System Administration

Nginx Catch-All Error Pages

Using a combination of named locations along with the error_page directive, we can make it so nginx automatically serves error pages from a directory structure with support for wildcard/catch-all files. For example, the handler for status code 503 will check, in order, for:

/errors/error_503.html
/errors/error_50x.html
/errors/error_5xx.html
/errors/error.html

Creating the helper maps

First off, we'll need to use the map directive to help us make the above lookup work. You will need to place these lines within the server block…

Root your box with W3TC and Nginx

Several guides for integrating everybody's favorite caching plugin for WordPress with Nginx tell you to include something like this in your nginx configuration:

location / {
    include /var/www/wordpress/nginx.conf;
}

At the time of writing, this suggestion is currently in the guide ranked #2 for the search terms "w3tc nginx". If you don't know already, generally this conf is writable by W3TC (and PHP by extension). It does this to make it so W3TC can regenerate your Nginx configuration for you. Now let's assume an attacker has hacked your WordPress…

[CVE-2016-5483] Galera Remote Command Execution via crafted database name

mysqldump is a common utility used to create logical backups of MySQL databases and one of the SST methods used by Galera to bring out-of-sync nodes back into the cluster. Using an evil database name, an attacker can gain remote command execution on all nodes in the cluster or backdoor MySQL backups in a similar attack to my previous post. Of course, this method requires the CREATE DATABASE privilege instead of CREATE TABLE.

Example Attack

First, the attacker creates a malicious database using the query below:

CREATE DATABASE `test \! id…

[CVE-2016-5483] Backdooring mysqldump backups

mysqldump is a common utility used to create logical backups of MySQL databases. By default, it generates a .sql file containing the queries to create/drop tables and insert your data. By crafting a malicious table name, an attacker can execute arbitrary SQL queries and shell commands if the dump file is imported. If we are still giving cute names to vulnerabilities, my vote is for "Bad Dump". For another related exploit scenario, see RCE in Galera via Crafted Database Name.

Attack Scenario

The attacker has gained access to your application and…

Insecure Defaults - Exploiting LOAD DATA LOCAL INFILE

Although it is documented that the default binary distributions of MySQL/MariaDB/Percona all seem to be compiled with allow local infile enabled, the warning is misleading:

"The transfer of the file from the client host to the server host is initiated by the MySQL server. In theory, a patched server could be built that would tell the client program to transfer a file of the server's choosing rather than the file named by the client in the LOAD DATA statement. Such a server could access any file on the…