August 14, 2008

Got Joomla! 1.5.*? Get the new one, NOW!

Project: Joomla!
SubProject: com_user
Severity: Critical
Versions: 1.5.5 and all previous 1.5 releases
Exploit type: Password Reset Forgery
Reported Date: 2008-August-12
Fixed Date: 2008-August-12

Description

A flaw in the reset token validation mechanism allows non-validating tokens to be forged. This allows an unauthenticated, unauthorized user to reset the password of the first enabled user (lowest id). Typically, this is an administrator user. Note that changing the first user's username may lessen the impact of this exploit (since the person who changed the password does not know the login associated with the new password). However, the only way to completely rectify the issue is to upgrade to 1.5.6 (or patch the /components/com_user/models/reset.php file).

Affected Installs

All 1.5.x installs prior to and including 1.5.5 are affected.

Solution

Upgrade to the latest Joomla! version (1.5.6 or newer) HERE, or patch /components/com_user/models/reset.php with the code below:

After global $mainframe; on line 113 of reset.php, add:

if (strlen($token) != 32) {
    $this->setError(JText::_('INVALID_TOKEN'));
    return false;
}

Kudos to QT for the alert!
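For readers who want to see the guard in context, here is an added example (not Joomla's own code) of a reset-token check built around the same rule the patch adds: a token of the wrong length is rejected before any lookup, so a blank or truncated value can never match. It assumes 32-character alphanumeric tokens stored per user, and needs PHP 7.1 or newer.

```php
<?php
// Added example, not Joomla's code: a hardened password-reset token check.
// Assumed: tokens are 32 alphanumeric characters (the length the advisory's
// patch enforces) and the pending token for each user is stored server-side.

const RESET_TOKEN_LENGTH = 32;

/** Issue a fresh token for a pending password reset (16 random bytes as hex). */
function generateResetToken(): string
{
    return bin2hex(random_bytes(RESET_TOKEN_LENGTH / 2));
}

/**
 * Accept a submitted token only when it is well-formed AND matches the token
 * stored for the pending reset. The explicit length check is the same guard
 * the advisory adds: an empty or truncated value is refused before any
 * database lookup, so it can never be compared against a blank field.
 */
function resetTokenIsValid(string $submitted, ?string $stored): bool
{
    if (strlen($submitted) !== RESET_TOKEN_LENGTH || !ctype_alnum($submitted)) {
        return false;           // malformed: wrong length or stray characters
    }
    if ($stored === null || strlen($stored) !== RESET_TOKEN_LENGTH) {
        return false;           // no reset pending for this account
    }
    return hash_equals($stored, $submitted);   // constant-time exact match
}

// Constructed sample run: one pending token and several submissions.
$stored = generateResetToken();
$cases = [
    ['genuine token',    $stored,                    $stored],
    ['empty token',      '',                         $stored],
    ['truncated token',  substr($stored, 0, 31),     $stored],
    ['non-alphanumeric', str_repeat('a', 31) . '!',  $stored],
    ['unrelated token',  generateResetToken(),       $stored],
    ['no reset pending', $stored,                    null],
];
foreach ($cases as [$label, $submitted, $pending]) {
    printf("%-16s -> %s\n", $label,
        resetTokenIsValid($submitted, $pending) ? 'accepted' : 'rejected');
}
```

Only the first case is accepted; every other line prints "rejected".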

August 13, 2008

Gates vs GM

Sent to me by a friend …

For all of us who feel only the deepest love and affection for the way computers have enhanced our lives, read on.

At a recent computer expo (COMDEX), Bill Gates reportedly compared the computer industry with the auto industry and stated:

‘If GM had kept up with technology like the computer industry has, we would all be driving $25.00 cars that got 1,000 miles to the gallon.’

In response to Bill’s comments, General Motors issued a press release stating:

‘If GM had developed technology like Microsoft, we would all be driving cars with the following characteristics (and I just love this part):

1. For no reason whatsoever, your car would crash... twice a day.

2. Every time they repainted the lines in the road, you would have to buy a new car.

3. Occasionally your car would die on the freeway for no reason. You would have to pull to the side of the road, close all of the windows, shut off the car, restart it and reopen the windows before you could continue. For some reason you would simply accept this.

4. Occasionally, executing a manoeuvre such as a left turn would cause your car to shut down and refuse to restart, in which case you would have to reinstall the engine.

5. Macintosh would make a car that was powered by the sun, was reliable, five times as fast and twice as easy to drive – but would run on only five percent of the roads.

6. The oil, water temperature and alternator warning lights would all be replaced by a single ‘This Car Has Performed An Illegal Operation’ warning light.

7. The airbag system would ask ‘Are you sure?’ before deploying.

8. Occasionally, for no reason whatsoever, your car would lock you out and refuse to let you in until you simultaneously lifted the door handle, turned the key and grabbed hold of the radio antenna.

9. Every time a new car was introduced car buyers would have to learn how to drive all over again because none of the controls would operate in the same manner as the old car.

10. You’d have to press the ‘Start’ button to turn the engine off.

August 7, 2008

Farewell PHP4 … thanks for all the fish

Yesterday saw the last ever update to PHP4 – Today it became history, or “end of life” as it’s known in the vernacular.

It’s been a ball, but it will not surprise me to read in months to come of those who suddenly discover that it’s gone and kick up a stink.

You do know that PHP6 is just around the corner … don’t you? :D

July 20, 2008

DNS Cache Poisoning Vulnerability

Recently a new DNS vulnerability has been discovered (Read the story here) which allows a malicious hacker to poison a DNS cache. The ability to poison a cache allows someone to redirect traffic (web, FTP, mail, etc.) away from the intended sites to the hacker’s sites, which may host viruses, trojans, bot-inserters, etc., so it is important to protect yourself against this type of exploit.

Without going into huge detail here, we all need to take a look at our own ISP’s DNS setup, and also the DNS most of us run on our VPSs and servers. The vulnerability is, as yet, undisclosed, but will be announced at the Black Hat Conference on August 7th. (Read this article). After that, the vulnerability will be out in the wild and hackers will be looking to exploit it as much as possible before everyone has an opportunity to secure their set-ups.

DNS-OARC have provided a web-based tool which you can use to check your home or office ISP’s DNS resolvers for the vulnerability. If either of the test results reports “POOR” you need to get onto your ISP’s case, right now, and ask them what they’re doing to fix things before the 7th August deadline. Click here to run the test.

You should also check your own VPSs and servers to see if they allow recursive look-ups and, if they do and you have no need for this, turn off recursion.

Anyone who suspects that their own ISP’s DNS is exploitable and that this will not be fixed promptly might wish to consider one of the free public services like OpenDNS as an alternative.

July 1, 2008

It’s my birthday ….

I just wanted to thank everyone who has forgotten my birthday – At this age, reminders are not appreciated! And a special thanks goes to Svetlana, who has made the day memorable beyond all expectations ;)

April 17, 2008

Windows server and firewalls

I was chatting in one of the forums I lurk in the other day, and the subject of Windows Server and firewall configurations came up. There was also a little side-debate going on about which is better – Command Prompt or GUI. (My personal preference is to use a command prompt where possible, because I find that I can get things done more quickly.)

So, the end result of the conversation was that I posted my little crib sheet that I use to enable and set up the firewall on any new Windows server we bring into service. I find this file one of those useful little tidbits that comes in handy once in a while, so I thought I’d also post it here, if only so that I can find a copy of it easily ;)

Bear in mind that under Windows 2003 Server this only affects INBOUND traffic. This will change under the new Windows 2008 Server, where the firewall watches traffic both inbound and outbound.

## WINDOWS FIREWALL SETUP VIA COMMAND PROMPT
##
## Port list at http://www.iana.org/assignments/port-numbers
##
## Turn on Enable mode
##
netsh firewall set opmode enable
##
## Set standard open TCP ports
##
netsh firewall set portopening TCP 21 FTP-Server
netsh firewall set portopening TCP 25 SMTP
netsh firewall set portopening TCP 80 HTTP
netsh firewall set portopening TCP 110 POP3
netsh firewall set portopening TCP 143 IMAP4
netsh firewall set portopening TCP 220 IMAP3
netsh firewall set portopening TCP 443 HTTPS
netsh firewall set portopening TCP 465 SMTP-Secure
netsh firewall set portopening TCP 993 IMAP
netsh firewall set portopening TCP 995 POP3-Secure
netsh firewall set portopening TCP 3389 RDP
##
## TCP + UDP for DNS
##
netsh firewall set portopening TCP 53 DNS-TCP
netsh firewall set portopening UDP 53 DNS-UDP
##
## Turn on logging
##
netsh firewall set logging droppedpackets=enable
##
## Logs to c:\windows\pfirewall.log
##

The port list at IANA is a big help getting together your list of ports that you’d like to open. I hope this helps someone!

April 6, 2008

cPanel VPS Optimized

Some great news came in the form of a newsletter from cPanel this week. cPanel (aka cPanel/WHM) is the most popular control panel used on servers and VPSs everywhere, particularly throughout the shared hosting industry, because of its ease of use, friendly interface, and the fact that, as everyone else uses it, you better have it too ;)

One of the growing concerns recently has been the amount of memory cPanel uses, particularly on VPSs. A growing concern, that is, until the arrival of this newsletter:

cPanel VPS Optimized
-------------------------------
cPanel VPS Optimized is a new version of cPanel / WHM specifically designed to run
on Virtual Private Servers. cPanel VPS Optimized provides the feature rich
functionality of cPanel / WHM while reducing memory usage by up to 60% on VPS
instances.

cPanel VPS Optimized represents a great step forward for cPanel customers. The
reduction in memory usage for each install allows web hosts the ability to host
more domains per virtual machine. This increase enables hosts to provide a more
efficient and eco-friendly server base with fewer physical machines.

The upgrade to cPanel VPS optimized will require no interaction. Once cPanel VPS
Optimized has reached the build tree on your server, automatic updates (or
manual) will upgrade the current cPanel / WHM installation to a cPanel VPS
Optimized installation. cPanel VPS Optimized is currently only in EDGE builds.

Information about cPanel VPS optimized can be found at:
http://www.cpanel.net/products/cpvps/

TailWatchd
------------------------------

TailWatchd is a new concept in log processing from cPanel. Previously, three
daemons were used to gather information from mail and bandwidth logs
(antirelayd, eximstats and cpbandwd). These daemons have been deprecated and
replaced with a more robust and more lightweight TailWatchd. The move to this
new system will reduce load due to log processing and allows for a more robust
interface with the daemon. This daemon with all three log processing drivers uses
less memory than just eximstats!

Technical information about TailWatchd can be found at:
http://www.cpanel.net/support/articles/tailwatchd.html

Other Updates
--------------------------------
Along with these two new advancements, modifications have been made to the
cPanel / WHM product to reduce cpu and memory usage. We hope that you will find
these advancements a positive step for your operations. There are many more
great steps in the cPanel development path which will enhance your experiences
with cPanel products.

Whilst I don’t entirely agree with cPanel’s views about hosting more domains on VPSs running leaner on memory with this new release, the memory that this frees up will certainly improve performance.

Anyway, I decided to put it to the test and rolled a spare VPS with just 256Mb of memory forward to the EDGE release. (NB: It’s not advisable to do this on a production VPS as EDGE releases can and do have minor bugs still needing to be ironed out).

Having updated to the EDGE release, and with Fantastico and RVSkins also installed, I set about doing some minor tweaks to get the memory usage down below a self-set target of 128Mb. Half an hour or so later, I had it cracked :)

             total       used       free
Mem:        262144     128676     133468
-/+ buffers/cache:     128676     133468
Swap:            0          0          0
Total:      262144     128676     133468

Left running for 3 or 4 days with 4 small test domains on it, the VPS continued to idle at between 128Mb and 190Mb of memory usage.

All I can say is Go cPanel! :D

February 12, 2008

SLM Memory … huh?

We recently launched a new range of Virtual Private Servers (sometimes known as VPSs or VDSs) which use SLM memory rather than the rather more traditional (dare I say “old fashioned”?) UBC. Of course, that led to a few people asking us what SLM is, so here’s a little explanation:

SLM is the method of memory management we use within Parallels (previously Virtuozzo) for controlling all aspects of the resources allocated to a VPS. The previous generation of this sort of memory management with Virtuozzo was called UBC, more commonly known by its /proc/user_beancounters file. With the older UBC, there are multiple variables when it comes to setting up memory, thus allowing a host to give you burst memory and the capability to limit certain other variables (such as your kernel memory).

SLM removes all of that, and instead just replaces those 20 or so memory variables with a single value, giving you the most guaranteed level of memory available today with Parallels/Virtuozzo. Most providers today still use the old UBC method of memory management, and have not yet stepped up to the capabilities of SLM.

(Parallels is the new name and branding of SWSoft, a name which many people may be more familiar with).

All of our new 64-bit packages use SLM-guaranteed memory, which means that you never have to rely on a share of whatever burst memory might be available on the node. Burst memory should never be relied upon, so instead we are providing our customers with a guaranteed environment for their VPSs.

November 15, 2007

Free email providers do battle again

It seems that Hotmail and Yahoo! are at it again. Hotmail used to reject some messages sent from Yahoo! Groups because they exceeded 15 “hops” (the default limit set on Exchange Server to prevent mail loops, which Hotmail refused to reset to a higher, more appropriate level – See here for a brief explanation from Indiana University). This would happen most often in Yahoo! Groups that moderate messages, since the moderation process causes more hops within Yahoo’s system.

So, Yahoo! Groups went ahead and made some changes to the way hops information is presented in Yahoo! Groups mail headers, so that this 15 hops limit should no longer be an issue. These changes should mean far fewer bounced messages to Hotmail members.

Of course, Hotmail fought back – In the last couple of weeks Hotmail has adjusted their filters in a way that is pretty much blocking all “invitations” sent from Yahoo! Groups. And despite Yahoo!’s attempts to get them to stop this blocking, it has yet to be lifted.

And the winners in this? Well, it’s certainly not Hotmail, Yahoo!, or their users. Why, it’s Googlemail, of course!

November 5, 2007

WordPress automatic upgrades

This is so cool! I don’t make a habit of writing about plugins for individual items of software, but this one stands out as a keeper. WordPress Automatic Upgrades is a neat little plugin for WordPress that will automatically upgrade your WordPress blog to the latest release from WordPress.

I decided to try it here so, after doing a backup of the site, I went ahead and fired up the plugin. First thing it did? Backed up the site LOL! OK, so I’ll know about that next time, but I have to say that this little plugin saves bandwidth, time and worry, and works exactly as it says on the tin. This is one keeper!