20 March 2012

Installing a Unified Communications SSL certificate in Microsoft IIS 6.0

Just another working day in Redmond

Being placed in the dire situation where my project has to go live and is being served by a Windows server that has no administrator I was forced to open up my RDP client and venture back in time to the days of dinosaurs and IIS.

Unified Communications SSL Certificates are pretty much the only solution I could find to allow a single installation of IIS to share a single certificate that is valid for multiple domains that don't conform to a wildcard.  Whew, what a mouthful.  In other words if you have the domains http://www.ihatemicrosoft.com , http://www.apacheisfree.com, and http://www.graphicalinterfacesareforpansies.com you can use a SSL single certificate to secure them by setting up Subject Alternate Names.

Getting them up and running was a cinch for me made only slightly more complicated by previous failed installation issues which I had to identify and undo.

Firstly if somebody else has tried to install the certificate and failed it's not a bother.  Just get the exact details that were used and rekey it (if the issuer allows this).  GoDaddy allowed me to instantly request a new certificate which I was quickly able to install onto the "master" domain (the one that is not a Subject Alternate Name). Thus I was working from a clean canvas, without incorrect or expired certificates lurking around.

I really don't feel like replicating the bazillions of articles written for Microsoft IIS 6.0 so I'll link to an article that is pretty useful and is on a site full of useful articles - How To Install a Certificate in IIS 6.0 .  I personally had to remove the old (expired) certificate and issue a new CRF but hopefully you won't have to go through all that.

Now that you have it installed for your master the next issue is to set up the SSL bindings, which is the clever bit and the whole point of using Subject Alternate Names.  Basically the issue with using the same IP and port (443) for different sites causes an issue with other sorts of certificates for obvious reasons.  However the Unified Communications SSL certificate is able to validate a number of domains quite happily, we just need to get IIS 6.0 to bind the SSL 443 ports correctly to the host names.

You have probably already noticed that you can't set host headers for SSL in the IIS manager.  That's okay, there is a DOS tool to do this.  For non-Linux people the this might be very very scary, but you need to just drop to a command prompt and do a few things.  Before you do that, however, click on the root node of your domain list to view a list of domains.  Make a note of the long number and host header values that identify the site(s) you want to add as Subject Alternate Names.

Now pop to a DOS prompt and follow the advice given at Digicert which helps you to configure the IIS 6.0 SSL host headers using a VB script.  Basically the important thing is to run the following command from c:\Inetpub\AdminScripts (assuming a default IIS installation):

cscript.exe adsutil.vbs set /w3svc/site identifier/SecureBindings ":443:host header"

If you get an error when browsing that refers to an Invalid Host Header just check that you have correctly matched the site identifier number to the hostheader in the command above and rerun with the correct values to fix it.  You may need to stop and start (why does IIS not have a restart option Steve Ballmer?)  to get everything happy.


14 March 2012

Preventing Directory Traversal attacks in PHP

Directory traversal attacks occur when your program reads or writes a file where the name is based on some sort of input that can be maliciously tampered with.  When used in conjunction with log poisoning this can lead to an attacker gaining remote shell access to your server.

At the most simple it could be to include a file like this:

echo file_get_contents($_GET['sidebar']);

The intention would be for you to be able to call your URL and send a parameter indicating which sidebar content you want to load... like this:  http://foo.bar/myfile.php?sidebar=adverts.html

Which is really terrible practice and would not be done by any experienced developer.

Another common place where directory traversal attacks can occur is in displaying content based on a database call.

If you are reading from or writing to a file based on some input (like GET, POST, COOKIE, etc) then make sure that you remove paths.  The PHP function basename will strip out paths and make sure that you are left only with a filename.

This is still not foolproof, however, as an attacker would still be able to read files in the same directory.

A safer way to do it is to whitelist the files that are allowed to be included.  Whitelisting is safer than blacklisting, so instead of trying to exclude all malicious combinations we will rather allow only a set of safe options to be used.

Consider the following code as an alternative to the above:

$page = $_GET['page'];
$allowedPages = array('adverts','contacts','information');
if ( in_array($page, $allowedPages) ) 
    echo file_get_contents(basename($page . '.html'));

You should consider configuring PHP to disallow opening remote urls with the file stream wrapper by setting allow_url_fopen to Off in your php.ini file.  This does mean that you can't use any function that relies on the file stream (like file_get_contents) to read a URL (you'll need to use curl instead) but it does prevent an attacker from including their own code into your site.

On a system configuration scale it's ideal to have each site running in a chroot jail.  By locking down access to the user that your webserver runs under to a specific directory you can limit the impact of a traversal attack.

So in summary:

  1. Use basename() on any variable you use to include a file
  2. Set allow_url_fopen PHP setting to Off
  3. Set a whitelist of files that you allow to be included


Continuous Integration with Jenkins and Git

Jenkins is a free and open source solution for monitoring the execution of jobs, including software project builds.

By monitoring the outcome of a build you are able to provide continuous quality control throughout the development period of a project.  The aim is to reduce the effort required in quality control at the end of development by  consistently applying small amounts of effort to quality throughout the development cycle.

Under the continuous integration (CI) model developers should consistently integrate their development efforts into the repository.  There should be time delay between committing code changes and the new build - this allows developers to recognize and correct potential problems immediately.  Of course measures must be in place to flag errors with the build.

The advantage to developers and project managers to having a stable repository to which commits are made and tested are multiple.  I don't need to replicate the Wikipedia list here but suffice to say that I've found although development is slowed slightly by needing to correct bugs (lol!) the overall quality of code is improved.  A drawback that is mentioned on Wikipedia and actually made itself very apparent to me immediately is the need for a good test suite.  You should expect to either assign a developer to coding unit tests or to allocate time for developers to code these as part of their development cycle.

If you're running Ubuntu installing Jenkins is very easy - a version is included in the repositories and so can be installed with apt-get.  There is an excellent resource at that guides you through the installation of Jenkins at rdegges.com that will help you get started.  I personally found the Jenkins site itself slightly lacking in documentation aimed at first time users, but there is a large community base of users for support. There is a good tutorial for setting up PHP projects here.

Just by the way, the JAVA_HOME variable should be set to /usr/lib/jvm/default-java on Debian distro's.  This is a symbolic link to the currently installed JVM.

Installing PHPUnit

In case you struggle to install PHPUnit you should have a look at this bug comment on Launchpad which will help to solve the known "coverage" bug in Ubuntu installs.  The following steps are given (and work) to install phpunit on Ubuntu:

sudo apt-get remove phpunit
sudo pear channel-discover pear.phpunit.de
sudo pear channel-discover pear.symfony-project.com
sudo pear channel-discover components.ez.no
sudo pear update-channels
sudo pear upgrade-all
sudo pear install --alldeps phpunit/PHPUnit
Note that I have omitted the last step of the process given on the web which installs phpunit again with apt-get.  This breaks the installation because the new version of PHPUnit is incompatible with the CodeCoverage filter and you will get this error: PHP Fatal error:  Call to undefined method PHP_CodeCoverage_Filter::getInstance() in /usr/bin/phpunit on line 39

If you follow the steps given above and install phpunit with pear you should be okay :-)

09 March 2012

Adding a CakePHP based virtual host in Apache 2.2

It's very simple to set up a name based virtual host in Apache 2.2 using the default Ubuntu package.

I'm assuming that you have installed Apache already and that you have edited /etc/apache2/sites-enabled/000-default to change the AllowOverride None to something like this:

<Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                allow from all

If you have not already used this command

sudo a2enmod rewrite

then do so in order to enable mod_rewrite.

Now edit your /etc/hosts file and add an entry that points to the server where you are setting up the virtual host.

The line should look something like this:  mysite.local

Where the IP address points to the server where you are setting up the host and mysite.local is a nickname for the site. Remember to add the .local :)

Now create a file in /etc/apache2/sites-available and name it something that relates to the sitename (for future maintainability). I would suggest naming it the same as the sitename. Edit it and copy this basic skeleton structure into it:

<VirtualHost *:80>
        ServerAdmin webmaster@example.com
        ServerName  mysite.local
        ServerAlias mysite

        # Indexes + Directory Root.
        DirectoryIndex index.php
        DocumentRoot /var/www/mysite/

It is important that the ServerName matches the entry you made in your /etc/hosts file.

Now run the command a2ensite mysite.local which is a Debian convenience command which creates the symbolic link from the file you created to the /etc/apache2/sites-enabled/ directory.

You will need to restart Apache (service apache2 restart). If all is well you will be able to navigate to http://mysite.local on your local machine and view the site present on the server at /var/www/mysite