Author Archive

Rapache 0.6 is in Debian SID

Published August 24th, 2008 by Emanuele Gentili

TA-DA!

I’m pleased to announce that Rapache 0.6 is out in Debian Sid too, thanks to Martin Pitt for upload sponsoring. :)

Accepted rapache 0.6-1 (source all)

    * To: debian-devel-changes@lists.debian.org
    * Subject: Accepted rapache 0.6-1 (source all)
    * From: Emanuele Gentili
    * Date: Sat, 23 Aug 2008 14:49:46 +0000
    * Message-id:
    * Sender: Mark Hymers 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 11 Aug 2008 02:28:21 +0200
Source: rapache
Binary: rapache
Architecture: source all
Version: 0.6-1
Distribution: unstable
Urgency: low
Maintainer: Emanuele Gentili
Changed-By: Emanuele Gentili
Description:
 rapache    - apache2 graphical configuration tool
Changes:
 rapache (0.6-1) unstable; urgency=low
 .
   * Initial release.
Checksums-Sha1:
 aa418868d9d69d2dc1672a3a0129ab9f96f39b65 1071 rapache_0.6-1.dsc
 07015cd6807e8b93f1a39066a51697715e744812 68540 rapache_0.6.orig.tar.gz
 83704f5c5d30cf6310777b9ab32595d30664612b 1651 rapache_0.6-1.diff.gz
 57dca6c547fba57232aeb2ea461ab576b900376b 59240 rapache_0.6-1_all.deb
Checksums-Sha256:
 7f401234822d6e43ff92a0b4cc99fd4b29a9030e96c50adc5054d9aa25a063dd 1071 rapache_0.6-1.dsc
 7b7190bfdabad4f10835ab5fc4cf1c62ec5ca94241e59abbe8af4c839804c315 68540 rapache_0.6.orig.tar.gz
 630d1e5e2227a4f7523cfe6eea07a33aa289e712f45a19a877c281a365aa8252 1651 rapache_0.6-1.diff.gz
 4eb1a10aa5dbd08a81bcaf65ed0407d56f4f0cd93f94c93f45cf6b66827d4966 59240 rapache_0.6-1_all.deb
Files:
 e15179beddb0833389357e5cd558578f 1071 web extra rapache_0.6-1.dsc
 cd72b51351a12354878052d543272060 68540 web extra rapache_0.6.orig.tar.gz
 cf2b24d1ebab1dce78a2479f04656995 1651 web extra rapache_0.6-1.diff.gz
 c470117d2e70278d0d43d14febc7d544 59240 web extra rapache_0.6-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkif56YACgkQDecnbV4Fd/JqlACaAvt2DzYqUgM/pFEYOfIj0kr5
HgkAoLqumd0N2uB+zO41ChmXX4f606Af
=Eilw
-----END PGP SIGNATURE-----

Accepted:
rapache_0.6-1.diff.gz
  to pool/main/r/rapache/rapache_0.6-1.diff.gz
rapache_0.6-1.dsc
  to pool/main/r/rapache/rapache_0.6-1.dsc
rapache_0.6-1_all.deb
  to pool/main/r/rapache/rapache_0.6-1_all.deb
rapache_0.6.orig.tar.gz
  to pool/main/r/rapache/rapache_0.6.orig.tar.gz

I’m part of the Joomla Security Strike Team.

Published August 23rd, 2008 by Emanuele Gentili

Now it’s official: Anthony Ferrara shared this information in this post. :-)

The staff team page is available here; I’m working mainly on auditing and bugfixes.

About The Name:

In wildland firefighting, the term “Strike Team” describes a collection of similar resources used for a specific purpose (http://en.wikipedia.org/wiki/Strike_Team). The JSST is called a strike team because it’s a collection of developers and security experts tasked with improving and managing security for Joomla.

Goals

  1. Investigate and respond to reported core vulnerabilities.
  2. Execute code reviews prior to release to identify new vulnerabilities.
  3. Provide public presence regarding security issues.
  4. Help the community understand Joomla security.

Security Announcement Policy

  • Verified vulnerabilities will only be publicly announced AFTER a release is issued which fixes the vulnerability.
  • All announcements will contain as much information as possible, but will NOT contain step-by-step instructions for the vulnerability.

Public Responses Policy

Articles are written about Joomla all the time. In many circumstances, these articles (even from reputable sources) contain a significant amount of misinformation.

  • The JSST will assess and address articles written about security issues.
    • If the article contains valid information about a vulnerability not yet fixed, we will ask the publisher to suspend the article until we can fix the issue.
    • If the article contains invalid information, we will note what is invalid, and ask the publisher to either fix or remove the article.
  • The JSST will be available to answer questions/validate any Joomla security-related articles on the publisher’s request.

Security Release Policy

  • Critical and high-level vulnerabilities trigger an immediate release cycle.
  • Moderate vulnerabilities may trigger a release cycle depending on the specific issue.
  • Low and very low vulnerabilities (and moderates which do not trigger a release cycle) will be included with the next scheduled maintenance release.
  • All security releases will be accompanied by one (or more) appropriate security announcements.

Vulnerability Threat Levels

There are two main details that contribute to a vulnerability’s priority or “threat level”:

Impact
  • Critical - “0-day” attacks, and attacks where site control is compromised (allows attacker to take control over site).
  • High - SQL injection attacks, remote file include attacks, and other attack vectors where site data is compromised.
  • Moderate - XSS attacks, write ACL violations (editing or creating of content where not allowed).
  • Low - read ACL violations (reading of content where not allowed).
Severity
  • Critical - VERY easy to perform. Relies on no outside information (TRUE 0-day attack).
  • High - Moderately easy to perform. May rely on readily available outside information.
  • Moderate - Not easy to perform. May rely on sensitive information.
  • Low - Difficult to perform. Relies on sensitive information or requires special circumstances to perform.

* NOTE: The descriptions are just generic guidelines. Each vulnerability will be assessed for damage potential and will be ranked accordingly.

Supported Versions

  • All currently developed and supported versions of Joomla will be actively monitored by the JSST.
  • Currently active versions include:
    • Joomla 1.0.x
    • Joomla 1.5.x

How to Help

  • If you find a possible vulnerability, report it to the JSST FIRST. You can contact the team via the contact form in the Security Center.
  • If you find a reported vulnerability (reported elsewhere), contact the JSST ASAP (include where you saw the report).
  • You can provide patches for any issues that you find (e-mail the team for more information on how to submit a patch).
  • Join the team! Due to the sensitive nature of the team, we restrict who joins. But if you think you’d be a good fit, contact the team via the contact form in the Security Center.

Canonical Joins The Linux Foundation

Published August 19th, 2008 by Emanuele Gentili

Great news today!

SAN FRANCISCO, Calif. – August 18, 2008 – The Linux Foundation, the nonprofit organization dedicated to accelerating the growth of Linux, today announced that Canonical has become a member of the Foundation.

The official announcement is available here. :)

Ubuntu Server Safe.

Published August 17th, 2008 by Emanuele Gentili

For several years I have rejected the option of using external hosting, mainly for security reasons.

Why pay for external hosting if we cannot manage it completely?
Where are the guarantees about the server configuration and the security arrangements?

True, there are virtual servers and dedicated servers, but why spend unnecessary money on a pseudo-machine that we cannot always manage the way we want?

So I decided to use an old Pentium 3 with Ubuntu Server (encrypted disks), serious hardening of the kernel and daemons, and logs transferred to an external device.

The device you can see in the picture copies some log files (which I chose) every few minutes, analyzes them independently and sends them both to a paper printer and by email to me (if they match the warning rules I set).

A true server-safe!

Tools:

* Apache2 and Mod_Security
* GRSEC
* Chroots
* Open SSH Server (only with key login)
* Snort
* Knockd
* dm-crypt
and other stuff wrote by me. :)
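As an added example (not the author's own scripts, which the post does not show), here is a minimal version of the rule-based log analysis the device performs, in Python: a few constructed syslog-style lines from the tools listed above (sshd, mod_security, grsecurity) are matched against warning rules, with a per-source threshold so that a single failed SSH login does not page anyone, and the matching entries are rendered as plain text that a setup like the author's would then print or mail. The log lines, rule names, patterns and thresholds are all constructed for this demo.

```python
import re
from collections import defaultdict

# Constructed sample log lines in syslog style (not taken from a real server).
SAMPLE_LOG = """\
Aug 17 10:01:02 safe sshd[2311]: Failed password for invalid user oracle from 198.51.100.7 port 40122 ssh2
Aug 17 10:01:05 safe sshd[2311]: Failed password for invalid user oracle from 198.51.100.7 port 40123 ssh2
Aug 17 10:01:09 safe sshd[2311]: Failed password for root from 198.51.100.7 port 40125 ssh2
Aug 17 10:02:30 safe sshd[2340]: Accepted publickey for emgent from 192.0.2.10 port 51000 ssh2
Aug 17 10:03:44 safe apache2: [error] [client 203.0.113.9] ModSecurity: Access denied with code 403 (phase 2). Pattern match "union.*select" at ARGS:id.
Aug 17 10:04:01 safe kernel: grsec: denied resource overstep by requesting 4096 for RLIMIT_NOFILE against limit 1024 for /usr/sbin/apache2[apache2:2399] uid/euid:33/33
Aug 17 10:05:12 safe sshd[2350]: Failed password for root from 192.0.2.10 port 51002 ssh2
""".splitlines()

# Warning rules (constructed): a regex whose 'key' group groups the hits
# (usually the client IP) and how many hits of the same key are needed
# before an alert is raised.
RULES = [
    {"name": "ssh password brute force",
     "pattern": re.compile(r"sshd\[\d+\]: Failed password for .* from (?P<key>\d+\.\d+\.\d+\.\d+)"),
     "threshold": 3},
    {"name": "mod_security block",
     "pattern": re.compile(r"\[client (?P<key>[\d.]+)\] ModSecurity: Access denied"),
     "threshold": 1},
    {"name": "grsecurity denial",
     "pattern": re.compile(r"grsec: denied (?P<key>.+?) by "),
     "threshold": 1},
]


def analyze(lines, rules=RULES):
    """Run every rule over every line; return alerts for keys that reach the rule's threshold."""
    hits = defaultdict(list)  # (rule name, key) -> matching lines
    for line in lines:
        for rule in rules:
            m = rule["pattern"].search(line)
            if m:
                hits[(rule["name"], m.group("key"))].append(line)
    thresholds = {r["name"]: r["threshold"] for r in rules}
    return [
        {"rule": name, "key": key, "count": len(matched), "lines": matched}
        for (name, key), matched in hits.items()
        if len(matched) >= thresholds[name]
    ]


def format_alert(alert):
    """Plain-text rendering suitable for a line printer or an e-mail body."""
    head = f"[{alert['rule']}] {alert['key']}: {alert['count']} matching line(s)"
    return "\n".join([head] + ["  " + line for line in alert["lines"]])


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(format_alert(alert))
        print()
```

On the sample input this raises three alerts: the three failed passwords from 198.51.100.7, the mod_security block, and the grsecurity denial. The single failed password from 192.0.2.10 stays below the threshold, and the successful public-key login matches no rule at all, which is the point of keeping thresholds per source rather than counting failures globally.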

Joomla 1.5.x com_user core component Security Fix.

Published August 13th, 2008 by Emanuele Gentili

Nice news: the Joomla people have put out the official fix; go and apply it if you are vulnerable.

--- components/com_user/models/reset.php        2008-08-13 01:19:01.000000000 +0200
+++ new/components/com_user/models/reset.php    2008-08-13 01:20:16.000000000 +0200
@@ -112,6 +112,11 @@
        {
                global $mainframe;

+       if(strlen($token) != 32) {
+       $this->setError(JText::_('INVALID_TOKEN'));
+       return false;
+       }
+
                $db     = &JFactory::getDBO();
                $db->setQuery('SELECT id FROM #__users WHERE block = 0 AND activation = '.$db->Quote($token));
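Review bot: the new `strlen($token) != 32` guard is indented with spaces where the surrounding lines use tabs, and the two statements inside the `if` sit at the same level as the braces; reindent to match the rest of the method. The check itself is sound: the controller fetches the token through the 'alnum' filter (see the controller.php excerpt further down this page), which reduces a non-alphanumeric value such as a lone quote to an empty string, and an empty string would otherwise match every `block = 0` account whose activation column is empty, which is every normal active user, the admin included. Requiring exactly 32 characters rejects that input before the query runs. A defence-in-depth addition would be `AND activation <> ''` in the query below it, so the lookup can never match an account that is not in the middle of a reset.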

If you’d like to download it, click here.

Happy defending! :-)

UPDATE:
The Joomla advisory is available here.

New Vulnerability in Joomla 1.5.x com_user core component.

Published August 12th, 2008 by Emanuele Gentili

Hello folks,

A new high-severity security issue was found in Joomla 1.5.x that allows a remote admin password change.

This vulnerability affects important websites such as NASA, university and institution websites. The fix isn’t out yet (I’m writing it), but we can apply a provisional fix to keep out stupid crackers.

How to check if your website is vulnerable:

The proof of concept is very simple; follow these steps:

0x01) Open your browser and go to the URL:

http://www.target.com/index.php?option=com_user&view=reset&layout=confirm

(replace www.target.com with your website, and remember to add the path if you have one, e.g. /joomla/)

0x02) Type the character ‘ into the text input box and click OK.
(if you see this text input box, you are vulnerable)

0x03) Now you are able to write the new admin password into the new text input.

0x04) Go to the URL http://www.target.com/administrator/ and try to log in.

How to apply the provisional fix:

This isn’t a real fix, but with it you can keep out stupid crackers; follow these steps if you turn out to be vulnerable.

0x01) Log in to the admin panel and go to the user management panel.

0x02) Create a new SuperAdmin user and log out of the admin panel.

0x03) Log in to the admin panel with the new user and go to the user management panel.

0x04) Remove all privileges from the old admin (switch its privilege to Registered user) and disable that user.

Vulnerable code:

/components/com_user/controller.php
Lines: 379-399

	function confirmreset()
	{
		// Check for request forgeries
		JRequest::checkToken() or die( 'Invalid Token' );

		// Get the input
		$token = JRequest::getVar('token', null, 'post', 'alnum');

		// Get the model
		$model = &$this->getModel('Reset');

		// Verify the token
		if ($model->confirmReset($token) === false)
		{
			$message = JText::sprintf('PASSWORD_RESET_CONFIRMATION_FAILED', $model->getError());
			$this->setRedirect('index.php?option=com_user&view=reset&layout=confirm', $message);
			return false;
		}

		$this->setRedirect('index.php?option=com_user&view=reset&layout=complete');
	}
/components/com_user/models/reset.php

Lines: 111-130

	function confirmReset($token)
	{
		global $mainframe;

		$db	= &JFactory::getDBO();
		$db->setQuery('SELECT id FROM #__users WHERE block = 0 AND activation = '.$db->Quote($token)); 

		// Verify the token
		if (!($id = $db->loadResult()))
		{
			$this->setError(JText::_('INVALID_TOKEN'));
			return false;
		}

		// Push the token and user id into the session
		$mainframe->setUserState($this->_namespace.'token',	$token);
		$mainframe->setUserState($this->_namespace.'id',	$id);

		return true;
	}

Security Fix:
I’m working on writing it; I will release it shortly.
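As an added example that is not part of the original post, this Python model reproduces the token lookup from reset.php above against a constructed in-memory SQLite table, side by side with the same lookup guarded the way the official patch (shown earlier on this page) guards it. The `alnum_filter` function is my reading of what the 'alnum' filter in `JRequest::getVar` does to the token before the model sees it: everything that is not a letter or digit is dropped, so a lone quote becomes an empty string. The table name, the sample rows and the extra `activation <> ''` condition in the fixed version are assumptions and additions of mine, not Joomla's code.

```python
import re
import sqlite3

# Constructed sample rows (not real data): an active super admin whose
# activation column is empty, as it is for every activated account, a user
# in the middle of a password reset holding a 32-character token, and a
# blocked account.
CONSTRUCTED_USERS = [
    (62, "admin", 0, ""),
    (63, "alice", 0, "a3f1c2d4e5b6a7c8d9e0f1a2b3c4d5e6"),
    (64, "bob", 1, ""),
]


def make_db():
    """Build an in-memory table shaped like the users table (table name assumed)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE jos_users (id INTEGER, username TEXT, block INTEGER, activation TEXT)"
    )
    con.executemany("INSERT INTO jos_users VALUES (?, ?, ?, ?)", CONSTRUCTED_USERS)
    return con


def alnum_filter(value):
    """Mimics the 'alnum' request filter: everything but [A-Za-z0-9] is dropped."""
    return re.sub(r"[^A-Za-z0-9]", "", value)


def confirm_reset_vulnerable(con, raw_token):
    """The lookup as in the original reset.php: returns the matched user id or None.
    An empty token matches any unblocked account with an empty activation column."""
    token = alnum_filter(raw_token)
    row = con.execute(
        "SELECT id FROM jos_users WHERE block = 0 AND activation = ?", (token,)
    ).fetchone()
    return row[0] if row else None


def confirm_reset_fixed(con, raw_token):
    """Same lookup with the official patch's length guard, plus a defence-in-depth
    condition (my addition) so an empty activation column can never match."""
    token = alnum_filter(raw_token)
    if len(token) != 32:  # the check added by the official fix
        return None
    row = con.execute(
        "SELECT id FROM jos_users WHERE block = 0 AND activation = ? AND activation <> ''",
        (token,),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, input ' ->", confirm_reset_vulnerable(db, "'"))  # 62: the admin
    print("fixed, input '      ->", confirm_reset_fixed(db, "'"))  # None
    print("fixed, real token   ->", confirm_reset_fixed(db, CONSTRUCTED_USERS[1][3]))  # 63
```

The vulnerable lookup returns the admin's id for the filtered-away quote, which is exactly why the PoC lands on the admin account: the query is parameterised and not injectable, the bug is that an empty string is a valid comparison value. The fixed lookup rejects anything that is not 32 characters and still returns the right id for a genuine reset token.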

Ubuntu Top Uploaders 0.2

Published August 4th, 2008 by Emanuele Gentili

Hello people, a new UTU version is out.

Go and add your “Name Surname” and Launchpad id to show an icon in the list linked to your Launchpad profile.

The current list is available here.

The new UTU version now also lets you see the dapper, feisty, gutsy and hardy Top Uploaders lists.

See the new panel, click here!

Thanks to Scott Kitterman for suggestions on features to include; they are now available. :-)

people.ubuntu.com will be free

Published August 3rd, 2008 by Emanuele Gentili

I’m pleased to announce that people.ubuntu.com will be free for Ubuntu Members, and not only Canonical people.

In recent days, after having discussed the matter with Matt Zimmerman (Ubuntu Technical Board), I was advised to raise the issue directly with Mark Shuttleworth and James Troup.

My first email:

Hello Mark, Hello James.

I talked with Matt Zimmerman (and he told me that the right road is
to ask you) about the possibility of opening access to people.ubuntu.com
to ubuntu-dev members [1]; I talked to Matt about the last decision [2],
but I think that the decision is surmountable via mod_security, SELinux
(or grsecurity) and ssh public key authorization for login.

Debian uses people.debian.org/~${id}, Gentoo too (I worked in Gentoo
development and we used the same method).

It's very important to give all Ubuntu developers the possibility to use
this space to add Ubuntu stuff and tools. For example: UTU [3], Ubuntu
docs, debdiffs, dev scripts, google-custom (to optimize the search
results) and other stuff.

I think that it is very important to give this possibility to all Ubuntu
developers and not only Canonical people.

Trusting in your answer,

Cheers,

Emanuele

[1] https://launchpad.net/~ubuntu-dev/+mugshots (nice faces :-P)
[2] https://wiki.ubuntu.com/MeetingLogs/Technical-2006-10-10
[3] http://thc.emanuele-gentili.com/utu.php
--
Emanuele Gentili 	    | https://edge.launchpad.net/~emgent
emgent@ubuntu.com           | Ubuntu Security Developer
emgent@windowmaker.info     | Window Maker Developer

Key fingerprint: F4B7 0793 069A 217E BB9F 8925 E0AC 34C2 2201 1E9A
gpg --keyserver keyserver.ubuntu.com --recv-keys 22011E9A

After that, a very fast reply:

James, Matt and I discussed this and agreed:

 - it's inappropriate to have something called "people.ubuntu.com" which is
   only accessible to Canonical folks
 - we can safely offer SFTP-based web page hosting for ubuntu members, using
   existing LP-hosted SSH key access

So, James will take responsibility for bringing up this capability for Ubuntu members,
and figure out how to grandfather the existing Canonical folks' content.

Thanks, Emanuele, for raising this!

Mark

Very good news. Thanks Mark, James and Matt, this will be a new resource for Ubuntu developers! :-)

Rapache is available on Hardy backports

Published August 1st, 2008 by Emanuele Gentili

Hello folks,

A short post for big news:

Rapache is available in Ubuntu Hardy Backports!

 * Trying to backport rapache...
  - <rapache_0.6-0ubuntu1.dsc: downloading from librarian>
  - <rapache_0.6-0ubuntu1.diff.gz: downloading from librarian>
  - <rapache_0.6.orig.tar.gz: downloading from librarian>
I: Extracting rapache_0.6-0ubuntu1.dsc ...  done.
I: Building backport of rapache-0.6 as 0.6-0ubuntu1~hardy1 ...  done.

** Changed in: hardy-backports
       Status: In Progress => Fix Released

Thanks to Scott Kitterman for the Hardy Heron backports ACK and to Martin Pitt for the archive-admin work.

Welcome Rapache 0.6 in Ubuntu Intrepid Ibex Universe.

Published July 29th, 2008 by Emanuele Gentili

Accepted:
 OK: rapache_0.6.orig.tar.gz
 OK: rapache_0.6-0ubuntu1.diff.gz
 OK: rapache_0.6-0ubuntu1.dsc
     -> Component: universe Section: web

Hey people, rapache 0.6 is finally in Universe!

Thanks to Steve Langasek for the NEW package upload.

For those who don’t know it: Rapache (ra-pa-che), n. 1. A Python + GTK tool that uses the SSH protocol (one day; still local right now) to manage and configure apache2 and all of its modules. GPL’d; its goal is to provide the user with a simple interface that makes the work easy for those who want to set up a web server in a few clicks. 2. Rapacious bird (Italian: rapace).

The same rapache version is available for Ubuntu Hardy Heron via the Rapache-Developers PPA.

To install it (on Ubuntu Hardy Heron), please add this repository to /etc/apt/sources.list:

deb http://ppa.launchpad.net/rapache-devel/ubuntu hardy main
deb-src http://ppa.launchpad.net/rapache-devel/ubuntu hardy main

Now update and install rapache:

apt-get update
apt-get install rapache

Other thanks to Martin Pitt and Luca Falavigna for some important suggestions.

Rapache 0.6 main window.

Rapache 0.6 Apache2 Modules.

Rapache 0.6 Apache2 Modules editor.

If you like this project, please join the rapache-user team on Launchpad, an open group that encloses the rapache community.

Feel free to test it and report bugs here and... if you’re interested in the project, just check out the Launchpad page, or drop by to say “hello” in #rapache-devel on freenode.