Comments for mandagreen.com http://mandagreen.com Webdev done right Wed, 19 Jun 2013 09:15:01 +0000 hourly 1 http://wordpress.org/?v=190 Comment on Hardening OpenX by Cristi http://mandagreen.com/hardening-openx/#comment-6123 Cristi Wed, 19 Jun 2013 09:15:01 +0000 http://mandagreen.com/?p=277#comment-6123 yes, the varchar(0) solution is just a temporary patch that you’d have to hope it lasts. the cron that alters the tables will do the trick, but as you said, it’s just another workaround. now that I think of it, I believe the best solution would be to alter it to varchar(0) again, then lower the privileges on the mysql user – you would only grant select, insert, delete, update (maybe replace), but no drop, create and alter. then, whenever you need to upgrade, grant all privileges, upgrade, test, and lower the privileges again.
also, remember, the problem is not with the varchar(0) “fix”, but with the mysql injection problem within openx – i’m psyched to see that such a mature application, with so many downloads, still has such security breaches.

@erik – “deny from all” will affect your ad serving as it will deny access to everything, no only php scripts. see http://httpd.apache.org/docs/current/mod/mod_access_compat.html
basically, all requests to images (or other media) will be denied. if you wish to only disallow php scripts, try using the directive, but there are a lot of other options too – here are a few suggestions:
http://stackoverflow.com/questions/2618908/how-to-prevent-a-specific-directory-from-running-php-html-and-javascript-langu
http://www.wpbeginner.com/wp-tutorials/how-to-disable-php-execution-in-certain-wordpress-directories/
http://stackoverflow.com/questions/1271899/disable-php-in-directory-including-all-sub-directories-with-htaccess

]]> Comment on Hardening OpenX by Erik http://mandagreen.com/hardening-openx/#comment-6122 Erik Wed, 19 Jun 2013 07:11:07 +0000 http://mandagreen.com/?p=277#comment-6122 I think that another thing you should add to this is that no php code should be able to execute in the images directory. Add this to your apache vhost file:

# make sure no php files can be delivered from images/ folder

Deny from all

Order deny,allow

It will not affect your OpenX but it will make it impossible for an attacker to upload something nasty in your images directory. We have seen web shells and spambots uploaded to the images directory.

]]> Comment on Hardening OpenX by Anonymous http://mandagreen.com/hardening-openx/#comment-6121 Anonymous Wed, 19 Jun 2013 00:43:21 +0000 http://mandagreen.com/?p=277#comment-6121 just an fyi, the solution of setting the varchar to 0 worked for a few months, but then today we suddenly got hit with another attack. The attackers somehow re-injected their malicious code into the append and prepend fields, so the varchar(0) solution isn’t exactly permanent. I’ve set up a script that periodically executes every minute and sets the varchar back to 0 and clears all the prepend and append fields in banners and zones, but this still doesn’t actually prevent injection, it simply removes it within 60 seconds of being injected… If anyone has a solution for totally preventing this type of attack from happening again (and not just having a script to undo the damage every 60 seconds) please let me know!

]]> Comment on Showing all reviews and ratings on a page in Magento by Cristi http://mandagreen.com/showing-all-reviews-and-ratings-on-a-page-in-magento/#comment-6027 Cristi Mon, 13 May 2013 13:10:15 +0000 http://mandagreen.com/?p=80#comment-6027 Not sure what images are not showing up. Could you be a little more specific?

]]> Comment on Showing all reviews and ratings on a page in Magento by Marie http://mandagreen.com/showing-all-reviews-and-ratings-on-a-page-in-magento/#comment-6026 Marie Mon, 13 May 2013 13:01:41 +0000 http://mandagreen.com/?p=80#comment-6026 Hello just wanted to give you a quick heads
up and let you know a few of the pictures aren’t loading correctly. I’m not sure why but I think its a
linking issue. I’ve tried it in two different web browsers and both show the same outcome.

]]> Comment on Hardening OpenX by Cristi http://mandagreen.com/hardening-openx/#comment-5954 Cristi Mon, 15 Apr 2013 10:09:43 +0000 http://mandagreen.com/?p=277#comment-5954 That’s a good comment, thank you. Most of the time, security involves additional steps that might seem like they don’t have anything to do with security at all. Take the following trivial example, involving a car. Beside installing a good alarm system on your car, it’s usually considered good practice not to let expensive stuff in the car, like phones, gadgets, money, jewelry. Same with (web) apps. Sure, the varchar(0) workaround could overwritten, but combined with the rest of the items in this article, it will definitely boost the overall security. On top of that, most attacks don’t really run sql queries, cause in that case the attacker could even drop the entire database and then everything in here wouldn’t make sense at all. Instead, most attacks rely on improper user data handling (by the app itself) or brute force attacks (on the admin area or on the server account – ftp, ssh). That’s why I recommend updating to the latest version of openx as soon as possible, and also add another layer of security, like basic auth. If they hack your ftp or ssh account, well, there isn’t much you can do but clean everything up and next time set a better password (or a tighter auth system).

]]> Comment on Hardening OpenX by Claudio http://mandagreen.com/hardening-openx/#comment-5953 Claudio Mon, 15 Apr 2013 09:42:12 +0000 http://mandagreen.com/?p=277#comment-5953 Hi,
I’m being affected by the “append” code attack.
I think that if the hacker is able to execute an “update” query on the append and prepend fields of the banners and zones tables, he is also able to alter and delete all of the database content.
So, I don’t think that altering the above database fields to varchar(0) could be considered a security solution: it looks like trying to solve the problem by putting the head under the ground… What do you think?

]]> Comment on Hardening OpenX by Anonymous http://mandagreen.com/hardening-openx/#comment-5920 Anonymous Fri, 05 Apr 2013 23:09:01 +0000 http://mandagreen.com/?p=277#comment-5920 This is very useful information. Thank you for writing this article. This information helped me secure my organization’s OpenX server which had been subject to constant code injection attacks. Setting the character limit to 0 on the append and prepend fields in the zones and banners table is a great idea. I wish I would have thought of that sooner! I was about to write a script to clear these fields every 60 seconds, but your solution is far more elegant and effective!

Thanks again for this great article and good luck to you in your endeavors!

]]> Comment on Fixing “Catalog Price Rules” cart issue in Magento 1.4.1.0 by Mark Richard http://mandagreen.com/fixing-catalog-price-rules-cart-issue-in-magento-1-4-1-0/#comment-5899 Mark Richard Sat, 30 Mar 2013 09:52:27 +0000 http://mandagreen.com/?p=185#comment-5899 Thanks for solution Crist, it’s really working.

]]> Comment on Showing all reviews and ratings on a page in Magento by Glamour Photography London http://mandagreen.com/showing-all-reviews-and-ratings-on-a-page-in-magento/#comment-5892 Glamour Photography London Thu, 28 Mar 2013 02:07:09 +0000 http://mandagreen.com/?p=80#comment-5892 Way cool! Some very valid points! I appreciate
you penning this article plus the rest of the website is also really good.

]]>