Tag: security

  • Mybookworld is not safe

    My Mybookworld samba service has several users set up, each with a directory of their own that is accessed with that user's own password. Yesterday I discovered that Mybookworld no longer asks for a password at all and lets me roam freely through every user's directory. Mybookworld has an ip address, a device name it claims for itself, and a device name assigned to it by the router. Access by the first two still behaves normally; only when accessing by the router-assigned device name does the password check fail.

    At first I thought I had accidentally ticked "Remember password" last time, so I ran

    net use * /d

    and Mybookworld still let me through unhindered. Strange: could windows have remembered the access password somewhere else I don't know about? On second thought, windows is not the cause, because I could not have accidentally ticked "Remember password" several times for several users.

    So I rebooted Mybookworld; the problem persisted. There happened to be a firmware update; after updating, the problem was still there. I was out of ideas!

    I had been planning to open ssh access to Mybookworld from the internet; this has put me off the idea. Mybookworld is not secure enough: if samba can go wrong like this, there is no guarantee ssh will not go wrong too.

    Don't call me wise after the event. When I first got the Mybookworld I looked at its configuration and thought it would easily develop security holes. One example: users created with Mybookworld's own web interface are not Linux users; their files are all owned by root:jewab. Running everything as root is a very bad practice, and on top of that permission control depends entirely on Mybookworld's own programs, making no use at all of Linux's powerful permission control. However skilled Mybookworld's developers may be, are they really skilled enough to throw away a proven mechanism and roll their own?

    Another example: when enabling the Mybookworld nfs service you can specify IP Allowed, yet /etc/exports is written like this

    /nfs/myname *(rw,all_squash,sync,insecure,anonuid=65534,anongid=65534)

    I really don't understand it: nfs itself can restrict access by IP, yet Mybookworld does not use that and once again rolls its own. And its own mechanism is very unstable; users on the allow list are frequently refused access. I don't know whether users on the deny list might be allowed instead, which would be even worse.
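The export line quoted above is the kind of entry a practitioner would want to catch in a review. This added example (not from the original post or from WD) parses /etc/exports entries, flags the wildcard client, the insecure option and rw-with-all_squash, and rewrites the line so that only the hosts from the web interface's IP Allowed list are exported; the sample file and the two allowed addresses are constructed for the demo.

```python
import re

# Constructed sample /etc/exports, modelled on the Mybookworld line quoted above
SAMPLE_EXPORTS = """\
# exported by the NAS web interface
/nfs/myname *(rw,all_squash,sync,insecure,anonuid=65534,anongid=65534)
/nfs/backup 192.168.1.0/24(ro,sync,root_squash)
"""

# One "path client(options)" group per line; exports with several client groups are not handled here
ENTRY_RE = re.compile(r"^(\S+)\s+(\S+?)\((.*)\)\s*$")


def parse_exports(text):
    """Return a list of (path, client, [options]) for each export line."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            path, client, opts = m.groups()
            entries.append((path, client, opts.split(",")))
    return entries


def audit_export(path, client, opts):
    """Return the findings for one export entry (empty list means nothing flagged)."""
    findings = []
    if client == "*":
        findings.append("exported to every host (*)")
    if "insecure" in opts:
        findings.append("insecure: mounts accepted from unprivileged source ports")
    if "rw" in opts and "all_squash" in opts:
        findings.append("rw with all_squash: every client writes as the anonymous uid")
    return findings


def restricted_line(path, allowed_clients, opts):
    """Rewrite the export so only the given clients (the IP Allowed list) may mount it."""
    safe_opts = [o for o in opts if o != "insecure"]
    groups = ["%s(%s)" % (c, ",".join(safe_opts)) for c in allowed_clients]
    return path + " " + " ".join(groups)


if __name__ == "__main__":
    for entry in parse_exports(SAMPLE_EXPORTS):
        print(entry[0], "->", audit_export(*entry) or "ok")
```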

  • PayPal Spoof

    An email from PayPal: looks like phishing

    I had an email from PayPal a while ago. I believe it was sent by some careless member of PayPal staff.

    PayPal always reminds people to be aware of phishing emails. At the bottom of the email it says: How do I know this is not a spoof email? Spoof or 'phishing' emails tend to have generic greetings such as "Dear PayPal member". Email from PayPal will always address you by your first and last name.

    However, this particular email addressed me as "Dear First Name Last Name".

  • Email images not showing up in IE8

    I was asked by someone why images in html emails were not displayed on his PC.

    He was using the google mail web interface (SSL enabled: Automatically enforce Secure Socket Layer (SSL) connections when your users access Gmail, Calendar, Docs, and Sites) and IE8. I was using the same google mail but with Firefox. On my PC the images in html emails did show up, so I thought the problem was with some setting in IE8.

    Following this thought I found it was a setting in IE8: Internet Options -> Security -> Custom Level -> Miscellaneous -> Display mixed content. If it is disabled, IE8 will not display http content in a page accessed via https. There should be a prompt before IE8 permanently disables it, but I guess few people understand this security warning.

    IE8 mixed content security warning

    This security setting does not only affect email pages, but email pages are the most likely to be affected, especially marketing emails. Will we see more eshot programmes embedding img src with https?

  • Bonjour is not virus

    Bonjour bundled with Safari

    I don't know how Bonjour got onto my computer; I haven't used Safari for many years. I don't like Apple's products; I installed Safari only for testing, and after reinstalling the system once the testing was done I never thought of putting Safari back.

    The first time I noticed the Bonjour process it really worried me; I thought it was some virus, and only after a Google search did I learn it was something developed by Apple and set my mind at rest. Today I installed Safari again and the installer mentioned Bonjour; because I had encountered Bonjour before, I noticed it and took a screenshot to tell people meeting Bonjour for the first time that Bonjour is harmless (though I have not seen what good Bonjour does either).

  • A brief visit to Milan

    Covering as many places as possible in a limited number of days is a travel mindset that still has many supporters. Our tour group had one optional item, a one-day side trip to Milan, Italy, and in the end 90% of the people chose to go.

    We had already chosen Milan when we signed up; thinking about it now, I rather regret it. Having come to Switzerland, we should have stayed and seen a few more Swiss cities; why leave Switzerland for Italy? The tour itinerary did not include Geneva or Zurich, and we could have used today's free day to go ourselves. But there is no point thinking too much about it; the money was paid, and we had never been to Italy anyway.

    Before we even got off the coach, the guide warned that Milan has many pickpockets and told us to watch our money and belongings. We thought of our encounter with female pickpockets on the Paris metro last month (their attempt failed), and went around with our guard up, which dampened our mood somewhat. A city that cannot give tourists a sense of safety is a sad thing for the whole city.

    Milan, in my eyes, had nothing much worth noting; we walked around and can count it as having been there. The football stadium is worth a visit, but we heard a trip there takes a lot of time, so we gave it up. Designer brand shops are everywhere, but at such prices they do not fit my shopping philosophy (I like the frenzy of Boxing Day brand sales), so I bought nothing.

  • Solution to chm file error of navigation cancelled or invalid address

    Recently I have taken an interest in plobe again, and the manual I found turned out to be in chm format. I say "turned out" because plobe is not a Microsoft technology, yet the documentation author used Microsoft's html help. Using Microsoft html help would have been fine, except that after opening it the file could not be read. The message was: Navigation to the webpage was cancelled, or invalid address.

    I tried many things, none of which hit the mark:

    • Change region and language to China and Chinese
    • Register the file association
    • regsvr32 certain controls
    • Download and install hhupd.exe from Microsoft's site
    • Lower the IE security level

    The result was that my computer was a mess and the problem was still not solved. After a long Google search (Google was not smart this time; it hid the good answers), the method that finally solved the problem was:

    Right-click the CHM file and open Properties -> General -> near the bottom, next to Attributes, there is Security: This file came from another computer and might be blocked to help protect this computer. On the right is an Unblock button.

    Click Unblock -> Apply and that's it!

    BTW, I found this chm file is not worth opening and reading at all. Does it imply that whoever compiles documentation in chm for a non-microsoft technology is silly, and whoever tries to open such a chm is silly as well? I must admit I am silly.

  • Controversial safe_mode

    safe_mode is probably the most controversial configuration directive in php. If you ask me, the name itself is badly chosen, so controversy is inevitable. safe_mode can be set on / off, but safe_mode = off does not mean the server is insecure. Many ISPs' shared hosting environments also run with safe_mode off; godaddy deluxe hosting is one example.

    safe_mode = on alone cannot hold the line on security; instead it restricts the normal operation of some programs, which is a nuisance. Despite the nuisance, and despite not being on shared hosting, I still prefer to set safe_mode = on wherever I can.

    But because I habitually use mod_php, I only recently realised that mod_php with safe_mode = on cannot solve the "chicken or egg" problem for php uploads, because apache tries to operate on user1's directory. To allow apache to operate on user1's directory, user1's directory must grant write permission to group or other. Likewise, to allow apache to operate on user2's directory, user2's directory must grant write permission to group or other. As a result it becomes very hard to isolate user1's and user2's file operations from each other.

    suexec has no effect on mod_php, so it seems the only option is to abandon mod_php and switch to FastCGI.

    Incidentally, godaddy shared hosting puts user1, user2 and so on in one group, then removes group read permission and allows other (apache) read permission. Although the idea is clever, it runs against conventional thinking; normally I would assume owner permission >= group permission >= other permission. godaddy shared hosting uses FastCGI, so the "chicken and egg" problem does not arise.

  • Samba can share files over internet

    Samba is so powerful; I did not expect it could share files and folders over the public internet just as on a LAN.

    If you give the samba server a public ip, shared files and folders can be accessed over the internet simply by \\ip. It is a bit scary, because I had assumed samba would treat users inside and outside the LAN differently and that, without some special settings, a samba server would not let internet users access shares via \\ip. That is not the case, at least not with samba 3.2.8 at present.

    By the same token, if the WD Mybook World is placed in the dmz, its public folder is exposed to all internet users.

    So you must be especially careful: if you want the samba server to be internet visible, you must not set up the password-less guest access that is common for windows shares on a LAN.
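As an added example (not from the original post, and not WD's or Samba's own configuration), this smb.conf fragment shows the settings that close the exposure described above: the LAN address ranges, the share path and the group name are assumptions for the demo.

```ini
[global]
   security = user
   # Weak setting was "map to guest = Bad User": unknown users silently became guest.
   # With Never, a failed login is refused instead of being mapped to a guest session.
   map to guest = Never
   # Only answer on the loopback and LAN interfaces (assumed LAN: 192.168.1.0/24),
   # so a public address on the same host is never served.
   interfaces = lo 192.168.1.0/24
   bind interfaces only = yes
   # Belt and braces: reject any client outside the LAN even if it reaches the port.
   hosts allow = 127. 192.168.1.
   hosts deny = ALL

[public]
   path = /srv/public
   # Weak setting was "guest ok = yes": no password required over \\ip.
   guest ok = no
   # Only real samba accounts in the (assumed) "users" group may connect.
   valid users = @users
   read only = no
```

Run testparm after editing to confirm the file parses, and check that the share still works from the LAN but is refused from any address outside it.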

  • Actinic discounts.fil is giving away secrets

    I have many good reasons to dislike Actinic. One of the reasons is that, as one grows into an Actinic expert, one can also become an Actinic hacker. In other words, Actinic is not nicely secured by the vendor. If an Actinic user wants enhanced security, he / she has to work ten times harder to close the security hole.

    For example, Actinic does not have an online database. Actinic keeps most of its data offline, but it must have some data on the server side, so it stores that data in various files. This is a very doubtful approach. Of course all database software has bugs, but can Actinic's file-based data really do better than mysql, etc.?

    Another example: I recently found that Actinic stopped recognising coupons after an update. During diagnosis, I found that discounts.fil under the acatalog folder serves as the data file for coupon codes etc. acatalog/discounts.fil can be accessed by the public by default, so all promotion secrets are exposed to competitors / customers who analyse this file. Coupon codes are hashed in discounts.fil, and hashing makes the original coupon codes unrecognisable. The Actinic perl script does not compare the hashed customer-input coupon with the hashed coupon code in discounts.fil. It compares the raw customer-input coupon with the hashed coupon code in discounts.fil (of course they will never match). This is a bug in Actinic.

    I think closing the security hole is beyond most Actinic users' capability. What is the point of an advanced Actinic user working so hard on Actinic?
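The comparison bug described above, reproduced and corrected in an added example (not Actinic's perl code; the hash function Actinic uses is not given on the page, so sha256 over the normalised code stands in for it, and the stored coupon table is constructed for the demo):

```python
import hashlib
import hmac

# Assumption: Actinic's real hash is unknown here; sha256 of the upper-cased, trimmed code stands in.
def hash_coupon(code):
    return hashlib.sha256(code.strip().upper().encode("utf-8")).hexdigest()


# Constructed stand-in for the discounts.fil data: promotion name -> hashed coupon code
STORED_COUPONS = {
    "spring-promo": hash_coupon("SPRING10"),
    "vip-discount": hash_coupon("VIP25"),
}


def coupon_valid_buggy(user_input, stored):
    """The described bug: the raw customer input is compared with the stored hash,
    so a correct code can never match."""
    return any(user_input == stored_hash for stored_hash in stored.values())


def coupon_valid_fixed(user_input, stored):
    """Hash the input exactly as the stored value was hashed, then compare the
    digests in constant time so the check does not leak how much of it matched."""
    digest = hash_coupon(user_input)
    return any(hmac.compare_digest(digest, stored_hash) for stored_hash in stored.values())


if __name__ == "__main__":
    for code in ("SPRING10", " spring10 ", "NOPE"):
        print(repr(code), "buggy:", coupon_valid_buggy(code, STORED_COUPONS),
              "fixed:", coupon_valid_fixed(code, STORED_COUPONS))
```

Fixing the comparison does not fix the exposure: a hashed coupon file that the web server serves to anyone can still be guessed offline, so the file itself also needs to be denied to web clients.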

  • A security leak of Godaddy DNS

    It is not only affecting my account. I think it is a security hole for all Godaddy nameserver users. Let me explain in detail.

    I have more than one Godaddy account. I manage my domains in account A, and a deluxe linux shared hosting plan with account B. The nameservers of mydomain.com are set up in account A using xxx.domaincontrol.com. mydomain.com has a wildcard A record pointing to my dedicated server. However, in account B, I can add a domain like sub.mydomain.com. Then when I ping sub.mydomain.com, it resolves to 68.178.254.179 or 72.167.232.13 (the shared hosting server). That means sub.mydomain.com overrides the wildcard A record in account A. In theory, any other Godaddy shared hosting user can also hijack anyname.mydomain.com and point it to an ip address of theirs.

    It is very scary, isn't it? I assume Godaddy did not set up its DNS infrastructure correctly.