Skip to main content

Posts

How to Authenticate WHMCS Admin Users with PHP

Over the past few days I've been working on a project that involved building an authentication mechanism for a new website which checks user logins against a WHMCS admin database. There are a variety of options for authenticating normal, non-admin WHMCS users: on the easy side of things, you can simply use the WHMCS API's validatelogin() call, or for a more advanced project its possible to implement OAuth within your WHMCS instance . For my project, neither LDAP nor Active Directory were options. I was surprised to find that the WHMCS API did not contain a mechanism for authenticating admin users. I'm somewhat sympathetic given the security implications: WHMCS is a billing application and it should not be used to provide a sortof infrastructure authentication backbone, particularly given the many much more mature options available for this sort of thing. With that said, this project wasn't about looking to turn WHMCS into LDAP ... it was about allowing WHMCS admin t...

Assigning default ownership to all new files in a directory

Getting the hang of Linux file-system permissions can be tricky for beginners. I still have problems every now and again translating symbolic permission notation to octal permission notation and back again. One common scenario which can be complicated to enact in practice is the creation of default permissions for files inside of given directories. Although not a direct translation, in Windows this sort of functionality is usually implemented by selecting the "Allow propagation on child objects" setting when viewing Security Properties for a directory. But how to get this done in Linux? The preferred approach is the use of Access Control Lists using setfacl . Since Linux kernel 2.6, the acl flag is enabled by default with most standard filesystems. There's already several solid explanations for how to use Linux ACLs . But, there are scenarios in which this can be difficult or impossible to implement; using exotic filesystems or older kernels, etc. Or you just might find...

A nasty pair of MySQL exploits grant attackers system root from any database user

Four days ago I received an email from Dawid Golunski through the list illustrating one of the more brutal pair of security vulnerabilities I have seen recently. Here's how it works.     The exploit uses a vulnerability within MariaDB, PerconaDB (and/or XtraDB Cluster) and MySQL to, first, gain access to the 'mysql' system user using any mysql user that has CREATE / INSERT / UPDATE permissions. The first part revolves around a race condition when sql generates temporary files as part of the `REPAIR table` command. Then using the mysql system user the second vulnerability grants the attacker root access to the server using a clever hack that takes advantage of mysql_safe's approach to writing to file based error logs. Below I've provided a list of vulnerable server versions. Just about any server using the more recent (unpatched) stable releases of MySQL or MariaDB through CentOS is vulnerable (Percona isn't part of the st...

I was interviewed by Fox News today

I was asked by Fox News to comment on how Wikileaks might be able to publish documents in spite of a reported shutdown of Julian Assange's internet access within the Ecuadorian embassy . You can read more about Wikileaks' reported IT trouble at the AP .

Dell, how I hate thee (let me count the ways)

A Dell "feature" that appears to be designed to force customers to use only Dell parts reduced the speed of a set of SSDs one of my customers installed on their rack-mountable R900 server by a factor of 1000. Before I get into this, there are some provisos. This server was using Linux kernel 2.6.32. The SSDs involved are Samsung 850 Pro SATA-style solid state disks. SSD is not quite ready for prime time in the 2.6.32 kernel; NVMe support was first added in 3.3, TRIM wasn't available at all until 2.6.33, and a ton of other things we all take for granted like the device mapper are part of the 4.* kernel. Consumer-level Samsung drivers bring their own issues. Despite what the knuckle-heads on Reddit have to say about the topic, the Linux kernel still blacklists queued TRIM functions from every Samsung SSD in the 8** series. As of the latest Github commit as of this writing for kernel 4.8 queued TRIM still doesn't work for these devices. More importantly, the R900 ...

Building a new gaming PC (with some digs about NZXT)

Never let it be said that I do not support the aspirations of today's young people. My contribution to the next generation was helping a local teen build out a high powered gaming PC. It was my first time installing a closed-loop liquid cooling system (the  Kraken x61 ).  Building a gaming rig. Notice how decades of IT work has resulted in a Quasimodo hunch The highlights of the PC included the following:     - Intel i7 6700K CPU     - NZXT  Kraken x61 liquid cooling system     - Nvidia GeForce GTX 1080  graphics card     - ASUS Z170-E motherboard     - NZXT S340 case     - Corsair Vengeance LPX DDR4 RAM     - Samsung EVO 850 SSD     - EVGA Fully Modular GQ 650W power supply During build-out I encountered two issues that weren't the result of my own fumbling, shaky hands. One of these issues I think is forgivable and the other is not. The ASUS 7170-E ...

Pandora account compromise warning message

Here is a copy of the email I was sent by Pandora to inform me that my account was compromised kindof but not really and it was totally not their fault. This is somewhat old news (I received this email July 6th) but the more copies of this online the better, IMO. There are a number of things about this email that irritate me. First of all, the email is so incredibly vague that I have absolutely no idea what happened. Someone, somewhere posted my Pandora username (email address?) on the internet along with, presumably, one of the bazillion passwords associated with it. Who posted this information? Why? Where was it taken from? Was it stolen from one of Pandora's infrastructure providers? If what Pandora implies in the email is true - that the compromise is completely unrelated to Pandora in any way - why are they sending me this email? Does Pandora scour the internet for the email addresses and account names of its many users? If Pandora had no responsibility for this ...