scadblog

5/3/2006

Don’t Patch-Slack!

Since upgrading my departmental website to Mambo, I’ve seen significantly more hacking attempts. This should have been expected, as I have moved to a known software framework that executes a lot more than read calls to service Apache’s GET requests.

Earlier in the year I suffered a minor defacement to the site from a known security vulnerability.  At the time, it could have been much worse.  I quickly applied the appropriate patch and rolled back all of the changes to the system.  Unfortunately I hadn’t learned my lesson about the importance of patching (horrible) and had let two more security patches go by without a second glance.  That left me open to a similar hack but instead of pages defaced, scripts were uploaded.

Two hours of downtime later, I had a snapshot of the drive for forensics and a skeleton page back in service. If there is one lesson for SCAD and tech support staff young and old, it’s this: keep up on your patching. It makes or breaks a secure system, and it deserves repeating ad nauseam.

Filed under: CMS, MetaSCAD, New SCAD Essentials — Michael @ 9:26 am

11/7/2005

Restricting PHP Access via Query String

I needed to restrict access to the admin interface for one of my web pages. The admin interface is provided by the same php file that provides the user interface so I could not use a simple allow,deny ruleset in Apache. I thought of using a RewriteRule via mod_rewrite but it would only search file and path names as part of a regular expression to identify a string to be re-written.

Only after a little digging did I discover that the QUERY_STRING variable is valid in a RewriteCond statement. This way you can use a portion of the query string as the condition for whether the RewriteRule that follows is applied. Add a second condition on REMOTE_ADDR indicating which remote clients may connect and you have all you need. Here is an example drawn from my experience:

RewriteCond %{QUERY_STRING} ^id=admin
RewriteCond %{REMOTE_ADDR} !^128\.112\.
RewriteRule index.php - [F]

(It’s also worth noting that you can use the query string in the RewriteRule as you would any server variable; however, it’s referenced with a preceding % instead of a $.)
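As an added example (not configuration from the original post), here is the same restriction with the patterns tightened. It assumes the same layout as the post: the admin interface is reached as /index.php?id=admin, 128.112.0.0/16 is the trusted network, and the rules live in server or virtual-host context (in an .htaccess file the RewriteRule pattern would have no leading slash).

```apache
# Added example, not the original post's configuration.
# Assumptions: admin UI at /index.php?id=admin, trusted network 128.112.0.0/16,
# rules placed in httpd.conf / vhost context.
RewriteEngine On

# Match id=admin anywhere in the query string, but only as a whole value.
# The bare pattern ^id=admin fires only when id is the first parameter, and
# it also fires on id=administrator. [NC] makes the test case-insensitive.
RewriteCond %{QUERY_STRING} (^|&)id=admin(&|$) [NC]

# ...and only for clients outside the trusted network.
RewriteCond %{REMOTE_ADDR} !^128\.112\.

# Refuse with 403 Forbidden. Anchoring the path avoids matching other paths
# that merely contain "index.php" (the unanchored pattern also treats the
# dot as "any character").
RewriteRule ^/index\.php$ - [F]
```

Two caveats for anyone copying this: mod_rewrite tests the raw, undecoded query string, so percent-encoded variants of the parameter reach PHP unmatched, which makes this a network-level layer on top of the application's own login, not a replacement for it; and if Apache sits behind a reverse proxy or load balancer, REMOTE_ADDR is the proxy's address, so the address condition needs to be rethought (mod_remoteip or an equivalent) before it means anything.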

Filed under: CMS, Tech Resources and Tips — Michael @ 2:03 pm

9/22/2005

Apache Modules: Rewrite and ProxyPass

I’ve been configuring Apache for the past few days and I’ve been tapping into a number of features. First, I have a number of redirects to other machines that are necessary. In the past I would have created a local account and used some HTML with a forward embedded to get the users to the new machine. However, Apache’s ProxyPass statement seems better suited to the job, and it involves a lot less clutter. To forward all requests for ~user to another machine entirely I did the following. In httpd.conf or your virtual.conf file add:

ProxyPass /~user/ http://hostname/
ProxyPassReverse /~user/ http://hostname/

This handles all requests for the address when it is requested with the trailing slash. I found that without the trailing slash, though, it was unable to redirect properly. It was then time to dive into mod_rewrite. Adding the following to my conf files:

RewriteRule ^/~([^/]+)$ /~$1/ [R]

automatically rewrote any request for a tilde+user directory and added the trailing slash. Finally, attracted to the power of rewriting URLs, and remembering my recent entry on Apache+Kerberos authentication, I decided to write a RewriteRule that actually worked to redirect to https.

RewriteRule ^/~user(.*)$ https://192.168.0.87/~user$1 [L,R]
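The three pieces above assembled into one configuration, as an added example rather than the original post's files. The user name "user", the backend "hostname" and the HTTPS address 192.168.0.87 are the post's placeholders; splitting the rules across a port-80 and a port-443 virtual host is my assumption, as is the presence of the usual SSLEngine and certificate directives, which are omitted.

```apache
# Added example, not the original post's configuration.
# Assumptions: user "user", backend "hostname", HTTPS host 192.168.0.87,
# two vhosts (:80 redirects, :443 terminates TLS and proxies).

<VirtualHost *:80>
    RewriteEngine On

    # 1. Add the missing trailing slash: /~user -> /~user/.
    #    There is a single capture group, so only $1 exists.
    #    R=301 makes the redirect permanent and cacheable.
    RewriteRule ^/~([^/]+)$ /~$1/ [R=301,L]

    # 2. Send ~user to HTTPS. The %{HTTPS} guard means that if this block is
    #    ever included in the :443 vhost as well, the rule does not redirect
    #    the HTTPS site to itself in a loop.
    RewriteCond %{HTTPS} off
    RewriteRule ^/~user(.*)$ https://192.168.0.87/~user$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    # SSLEngine, SSLCertificateFile etc. assumed to be configured here.

    # 3. Reverse-proxy /~user/ to the other machine. ProxyRequests stays Off:
    #    On would turn this server into an open forward proxy.
    ProxyRequests Off

    # ProxyPassReverse must use the same prefix, trailing slash included, so
    # that a Location header of http://hostname/x returned by the backend is
    # rewritten to /~user/x rather than /~userx.
    ProxyPass        /~user/ http://hostname/
    ProxyPassReverse /~user/ http://hostname/
</VirtualHost>
```

A request for http://.../~user therefore takes two hops (slash added, then HTTPS) before the proxy serves it; putting rule 2 before rule 1 would save a round trip but would then need the trailing-slash rule repeated in the :443 vhost.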

Filed under: CMS, Tech Resources and Tips — Michael @ 11:39 am

2/21/2005

Install Princeton OpenCMS

Princeton OpenCMS is the name of a content management system suitable for academic and departmental use on the Princeton network. The CMS is forked from the code developed by Extrafin, Inc. and licensed under the GPL. This document attempts to outline the installation process of Princeton OpenCMS on a Linux system.


Filed under: CMS — Michael @ 1:39 pm

1/27/2005

People Page Table Formatting

The people application as part of the CMS we use offers a convenient and easy way to store all of the data relating to people affiliated with the department and only show the public what we want. However, as part of the UI there is no way to edit what gets displayed in the table that returns people information to visitors of the site. CEE was able to determine where some of the modifications are located in the code (under mod/people in the cms repository).

Table’s Headers: index.mod.php line 133
Phone number truncation: index.mod.php line 103
Order of table data: people.lib.php function get_list line 265

Filed under: CMS — Michael @ 11:32 am

1/24/2005

User Rights and Limitations

Normal Users do not have rights to create new pages, use the file viewer or create links, nor can they be given access to do so via the Config page unless their access level is raised to Admin.

Admins cannot create a page unless they are also given privileges for the section in which they wish the page to reside.

[addendum]

I just realized I sound a little incoherent in this post. Please note that this is in the CMS category. All hints and tips in this category pertain to the Extrafin-derived CMS software.

Filed under: CMS — Michael @ 11:33 am

12/23/2004

Roxen’s Distinguishing Characteristics

Here is some interesting Roxen information that might be worth noting: the Licensing and Features of their CMS, and their own GPL’ed webserver software that it runs on.

Filed under: CMS — Michael @ 12:36 pm