/ and if there is a folder vhcs2, delete it. Also, in /etc/ is there a directory vhcs2? It can be the solution but I am not sure.
You can try to delete all vhcs2 from /tmp and then make a new install and after this try again.
_________________
Sorry about bad English - I am learning....
The box said Windows XP or better, so I installed Linux