KMP http://www.net24.co.nz/kb/ en-us KnowlageBase RSS Generator PHP not working on subdomains http://www.net24.co.nz/kb/article/AA-00188 Issue

When you create a subdomain in Plesk, such as host.mydomain.co.nz, and try to access a PHP page on this subdomain the following error is displayed:

Forbidden

You do not have permission to access this document.

Web Server at mydomain.co.nz

Solution

The problem occurs because some services are not enabled for the subdomain. Net24 runs PHP under a suexec environment with FastCGI, therefore it is necessary to enable both CGI and FastCGI as well as the PHP option.

You can check these options in Plesk by going to 'mydomain.co.nz > Subdomains', then click on the subdomain to display the Manage subdomain page. The screenshot below shows the options which should be enabled to allow PHP to function correctly.



]]> Tue, 03 Aug 2010 03:49:17 +1200 Understanding email header injection exploits http://www.net24.co.nz/kb/article/AA-00184

Overview

Botnets are constantly scanning the web to locate PHP scripts which are vulnerable to a email header injection exploit. All PHP scripts which send email based on input data, such as when a user supplies a "From" or a "To" address, may be vulnerable. In addition, botnet attempts to inject headers into any other fields it finds on a form such as hidden fields. This article discusses this issue in relation to PHP, but is relevant to all scripting languages.

Discussion

A distributed network of machines are employed to scan PHP-based websites in search of scripts which might be vulnerable to an injection-style security exploit. The exploit, if successful, permits the botnet to send emails to arbitrary destinations. A common target of the botnet is the kind of web-based feedback form which submits an email to a user-provided designated address. The botnet script injects malicious email headers into the form's fields, which are then passed to the mail server. The mail server parses those headers and then, if the attack was successful, it sends an email to the address designated in the maliciously injected headers.

Are My Scripts Vulnerable?

If you have a script that relies on user input for generating an email, then your script is potentially vulnerable to this exploit.

You should review the code for any of your scripts that rely on user input for constructing an email. In addition, you should examine any other fields in your scripts that may NOT rely on user input but which are still used in the generation of an email. Note the two error log snippets below.

In Snippet No. 1, the botnet has tried to manipulate form variables, a hidden form variable ('_submit') and other variables such as the session ID.

array(53) {
  ["HOME"]=> string(1) "/"
  ["PATH"]=> string(29) "/sbin:/bin:/usr/sbin:/usr/bin"
  ["_submit"]=> string(29) "yrfockfsy@example.com"
  ["password"]=> string(29) "yrfockfsy@example.com"
  ["PHPSESSID"]=> string(445) "yrfockfsy@example.com
Content-Type: multipart/mixed; boundary=\"===============1678997057==\"
MIME-Version: 1.0
Subject: 8526bb87
To: yrfockfsy@example.com
bcc: Homeiragtime@aol.com
From: yrfockfsy@example.com

This is a multi-part message in MIME format.

--===============1678997057==
Content-Type: text/plain; charset=\"us-ascii\"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
fvf
--===============1678997057==--
"


In Snippet No. 2, the botnet has again tried to manipulate form variables, a hidden form variable ('_submit') and other variables such as the session ID but in this case, the submitted values have been changed.

array(53) {
  ["HOME"]=> string(1) "/"
  ["PATH"]=> string(29) "/sbin:/bin:/usr/sbin:/usr/bin"
  ["_submit"]=> string(25) "rfljy@example.com"
  ["password"]=> string(438) "rfljy@example.com
Content-Type: multipart/mixed; boundary=\"===============1104808547==\"
MIME-Version: 1.0
Subject: da79e5ec
To: rfljy@example.com
bcc: Homeiragtime@aol.com
From: rfljy@example.com

This is a multi-part message in MIME format.

--===============1104808547==
Content-Type: text/plain; charset=\"us-ascii\"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

twjgdcbd
--===============1104808547==--

"
["PHPSESSID"]=> string(25) "rfljy@example.com"


Solution

To prevent an email header injection attack, you need to filter all input data including any other fields on your forms (such as hidden fields) that may be used by your scripts in the creation of an email. The actual filtering implementation is a matter of programming style.

You can prevent the attack by performing a data validation procedure that will not allow a script to run until the unwanted strings have been removed. For example, the following pattern can be used with PHP's preg_match function. If the function returns false, you can prevent the user from proceeding.

Pattern for filtering email addresses:

"/^([a-z0-9._-](\+[a-z0-9])*)+@[a-z0-9.-]+\.[a-z]{2,6}$/i"


Using the pattern for email addresses, you might do the following: 

$emailPattern = "/^([a-z0-9._-](\+[a-z0-9])*)+@[a-z0-9.-]+\.[a-z]{2,6}$/i";
if (!preg_match($emailPattern, $emailFieldToTest))
{
   print 'Please review the email address you entered. There seems to be a problem';
}


Why does this Exploit Work? Is PHP Insecure?

This exploit has nothing to do with the behavior of PHP and, therefore, is not a shortcoming of PHP. The exploit "works" because of the MIME and SMTP standards.

A basic MIME message is broken into two parts; a header and a body. The header and body are separated by a blank line, i.e., \r\n\r\n (although most mail clients will accept UNIX and other line delimiters, like \n\n or even \n\r\n\r). MIME is also multi-part which means that messages can be embedded in other messages. This is done by having the top level header declare a boundary, which is then used to process further header/body pairs.

If someone is able to inject content into this top level header, they can now essentially control the structure of the entire message. This is done by creating their own boundary, thus defining what's a body and what's a header.

The other significant point of weakness that's taken advantage of is the fact that MIME (and subsequently SMTP) can deal with multiple headers of the same name. Meaning, if there is a To: followed by a To: they are interpreted "correctly" with no errors.

Putting it all together, this allows an attacker to define additional recipients for a message, not to mention adding Bcc: and Cc: headers using multiple headers of the same name. In addition the attacker can define body parts to be sent as the content of the message by defining a multi-part message. So even user input intended as content is vulnerable to the injection of a header instruction. That is why all input data must be filtered.

Conclusion

This article examined the specifics of a particular script exploit and is not meant to protect all PHP scripts from all exploits. As often happens, once one security hole has been closed, another one is found. The important lesson is the need to know exactly how your script will behave and, most importantly, exactly what data you expect to receive from the script.

A solid architecture would assure that:

  1. You know what you are sending out
    Keep track of forms you've put on your site and develop a policy for accepting form submittal (for instance time outs, multiple forms per user id, multiple submissions, not accepting forms you don't expect, etc). This can be implemented using tokens.
  2. You know what you should be getting back
    This is crucial. Just because a <select> field contains certain values, don't think you can't get back something totally different such as PHP code, SQL, etc.
    • Know the fields you need to have back to accept the form as valid.
    • Restrict exactly what values you'd accept as input.
    • Always minimize taking data from forms (or any external source) and using it directly in database queries, or other inner and intimate parts of your application.

]]> Fri, 30 Jul 2010 05:16:41 +1200 Unable to delete directory in FTP or Plesk Server Administrator http://www.net24.co.nz/kb/article/AA-00183 Issue

When you try to delete a directory using FTP or the file manager in Plesk Server Administrator you receive an access denied message.

Cause

The issue can occur if the IIS Worker Process has a lock on the directory or files and folders contained within the directory. Until this lock is released it will be impossible to remove the directory.

Solution

The lock can be removed by recycling the IIS Worker Process using Plesk. Once recycled you can then delete the directory using either FTP or the Plesk file manager.

To recycle the Worker Process follow these steps:

  1. Login to Plesk Server Administrator.
  2. Select the domain name you are having the problem with.
  3. Click on the IIS Application Pool button.

  4. Click on the Recycle button.

After a few seconds the page will reload and the Work Process will have been recycled (however no confirmation of this is displayed). At this point you can delete the directory.

]]> Fri, 30 Jul 2010 04:58:39 +1200 Unable to access Plesk Server Administrator http://www.net24.co.nz/kb/article/AA-00182 Issue

When trying to connect to the Plesk Server Administrator you receive a connection failed or timeout error.

Solution

The Plesk Server Administrator listens for SSL connections on port 8443, because this is not a standard web service port some firewalls may block access. To resolve this problem check your computers software firewall and any hardware firewall or security appliances which may sit in front of your computer.


]]> Fri, 30 Jul 2010 04:46:16 +1200 Server Side Includes (SSI) not working under Windows hosting http://www.net24.co.nz/kb/article/AA-00181

Issue

Server Side Includes (SSI) aren't working under a Windows hosting account and .shtml files don't appear to run.

Reason

Net24 does not support server side includes on Windows hosting accounts; there is a history of security problems with SSI on Windows.

Demand for SSI on Windows is usually low because customers requiring Windows hosting will predominantly be using ASP or ASP.NET server side scripting languages and customers will use the include functions of these languages.

For this reason we have chosen not to support SSI on windows and expose the servers to another attack vector.

Solution

The solution is to use ASP virtual includes such as the example below:

<!--#include virtual="/<virtual path>/<filename.ext>"-->

Rename the page extension to .asp as .shmtl will not run on the server.

If you must use server side includes and do not require any Windows hosting technologies such as asp and asp.net then contact us and we will move your account to a Unix hosting plan that does support SSI.


]]> Fri, 30 Jul 2010 04:44:09 +1200 Sending email from your web application http://www.net24.co.nz/kb/article/AA-00180 Issue

What SMTP server should be used to send email from my web application?

Solution

From all shared web hosting servers please use: mx.hosting.isx.net.nz

If you are using Persits AspEmail with ASP/ASP.NET and using the SMTP queuing feature, then it's not necessary to specify an SMTP server; the AspEmail queue processor is configured to relay mail the correct SMTP server.

PHP on both Windows and Unix hosting servers are also configured to send mail using the correct SMTP server; manual configuration is not necessary.


]]> Fri, 30 Jul 2010 04:43:08 +1200 Previewing your web site by editing your hosts file http://www.net24.co.nz/kb/article/AA-00179 Issue

For various reasons it may be necessary to update the Hosts file on your computer to properly resolve a web site by its domain name. The most common reason for this is to allow you to view or publish web content immediately after purchasing a new domain name or transferring an existing domain name to our service.

New and transferred domain names have a delay period that can be anywhere from a few hours to a few days. During this period of time the new or transferred domain information propagates around the internet, and is generally unavailable.

If you need to preview your site immediately and cannot use the Plesk Site Preview feature then you can edit a file on your computer as a temporary work around.

Solution

Windows & Mac contain a file called 'hosts' that will force resolution of your domain name. Edit this file using the following procedure.

Click here for instructions for Windows or Mac instructions.

Windows 

1. Locate the hosts file on your computer

Use Windows explorer to navigate to the following directory:

Windows 95/98/Me c:\windows\hosts

Windows NT/2000 c:\winnt\system32\drivers\etc\hosts

Windows XP Home/Pro c:\windows\system32\drivers\etc\hosts

2. Open the hosts file for editing

Open your hosts file in Notepad. It should look something like this when you open it:



We will start typing on a new line at the bottom of the file. To do so, click your mouse so that the cursor is at the very end of the last line and hit <Enter> to start a new line.

Enter the following two lines of text like this example:

123.123.123.123 yourdomainname.com

123.123.123.123 www.yourdomainname.com

Important Note

You must replace the 123.123.123.123 number with the IP Address of the web server detailed in your Net24 setup email. Replace 'yourdomainname.com' and 'www.yourdomain.com' with the domain name of your web site.

Your Hosts file should looks something like this when you are done.


Close the Hosts file and save it when asked. If your browser is currently open, close it so that the changes take effect. It is not necessary to restart your computer.

Mac OS X 10.2 or later

To find the hosts file in OS X's graphical interface:

  1. Open Finder.
  2. In the Go menu, select "Go to Folder"
  3. Type /etc for the folder name.
  4. In the list of files that appears, you should find hosts. Double click it to open it in a text editor.
  5. As in the earlier examples, the format of the file is: 123.123.123.123 www.yourdomainname.com.

You should now be able to view and publish to your web site using your domain name.


]]> Fri, 30 Jul 2010 04:38:15 +1200 Password protecting directories http://www.net24.co.nz/kb/article/AA-00175 Overview

It may be necessary to password protect a directory or folder on your web site to prevent general public access or to prevent public download of Access databases stored within a folder.

You can easily password protect a directory using the Plesk Server Administrator following the instructions below:

Password Protecting a Directory for Unix Hosting Accounts

  1. Login to the Plesk Server Administrator.
  2. Select the domain name you wish to setup password protected directories for.
  3. Click on the Protected Directories button.
  4. Click Add New Directory button.
  5. Specify the path to the directory that you wish to password protect.
    This can be any directory existing in the site, for example: /admin. If the directory that you would like to protect has not yet been created, specify the path and the directory name and Plesk will create it for you.
  6. Leave the default Directory Location values set to Non-SSL and SSL.
  7. In the Header Text box, type a resource description or a welcoming message that your users will see when they visit the protected area.
  8. Click OK. The directory you specified will be protected.
  9. To add authorised users, click Add New User.
  10. Specify the login name and password that will be used for accessing the protected area. The password should be from 5 to 14 characters in length. Click OK.
  11. To add more authorised users for this protected resource, repeat the steps 9 and 10.

Password Protecting a Directory for Windows Hosting Accounts

  1. Login to the Plesk Server Administrator.
  2. Select the domain name you wish to setup password protected directories for.
  3. Click on the Protected URLs button.
  4. Click Add New Directory button.
  5. Specify the path to the directory that you wish to password protect.
  6. This can be any directory existing in the site, for example: /admin.
  7. In the Realm access text box, type a resource description or a welcoming message that your users will see when they visit the protected area.
  8. Click OK. The directory you specified will be protected.
  9. To add authorised users, click Add New User.
  10. Specify the login name and password that will be used for accessing the protected area. The password should be from 5 to 14 characters in length. Click OK.
  11. To add more authorised users for this protected resource, repeat the steps 9 and 10.

]]> Fri, 30 Jul 2010 03:47:18 +1200 Password protecting a directory with an .htaccess file http://www.net24.co.nz/kb/article/AA-00174 Overview

It may be necessary to password protect a directory or folder on your web site to prevent general public access or to prevent public download of Access databases stored within a folder.

Usually you can easily password protect a directory using the Plesk Server Administrator following the instructions here.

However, in some cases you may like to automate and control access to a directory by using a script to add usernames and passwords to an access list / password file or if you need to protect a directory on a sub domain you will need to use a .htaccess file as the Plesk Protected Directories feature is not available for sub domains.

The .htaccess file method only applies to Unix hosting plans.

Method

Firstly, you will need to know the full path to your document root. This article will help you find this.

Then, in the directory you want to protect with HTTP authentication, create or upload a file named: .htaccess (remember to include the "." before the "htaccess"). Alternatively you can upload a text file called htaccess.txt and rename this once it has been uploaded to .htaccess

The .htaccess file should contain the following 4 lines: 

AuthType Basic
AuthName "Some Description" 
AuthUserFile /[home dir full path]/httpdocs/.htpasswd 
Require valid-user


For example, if your domain was example.com, then the third line would read:

AuthUserFile /usr/local/www/vhosts/example.com/httpdocs/.htpasswd


The third line is the path to your password file.

Next, you need to create the password file itself. In the example above, .htpasswd is the file that will contain your access list. It is a special file that contains usernames and encrypted passwords that only the web server can read.

Since you don't have access to the Unix command line, you'll need to use an online tool to create the encrypted passwords. Try http://www.htaccesstools.com/htpasswd-generator/ and enter a username and password. It will create an output like user:ZHdYGYUr0N8PI.

Next create your htpasswd file, either as .htpasswd or as a htpasswd.txt file. Edit this file and enter the username and password combination. You can enter one per line.

So your htpasswd file will look something like this:

user:ZHdYGYUr0N8PI


Upload this file to the path specified in your .htaccess file. If you have named the file as a txt file, remember to rename after uploading to .htpasswd.

Now when you enter the URL to your protected directory you should be prompted for the login and password.

Hidden files

The .htaccess and .htpasswd files are hidden files. So after uploading, you won't see them under your FTP client. To view them, you can either turn on 'Show Hidden Files' in your FTP client or use the File Manager under the Plesk Server Administrator. The File Manager can also be used to easily edit and rename the files.


]]> Tue, 03 Aug 2010 03:18:33 +1200 WS FTP - Managing your files http://www.net24.co.nz/kb/article/AA-00159

]]> Fri, 30 Jul 2010 02:26:42 +1200