More Thought on numbers used once (i.e. nonce)

Although I still believe what I wrote, in which I said that the use of wp_nonce in the last steps of the WordPress Automatic Upgrade plugin is an unnecessary precaution, I am puzzled why it did not work. According to Mark’s post on nonces, it sounds like in theory this "number used once" should still be valid if you are forced to log in again. Here is what he wrote.

They are unique to the WordPress install, to the WordPress user, to the action, to the object of the action, and to the time of the action (24 hour window). That means that if any of these things changes, the nonce is invalid.

I guess that if we work through the logic, the only thing I can see that has changed is that the user has logged in again. I must conclude that it is identifying the user by something other than the username. Hmm… This is a puzzle.
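To make the bindings in Mark's description concrete, here is an added example (my own Python, not WordPress's code and not part of the original post) of a nonce tied to user, action, object and a half-day tick, with the check accepting the current and the previous tick so that a nonce lives at most 24 hours. The secret, the tick size and the field layout are my assumptions; WordPress's real implementation is in wp_create_nonce() and wp_verify_nonce(), and the return values 1/2/false mirror its convention.

```python
import hashlib
import hmac
import time

# Assumption: one site-wide secret. In WordPress that role is played by the
# secret key/salt defined in wp-config.php (see the SECRET_KEY entry below).
SITE_SECRET = b"constructed-example-secret-change-me"
# A tick is half a day; accepting the current and the previous tick gives a
# validity window of 12 to 24 hours, which is the "24 hour window" quoted above.
TICK_SECONDS = 12 * 60 * 60


def nonce_tick(now):
    """Number of the half-day tick that contains the timestamp `now`."""
    return int(now // TICK_SECONDS)


def create_nonce(user_id, action, object_id="", now=None, secret=SITE_SECRET):
    """Ten hex characters derived from tick, user, action and object.

    Every ingredient is part of the MAC input, so changing any one of them
    (another user, another action, another post, a later day, a new secret)
    yields a different nonce.
    """
    now = time.time() if now is None else now
    msg = "|".join([str(nonce_tick(now)), str(user_id), action, str(object_id)]).encode()
    digest = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return digest[-10:]


def verify_nonce(nonce, user_id, action, object_id="", now=None, secret=SITE_SECRET):
    """Return 1 if the nonce was made this tick, 2 if last tick, False otherwise."""
    now = time.time() if now is None else now
    if hmac.compare_digest(nonce, create_nonce(user_id, action, object_id, now, secret)):
        return 1
    if hmac.compare_digest(nonce, create_nonce(user_id, action, object_id, now - TICK_SECONDS, secret)):
        return 2
    return False


if __name__ == "__main__":
    t0 = 1_210_000_000  # constructed fixed timestamp so the run is reproducible
    n = create_nonce(1, "activate-plugins", now=t0)
    print("same user/action, same tick:   ", verify_nonce(n, 1, "activate-plugins", now=t0))
    print("same user/action, next tick:   ", verify_nonce(n, 1, "activate-plugins", now=t0 + TICK_SECONDS))
    print("two ticks later:               ", verify_nonce(n, 1, "activate-plugins", now=t0 + 2 * TICK_SECONDS))
    print("checked as user 0 (logged out):", verify_nonce(n, 0, "activate-plugins", now=t0))
    print("different action:              ", verify_nonce(n, 1, "deactivate-plugins", now=t0))
    print("secret rotated:                ", verify_nonce(n, 1, "activate-plugins", now=t0, secret=b"new-secret"))
```

Two properties worth keeping in mind when reading a failed check: the nonce does not prove the request is authenticated, it only ties the request to whatever user id the server has in hand at verification time, and rotating the secret (which is what adding a SECRET_KEY amounts to) invalidates every outstanding nonce at once.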

WordPress › WordPress Automatic upgrade « WordPress Plugins

I have been using this plugin for almost a year. When it works it is great! When I upgraded to WordPress 2.5 I started having a problem with the final two steps, reactivating the plugins and going to the final page. Before I could activate the plugins I had to upgrade the database. Then I had to log back in to the blog. At this point the automatic upgrade plugin was lost and gave me a screen with "Are you sure you want to do this?" All the plugin could do at this point was to clean up the installation. I had to manually activate my plugins.

Today I figured out that if I remove the wp_nonce stuff at the end of the line I could get the automatic upgrade plugin to continue. Wp_nonce is a security feature. I think it is primarily used with forms but it can be used with links. About the only source on this function is the Writing Secure WordPress Plugins post by David Kierznowski. I think when I have to log back into WordPress, wp_nonce thinks I am breaking in and slams the door shut. From a plugin design standpoint I am not sure there is a need for this type of security at this point since all I want to do is activate my plugins and get my log report. I guess I will comment out lines 392-394 so the plugin will work.


Cutline 1.3 Released | Cutline Theme for WordPress

I upgraded to WordPress 2.5.1 today and my old theme broke. I have been looking at Cutline for some time but I have not been motivated enough to commit the time. Today I had the motivation. I am really pleased that I had it ready to go in about thirty minutes.


WordPress 2.5 Secret_Key Vulnerability

Wow, I did not know about this security feature in 2.5. I did not have the ‘SECRET_KEY’ defined since my WordPress sites were upgrades. Since I prefer to follow the Secure WordPress recommendations and missed that section in the paper, I added a random key to all of my sites. The key does not cause any ill effects. Read the original post, WordPress 2.5 Secret_Key Vulnerability, for more details.

Expanding a RAID1 array with bigger disk drives

Problem: You have an existing RAID1 array and now you need more disk space. You have purchased two identical 300 GB disk drives to replace the existing 147 GB disk drives. What is the quickest way to replace the disk drives with the least amount of down time?

Answer: I ran into this situation this week. The easy part of the answer was to replace one disk drive with a new 300 GB drive and let the RAID controller synchronize the drives. Then you replace the last 147 GB drive with the other 300 GB disk drive. The hard part of the question was whether you could partition the remaining disk space into a logical volume without rebooting. The answer is yes. It took about two and a half hours to mirror the first disk. During the first hour Exchange was really sluggish. For the next hour and a half the response time was okay. It took about an hour and a half to mirror the second drive. The response time was okay during the entire mirroring operation. When the mirroring was complete I used the Compaq/HP disk array software to check the disk drives. My research on the Internet said that it was unlikely that the disk array software would show the disk space that was not part of the existing RAID1 array as being available. I was mildly amused to see that it showed that 292 GB was available (i.e. 146 GB per drive). I used the disk array software to create a 146 GB RAID1 volume. When I went into Disk Management I could see that 146 GB was available to be partitioned and formatted. Except for the first hour of mirroring this whole operation was pretty painless and did not require a reboot.

ISS X-Force Database: icmp-timestamp(322): ICMP timestamp requests

A PCI audit point I saw recently recommended that servers not respond to ICMP timestamp requests. For externally based web servers this probably means asking your host provider to implement a rule on their router to block ICMP packets of type 13 or 14 with a code of 0. I haven’t tried this but this should allow normal maintenance packets (e.g. ping) and prevent echo tests using timestamp requests.


Description:

The target computer responded to an ICMP timestamp request. By accurately determining the target’s clock state, an attacker can more effectively attack certain time-based pseudorandom number generators (PRNGs) and the authentication systems that rely on them.

Platforms Affected:

  • Apple, Mac OS
  • Cisco, IOS
  • Data General, DG/UX
  • HP, HP-UX
  • HP, Tru64 UNIX
  • IBM, AIX
  • IBM, OS/2
  • Linux, Linux
  • Microsoft, Windows 98 Second Edition
  • Microsoft, Windows 2000
  • Microsoft, Windows 2003
  • Microsoft, Windows 95
  • Microsoft, Windows 98
  • Microsoft, Windows Me
  • Microsoft, Windows NT
  • Microsoft, Windows XP
  • Novell, Novell NetWare
  • SCO, SCO Unix
  • SGI, IRIX
  • Sun, Solaris
  • Wind River, BSD

Remedy:

Configure your firewall or filtering router to block outgoing ICMP packets. Block ICMP packets of type 13 or 14 and/or code 0.

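The two halves of this entry, the filter rule in the first paragraph and the clock-state attack in the X-Force description, as an added example in Python (my own code, not from the post or the X-Force database): it builds and parses ICMP messages, applies the "type 13 or 14, code 0" rule so that echo traffic can be seen to pass while timestamp traffic is dropped, and shows what one reply gives an attacker, namely the target's clock offset. Every packet value is constructed; the millisecond-since-midnight-UTC encoding is the RFC 792 timestamp format and the offset estimate is the usual NTP-style symmetric-delay formula.

```python
import struct
from datetime import timezone

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
ICMP_TIMESTAMP_REQUEST = 13
ICMP_TIMESTAMP_REPLY = 14


def icmp_checksum(data):
    """RFC 1071 one's-complement checksum over header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type, code, ident, seq, payload=b""):
    """Assemble an ICMP message (no IP header) with a correct checksum."""
    header = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, code, csum, ident, seq) + payload


def build_timestamp(icmp_type, ident, seq, originate, receive=0, transmit=0):
    """Timestamp request (13) or reply (14): three 32-bit ms-since-midnight-UTC fields."""
    return build_icmp(icmp_type, 0, ident, seq, struct.pack("!III", originate, receive, transmit))


def parse_icmp(packet):
    """Decode the common header, verify the checksum, decode timestamps if present."""
    if len(packet) < 8:
        raise ValueError("short ICMP message")
    if icmp_checksum(packet) != 0:  # a valid message checksums to zero
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    msg = {"type": icmp_type, "code": code, "id": ident, "seq": seq}
    if icmp_type in (ICMP_TIMESTAMP_REQUEST, ICMP_TIMESTAMP_REPLY):
        if len(packet) < 20:
            raise ValueError("short timestamp message")
        msg["originate"], msg["receive"], msg["transmit"] = struct.unpack("!III", packet[8:20])
    return msg


def filter_drops(packet):
    """The audit rule: drop type 13 or 14 with code 0; everything else, echo included, passes."""
    return packet[0] in (ICMP_TIMESTAMP_REQUEST, ICMP_TIMESTAMP_REPLY) and packet[1] == 0


def ms_since_midnight_utc(dt):
    """Encode an aware datetime the way ICMP timestamp fields expect."""
    dt = dt.astimezone(timezone.utc)
    midnight = dt.replace(hour=0, minute=0, second=0, microsecond=0)
    return int((dt - midnight).total_seconds() * 1000)


def clock_offset_ms(reply, originate_ms, received_ms):
    """How far the target's clock is ahead of ours, from one reply.

    t1 = our send time (echoed back as originate), t2/t3 = target receive/transmit,
    t4 = our receive time; offset = ((t2 - t1) + (t3 - t4)) / 2 assumes symmetric delay.
    """
    t1, t2, t3, t4 = originate_ms, reply["receive"], reply["transmit"], received_ms
    return ((t2 - t1) + (t3 - t4)) / 2


if __name__ == "__main__":
    request = build_timestamp(ICMP_TIMESTAMP_REQUEST, 0x1234, 1, originate=1000)
    # Constructed reply: target clock 500 ms ahead of ours, 20 ms one-way delay.
    reply = build_timestamp(ICMP_TIMESTAMP_REPLY, 0x1234, 1, 1000, 1520, 1520)
    echo = build_icmp(ICMP_ECHO_REQUEST, 0, 0x1234, 1, b"ping")
    for pkt in (request, reply, echo):
        print("type", parse_icmp(pkt)["type"], "dropped" if filter_drops(pkt) else "passed")
    print("target clock offset (ms):", clock_offset_ms(parse_icmp(reply), 1000, 1040))
```

On a Linux host the request side of the same rule is `iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP` (and `timestamp-reply` on OUTPUT for a host that already answers); `nmap -PP -sn <host>` does host discovery with ICMP timestamp requests and is a quick way to confirm the block from outside. Note that the X-Force remedy's first sentence, "block outgoing ICMP packets", is far broader than the type 13/14 rule in its second sentence and would also break ping and path-MTU discovery.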

.htaccess changes can break LiveWriter

Recently I changed some of my sites to not use the "www" on the front of the URL. It was a little tricky but I got it working right. The first part is to change WordPress to use the shorter URL. The second part of the change was to modify the .htaccess file. I found that the post, Comprehensive URL Canonicalization via htaccess for WordPress-Powered Sites, helped me the most. I checked it in a browser and everything looked fine. Much later I tried to write a post in LiveWriter and it did not work. It gave me the following error message.

blogger.getUsersBlogs method received from the weblog server was invalid

After a little debugging I figured out I could get rid of the problem if I refreshed my account settings for the web sites with the new .htaccess file. I guess LiveWriter is picky about the web site URL.

Server 500 error, Codeplex, and ISA 2004

I recently tried to visit Codeplex and got an error page with a Server 500 error. It did not take too long to figure out that there was a configuration problem on my firewall, ISA 2004. There were several proposed fixes but the one that worked for me I found on a Techarena forum and it said to either turn on or off the HTTP Compression filter. I turned it on and it worked.

I think I had turned off the compression filter in ISA 2004 SP1 days. According to Lazyadmin HTTP Compression started working in SP2 and he has recommendations for configuring it in his post, Enabling HTTP Compression in ISA 2004.

BlogSecurity » Blog Archive » WPIDS v0.1.2 officially released

Recently while upgrading my WordPress blogs I installed WPIDS 0.1.2. WPIDS is an Intrusion Protection System, which is based upon the Intrusion Detection System PHPIDS. It is a nice plugin for those curious about WordPress security. In theory this should improve the security of my blogs.

For the last couple of days I have been monitoring its log. So far I have not found any false positives. It looks like it is blocking some comment spam. Most of my comment spam is caught by Akismet.

I am kind of fascinated with this plugin. If the developers are looking for ideas, it would be nice if:

  1. It would tell me if there is a new filter available. I am not sure how often the filter is updated but with a little modification the plugin could update the file directly. WordPress would like updated plugins to be updated on their web site. An updated revision number for the plugin would appear in the plugin panel. In a perfect world the user could then update the plugin automatically.
  2. The search stats button overlaid the standard report onto the admin page for the plugin. It is not very useful in this format.
  3. It would be nice if the report said why the bad request was blocked. I have several blocked requests showing something called “__utmz” in the tag field.
  4. It would be nice to download the report as a csv file.
  5. It would be nice to have a summary report by type of blocked request.
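The reporting side of items 3, 4 and 5 above, as an added example (my own Python, not WPIDS or PHPIDS code): a small rule set with ids and impact weights, a per-request decision that records which field matched which rule, a per-rule summary and a CSV export. The rules, the block threshold, the exception list and the sample requests are all constructed here. I do not know which PHPIDS filter fired on the __utmz entries mentioned above; the exception set only shows where that tuning decision would live once the cookie value has been checked by hand.

```python
import csv
import io
import re
from collections import Counter
from urllib.parse import parse_qsl

# Constructed, deliberately small rule set (id, pattern, impact weight).
# It is not PHPIDS's filter file, only the same shape of idea.
RULES = [
    ("sqli-union", re.compile(r"\bunion\b.+\bselect\b", re.I | re.S), 5),
    ("sqli-tautology", re.compile(r"'\s*(or|and)\s+[\w']+\s*=", re.I), 4),
    ("xss-tag", re.compile(r"<\s*/?\s*(script|img|iframe|svg|object)\b", re.I), 5),
    ("xss-handler", re.compile(r"\bon[a-z]+\s*=", re.I), 4),
    ("path-traversal", re.compile(r"(\.\./){2,}|%2e%2e%2f", re.I), 5),
    ("php-inject", re.compile(r"<\?php|base64_decode\s*\(", re.I), 5),
]
BLOCK_THRESHOLD = 5  # total impact at or above this blocks the request
# Fields that are never inspected. Assumption: these analytics cookies were
# reviewed and found benign; nothing in this code verifies that.
EXCEPTIONS = {"cookie:__utma", "cookie:__utmz"}


def inspect(request):
    """One dict per rule hit: which field, which rule, how much impact."""
    fields = [("query:" + k, v) for k, v in parse_qsl(request.get("query", ""), keep_blank_values=True)]
    fields += [("cookie:" + k, v) for k, v in request.get("cookies", {}).items()]
    hits = []
    for name, value in fields:
        if name in EXCEPTIONS:
            continue
        for rule_id, pattern, impact in RULES:
            if pattern.search(value):
                hits.append({"field": name, "rule": rule_id, "impact": impact})
    return hits


def decide(request):
    """Score a request and keep the 'why' (item 3) next to the verdict."""
    hits = inspect(request)
    impact = sum(h["impact"] for h in hits)
    return {
        "client": request.get("client", "-"),
        "path": request.get("path", "/"),
        "impact": impact,
        "blocked": impact >= BLOCK_THRESHOLD,
        "hits": hits,
        "reasons": ["%s matched %s (+%d)" % (h["field"], h["rule"], h["impact"]) for h in hits],
    }


def summary_by_rule(decisions):
    """Item 5: how many blocked requests each rule contributed to."""
    counts = Counter()
    for d in decisions:
        if d["blocked"]:
            counts.update(h["rule"] for h in d["hits"])
    return counts


def to_csv(decisions):
    """Item 4: the same report as CSV text."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["client", "path", "impact", "blocked", "reasons"])
    for d in decisions:
        writer.writerow([d["client"], d["path"], d["impact"], int(d["blocked"]), "; ".join(d["reasons"])])
    return out.getvalue()


# Constructed sample traffic, not real log data.
SAMPLE_REQUESTS = [
    {"client": "198.51.100.7", "path": "/", "query": "s=shoes"},
    {"client": "198.51.100.8", "path": "/", "query": "p=1 union select user_pass from wp_users"},
    {"client": "198.51.100.9", "path": "/", "query": "s=<script>alert(1)</script>"},
    {"client": "198.51.100.10", "path": "/wp-content/plugins/x.php", "query": "file=../../../../etc/passwd"},
    {"client": "198.51.100.11", "path": "/about/", "query": "",
     "cookies": {"__utmz": "12345.1210000000.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic"}},
]


def run_sample():
    return [decide(r) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    decisions = run_sample()
    print(to_csv(decisions))
    print("blocked by rule:", dict(summary_by_rule(decisions)))
```

The point of keeping `hits` on every decision, blocked or not, is that a request which scored below the threshold still leaves a trace; that is the data you need when deciding whether to raise a weight, add an exception, or leave a rule alone.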