Vulnerability: AWBS magic_quotes_gpc “Off” SQL Injection and XSS

Advisory: AWBS magic_quotes_gpc “Off” SQL Injection and XSS Vulnerabilities
Release Date: 2007-06-10
Last Modified: 2007-07-26
Author: Justin Samuel [http://www.justinsamuel.com]

Application: AWBS < 2.6.0
Severity: Highly Critical
Impact: Disclosure of sensitive information; cross-site scripting
Vendor Status: Vendor released version 2.6.0 to address issue. Testing still needed to verify that issue is corrected.

Vendor: Total Online Solutions, Inc.
App. Website: http://www.awbs.com/
References: http://www.justinsamuel.com/2007/06/10/awbs-magic_quotes_gpc-off-sql-injection-and-xss-vulnerabilities/

————————————————————————–

Description:

Advanced Webhost Billing System (AWBS) contains multiple SQL injection and XSS
vulnerabilities due to a lack of user input validation and escaping. As the title
indicates, the code relies on PHP's magic_quotes_gpc setting to escape request data,
so the flaws are exploitable on installations where that setting is turned off.

Vulnerability: AWBS Dedicated Server Info Visible to All Users

Advisory: AWBS Dedicated Server Info Visible to All Users
Release Date: 2007-06-10
Last Modified: 2007-07-26
Author: Justin Samuel [http://www.justinsamuel.com]

Application: AWBS < 2.6.0
Severity: Less Critical
Impact: Disclosure of sensitive information
Vendor Status: Vendor released version 2.6.0 to address issue. Testing still needed to verify that issue is corrected.

Vendor: Total Online Solutions, Inc.
App. Website: http://www.awbs.com/
References: http://www.justinsamuel.com/2007/06/10/awbs-dedicated-server-info-visible-to-all-users-vulnerability/

————————————————————————–

Description:

Advanced Webhost Billing System (AWBS) allows any user to view the details of
all dedicated servers sold through the installation, regardless of which customer
owns them.

Vulnerability: ModernBill Insecure CURL Settings

#################################################################

Vulnerability discovered by: Justin Samuel (www.justinsamuel.com)
Discovery Date: 2006-07-11
Severity: Less Critical
Impact: Exposure of sensitive information

Product: ModernBill
Affected Versions: 5.0.1
Vendor: ModernGigabyte, LLC (www.moderngigabyte.com)
Product Link: http://www.modernbill.com/

#################################################################

php 5.1.4 rpms for rhel4 added (with apc)

php 5.1.4 rpms for rhel4 have been added to the rpm downloads section. These are based on the current fedora core 5 rpms with the following changes:

* removed posix functions [shared hosting security]
* removed pcntl functions [shared hosting security]
* added dummy domxml package [compatibility with other packages that depend on it, such as certain plesk 8 packages]

This build does have cgi compiled with fastcgi support.

Additionally, there is a corresponding php-apc 3.1.0 rpm available in the downloads section for this build of php.

scponly rpms with chroot enabled added for rhel4

I’ve added scponly rpms with chroot enabled for rhel4. Get the files here or by apt/yum. This is more useful in a shared hosting environment than the rpms found at DAG and elsewhere that don’t have chroot enabled: without the chroot, an scponly user can still browse and download any part of the filesystem its uid is allowed to read.

To use this, for example on a Plesk box, to allow domains to use sftp without having to give them a chroot’ed bash shell, do the following:

HOWTO: use forwards in bind to only answer queries for domains on your servers (and not be an open dns server)

This howto is meant to be a quick fix for those moving from one server to two, or those with two servers who want to disable recursion. It only works if at least one of your nameservers already answers authoritatively for each zone. I believe it should also work for those with more than two servers, as long as one of the nameservers listed for any given domain answers authoritatively. But if you have more than two servers, you should probably look into setting up your dns properly rather than using the quick fix shown here.

php APC rpms added for php 5.1.2 / APC 3.0.10 / rhel 4

I’ve added php-apc rpms for php 5.1.2 on rhel4, using the current stable release of APC (3.0.10). Get the files here or by apt/yum. Additional notes:

HOWTO: Create a self-signed (wildcard) SSL certificate

The following commands are all you need to create a self-signed (wildcard, if you want) SSL certificate:

HOWTO: Setup SSL certificates for mail services (pop3s, imaps, smtps) on Plesk / Courier-Imap / Qmail

This howto will show you how to set up an SSL certificate on a Plesk server so that it is used when people connect through secure pop, smtp and imap.
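The following script is an added example for the two HOWTOs above; it is not the commands from either post. It generates a self-signed wildcard certificate, putting the wildcard in subjectAltName as well as in the CN (modern clients ignore a wildcard that appears only in the CN), and then assembles the single key-plus-certificate PEM file that Courier-IMAP's TLS_CERTFILE and a TLS-enabled qmail read. The domain example.com and the Plesk-era file locations in install_mail_certs (/usr/share/imapd.pem, /usr/share/pop3d.pem, /var/qmail/control/servercert.pem) are assumptions; check the paths against your own Plesk install before copying anything over them.

```shell
#!/bin/sh
# Added example (not the original post's commands). Creates a self-signed
# wildcard certificate and the combined key+cert PEM used by Courier-IMAP and
# the TLS-patched qmail shipped with Plesk. Domain and paths are assumptions.
set -eu

# make_wildcard_cert DOMAIN OUTDIR [DAYS]
# Writes OUTDIR/key.pem, OUTDIR/cert.pem and OUTDIR/combined.pem.
make_wildcard_cert() {
    domain=$1
    outdir=$2
    days=${3:-365}
    mkdir -p "$outdir"
    # A small OpenSSL config so the wildcard is also in subjectAltName;
    # this works on old OpenSSL versions that lack the -addext option.
    cat > "$outdir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_self
prompt = no
[dn]
CN = *.$domain
[v3_self]
subjectAltName = DNS:*.$domain, DNS:$domain
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # -nodes: unencrypted key, since daemons start without a passphrase prompt
    openssl req -x509 -nodes -sha256 -newkey rsa:2048 -days "$days" \
        -keyout "$outdir/key.pem" -out "$outdir/cert.pem" \
        -config "$outdir/openssl.cnf" 2>/dev/null
    chmod 600 "$outdir/key.pem"
    # Courier-IMAP (TLS_CERTFILE) and qmail (servercert.pem) expect the private
    # key and the certificate in one file; protect it like the bare key.
    cat "$outdir/key.pem" "$outdir/cert.pem" > "$outdir/combined.pem"
    chmod 600 "$outdir/combined.pem"
}

# cert_subject FILE -> prints the subject of a PEM certificate
cert_subject() {
    openssl x509 -noout -subject -in "$1"
}

# cert_has_san FILE NAME -> exit 0 if NAME is listed in subjectAltName
cert_has_san() {
    openssl x509 -noout -text -in "$1" | grep -qF -- "DNS:$2"
}

# install_mail_certs OUTDIR
# Plesk 8-era locations (assumption); each daemon must be able to read its
# copy, so adjust the owner to the user the daemon runs as (e.g. qmaild)
# rather than loosening the mode, then restart courier-imap and qmail.
install_mail_certs() {
    install -m 600 "$1/combined.pem" /usr/share/imapd.pem
    install -m 600 "$1/combined.pem" /usr/share/pop3d.pem
    install -m 600 "$1/combined.pem" /var/qmail/control/servercert.pem
}

# Usage: make_wildcard_cert example.com /root/mailcert 365
#        install_mail_certs /root/mailcert   # as root, after checking paths
```

After the services are restarted, confirm what each daemon actually presents with `openssl s_client -connect mail.example.com:993` (and :995 and :465). A self-signed certificate will still produce a verification error in the client, which is expected here, but the subject and subjectAltName shown should be the wildcard you generated, not the default certificate the packages shipped with.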

HOWTO: Backup and restore a Plesk domain from the command line

This HOWTO shows how to use the Plesk command line utilities to back up and restore a single domain. This can be useful, among other reasons, as a way to move a site between servers (though now there is the Migration Manager for that) or as a way to make a final backup of a domain before removing it (though to be safe you should make other backups and have regular periodic backups as well).