What back doors?Quote:
Originally Posted by cutetiggy
These files are not microsoft executables they are straight forward and require a little logic and understanding, the only back doors are ones you make and forget to close. :):
Printable View
What back doors?Quote:
Originally Posted by cutetiggy
These files are not microsoft executables they are straight forward and require a little logic and understanding, the only back doors are ones you make and forget to close. :):
I'm not the one doing it so it annoys my developer but there are a hell of alot of people doing it. I can't show you because I really don't have the expertise to go into arguments. Some backdoors into the servers are quite complex and the last server files he looked at was made for iWeb which they made tones of mistakes in. Which is why I shall be making better server files that are easier and have less problems.Quote:
Originally Posted by argonaut
the shear irony, that iweb is written by WanMei themselves..
meh what problems...i don't get any of these so called problems...well if you happen to find the time to back up these claims of server vulnerability with hard proof so we can review it, then that would be nice..other than that i take such claims of back doors with a pinch of salt and a raised eyebrow, anywho as far as iweb or pwAdmin goes...if you have that open to the WAN then that is your own fault/decision.
If you mean re-writing pwAdmin or iweb so that it is more secure against SQL injection or simply adding protection from sql injection for plugins ...sure, but again why have it open to the world?
http://forum.ragezone.com/f755/pwadm...en-wan-797189/
Your developer is spawing a bunch of bullshit.Quote:
Originally Posted by cutetiggy
There are two scenarios :
a) Your gameserver hosts your website. If you do it right, you will have 3 ports open : HTTP/GLINKD/VPN
b) Your gameserver is solo and your webserver represents a seperate entity. You will have 2 ports open : VPN and GLINKD.
HTTP is a text based protocol with no protocol level vulernabilities. Since everybody seems to use apache around here, turn of directory listing and configure correct handling of PHP files (let a fastcgi instance handle it, for example).
GLINKD uses custom protocol and has no exploits. It's code is so simplistic that there is simply no room for exploits, what it does is simply represent a gateway from LAN -> WAN. It's a traffic relay (with some extras).
VPN is used to create a secure environment (a.k.a LAN) under which you can then access server as if it where in your LAN, disabling any outside access to any vulnerable services.
VPN uses RSA PKI auth with possibly PSK, and paired with a block cipher for speed after key negotiation.
Now, please let your mighty dev friend tell me where there are vulnerabilities on a properly configured server?
you forget somehting. everyone can use any ultra mega super security options with firewall, antivir, ddos protection and so policies but those things never give protection against USER'S (and nab roots) IDIOTISM!
You would be surprised how many people leave ports in the 10xxx range open
i only use iptables to hold flood and protect myserver :D:Quote:
Originally Posted by Hycker
rest of it, my ISP will handle it.
Forum software often allows uploads. Same server has a forum. By setting chmod 777 /etc/hosts you have created a backdoor next time the security patches update.Quote:
Originally Posted by Psytrac
Plain text HTTP is HACKABLE when you have chmod 777 directories - because of the PUT command in the specification.
Nothing important should be world writable ever, and I prefer nothing at all be world writable and simply use write access as necessary on groups because this is more secure. Remember a user can be a member of multiple groups as well.
I can keep going about the atrocious security most of your packages have. One of my favorites so far was an extra user in the mysql database. If I ever want to build a botnet, I'll start hunting for private shard PWI Servers.
I too am working on a tutorial with good security practices. The extra security is giving me a bit of a headache since Java does not log errors. (Missed another hard coded directory setting based off everything written to /.) Everything is intended to run as a user, with user level permissions for mysql, the perfect world server running from /home/pwuser/, etc. I run drupal web servers on the same 8 xeon processor machine, I'm not handing the whole thing over to PW.
I know I'm new here but claiming there are no back doors in most of these server implementations is flat out wrong.
Please do elaborate how :Quote:
Originally Posted by RorschachRev
a) You plan to upload code which changes/adds a hosts file entry, seeing that any modern forum software uses file tokens for sanitizing download links
b) This entry compromises system security
b) How this "created a backdoor" in a system as I have described it further up
HTTP isn't "HACKABLE", it is a protocol. Apache, nginx, lighttpd, litespeed, etc, all have the 1.1 extensions of HTTP disabled by default. Nobody in 21. century uses them anymore.Quote:
Originally Posted by RorschachRev
I agree with this.Quote:
Originally Posted by RorschachRev
You are assuming that because the default packages have potential security audits, that we are all retarded and can't close them? Well... you could be correct, since 98% of this forum thinks development is copying files from forum directly to server. For the rest of us, please don't assume this. As for the extra user, yes, of course you'd want an extra user with less privaleges than root, please don't tell me you use your root mysql accounts for everything. Or did you mean something else?Quote:
Originally Posted by RorschachRev
Also, unless the server owner is retarded and has his mysql open on WAN, you'd need a way to talk to it from localhost, meaning you already have a way to execute remote code on the system, in which case Mysql access would be interesting, but not mandatory. Point is, mysql access, even on root, doesn't help you much in rooting a box.
Cool, but noobs don't read.Quote:
Originally Posted by RorschachRev
Uhm yes, yes it does.Quote:
Originally Posted by RorschachRev
Yeah, linux 101.Quote:
Originally Posted by RorschachRev
No, the implementation itself is correct, it's the way people use said implementations... I beg to differ ;).Quote:
Originally Posted by RorschachRev
Pretty sure this is why you Chmod it to 0755 and NOT 0777 o.o.....
Most forums don't get these sorts of things right. Sometimes the upload button is sanitized, but a XSS can pick another URL to download the file from since most PHP scripts don't determine between local and remote resources.Quote:
Originally Posted by Swoosh91
The best hacks are protocol hacks. Understanding HTTP PUT - W3C Blog Apache basically says the script needs to be really good at #1 restricting itself to the web root and #2 the file permissions need to block writing. To make this more complicated, REST API uses PUT/DELETE in the HTTP specification. The original claim was that HTTP itself in text mode was unhackable. Well that's not true, there is also that HTTP 1.1 extension for the websocket protocol, but the browsers are supposed to come up with a security extension beyond the spec to avoid that nasty poisoning attack. "Text only" and "simple" is no defense for total security, it is a false sense of security.Quote:
HTTP isn't "HACKABLE", it is a protocol. Apache, nginx, lighttpd, litespeed, etc, all have the 1.1 extensions of HTTP disabled by default. Nobody in 21. century uses them anymore.
I mean the package set the guy up as a GM, set him up with the maximum allowed gold in the database, and set him with an extra user that you didn't configure. After I removed the 3rd backdoor I got to thinking, being a noob and not understanding all this stuff I might close 7 backdoors and miss 3 more. I went looking for a 1.4.5 then 1.4.6 package with better security.Quote:
As for the extra user, yes, of course you'd want an extra user with less privaleges than root, please don't tell me you use your root mysql accounts for everything. Or did you mean something else?
phpmyadmin works on a local socket, even the /tmp/mysql.sock configuration. You use that user/pass to log in via phpmyadmin. There are tons of ways of leveraging a mysql user account up to mysql root.Quote:
Also, unless the server owner is retarded and has his mysql open on WAN, you'd need a way to talk to it from localhost, meaning you already have a way to execute remote code on the system, in which case Mysql access would be interesting, but not mandatory. Point is, mysql access, even on root, doesn't help you much in rooting a box.
Any installation that has chmod 777 is not correct. At all. It is lazy. An installer script should keep the permissions the same, only use whoami and groups commands and chown chgrp as needed.Quote:
No, the implementation itself is correct, it's the way people use said implementations... I beg to differ ;).
Again I want to beat down this "simple is secure" concept. If you don't call *any* libraries at all and only read never write data, that might be an excuse. Neither is true in this case. Most of the time app writers will assume that if the script has file permission to write the script is allowed to write. This isn't a security hole in and of itself because nothing should be running as root, and nothing should be world writable.
I'm used to python that will tell me if a library or resource fails to load. These execution scripts aren't checking to see if the folder exists before setting it as the base directory for the script export CLASSPATH=.:/usr/lib/jvm/java-6-sun-1.6.0.26/lib/dt.jar:/usr/lib/jvm/java-6-sun-1.6.0.26/lib/tools.jar:/usr/lib/jvm/java-6-sun-1.6.0.26/lib/mysql-connector-java-3.0.16-ga-bin.jarwell none of those places existed, and the directions specifically said to install openjdk-6-jre. The libraries called by the script don't exist and I get a silent fail. It prints *some* errors, which is deceptive when it can't load the necessary libraries that are required. Java is a bitch, you will never convince me otherwise. .Net and Python are also middleware and don't suffer any of the problems that Java has despite being bytecode languages as well. For example, python can read low level data, and Java can't. It can also call CTypes. It also tells me when a library is missing. Having a fake PATH is one thing but needing libraries from the PATH and not being able to find them is a different one.
I am not going to be explicit with directions how to hack for 2 reasons. #1 I'd be too tempted to root a bunch of PW Servers over the weekend. #2 So would other people.
Im confuse With This Person Who Make This Threa
That It Really I Think
First We All Noob , Me Too
So Dont Kill Noob With This Thread If They Post Help Thread , And Before Already People Post The Tutorial And Release
Just Say Search Or Help Him Just Give Clue
If U Give Full Answer It Same u Give Them Eat
So They Cant Grow UP With Self
Bad Attitude
By The Way , For Security Your Server Maybe This Good For Learn
1) Change Your Port Access Like As , pwAdmin , SSH
2) Rename Your iWeb And PwAdmin
3) rename Your phpmyadmin
4) Make iptable ... For Reject DDOS Hacking Or Send Packet
Maybe Just That
Listen to Me ...
This is Function of Chmod
chmod 777 is All People can Do Anything
chmod 755 is Just Grup And user can Do Anything Here, This Setting is Public Setting For Programs Usually User use That
chmod 700 is This is For Private File Just Own Can Use This , User And Grup cant Use this. This setting are private for own
For security reasons i run separate Mysql Server on a dedicated machine, the GameServers on separate dedicated machines, and the WebServer on a separated dedicated machine, and all these behind a hardware firewall that has open only the necessary ports and nothing more.
To access any of them you must be in LAN or VPN from outside.
Sick...