ImageMagick Remote Command Execution Vulnerability

The vulnerability is very simple to exploit, an attacker only needs a image uploader tool that leverages ImageMagick. During our research we found many popular web applications and SaaS products vulnerable to it (people love gravatars), and we have been contacting them privately to get things patched. Unfortunately, even with all the media attention, not everyone is aware of this issue.

Source: ImageMagick Remote Command Execution Vulnerability – Sucuri Blog

Update From ImageMagick Is On Fire — CVE-2016-3714

If you use ImageMagick or an affected library, we recommend you mitigate the known vulnerabilities by doing at least one of these two things (but preferably both!):

  1. Verify that all image files begin with the expected “magic bytes” corresponding to the image file types you support before sending them to ImageMagick for processing. (see FAQ for more info)

  2. Use a policy file to disable the vulnerable ImageMagick coders. The global policy for ImageMagick is usually found in “/etc/ImageMagick”. The below policy.xml example will disable the coders EPHEMERAL, URL, MVG, and MSL.

My ImageMagick policy file is in /usr/lib64/ImageMagick-6.6.4/config/policy.xml  Click the link to get the exact rules to add.  I use ImageMagick with Gallery software but only admin has access to uploading images so this bug doesn’t matter for my use case.
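As an added example (not code from the Sucuri post or from ImageMagick itself), here is step 1 of the mitigation above in Python: the upload's leading bytes are compared against an allowlist of image signatures before the file is passed to ImageMagick. The extension allowlist, the signature table and the sample byte strings are constructed for this example; step 2, the policy.xml, remains a separate measure.

```python
# Added example: magic-byte verification for uploads before ImageMagick sees them.
# ImageMagick chooses its coder from the file content, not the file name, so a
# file whose bytes do not match its declared type must never reach it.

# Constructed allowlist: accepted extension -> canonical type.
EXTENSIONS = {"png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif"}

# Well-known file signatures for the allowlisted types.
SIGNATURES = {
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif":  (b"GIF87a", b"GIF89a"),
}

# Constructed sample inputs; only the leading bytes matter for this check.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR" + b"\x00" * 17
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 9
GIF_SAMPLE = b"GIF89a\x01\x00\x01\x00\x80\x00\x00"
TEXT_SAMPLE = b"# constructed text body carrying no image signature\n"


def sniff_type(data: bytes):
    """Return the allowlisted type whose signature the data starts with, or None."""
    for image_type, prefixes in SIGNATURES.items():
        if any(data.startswith(p) for p in prefixes):
            return image_type
    return None


def check_upload(filename: str, data: bytes):
    """Return (accepted, detail).

    Accept only when the extension is allowlisted AND the bytes carry the
    matching signature; a mismatch between name and content is rejected.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    declared = EXTENSIONS.get(ext)
    if declared is None:
        return False, f"extension {ext!r} not in allowlist"
    actual = sniff_type(data)
    if actual is None:
        return False, "no recognised image signature"
    if actual != declared:
        return False, f"content looks like {actual}, name declares {declared}"
    return True, actual


if __name__ == "__main__":
    for name, blob in [("avatar.png", PNG_SAMPLE), ("avatar.jpg", GIF_SAMPLE),
                       ("avatar.jpg", TEXT_SAMPLE), ("avatar.svg", PNG_SAMPLE)]:
        print(name, check_upload(name, blob))
```

Only files that pass this check should be handed to ImageMagick; the policy.xml coder restrictions then limit the damage should a crafted file still slip through.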

The Basics of Web Application Security

Security is a massive topic, even if we reduce the scope to only browser-based web applications. These articles will be closer to a “best-of” than a comprehensive catalog of everything you need to know, but we hope it will provide a directed first step for developers who are trying to ramp up fast.

Source: The Basics of Web Application Security

Outages

I’m migrating this web server to a more modern Fedora from Fedora 14 and there have been problems.  Had to ditch the new MariaDB for community mysql because the former cannot read in a common SQL file describing this simple WordPress database without marking it corrupt.  See:

MySQL to MariaDB migration: handling privilege table differences when using mysqldump

Community mysql works well and all databases read in like SQL should.  There have been memory leak problems bringing down services at random times which might be an OS problem or httpd problem so I’m getting ready to rebuild on a modern CentOS distro which should be more stable.  I don’t feel like debugging this since it should just work when installed.  The latest crash was SELinux which activated itself after a reboot and it doesn’t like anything running on its system.

The Fedora 14 VM has been rock solid since 2010 and I’ll still use it as a backup.  I wanted to create a VM in VirtualBox and Fedora 14 is too old to build from scratch.  This modern Fedora seems very unreliable.

tl;dr This site will be under construction and may fall over every now and then.

HTTP is obsolete. It’s time for the distributed, permanent web

IPFS is still in the alpha stages of development, so we’re calling this an experiment for now. It hasn’t replaced our existing site storage (yet). Like with any complex new technology, there’s a lot of improvements to make. But IPFS isn’t vaporware, it works right now. You can try it out on your own computer, and already can use it to help us serve and persist Neocities sites.

Source: HTTP is obsolete. It’s time for the distributed, permanent web

Weather.com Moves to Drupal

When the new Weather.com launches it will be the highest trafficked Drupal site in existence with over 1 billion page views per month.

via Mediacurrent | Weather.com Moves to Drupal.

On the technical side, our approach was to increase cache efficiency by utilizing Javascript and Edge Side Includes (ESI) for client side rendering as well as optimizing calls made to their content delivery network (CDN), Akamai.


Top Open-Source Static Site Generators

The typical CMS driven website works by building each page on-demand, fetching content from a database and running it through a template engine. This means each page is assembled from templates and content on each request to the server.

For most sites this is completely unnecessary overhead and only adds complexity, performance problems and security issues. After all, by far most websites only change when the content authors or their design team make changes.

A Static Site Generator takes a different approach and generates all the pages of the website once, when there are actually changes to the site. This means there are no moving parts in the deployed website. Caching gets much easier, performance goes up and static sites are far more secure.

via Top Open-Source Static Site Generators – StaticGen.

Web app open source alternatives

You can replace a number of popular web apps with solid open source alternatives. If you want to embrace your inner geek, you can even run many of them on your own web server. Or, you can use hosted versions of those apps which will only set you back a few dollars a month.

Let’s take a look at 5 open source alternatives to some popular web apps.

via Web app open source alternatives | Opensource.com.

I have been pleased with Owncloud, which he lists as one of the five.  Its install was straightforward and it works, allowing for easy file sync with my Android tablet using their app as a client and their software on a specified server.

Here’s another one of the five I hadn’t heard before which prompted me to repost this article here:

ownStaGram is a self hosted replacement for Instagram. All you need is a web server that runs PHP and mySQL, and you can install it in a few minutes. From there, you can upload photos from your computer to your instance of ownStaGram. Or, you can use the Android app (which includes several of those hackneyed Instagram-like filters).

I will give ownStaGram a try and post my thoughts soon.

Update: I ran ownStaGram on a Fedora 19 build running php 5.5 and a warning message popped up about a deprecated mysql connect method.  This is clearly a problem that hasn’t been fixed in quite a while.  Tried to download their app from Google Play but couldn’t find it.  Some of the comments on the web version of Google Play suggested it was a buggy app, which may be why it got pulled.

ownStaGram is a good concept.  I’d love to be able to snap a pic and have it automatically upload onto my local “cloud” device connected only to the local wifi.

Eight Ways to Blacklist with Apache’s mod_rewrite

With the imminent release of the next series of (4G) blacklist articles here at Perishable Press, now is the perfect time to examine eight of the most commonly employed blacklisting methods achieved with Apache’s incredible rewrite module, mod_rewrite. In addition to facilitating site security, the techniques presented in this article will improve your understanding of the different rewrite methods available with mod_rewrite.

via Eight Ways to Blacklist with Apache’s mod_rewrite | Perishable Press.

The Tiny Box That Lets You Take Your Data Back From Google

For open source developer Johannes Ernst, what the world really needs is a simple device that anyone can use to take their data back from the wilds of the internet. So he designed the Indie Box, a personal web server preloaded with open source software that lets you run your own web services from your home network–and run them with relative ease. Any system administrator will tell you that setting up a server is just the first step. Maintaining it is the other big problem. Indie Box seeks to simplify both, with an option to fully automate all updates and maintenance tasks, from operating system patches to routine database migrations.

via Out in the Open: The Tiny Box That Lets You Take Your Data Back From Google | Enterprise | WIRED.

A completely assembled device costs $500.

This is just a Linux box with standard server packages installed and probably a customized management system.  Running your own web server does not take your data back from Google unless you run your own search engine.  The main type of data Google retains for its customers is email.  Running your own email server does keep your personal information from Google.  However, from the article:

For now, it won’t include an e-mail server since spam filters make it so hard to run one from home.