Nginx Catch-All Error Pages

Using a combination of named locations and the error_page directive, we can make nginx automatically serve error pages from a directory structure with support for wildcard/catch-all files. For example, the handler for status code 503 will check for /errors/error_503.html, /errors/error_50x.html, /errors/error_5xx.html, /errors/error.html. Creating the helper maps: First off, we'll need to use the map directive to help us make the above lookup work. You will need to place these lines within the server block…


Implementing ptsname_r on OSX with Rust

I've been working on a project with Rust that requires creating a pseudo-terminal and, like many others, I've run into a lot of problems with the functions available to get a pair of master/slave fds for my PTY. openpty: int openpty(int *amaster, int *aslave, char *name, const struct termios *termp, const struct winsize *winp); This function seems like a good fit at first glance, but the documentation contains this disclaimer: Nobody knows how much space should be reserved for name. So, calling openpty() or forkpty() with non-NULL name…


Root your box with W3TC and Nginx

Several guides for integrating everybody's favorite caching plugin for WordPress with Nginx tell you to include something like this in your nginx configuration: location / { include /var/www/wordpress/nginx.conf; } At the time of writing, this suggestion is in the guide ranked #2 for the search terms "w3tc nginx". If you don't know already, this conf is generally writable by W3TC (and PHP by extension), so that W3TC can regenerate your Nginx configuration for you. Now let's assume an attacker has hacked your Wordpress…


[CVE-2016-5483] Galera Remote Command Execution via crafted database name

mysqldump is a common utility used to create logical backups of MySQL databases and one of the SST methods used by Galera to bring out-of-sync nodes back into the cluster. Using an evil database name, an attacker can gain remote command execution on all nodes in the cluster or backdoor MySQL backups in a similar attack to my previous post. Of course, this method requires the CREATE DATABASE privilege instead of CREATE TABLE. Example Attack: First, the attacker creates a malicious database using the query below: CREATE DATABASE `test \! id…


[CVE-2016-5483] Backdooring mysqldump backups

mysqldump is a common utility used to create logical backups of MySQL databases. By default, it generates a .sql file containing the queries to create/drop tables and insert your data. By crafting a malicious table name, an attacker can execute arbitrary SQL queries and shell commands if the dump file is imported. If we are still giving cute names to vulnerabilities, my vote is for "Bad Dump". For another related exploit scenario, see RCE in Galera via Crafted Database Name. Attack Scenario: The attacker has gained access to your application and…
