Web server – Search Desk (http://searchdesk.org/), feed generated Sat, 20 Nov 2021 22:38:31 +0000

How to run OpenLiteSpeed Web Server on Rocky Linux 8 and AlmaLinux 8
https://searchdesk.org/how-to-run-openlitespeed-%e2%80%8b%e2%80%8bweb-server-on-rocky-linux-8-and-almalinux-8/
Published: Sat, 20 Nov 2021 22:38:31 +0000

This tutorial is about how to run the OpenLiteSpeed web server on Rocky Linux 8 and AlmaLinux 8. We will do our best to make sure you understand this guide. I hope you will like this blog post; if your answer is yes, please share it after reading.

Check out how to run the OpenLiteSpeed web server on Rocky Linux 8 and AlmaLinux 8

OpenLiteSpeed is a free, open source web server that you can use to run and serve sites. It offers a number of features that make it easier to work with, for example custom PHP handling with clear guidance on how best to use it, and an admin interface that lets you manage every part of a site's configuration in one place instead of editing many scripts scattered across the system.

It is a multi-platform web server that works well on all major operating systems and stands out for its speed. You can use, modify or even redistribute OpenLiteSpeed under the terms of the LGPL. Moreover, since it has been around for over ten years, you can easily find help from other users on its message boards.

Prerequisites

  • Rocky Linux 8 server
  • User account with sudo privileges
  • Strong internet connection

Contents

  • Update our system
  • Add the OpenLiteSpeed repository on Rocky Linux 8
  • Install OpenLiteSpeed on Rocky Linux
  • Install PHP
  • Install and configure MySQL
  • Configure the OpenLiteSpeed administrator login credentials
  • Try OpenLiteSpeed

Update Rocky Linux repositories

We need to update our system first so that our repositories are up to date. This is the first step whenever you install software on your system. Run the following command in your terminal.

$ sudo dnf update -y

Once the update is complete, add the OpenLiteSpeed repository.

Enable the EPEL repository

OpenLiteSpeed needs a few packages from EPEL, so enable that repository on Rocky Linux 8 first by typing the following into your terminal:

$ sudo dnf install epel-release

Sample output

...
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Installing       : epel-release-8-13.el8.noarch                           1/1
  Running scriptlet: epel-release-8-13.el8.noarch                           1/1
  Verifying        : epel-release-8-13.el8.noarch                           1/1

Installed:
  epel-release-8-13.el8.noarch

Complete!

Add the OpenLiteSpeed repository

$ sudo rpm -Uvh http://rpms.litespeedtech.com/centos/litespeed-repo-1.1-1.el8.noarch.rpm

Retrieving http://rpms.litespeedtech.com/centos/litespeed-repo-1.1-1.el8.noarch.rpm
Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
Updating / installing...
   1:litespeed-repo-1.2-1.el8         ################################# [100%]

Install OpenLiteSpeed on Rocky Linux / AlmaLinux

Now that the OpenLiteSpeed repository has been added to the system, install OpenLiteSpeed with the following command:

$ sudo dnf install openlitespeed

Once the installation is complete, check the status of the OpenLiteSpeed server with the following command:

$ sudo systemctl status lsws
● lshttpd.service - OpenLiteSpeed HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/lshttpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2021-11-12 12:22:52 UTC; 1min 41s ago
  Process: 63411 ExecStart=/usr/local/lsws/bin/lswsctrl start (code=exited, status=0/SUCCESS)
 Main PID: 63435 (litespeed)
   CGroup: /system.slice/lshttpd.service
           ├─63435 openlitespeed (lshttpd - main)
           ├─63439 openlitespeed (lscgid)
           └─63452 openlitespeed (lshttpd - #01)

Nov 12 12:22:49 rockylinux systemd[1]: Starting OpenLiteSpeed HTTP Server...
Nov 12 12:22 rockylinux lswsctrl[63411]: [OK] litespeed: pid=63435.
Nov 12 12:22:52 rockylinux systemd[1]: Started OpenLiteSpeed HTTP Server.

The status should show active before you continue with this tutorial. Otherwise, start the server first with the following command:

$ sudo /usr/local/lsws/bin/lswsctrl start

Install PHP for OpenLiteSpeed

PHP is not built into OpenLiteSpeed the way it is with Apache. OpenLiteSpeed delegates PHP execution to external PHP executables, which gives better security, stability and handling of many concurrent connections. Start the installation of PHP 7.4 with the following command.

$ sudo dnf -y install lsphp74 lsphp74-common lsphp74-mysqlnd lsphp74-gd lsphp74-process lsphp74-mbstring lsphp74-xml lsphp74-mcrypt lsphp74-pdo lsphp74-imap lsphp74-soap

Once the PHP 7.4 installation is complete, we can move on to installing the MySQL server.

Install the MySQL server

You can run the following command to install the MySQL server

$ sudo dnf install mysql mysql-server

Run the secure installation script to harden MySQL, but start the mysqld service first:

$ sudo systemctl start mysqld

$ sudo systemctl enable mysqld

Check the status now with the following command;

$ sudo systemctl status mysqld

Sample output

● mysqld.service - MySQL 8.0 database server
   Loaded: loaded (/usr/lib/systemd/system/mysqld.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2021-11-12 12:56:55 UTC; 2min 48s ago
 Main PID: 66270 (mysqld)
   Status: "Server is operational"
    Tasks: 37 (limit: 11189)
   Memory: 458.0M
   CGroup: /system.slice/mysqld.service
           └─66270 /usr/libexec/mysqld --basedir=/usr

Nov 12 12:56:47 rockylinux systemd[1]: Starting MySQL 8.0 database server...
Nov 12 12:56:47 rockylinux mysql-prepare-db-dir[66189]: Initializing MySQL database
Nov 12 12:56:55 rockylinux systemd[1]: Started MySQL 8.0 database server.

Now run the secure installation script:

$ sudo mysql_secure_installation

To keep connecting to the server simple, this tutorial does not enable the password validation component: type N at that prompt, and Y at the prompts that follow to let the installation continue. Once done, we can move on to configuring the OpenLiteSpeed admin panel.

Configure the OpenLiteSpeed administration panel

To change the default password of the OpenLiteSpeed admin panel, run the following command:

$ sudo /usr/local/lsws/admin/misc/admpass.sh

Sample output

Please specify the user name of administrator.
This is the user name required to login the administration Web interface.

User name [admin]: administrator

Please specify the administrator's password.
This is the password required to login the administration Web interface.

Password:
Retype password:
Administrator's username/password is updated successfully!

We have successfully set the administrator credentials; now configure the firewall so that OpenLiteSpeed can be reached.

Configure firewall settings

OpenLiteSpeed listens on ports 8088 (the example site) and 7080 (the admin console), so we need to allow access to those ports. To do this, proceed as follows:

$ sudo firewall-cmd --zone=public --permanent --add-port=8088/tcp

Do the same for port 7080:

$ sudo firewall-cmd --zone=public --permanent --add-port=7080/tcp

Then reload firewalld for the changes to take effect:

$ sudo firewall-cmd --reload

If the commands above fail, make sure firewalld is up and running. Run the following command to enable and start it:

$ sudo systemctl enable --now firewalld

Finally, test OpenLiteSpeed by opening the following in your preferred browser:

http://<your-server-ip>:8088

To access the admin console, use port 7080 like this:

https://<your-server-ip>:7080

Final words: How to run OpenLiteSpeed web server on Rocky Linux 8 and AlmaLinux 8

I hope you understand this article, How to run OpenLiteSpeed Web Server on Rocky Linux 8 and AlmaLinux 8. If your answer is no, you can ask anything through the contact form section linked to this article. And if your answer is yes, then share this article with your family and friends.


How to install OpenLiteSpeed Web Server on AlmaLinux 8 / Rocky Linux 8
https://searchdesk.org/how-to-install-openlitespeed-%e2%80%8b%e2%80%8bweb-server-on-almalinux-8-rocky-linux-8/
Published: Wed, 17 Nov 2021 18:29:31 +0000

Steps to download, install, configure, set up and run the OpenLiteSpeed web server on Rocky Linux 8 and AlmaLinux 8 using the command terminal

OpenLiteSpeed is the open source edition of the paid LiteSpeed web server developed and owned by LiteSpeed Technologies. Although it is much newer than the powerful Apache web server, it is popular for its high performance, light weight and speed. Page load time with OpenLiteSpeed is somewhat better than with Nginx. You also don't need additional modules here; OpenLiteSpeed is almost ready to go out of the box. Moreover, it provides a GUI dashboard to easily manage virtual hosts, modules and the web server itself.

With OpenLiteSpeed we don't need additional WordPress plugins for minification, caching, compression and image conversion; it can even deliver WebP images directly from the web server.

Its paid version, known as LiteSpeed Web Server Enterprise Edition (LSWS), is designed to meet the demands of professional web hosting by delivering the fastest possible performance for multiple websites.

However, the open source version we'll be installing here is similar to the enterprise edition but lacks a few third-party plugins that ensure compatibility with cPanel, Plesk and other control panels. In addition, the enterprise version offers a more powerful cache engine, full compatibility with Apache, and commercial support.

Steps to install OpenLiteSpeed on Rocky Linux 8 / AlmaLinux 8

The steps given here can also be used for other RHEL 8 based Linux systems such as Oracle Linux 8, CentOS 8 and others.

1. Add the OpenLiteSpeed Linux repository

Unlike Apache HTTPd, the packages to install OpenLiteSpeed are not available in the default repositories of Rocky or AlmaLinux 8. Therefore, we have to add the repository manually using the command below.

sudo rpm -Uvh http://rpms.litespeedtech.com/centos/litespeed-repo-1.1-1.el8.noarch.rpm

2. Enable the EPEL repository

A few packages required by OpenLiteSpeed are available through the Extra Packages for Enterprise Linux (EPEL) repository, so enable it as well.

sudo dnf install epel-release

3. Run the Rocky or AlmaLinux update command

To ensure that the system can successfully recognize the packages available in the newly added repositories.

sudo dnf update

Note: If you receive a warning:

Invalid configuration value: failovermethod=priority in /etc/yum.repos.d/litespeed.repo; 
Configuration: OptionBinding with id "failovermethod" does not exist

Then, to get rid of it, simply edit the repository file added by LiteSpeed.

sudo nano /etc/yum.repos.d/litespeed.repo

And add # in front of each line containing "failovermethod".

4. Command to install OpenLiteSpeed on AlmaLinux or Rocky 8

Finally, we have everything we need to install and configure the OpenLiteSpeed web server on your Rocky Linux 8 or AlmaLinux 8 server using the DNF package manager.

sudo dnf install openlitespeed


5. Install PHP for OpenLiteSpeed

Depending on your requirements, go for the latest PHP 8.0 or the older PHP 7.4. We give the commands for both; use one of them.

For PHP 7.4

sudo dnf install lsphp74 lsphp74-mysqlnd lsphp74-process lsphp74-bcmath lsphp74-pdo \
  lsphp74-common lsphp74-xml lsphp74-mbstring lsphp74-mcrypt \
  lsphp74-soap lsphp74-gd lsphp74-opcache


For PHP 8.0

sudo dnf install lsphp80 lsphp80-mysqlnd lsphp80-process lsphp80-bcmath lsphp80-pdo \
  lsphp80-common lsphp80-xml lsphp80-mbstring lsphp80-gd lsphp80-opcache lsphp80-soap


6. Check the status of the web server

To confirm that the OpenLiteSpeed web server service is active and running properly, run the status command:

sudo systemctl status lsws

Trivia: the commands to stop, start and restart it are:

sudo systemctl stop lsws
sudo systemctl start lsws
sudo systemctl restart lsws

7. Open the required ports in the firewall

Apart from 80/443 for the websites themselves, we also need ports 8088 and 7080 to reach the web interfaces that manage OpenLiteSpeed from a browser.

sudo firewall-cmd --zone=public --permanent --add-port={80/tcp,443/tcp,8088/tcp,7080/tcp}
sudo firewall-cmd --reload

8. Create an administrator password

By default, the OpenLiteSpeed web administration console uses a well-known default username and password. To change it and set something strong that you can still remember, run the following command:

sudo /usr/local/lsws/admin/misc/admpass.sh


9. Access the OpenLiteSpeed web interfaces: demo page and administrator console

This open source web server provides two web interfaces: one is the demo page, for checking that the PHP version, CGI and other things are working fine, and the other is the administrator dashboard, for managing virtual hosts, PHP and other settings.

For the demo page:

http://your-server-ip-address:8088


For the Administrator page:

https://your-server-ip-address:7080
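Both tutorials on this page open 8088 and 7080 permanently in firewalld's public zone, which leaves the admin console reachable from any address with only its password in front of it. The script below is an added example, not code from either tutorial: it reads `ss -ltn` and `firewall-cmd --zone=public --list-ports` output (constructed samples here, or the live commands) and reports which of the OpenLiteSpeed ports and MySQL are actually exposed; the address in the remediation comment is a placeholder.

```shell
#!/bin/sh
# Exposure check for an OpenLiteSpeed host managed with firewalld.
# Added example, not part of the original tutorials.  It parses the output of
# `ss -ltn` (what is listening, and on which address) and of
# `firewall-cmd --zone=public --list-ports` (what the tutorials' --add-port
# calls opened) and flags 7080 (admin console), 8088 (demo site) and 3306
# (MySQL) when they are reachable from the network.

# Constructed sample of `ss -ltn`: admin console and demo site bound on all
# interfaces, MySQL bound to loopback only.  Live use: SS_OUT=$(ss -ltn)
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      128          0.0.0.0:7080       0.0.0.0:*
LISTEN 0      128          0.0.0.0:8088       0.0.0.0:*
LISTEN 0      70         127.0.0.1:3306       0.0.0.0:*
LISTEN 0      128             [::]:22            [::]:*'

# Constructed sample of `firewall-cmd --zone=public --list-ports`, i.e. the
# state the --add-port commands in the tutorials leave behind.
SAMPLE_FW='80/tcp 443/tcp 8088/tcp 7080/tcp'

# listener_scope PORT SS_OUTPUT -> "all" (wildcard bind), "local" (loopback
# or a specific address only) or "none" (nothing listening on PORT).
listener_scope() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] != p) next
            addr = substr($4, 1, length($4) - length(a[n]) - 1)
            if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") scope = "all"
            else if (scope != "all") scope = "local"
        }
        END { print (scope == "" ? "none" : scope) }'
}

# fw_open PORT LIST_PORTS_OUTPUT -> "yes" if PORT/tcp is open in the zone.
fw_open() {
    case " $2 " in
        *" $1/tcp "*) echo yes ;;
        *)            echo no ;;
    esac
}

# audit SS_OUTPUT LIST_PORTS_OUTPUT -> one finding per line, fixed order.
audit() {
    for spec in "7080:admin console" "8088:demo site" "3306:MySQL"; do
        port=${spec%%:*}
        name=${spec#*:}
        scope=$(listener_scope "$port" "$1")
        open=$(fw_open "$port" "$2")
        if [ "$scope" = all ] && [ "$open" = yes ]; then
            echo "EXPOSED $port ($name): wildcard bind and open in the public zone"
        elif [ "$scope" = all ]; then
            echo "BLOCKED $port ($name): wildcard bind but not open in firewalld"
        elif [ "$scope" = local ]; then
            echo "OK $port ($name): bound to a local address only"
        else
            echo "OK $port ($name): not listening"
        fi
    done
}

audit "$SAMPLE_SS" "$SAMPLE_FW"

# Remediation for an EXPOSED 7080 (203.0.113.10 is a placeholder admin host):
# close the console to the world and allow only that address, e.g.
#   firewall-cmd --permanent --zone=public --remove-port=7080/tcp
#   firewall-cmd --permanent --zone=public --add-rich-rule=\
#     'rule family="ipv4" source address="203.0.113.10/32" port port="7080" protocol="tcp" accept'
#   firewall-cmd --reload
```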


Verdict

So these are the simple steps to get, configure, set up and run the OpenLiteSpeed web server on Rocky Linux 8 and AlmaLinux 8 using the command terminal.

Apache web server users are advised to patch immediately
https://searchdesk.org/apache-web-server-users-are-advised-to-correct-immediately/
Published: Wed, 06 Oct 2021 07:00:00 +0000

Users of the open source Apache HTTP server who have updated to the recently released version 2.4.49 are encouraged to update to 2.4.50 immediately to apply patches for a newly disclosed zero-day that is already actively exploited by malicious actors.

First reported a week ago on September 29, the fast-track patch reflects the widespread use of the Apache Software Foundation's free, cross-platform web server software, which dates back to the mid-1990s and was a driving force in the rapid development of the World Wide Web at the time. It still serves about a quarter of active websites worldwide.

The new release fixes two vulnerabilities, one of which, a zero-day tracked as CVE-2021-41773, is clearly the more urgent. It was identified and disclosed by Ash Daulton of the cPanel Security Team.

The flaw was found in a change to path normalization in the affected version of Apache, and it could allow an attacker to use a path traversal attack to map URLs to files outside the expected document root.

Apache has stated that if files outside the document root are not protected by "require all denied", such requests may succeed, and furthermore that the vulnerability may disclose the source of interpreted files, such as CGI scripts, to an attacker.

This only affects Apache 2.4.49, which was released on September 15, so users who have not yet upgraded to this version are not affected and should upgrade directly to 2.4.50.

Several cyber researchers claim to have already reproduced CVE-2021-41773, and proof of concept exploits are circulating.

Sonatype's Ax Sharma said that, taken together with a separate issue also reported earlier this week, in which misconfigured Apache Airflow servers were found to be leaking thousands of credentials, the incident demonstrated the importance of patching quickly.

“Traversal flaws should not be underestimated,” said Sharma. “Despite repeated reminders and advisories issued by Fortinet, the years-old VPN firewall vulnerability (CVE-2018-13379) continues to be exploited to this day as many entities are behind schedule in applying patches,” he noted.

“This year, attackers exploited the Fortinet path traversal flaw to leak passwords for more than 500,000 VPNs. This is 10 times the number of VPN firewalls that were compromised last year by the same exploit,” he said.

Sharma said there were three takeaways from such an incident, namely:

  • That active exploitation quickly follows disclosure, even when the process has been well coordinated and handled responsibly;
  • That attackers constantly monitor public exploits and scan for vulnerable instances – Shodan research reveals over 100,000 instances of Apache HTTP Server 2.4.49, of which 4,000 are in the UK;
  • And that a fix is not always sufficient just because a vendor says so – threat actors can often find workarounds.

Leaked credentials

The unrelated credential leak was discovered by researchers Nicole Fishbein and Ryan Robinson of Intezer in Apache's Airflow workflow management platform, which is the #1 recommended open source workflow application on GitHub.

While probing a misconfiguration in Airflow, Fishbein and Robinson discovered several unprotected instances exposing credentials belonging to employees of organizations in the biotech, cybersecurity, e-commerce, energy, finance, healthcare, IT, manufacturing, media and transportation industries.

Credentials for accounts held with various services, including cloud hosting providers, payment processors and social media platforms such as Amazon Web Services (AWS), Facebook, Klarna, PayPal, Slack and WhatsApp, were exposed, though not by those organizations themselves.

“Companies with large volumes of sensitive customer data must be extra vigilant in their security processes,” said CloudSphere vice president of product Pravin Rasiah.

“This includes adhering to best practices for identifying and resolving security misconfigurations that put data at risk in real time. Poor security configurations are often the result of incomplete visibility into the data infrastructure and a lack of security guardrails.

“What may seem like a minor oversight in coding practices, as the researchers noted was likely the case here, can ultimately have devastating repercussions on a brand's reputation, as customers' trust relies first and foremost on the security of their data,” he said.

“With a comprehensive assessment of the security posture of applications hosted in their cloud environment and the ability to troubleshoot issues in real time, businesses can operate securely without putting customer data at risk.”

This article was updated at 9:35 a.m. BST on October 7, 2021 to clarify the nature of the Airflow credentials leak.


Web Servers Market 2021 by Key Players, Types, Applications, and Forecast to 2027 – Wrestledelphia
https://searchdesk.org/web-servers-market-2021-by-key-players-types-applications-and-forecast-to-2027-wrestledelphia/
Published: Wed, 29 Sep 2021 13:31:58 +0000

The Global Web Server Market is fueled by various factors, according to a detailed assessment explained in the report. This study shows how important an in-depth analysis should be and how greatly it affects the quality of information provided to readers. In addition, the report also takes into account the impact of the new COVID-19 pandemic on the web server market and offers a clear assessment of the projected market fluctuations over the forecast period.

The Web Server Market report provides an in-depth examination of the expansion drivers, potential challenges, distinguishing trends, and opportunities for the market players, enabling readers to fully understand the Web Servers market landscape. The report presents the top key manufacturers alongside market share, inventory determinations and numbers, contact details, sales, capacity, production, price, cost, revenue, and business profiles. The primary objective of the Web Servers industry report is to provide key information about competitive positioning, current trends, market potential, growth rates, and other relevant statistics.

Sample request with complete table of contents and figures and graphics @ https://crediblemarkets.com/sample-request/web-server-market-220846?utm_source=Aniket&utm_medium=SatPR

Market segmentation: the Web Server market is segmented by type and by application. For the period 2016-2026, the growth among the segments provides accurate revenue calculations and forecast by type and by application. This analysis can help you grow your business by targeting qualified niche markets.

Market segment by type covers: Linux / Unix, Windows, Other

Market segment by application can be divided into: Web browsing, Information storage, Other

Market segment by players, this report covers: Apache, Microsoft, NGINX, IBM, Oracle, Red Hat Software Foundation

Geographically, the detailed analysis of consumption, revenue, market share and growth rate, historical and forecast (2015-2027): United States, Canada, Germany, United Kingdom, France, Italy, Spain, Russia, Netherlands, Turkey, Switzerland, Sweden, Poland, Belgium, China, Japan, South Korea, Australia, India, Taiwan, Indonesia, Thailand, Philippines, Malaysia, Brazil, Mexico, Argentina, Colombia, Chile, Saudi Arabia, United Arab Emirates, Egypt, Nigeria, South Africa and rest of the world

Direct purchase this market research report now @ https://crediblemarkets.com/reports/purchase/web-server-market-220846?license_type=single_user;utm_source=Aniket&utm_medium=SatPR

Some points from the table of contents

Global Web Servers Market Research Report with Opportunities and Strategies to Drive Growth – Impact and Recovery of COVID-19

Market Snapshot: It consists of Six Sections, Research Scope, Major Manufacturers Covered, Market Fragments by Type, Web Servers Market Portions by Application, Study Objectives, and Years Considered.

Market landscape: Here, competition in the global web server market is analyzed by value, revenue, offerings and market share by company, market rate, competitive landscape and latest trends, consolidation, expansion, acquisitions, and the market shares of the leading companies.

Manufacturer Profiles: Here, the major players in the global web server market are examined by sales region, key products, gross margin, revenue, price and production.

State of the market and outlook by region: In this segment, the report examines gross margin, sales, revenue, production, market share, CAGR and market size by region. Here, the global web server market is thoroughly examined by regions and countries such as North America, Europe, China, India, Japan and MEA.

Application or end user: This segment of the research study shows how different end-user / application segments contribute to the global web server market.

Market forecast: Production side: In this part of the report, the authors focus on the production and production value forecast, the forecast for major manufacturers, and the production and production value forecast by type.

Research findings and conclusion: This is one of the last sections of the report, where the findings of the analysts and the conclusion of the research study are given.

Do you have a specific question or requirement? Ask our industry expert @ https://crediblemarkets.com/enquire-request/web-server-market-220846?utm_source=Aniket&utm_medium=SatPR

Main information that the study will provide:

  • Global and Regional 360 Degree Web Servers Market Overview
  • Market share and sales revenue by key players and emerging regional players
  • Competitors – In this section, various leading players of Web Server industry are studied on the basis of their company profile, product portfolio, capacity, price, cost, and revenue.
  • A separate chapter on the entropy of the web servers market to better understand the aggressiveness of the leaders towards the market [Merger & Acquisition / Recent Investment and Key Developments]
  • Patent analysis Number of patents / Trademark registered in recent years.

An “Always Free” Web Server Platform – Virtualization Review
https://searchdesk.org/an-always-free-web-server-platform-virtualization-review/
Published: Fri, 17 Sep 2021 07:00:00 +0000

Using Oracle Cloud, Part 2: An “Always Free” Web Server Platform

Tom Fenton details the web server work he did in his experiment to use an “always free” Ubuntu 18.04 VM on Oracle Cloud to host a small website.

In a previous article, I explained how it took less than 10 minutes to register, create, and use an “always free” Ubuntu 18.04 VM on Oracle Cloud. Yes, the free virtual machine was not that big (1 vCPU and 4 GB RAM), but I figured it would allow the creation of a small website – a good test of Oracle Cloud because the website on the virtual machine would need to open to allow access to the outside world. In this article, I will discuss which web server I chose to use, how I installed it, and how well it works.

Why Apache
The #1 priority for my web server was simplicity; I just wanted a basic website that displays a “Hello World” message. I wanted to verify that a VM on Oracle Cloud would support an application like a web server and allow connectivity with the outside world.

Apache is a free, open source web server which, according to Netcraft, is the most used web server on the net. In the past, whenever I installed it, I found that it just worked. It's stand-alone and doesn't require any additional components, but thanks to its popularity it's highly extensible and has plenty of articles, tips and (most importantly) free help available.

Apache installation
Below are the steps I followed to install Apache on my Oracle Cloud based VM. After logging into my VM over SSH as the ubuntu user, I entered the following commands:

  1. sudo bash (that makes me the root user)
  2. apt install apache2 (this downloaded and installed Apache)

Check that Apache is installed
To check which version of Apache was installed and that it was working, I entered the following commands:

  1. apache2 -v (this displays the version (-v) of Apache that has been installed)
  2. ps aux | grep apache2 (this checks that Apache2 is running)
  3. netstat -anp | grep apache (this verified for me that the Apache2 process was listening on port 80)
  4. apt install lynx (this installs Lynx, a text-based web browser)
  5. lynx localhost (this starts the Lynx web browser and connects to the local host)
  6. I then went to my laptop and tried to access the web server using Chrome. This timed out and failed. I suspected that Oracle Cloud was blocking the port used by Apache (80).

Opening the Oracle Cloud Port for Apache
By default, Oracle Cloud blocks all ports to the virtual machines it hosts, except the port used by SSH. To allow external connections to your virtual machines, you will need to open the ports from the Oracle Cloud portal. After logging into the portal, I performed the following operations:

  1. I selected Dashboard, expanded Compute and clicked Instances.
  2. I selected my instance.
  3. From the Instance Information tab, I selected Subnet.
  4. I selected the security list shown.
  5. I clicked Add Ingress Rule and opened port 80.
  6. I checked that the new ingress rule was displayed.
  7. When I tried to access the site again, it failed.

Opening the Ubuntu port for Apache
To allow external connections to my virtual machines, I would also have to open the port on the Ubuntu firewall. From the ubuntu shell I did the following:

  1. I checked that the UFW firewall was not running by entering ufw status.
  2. Ubuntu 18.04 also has a kernel-based IP filter, iptables. I listed the permitted ports by entering iptables --list. This showed me that there was no rule opening port 80. To open port 80 and restart the Apache server, I entered the following:

    iptables -I INPUT 6 -m state --state NEW -p tcp --dport 80 -j ACCEPT
    netfilter-persistent save
    systemctl restart apache2

After opening the port, I went back to my laptop and found that I could connect to the web server.
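The `-I INPUT 6` above is not arbitrary: when an INPUT chain ends in a catch-all REJECT, a rule appended with `-A` lands after it and never matches, while inserting at the REJECT's position puts the new ACCEPT in front of it. The script below is an added example, not the author's code; it works on a constructed `iptables -S INPUT` listing modelled on that layout (a few ACCEPT rules, then a REJECT, as the article's choice of position 6 suggests), computes the insertion point and checks whether a port-80 rule is reachable after each kind of change.

```shell
#!/bin/sh
# Checks rule ordering in an iptables INPUT chain before and after opening a
# port.  Added example, not code from the article.  Input is the text of
# `iptables -S INPUT`; the sample below is constructed, modelled on an image
# whose INPUT chain allows a few services and then REJECTs everything else.
# Live use: RULES=$(iptables -S INPUT)

SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --sport 123 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# The rule the article adds for Apache.
RULE_80='-A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT'

# catch_all_index RULES -> 1-based number of the first REJECT/DROP rule in the
# chain (0 if there is none).  This is the N to use with `iptables -I INPUT N`.
catch_all_index() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / { i++; if (!hit && $0 ~ /-j (REJECT|DROP)/) hit = i }
        END { print hit + 0 }'
}

# port_reachable PORT RULES -> "yes" if an ACCEPT for --dport PORT precedes the
# first REJECT/DROP rule, "no" otherwise (including "ACCEPT after the REJECT").
port_reachable() {
    printf '%s\n' "$2" | awk -v p="$1" '
        /^-A INPUT / {
            if (!blocked && $0 ~ /-j ACCEPT/ && $0 ~ ("--dport " p "( |$)")) ok = 1
            if ($0 ~ /-j (REJECT|DROP)/) blocked = 1
        }
        END { print (ok ? "yes" : "no") }'
}

# insert_rule RULES N RULE -> RULES with RULE inserted as rule number N, which
# is what `iptables -I INPUT N ...` does (N past the end behaves like -A).
insert_rule() {
    printf '%s\n' "$1" | awk -v n="$2" -v r="$3" '
        /^-A INPUT / { i++; if (i == n) print r }
        { print }
        END { if (i < n) print r }'
}

# append_rule RULES RULE -> RULES with RULE at the end, i.e. `iptables -A INPUT ...`
append_rule() {
    printf '%s\n%s\n' "$1" "$2"
}

# Demonstration on the constructed sample.
POS=$(catch_all_index "$SAMPLE_RULES")
echo "catch-all REJECT is rule number: $POS"
echo "port 80 before change:           $(port_reachable 80 "$SAMPLE_RULES")"
echo "port 80 after -A (append):       $(port_reachable 80 "$(append_rule "$SAMPLE_RULES" "$RULE_80")")"
echo "port 80 after -I INPUT $POS:        $(port_reachable 80 "$(insert_rule "$SAMPLE_RULES" "$POS" "$RULE_80")")"
```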


Summary
I was able to install and access an Apache web server that was running on an Ubuntu VM hosted on Oracle Cloud. It took me a little while to figure out how to open the firewall on Oracle Cloud and then on the VM, but after figuring out what needed to be opened and how to open it, the process was quick.

This “Always Free” Oracle Cloud instance would not be able to handle a large or complicated website, but that is not the subject of this article or the reason Oracle offers this free service. Oracle offers this service to allow people to get their hands dirty with their cloud services, and that’s what I intended to highlight in this article. While VM creation is only a small aspect of Oracle’s cloud offering, I was impressed with the ease of registering, creating, and managing a VM. Hopefully Oracle continues this ease of use with its other cloud services.

See “Using Oracle Cloud, Part 3: Checking Network Performance on Virtual Machines”.

About the Author

Tom Fenton has extensive hands-on IT experience gained over the past 25 years in various technologies, with the past 15 years focusing on virtualization and storage. He is currently working as a technical marketing manager for ControlUp. Previously, he worked at VMware as a Senior Course Developer, Solutions Engineer and in the Competitive Marketing group. He also worked as a senior validation engineer with the Taneja Group, where he led the validation service lab and was instrumental in starting its vSphere Virtual Volumes practice. He’s on Twitter @vDoppler.



ESET Research discovers new IIS web server threats spy on … https://searchdesk.org/eset-research-discovers-new-iis-web-server-threats-spy-on/ Sun, 08 Aug 2021 07:00:00 +0000

(MENAFN-Mid-East.Info) Dubai, United Arab Emirates: ESET researchers have discovered a set of 10 previously undocumented malware families implemented as malicious extensions for Internet Information Services (IIS) web server software. Targeting both government mailboxes and e-commerce credit card transactions, while also facilitating the distribution of malware, this diverse class of threats operates by spying on and tampering with server communications. At least five of the IIS backdoors spread through the exploitation of Microsoft Exchange mail servers in 2021, according to ESET telemetry and the results of additional internet-wide scans that ESET researchers performed to detect the presence of these backdoors.
Among the victims are governments in Southeast Asia and dozens of companies across various industries, located mainly in Canada, Vietnam and India, but also in the United States, New Zealand, South Korea and other countries.

Today, ESET Research is releasing the “Anatomy of native IIS malware” white paper and launching a series of blog posts on the most notable threats recently discovered: IIStealer, IISpy and IISerpent. These will be posted on WeLiveSecurity from today until August 11, 2021. The results of ESET’s IIS malware research were first presented at Black Hat USA 2021 and will also be shared with the community during the Virus Bulletin 2021 conference on October 8, 2021.

IIS malware is a diverse class of threats used for cybercrime, cyber espionage, and SEO fraud, but in all cases its primary purpose is to intercept incoming HTTP requests to the compromised IIS server and affect how the server responds to (some of) these requests. “Internet Information Services web servers have been targeted by various malicious actors, both for cybercrime and cyberespionage. The software’s modular architecture, designed to provide extensibility for web developers, can be a useful tool for attackers,” says Zuzana Hromcová, ESET researcher and author of the paper.

ESET has identified five main modes in which IIS malware operates:

  • IIS backdoors allow their operators to remotely control the compromised computer with IIS installed.
  • IIS infostealers allow their operators to intercept regular traffic between the compromised server and its legitimate visitors and steal information such as login information and payment information.
  • IIS injectors modify HTTP responses sent to legitimate visitors to serve malicious content.
  • IIS proxies turn the compromised server into an unintentional part of the command and control infrastructure for another family of malware.
  • SEO fraud IIS malware modifies the content served to search engines to manipulate SERP algorithms and boost the ranking of other websites of interest to the attackers.

“It’s still quite rare for security software to run on IIS servers, which makes it easy for attackers to operate undetected for long periods of time. This should be disturbing for all serious web portals who want to protect their visitors’ data, including authentication and payment information. Organizations using Outlook on the web should also be careful, as it relies on IIS and could be an attractive target for espionage, ”says Hromcová.

ESET Research offers several recommendations that can help mitigate IIS malware attacks. These include the use of strong unique passwords and multi-factor authentication for the administration of IIS servers; keep the operating system up to date; using a web application firewall and endpoint security solution for the server; and periodically check the configuration of the IIS server to verify that all installed extensions are legitimate.
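The last recommendation, checking that every installed extension is legitimate, is concrete enough to script. Native IIS modules of the kind described above are registered server-wide in the globalModules section of applicationHost.config, each with the DLL it loads. The script below is an added example (not ESET's code) that lists those entries and flags any whose DLL lives outside the inetsrv directory. The config text is constructed; the third entry mimics a dropped module. It assumes %windir% expands to C:\Windows and that the trusted location is the default %windir%\System32\inetsrv.

```python
"""Flag native IIS modules that do not live where Microsoft's own do.

Added example, not from ESET's paper: reads an applicationHost.config,
walks <globalModules> (where native modules are registered) and reports
every module whose DLL sits outside the inetsrv directory. The config
text is constructed; the third entry mimics a dropped module.
Assumptions: %windir% expands to C:\\Windows and the trusted directory
is the default %windir%\\System32\\inetsrv.
"""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

TRUSTED_DIR = PureWindowsPath(r"C:\Windows\System32\inetsrv")

# Constructed excerpt of an applicationHost.config.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\\System32\\inetsrv\\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="CacheModule" image="C:\\Windows\\Temp\\cache.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""


def expand_windir(image, windir=r"C:\Windows"):
    """Expand the %windir% placeholder IIS uses in module paths."""
    return PureWindowsPath(image.replace("%windir%", windir))


def global_modules(config_xml):
    """Yield (name, image) for every native module registered server-wide."""
    root = ET.fromstring(config_xml)
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            yield add.get("name"), add.get("image")


def suspicious_modules(config_xml, trusted_dir=TRUSTED_DIR):
    """Modules whose DLL is outside trusted_dir (comparison is case-insensitive)."""
    findings = []
    for name, image in global_modules(config_xml):
        if expand_windir(image).parent != trusted_dir:
            findings.append((name, image))
    return findings


def load_and_audit(path=r"C:\Windows\System32\inetsrv\config\applicationHost.config"):
    """Run the audit against the real config file on an IIS host."""
    with open(path, encoding="utf-8-sig") as fh:
        return suspicious_modules(fh.read())


if __name__ == "__main__":
    for name, image in suspicious_modules(SAMPLE_CONFIG):
        print(f"REVIEW {name}: {image}")
```

Path alone is a first filter, not proof: an attacker with administrative access can drop a DLL into inetsrv itself, so follow up on every listed module by checking its Authenticode signature and comparing the set against a known-good server, and review the managed modules declared in each site's web.config as well.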

About ESET :

For more than 30 years, ESET® has been developing cutting-edge IT security software and services to protect businesses, critical infrastructure and consumers around the world against increasingly sophisticated digital threats. From endpoint and mobile device security to endpoint detection and response, encryption and multi-factor authentication, ESET’s high-performance, easy-to-use solutions protect and monitor discreetly 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company that enables the safe use of technology. This is backed by ESET’s R&D centers around the world, working in support of our common future.


Legal warning: MENAFN provides the information “as is” without warranty of any kind. We do not accept any responsibility for the accuracy, content, images, videos, licenses, completeness, legality or reliability of the information contained in this article. If you have any complaints or copyright issues related to this item, please contact the supplier above.



How to set up a Raspberry Pi web server in 2021 [Guide] https://searchdesk.org/how-to-set-up-a-raspberry-pi-web-server-in-2021-guide/ Tue, 06 Jul 2021 07:00:00 +0000

Raspberry Pi is not just a small single-board computer but a DIY board that can do almost anything. Would you like to set up Pi-hole on a Raspberry Pi to block ads and trackers for your entire home network? Yes, it does that. Do you want to set up a Raspberry Pi web server for web development and local file transfer? It does that too. In fact, a Raspberry Pi is a great and affordable way to build a personal web server. So if you are interested, follow this simple guide and turn your Raspberry Pi into a web server in no time.

Configure a Raspberry Pi web server (2021)

To set up a Raspberry Pi web server, you must first install a web server. There are two popular web servers: Apache and Nginx. But in this tutorial, we will be using Apache because it is reliable and easier to use. Apart from that, we will also install PHP so that you can host dynamic web pages on your Raspberry Pi. Now that all of that has been said, let’s move on to the steps.

  • Install Apache web server on Raspberry Pi

1. First of all, make sure you have flashed Raspberry Pi OS with desktop onto the SD card. If you’re new to all of this, follow our guide on how to set up a Raspberry Pi remotely. That said, if you have an external monitor, things will go a lot more smoothly.

2. Once Raspberry Pi OS has booted, open the terminal and run the command below to bring all installed packages up to date.

sudo apt-get update && sudo apt-get upgrade -y

3. Then we have to install the Apache web server on Raspberry Pi. Run the command below in the terminal.

sudo apt install apache2 -y


4. Once installed, the Apache web server is up and running. Simply open the browser on the Raspberry Pi, enter localhost or 127.0.0.1, and press Enter to reach the web server. It should load the default Apache page.


5. You can also enter the IP address of the Raspberry Pi in a browser to reach the web server. Run hostname -I in the terminal to find your RPi’s IP address.


6. Enter the IP address in the browser, and that’s it. You can use the IP address from any device on your local Wi-Fi network and reach the web server. For example, I can easily access the Raspberry Pi web server from my Chromebook.


7. For your information, all web server files live in /var/www/html/. So you can change to that directory and list its files. Here are the commands to run.

cd /var/www/html/
ls -al


8. As you can see in the screenshot above, the index.html file is owned by root. So before you change anything, change its owner to pi (your user). Run the command below to change the owner.

sudo chown pi: index.html
ls -al

As you can see in the screenshot below, pi now owns index.html. You can use the same form to change the ownership of directories such as html and www. Bear in mind that Apache only needs read access to these files, and that anyone who can log in as pi can now change what the server publishes, which matters once you enable SSH later in this guide.


9. Now go ahead and open the file through the terminal or the file manager. I am using the file manager for easier access. Navigate to var -> www -> html, right-click the index.html file and choose Text Editor.


10. Now if I change the title and save the file, the change is reflected on the web server immediately. You will see the updated title when you open the web server in a browser window. This step confirms that your Raspberry Pi web server is working fine.


  • Install PHP on Raspberry Pi

If you want to test your web pages on the Raspberry Pi, installing only the web server will not cut it. You also need to install PHP to get a stack comparable to XAMPP on the Raspberry Pi. It will allow you to test dynamic web pages on your Raspberry Pi. Here is how to go about it.

1. Run the command below to install the latest version of PHP on your Raspberry Pi.

sudo apt install php libapache2-mod-php -y


2. Then go to the same /var/www/html/ directory and create a .php file using a text editor.


3. Then open the file with a text editor and enter the PHP code you want to add. For example, I added PHP code that prints a simple statement.


  • Test FileZilla on Raspberry Pi

Once we have configured the Apache web server and PHP on the Raspberry Pi, it is finally time to test whether we can transfer our existing web assets to the RPi web server with the popular FileZilla FTP client. You can also use other clients like WinSCP if you want. Here are the steps to follow.

1. Install FileZilla (free) on another PC connected to the same Wi-Fi network.

2. Next, on Raspberry Pi, go to the “Start Menu -> Preferences -> Raspberry Pi Configuration” section. Here go to “Interfaces” and activate “SSH”.


3. In FileZilla, open File -> Site Manager and add a New Site. Choose SFTP as the protocol and enter the IP address of the Raspberry Pi web server in the Host field. Leave the Port field empty (SFTP defaults to port 22, the SSH port). After that, enter the default credentials, pi as username and raspberry as password, and click Connect.

Note: If you changed the Raspberry Pi password during setup, enter the new password. If you have not, change it now with passwd: once SSH is enabled, the well-known default is the first thing anyone on the network will try, and that account now owns your web root.


4. You will connect to the web server of your Raspberry Pi. Now you can transfer all your HTML, CSS and PHP assets directly on Raspberry Pi and launch your web development without any problem.


Turn your Raspberry Pi into a web server in a few easy steps

This is how you can set up a web server on a Raspberry Pi. All the tools required to run a web server are available on the Debian-based Raspberry Pi OS, so there is no fuss. Even if you are a beginner, you can follow the step-by-step instructions above and turn the RPi board into a web server in no time. That’s all from us. If you have any questions, let us know in the comments section below.



What is a web server and how does it work? https://searchdesk.org/what-is-a-web-server-and-how-does-it-work/ Thu, 10 Jun 2021 07:00:00 +0000

When you log in, whether it’s to check out social media or even read this article, you are using one or more web servers. These are an essential part of the modern Internet and function as the connecting link between you and the website you are visiting.

But what is a web server and how does it work?

What is a web server for?

A web server is the computer that receives and responds to user requests to access a website. It consists of both hardware, the machine that stores and delivers the data, and software: the machine’s operating system and the web server software itself.

In a telephone analogy, web servers are the handsets at either end, not the wires or the switching system in between. Web servers use various communication protocols to respond to client requests. The most commonly used is HTTP, which stands for Hypertext Transfer Protocol; HTTPS is the same protocol carried over an encrypted TLS connection.

Other protocols include Simple Mail Transfer Protocol (SMTP) and File Transfer Protocol (FTP).

Web servers are computers. But instead of letting you use them for various tasks, they often have just one purpose. And like all computers, they need hardware to run.

The hardware part of a web server can be as large as the supercomputers used by Internet companies, like Google and Facebook, or as small and simple as a laptop. The operating system, which can be anything from Windows and macOS to Linux, is what allows you to communicate with the server.

A typical web server stack contains an HTTP server, a database, and at least one scripting language. They work in tandem, allowing the server to build and serve web pages and to communicate with other servers as needed.

How does a web server work?


Users reach a web server through the URL or domain name of a website it hosts. The software components do all the necessary processing. For dynamic pages, the server runs code in a scripting language such as PHP, Python, Ruby, or Java to generate the page that is returned.

The server then gathers the requested files, including HTML pages, images, JavaScript files, and other media, and sends them to your browser.

All you need to do is enter the correct “location” of the server or URL. Using the URL, your browser retrieves the IP address of the domain using the Domain Name System (DNS). When the web server receives and approves the request, it sends the web page you are looking for.

But sometimes things go wrong. If you request a page that does not exist, or one you are not authorized to see, the server does not deliver it. Instead, it responds with a status code that tells the browser what went wrong, such as 404 Not Found or 403 Forbidden.
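To make the request-to-response path concrete, here is an added example (not from the article) that models what a server does with one request line: it maps the path onto a document root and returns the status code and body a real server would send. It builds a throw-away document root with constructed files, treats a directory named "private" as protected (an assumption for the example), and refuses any path that resolves outside the root, the check that keeps a request for ../../etc/passwd from leaving the site's folder.

```python
"""What a web server does with one request line, in miniature.

Added example, not from the article: builds a throw-away document root
with constructed files, then maps a request line to the status code and
body a server would send back. Unsupported method -> 405, path escaping
the document root or under a protected directory -> 403, nothing
there -> 404, otherwise 200. The protected directory name ("private")
is an assumption for the example.
"""
import os
import tempfile
from urllib.parse import unquote, urlsplit

PROTECTED = ("private/",)


def make_sample_docroot():
    """Create a temporary document root holding two constructed pages."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.mkdir(os.path.join(root, "private"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<h1>Welcome</h1>")
    with open(os.path.join(root, "private", "report.html"), "w") as fh:
        fh.write("<h1>Internal</h1>")
    return root


def handle_request(request_line, docroot):
    """Return (status, reason, body) for a single HTTP request line."""
    parts = request_line.split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return 400, "Bad Request", b""
    method, target, _version = parts
    if method not in ("GET", "HEAD"):
        return 405, "Method Not Allowed", b""

    # DNS already got the browser here; the server only sees the path part.
    path = unquote(urlsplit(target).path)
    if path.endswith("/"):
        path += "index.html"

    # Confine the lookup to the document root: resolve '..' and symlinks,
    # then refuse anything whose real location is outside the root.
    root = os.path.realpath(docroot)
    full = os.path.realpath(os.path.join(root, path.lstrip("/")))
    if os.path.commonpath([root, full]) != root:
        return 403, "Forbidden", b""
    rel = os.path.relpath(full, root).replace(os.sep, "/")
    if rel.startswith(PROTECTED):
        return 403, "Forbidden", b""

    if not os.path.isfile(full):
        return 404, "Not Found", b""
    with open(full, "rb") as fh:
        body = fh.read()
    return 200, "OK", b"" if method == "HEAD" else body


if __name__ == "__main__":
    root = make_sample_docroot()
    for line in ("GET / HTTP/1.1", "GET /private/report.html HTTP/1.1",
                 "GET /../../etc/passwd HTTP/1.1", "GET /nope.html HTTP/1.1"):
        print(line, "->", handle_request(line, root)[:2])
```

Real servers add headers, keep-alive, content types and much more, but the ordering above is the part worth remembering: decode, resolve to a real path, check containment, and only then touch the filesystem.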

Remote or local web servers


Because web servers run on physical hardware, they have to exist somewhere, even if that somewhere is remote. The vast majority of web servers are hosted remotely. As the name suggests, a remote server is one that is not in the same location as the user.

When you plan to host your own website, you have the option of using remote servers or hosting your own locally. A remote web server, depending on the company you rent it from, may contain just your website or multiple websites with different URLs.


But using a local web server often means turning your own laptop, computer, or tablet into a web server. Then it can receive requests from other people’s browsers and grant them access to your website. However, you can also buy a dedicated server, keep it and maintain it locally.

Choose the right type of server

In the tech world, you can find multiple tools performing similar tasks without being interchangeable. Before committing to any type of server, make sure that it suits your needs.

For example, a file server does not give you access to a website; it serves as a storage location for files and documents. You can use a file server to store files alongside a web server, but you can’t use it by itself to host a website for open or limited access.







How to create a basic web server in Node.js https://searchdesk.org/how-to-create-a-basic-web-server-in-node-js/ Thu, 13 May 2021 07:00:00 +0000

Node.js has become one of the most popular choices for server-side development since its initial release over a decade ago. Although it is still relatively new compared to PHP and other backend technologies, it has been widely adopted by tech giants like LinkedIn, PayPal, Netflix, etc.

This article will teach you how to build and run your own web server with Node.js and the Express.js web framework.

Technologies and packages involved

Node.js is a JavaScript runtime built on Chrome’s V8 engine that allows you to run JavaScript code outside of the browser. Traditionally, the JavaScript programming language has been used to manipulate the Document Object Model (DOM), adding interactivity to websites.

For this reason, the JavaScript code has been restricted to run only in the browser, as the DOM only exists on web pages. With Node.js, you can run JavaScript at the command line and on servers. Therefore, it is essential to install Node.js and npm on your machine before starting.

On the other hand, Express.js is a minimalist web framework that has become the de facto backend framework for Node.js. However, Express.js is not a necessity. You can still use the http Node.js module to build your server. Express.js is built on top of the http module and provides a simpler API with all the necessary configurations.

Build a web server

To better organize your code, you can start by creating a folder where all the files and dependencies will reside. Since Express.js is not a built-in Node.js module, you will need to install it using npm.


To install the Express.js package, run the command npm install express on your terminal or command prompt. Make sure you are in the project directory before installation.


When done, you can open the folder using any text editor or IDE of your choice and create a new file named server.js. To use the Express.js package, you must first import and create an instance of it in the server.js file like this:

const express = require('express');
const app = express();

The main purpose of a web server is to respond to requests from different routes with the appropriate handler function. This code handles all GET requests made at the root (“/”) and responds with “Hello World!”

app.get('/', (req, res) => {
res.send('<h1>Hello World</h1>');
});

Likewise, you can display dynamic content and perform other operations depending on the path and type of request. This is done using route parameters, indicated by a colon (:) in front of the parameter name.

app.get('/:name', (req, res) => {
res.send(`<h1>Welcome to ${req.params.name}!</h1>`);
});

In the two examples above, the first line uses the .get() Express.js method, which takes two parameters: the endpoint (route) and a callback handler function that receives the request and response objects. Express passes these two objects automatically whenever a matching request arrives.

In the second line, the response is sent through the .send() method of the response object. Inside the parentheses you can pass any text or HTML you want. In the case of dynamic routes, reading req.params.name (since the route was declared as /:name) from the request object returns the value of the dynamic route parameter (name, in this case). That value comes straight from the URL, so treat it as untrusted: interpolating it into HTML unescaped, as the demo does, lets a visitor inject markup into the page, and anything beyond a demo should escape it.

Finally, to start listening for incoming requests on a port, use the .listen() method, which takes the port number and an optional callback that runs once the server is listening.

app.listen(5000, () => console.log('Server is running on port 5000'));

I used port 5000 in the example, but you can change it to any valid port. That is all the code you need to build a basic web server with Node.js and Express.js. The same concept extends to other request methods such as POST, PUT, or DELETE on other routes, each registered with the corresponding app.post(), app.put(), or app.delete() call. Put the three snippets above together, in that order, and you have the complete server.js file.

Server test

To run the code and start the server, run node server.js in your terminal or command prompt from the project directory. This executes the callback you passed to .listen(), which prints the startup message.

To confirm that the server is running, open a web browser and visit http://localhost:5000; you should see the Hello World heading.

Likewise, if you visit a dynamic route such as http://localhost:5000/muo, the second handler function runs and the page shows the welcome heading with “muo” inserted.

To stop the server, press Ctrl + C in the terminal (the same on Windows, macOS, and Linux).

Node.js can do more

The popularity of JavaScript is increasing sharply as developers use it on both the front end and the back end. This eliminates the need to learn multiple programming languages ​​and helps you start your journey as a full-stack web developer using only JavaScript.

If you decide you’d rather try Go, Google’s programming language, building a basic web server is a great starter project there too.







GoAhead Developers Fix Null Byte Injection Vulnerability in Embedded Web Server https://searchdesk.org/goahead-developers-fix-null-byte-injection-vulnerability-in-embedded-web-server/ Tue, 27 Apr 2021 07:00:00 +0000

Exploitation requires additional vulnerability or device misconfiguration

UPDATE Embedthis fixed a null byte injection vulnerability in GoAhead, the embedded web server deployed in hundreds of millions of devices.

“A specially crafted URL with an embedded %00 character before the extension may result in the delivery of an incorrect file with a truncated filename,” reads the security advisory on GitHub documenting the bug.

Citing the hypothetical URL https://example.com/example%00.html, the advisory states that “the %00 is decoded to be NULL”, causing the file handler to serve “example” instead of “example.html”.

As a result, “remote attackers could access documents whose names are strict subsets of longer valid URLs.”

The advisory nonetheless rates the severity of the bug as “low”, because “an exploit requires [either] additional vulnerability via uploaded malicious files” or device misconfiguration.

“Unlikely configuration”

The flaw was discovered by Luc Rindels, an infosec master’s student at Carnegie Mellon University, during a PlaidCTF 2021 challenge earlier this month that involved manipulating the values of IoT cameras and sensors.

“The vulnerability abuses the mismatch between the route extension check and the decoded filename to trick GoAhead into believing that a file should be sent to the JST [JavaScript Template] handler even if it has an incorrect extension,” Rindels told The Daily Swig.

“GoAhead should only send .html files to the JST handler, but the vulnerability allows any file to be sent to the JST handler.”
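The mismatch Rindels describes is easiest to see side by side. The following is an added example in Python, not GoAhead's code: the vulnerable router picks the handler from the extension of the still-encoded request path, then decodes it and hands the name to code with C-string semantics, where everything after the first NUL byte disappears; the hardened router decodes first, rejects control bytes, and only then checks the extension on the decoded name. The document tree and the template text are constructed, and "jst" stands in for GoAhead's JavaScript template handler.

```python
"""The %00 mismatch from the GoAhead advisory, vulnerable next to hardened.

Added example, not GoAhead's code: models the bug in Python. The
vulnerable router classifies on the encoded path's extension, then
decodes and truncates at the first NUL the way a C char* would. The
hardened router decodes once, rejects control bytes, and classifies on
the decoded name. DOCROOT and the template text are constructed.
"""
from urllib.parse import unquote

# Constructed upload directory: a public page plus an uploaded file that
# shares its base name, the precondition the vendor describes.
DOCROOT = {
    "example.html": "<html>public page</html>",
    "example": "template body with <% nonce %>",
}


def c_string(name):
    """Model a C char*: the string ends at the first NUL byte."""
    return name.split("\x00", 1)[0]


def route_vulnerable(url_path):
    """(handler, filename): extension checked before decoding, name truncated after."""
    handler = "jst" if url_path.endswith(".html") else "static"
    decoded = unquote(url_path.lstrip("/"))
    return handler, c_string(decoded)


def route_hardened(url_path):
    """(handler, filename): decode once, reject control bytes, then classify."""
    decoded = unquote(url_path.lstrip("/"))
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in decoded):
        return "reject", None
    handler = "jst" if decoded.endswith(".html") else "static"
    return handler, decoded


def serve(router, url_path):
    """(status, handler, content) as the server would answer."""
    handler, filename = router(url_path)
    if handler == "reject":
        return 400, handler, None
    if filename not in DOCROOT:
        return 404, handler, None
    return 200, handler, DOCROOT[filename]


if __name__ == "__main__":
    for router in (route_vulnerable, route_hardened):
        print(router.__name__, serve(router, "/example%00.html"))
```

With the vulnerable router, /example%00.html passes the .html check, is truncated to "example", and the uploaded file reaches the template handler, which is exactly the path to the CSP nonce described below. The hardened router answers 400 before any filesystem lookup. When testing this yourself, use a raw client such as curl rather than a browser, since, as noted later in the article, Chrome refuses to send URL-encoded null bytes.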

While Rindels reached XSS via a CSP bypass, that was done, he conceded, “using a highly customized and unlikely setup.”

“With the wrong device configuration and the ‘combined vulnerabilities required’, this could cause a DoS or [allow an attacker to] take unwanted control of the device,” Michael O’Brien, CEO and founder of Embedthis, told The Daily Swig.

Obstacles to exploitation

However, real-world exploitation appears to be an unlikely scenario.

The server must be misconfigured to “allow file uploads to a directory that also allows JST templates to run”, and a JST template must be uploaded “to a file in the upload directory of the same base name without the extension” before that file is served through the template handler, O’Brien explains.

But “if an attacker can modify the configuration of the route, he already has access to the whole server and documents anyway”.


Additionally, the vulnerability “requires that a file with the same base name without an extension be present, i.e. ‘example’ and ‘example.html’. Needless to say, most device manufacturers don’t [do this], and it would be rather strange to do it on purpose.”

JST expressions are also device-specific, he adds, so source code access is likely required as well.

Find the loophole

While looking for evidence of incorrect extension handling during the CTF, Rindels realized that “the request URL must have been decoded, otherwise it couldn’t call with and delimiters,” he wrote in a blog post published yesterday (April 26).

He suspected that a null byte exploit would fail, perhaps because “dangerous URL encodings like %00” would not be allowed or decoded, resulting in an error or an “attempt to serve” the undecoded name.

Alternatively, he speculated, “if the %00 is decoded, [the extension in] an extension request will simply be cut. There will be no extension and GoAhead will attempt to serve” the truncated name.

Undeterred, he saved a snapshot under a name matching the target base name, requested it with the %00 suffix, “and to my amazement the nonce was there!”

Incidentally, the exploit failed to secure the CTF flag because Chrome blocks URL-encoded null bytes, but it could pave the way for Rindels’ very first CVE.

Patching, attenuation

Embedthis fixed the vulnerability in GoAhead versions 4.1.4 and 5.1.2. Version 2.2 is not affected.

Embedthis “responded very quickly,” fixing the flaw on April 5, four days after it was reported, Rindels said.

In addition to applying the update, O’Brien urges users to serve JST templates only “from directories that do not overlap with upload directories. You should NEVER have file uploads in a directory that allows content to be served and JST templates to be processed.”

The vendor says GoAhead is the world’s most popular embedded web server, running “dynamic embedded web applications via an event-driven single-threaded core” in medical devices, network equipment, and factory automation systems, among others.

This article was updated on April 28 with comments from Embedthis CEO Michael O’Brien.




