You can place the following into your .htaccess
to have it return an HTTP 403 if the User Agent is matched.
Tag: Apache
PHP real-time system command output
Throwing some notes here for me to remember on having PHP not buffer the output of a long-running process, so that it provides real-time output to the browser. I tinkered with SSE options and even AJAX/jQuery, but I finally got this to work somewhat reliably. Note that these notes are tested on PHP 8.1 and Apache 2.4.
.htaccess
This is required to disable buffering at the server level. Make sure to have mod_rewrite enabled.
RewriteRule ^(.*)$ $1 [NS,E=no-gzip:1,E=dont-vary:1]
PHP
<?php
// Close any output buffer php.ini opened (output_buffering is commonly 4096 under mod_php),
// then have PHP flush after every output call. Checking ob_get_level() first avoids the
// "failed to flush buffer" notice that a bare ob_end_flush()/ob_flush() raises when no buffer exists.
while (ob_get_level() > 0) {
    ob_end_flush();
}
ob_implicit_flush(true);
echo 'Begin', PHP_EOL;
for ($i = 0; $i < 10; $i++) {
    echo $i, PHP_EOL;
    flush(); // push the line through the SAPI to Apache right away
    sleep(1);
}
echo 'Done', PHP_EOL;
A command example using passthru
<?php
while (ob_get_level() > 0) {
    ob_end_flush();
}
ob_implicit_flush(true);
echo '<PRE>';
echo 'BEGIN', PHP_EOL;
// passthru() writes the command's raw output to the output stream as it arrives.
// The command is a fixed string; no request data is interpolated into it.
passthru('ping -c 5 8.8.8.8');
flush();
echo 'DONE', PHP_EOL;
echo '</PRE>';
?>
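As an added example that is not part of the post, here is a variant of the passthru script that reads the command through proc_open() and flushes it to the browser line by line, sends text/plain so the <PRE> wrapper is unnecessary, and shows the checks a practitioner wants in place before a request parameter gets anywhere near a shell command. The `host` query parameter, its default and the validation pattern are assumptions of this example; the Apache RewriteRule from the post (no-gzip, dont-vary) is assumed to be active.

```php
<?php
// Added example, not the post's own code. Assumes PHP 8.1 under Apache with the
// no-gzip/dont-vary RewriteRule from the post in place.
declare(strict_types=1);

set_time_limit(60);
header('Content-Type: text/plain; charset=utf-8');
header('Cache-Control: no-cache');

// Drop every buffer php.ini opened, then flush after each output call.
while (ob_get_level() > 0) {
    ob_end_flush();
}
ob_implicit_flush(true);

// Hypothetical request parameter. escapeshellarg() neutralises shell metacharacters, but it
// cannot stop a value such as "-f" from being read by ping as an option, so the pattern also
// rejects a leading dash and anything that is not a plain hostname / IPv4 literal.
$host = $_GET['host'] ?? '8.8.8.8';
if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9.-]{0,252}\z/', $host)) {
    http_response_code(400);
    exit("invalid host\n");
}
$cmd = 'ping -c 5 ' . escapeshellarg($host) . ' 2>&1'; // stderr merged into stdout

$descriptors = [
    0 => ['file', '/dev/null', 'r'], // no stdin for the child
    1 => ['pipe', 'w'],              // we read the child's stdout
];
$proc = proc_open($cmd, $descriptors, $pipes);
if (!is_resource($proc)) {
    http_response_code(500);
    exit("could not start command\n");
}

echo "BEGIN\n";
flush();
// fgets() returns as soon as the child emits a newline, so each reply shows up immediately.
while (($line = fgets($pipes[1])) !== false) {
    echo $line;
    flush();
}
fclose($pipes[1]);
$status = proc_close($proc);
echo "DONE (exit status {$status})\n";
flush();
```

Compared with passthru(), the proc_open() loop lets the script decide what to do per line (timestamping, truncating, stopping early) and reports the exit status at the end, which is useful when the command fails silently.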
WordPress TwentyTwenty Theme – Inter font Apache2 error
I’m testing out the development version of TwentyTwenty theme from WordPress on this site.
I noted that calls to /assets/fonts/inter/Inter-upright.var.woff2 were causing some grief for Apache2 (Error 500):
AH00681: Syntax error in type map, no ':' in /var/www/clients/client0/web1/web/wp-content/themes/twentytwenty/assets/fonts/inter/Inter-upright.var.woff2 for header wof2
A cursory Google search indicates that Apache2 interprets filenames containing .var in the name as a type map (the type-map handler from mod_negotiation).
To work around this, I’ve set the following in my .htaccess:
RemoveHandler .var
WordPress Unauthorized Password Reset Vulnerability (CVE-2017-8259)
WordPress has a password reset feature that contains a vulnerability which might in some cases allow attackers to get hold of the password reset link without prior authentication.
Such an attack could lead to an attacker gaining unauthorized access to a victim’s WordPress account. This affects all versions of WordPress, including the current version, 4.7.4.
Description
The vulnerability stems from WordPress using untrusted data by default when creating a password reset e-mail that is supposed to be delivered only to the e-mail address associated with the owner’s account.
This can be observed in the following code snippet, which creates the From e-mail header before calling the PHP mail() function:
wp-includes/pluggable.php
if ( !isset( $from_email ) ) {
	// Get the site domain and get rid of www.
	$sitename = strtolower( $_SERVER['SERVER_NAME'] );
	if ( substr( $sitename, 0, 4 ) == 'www.' ) {
		$sitename = substr( $sitename, 4 );
	}
	$from_email = 'wordpress@' . $sitename;
}
Three example scenarios (both ones that require victim interaction and ones that do not) include:
- The attacker can perform a prior DoS attack on the victim’s e-mail account/server (e.g. by sending multiple large files to exceed the user’s disk quota, attacking the DNS server, etc.) in order to prevent the password reset e-mail from reaching the victim’s account, so that it bounces back to the malicious sender address that points at the attacker (no user interaction required)
- Some autoresponders might attach a copy of the e-mail sent in the body of the auto-replied message (no user interaction required)
- Sending multiple password reset e-mails to force the user to reply to the message asking for an explanation of the endless password reset e-mails. The reply containing the password link would then be sent to the attacker (user interaction required)
Workarounds
- If you are using Apache, you can turn on UseCanonicalName (see: https://httpd.apache.org/docs/2.4/mod/core.html#usecanonicalname)
- I created a simple plugin that you can install in your WordPress installation. It disables the lost password (password reset) functionality.
Disable Password Reset
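As an added example (not the "Disable Password Reset" plugin linked above, and not WordPress core code), here is a must-use plugin that addresses the root cause described in this post: it pins the From address of every wp_mail() call to a configured value, so the `'wordpress@' . $_SERVER['SERVER_NAME']` default built in wp-includes/pluggable.php is never used, and optionally refuses password resets altogether. The constants WP_FIXED_MAIL_FROM and WP_DISABLE_PASSWORD_RESET are assumptions of this example; the `wp_mail_from`, `allow_password_reset` filters and `is_email()` are real WordPress APIs.

```php
<?php
/**
 * Plugin Name: Fixed mail sender (added example)
 * Description: Example mu-plugin, not the post's plugin. Pins the From address of wp_mail()
 *              and optionally disables password resets. Place in wp-content/mu-plugins/.
 */

// Hypothetical constant; define it in wp-config.php, e.g.
// define('WP_FIXED_MAIL_FROM', 'wordpress@example.com');
if (!defined('WP_FIXED_MAIL_FROM')) {
    define('WP_FIXED_MAIL_FROM', 'wordpress@example.com');
}

// wp_mail() builds the SERVER_NAME-based default first and then applies 'wp_mail_from' to it.
// Replacing the whole value here means a request's Host header never reaches the From header.
// PHP_INT_MAX priority makes this run after any other plugin's filter.
add_filter('wp_mail_from', static function ($from) {
    $fixed = WP_FIXED_MAIL_FROM;
    // Only pin a syntactically valid address; otherwise keep whatever WordPress produced.
    return is_email($fixed) ? $fixed : $from;
}, PHP_INT_MAX);

// Optional hard stop, equivalent in effect to the post's plugin: get_password_reset_key()
// applies 'allow_password_reset' and returns a WP_Error when the filter yields false,
// so retrieve_password() never generates or mails a reset link.
// Hypothetical constant: define('WP_DISABLE_PASSWORD_RESET', true); in wp-config.php to enable.
add_filter('allow_password_reset', static function ($allow, $user_id) {
    if (defined('WP_DISABLE_PASSWORD_RESET') && WP_DISABLE_PASSWORD_RESET) {
        return false;
    }
    return $allow;
}, 10, 2);
```

Pinning the sender fixes the From header independently of how Apache populates SERVER_NAME. If you rely on the UseCanonicalName workaround instead, note that it only helps when ServerName is set explicitly in the virtual host, because UseCanonicalName On tells Apache to derive SERVER_NAME from that directive rather than from the request.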
Observium nfsen configuration notes
Hacked my way through getting Observium to pick up the nfsen RRDs so that the Netflow tab shows up on the device page in Observium.
Here’s what I did…
Install Prerequisite Software
apt-get install gcc flex librrd-dev make librrdp-perl librrds-perl libsocket6-perl libmailtools-perl mrtg rrdtool
Install nfdump
Download nfdump from SourceForge: https://sourceforge.net/projects/nfdump/files/stable/nfdump-1.6.13/
tar zxvf nfdump-1.6.13.tgz
cd nfdump-1.6.13/
./configure --enable-nfprofile --enable-nftrack
make && make install
Install nfsen
Download nfsen from SourceForge: https://sourceforge.net/projects/nfsen/files/stable/nfsen-1.3.7/
tar zxvf nfsen-1.3.7.tgz
cd nfsen-1.3.7
cp etc/nfsen.conf.dist etc/nfsen.conf
Make configuration changes to nfsen
Modify etc/nfsen.conf
$USER = "www-data";
$WWWUSER = "www-data";
$WWWGROUP = "www-data";
%sources = (
    'routername' => { 'port' => '9996', 'col' => '#0000ff', 'type' => 'netflow', 'IP' => '1.2.3.4' },
);
$MAIL_FROM = 'me@domain.com';
$SMTP_SERVER = 'mail.domain.com';
Save the file and then make a directory where nfsen will store data.
mkdir -p /var/nfsen
./install.pl etc/nfsen.conf
Start nfsen
cd /var/nfsen/bin
./nfsen start
Configure to start nfsen automatically at reboot.
ln -s /var/nfsen/bin/nfsen /etc/init.d/nfsen
update-rc.d nfsen defaults 20
Configure Apache2
Configure Apache2 so we can access nfsen while still using observium.
Make a directory to store nfsen HTML files
mkdir -p /var/www/html/nfsen
Edit /etc/apache2/conf-enabled/observium.conf and add the following line before the closing </VirtualHost>.
Alias /nfsen /var/www/html/nfsen
Restart Apache2
service apache2 restart
At this point you should be able to access http://yourip/nfsen/nfsen.php
Cannot create graph
If you see that error, check the permissions of /var/nfsen and make sure it is accessible by the www-data user specified in /var/nfsen/etc/nfsen.conf.
Observium Configuration
Note: the source name in %sources in /var/nfsen/etc/nfsen.conf must match the hostname you are using for the device in Observium, and it is case sensitive.
So I had a hard time with Observium configuration and decided to just hack it up.
I have Observium installed in /opt/observium, so substitute accordingly.
Add the following to /opt/observium/config.php.
$config['nfsen_enable'] = 1;
$config['nfsen_rrds'] = '/var/nfsen/profiles-stat/live/';
$config['nfsen_split_char'] = '';
$config['nfsen_suffix'] = '';