Security Vulnerability in cpCommerce

Today I noticed an unusual program listening on one of the web servers that I managed. Upon investigating, I found out that the attacker was able to gain access through a program called cpCommerce that one of our customers had installed.

I was able to pretty quickly identify the security hole and hacked up the PHP code so that it wouldn’t work again. I then downloaded the latest release of this program and took a look at it to see if the bug had been fixed…and it hadn’t.

So, I headed over to their site to submit a bug report. However, since it’s a security problem, I didn’t want to post all of the details publicly so that it could be exploited further. After a little bit of fighting with their forum software, I was able to send the developer all of the details, and he has since posted a patch for the program.

I’m not familiar with the program, but it doesn’t look like the patch is just a hack-job either. It looks like it was fixed correctly in a way that would possibly prevent other similar scripts in the program from having the same problem.
http://cpcommerce.cpradio.org/forums/index.php/topic,3430.0.html

Using mod_rewrite in Apache 2.0 for load balancing

The mod_proxy_balancer module included with Apache 2.2 is a great way to set up an Apache front end to a Rails-based Mongrel cluster. The latest versions of many Linux distributions now include Apache 2.2, but unless you have a new server with the latest distro, it’s likely that your server is running Apache 2.0.

I usually try to avoid upgrading from Apache 2.0 to 2.2 by compiling it from source because of all of the interdependencies. You end up having to recompile so much other stuff, that it just turns out to be a mess.

Fortunately, Apache 2.0 can use mod_rewrite, which can be used to do some primitive random load balancing. Here is a sample configuration snippet:

<VirtualHost *:80>
        ## *:80 is an example address; VirtualHost needs an address argument
        ServerName mydomain.com
        ServerAlias www.mydomain.com

        ## The random map file of our clusters
        RewriteMap clusters rnd:/etc/httpd/conf/clusters.map
        RewriteEngine On

        ## Don't rewrite for static files
        RewriteCond %{REQUEST_FILENAME} !-f
        # Use mod_rewrite to randomly select from one of the Mongrel
        # cluster servers. The [P] flag hands the request to mod_proxy,
        # so mod_proxy and mod_proxy_http must be loaded as well.
        RewriteRule ^/(.*) http://${clusters:mongrel_cluster}/$1 [P,L]
</VirtualHost>

The clusters.map file should contain something like this:

mongrel_cluster  localhost:3000|localhost:3001|localhost:3002

Obviously, you’ll want to substitute your server names where appropriate, and configure the correct ports for your instances in the map file.

Innovative WordPress Spam Blocking

I’ve been getting tons of spam comments lately and am getting tired of deleting them. Today I had to scroll through over a hundred of them and pick out the one or two legitimate comments before deleting the rest. I already have BadBehavior installed, but it’s not catching any of these, which makes me think that the spam robots know how to get around it.

So, I went on a hunt to find another good spam prevention tool. On wordpress.org, I came across one called JSSpamBlock that had a pretty good idea. Essentially, it creates an extra textbox on the comment page. If you have JavaScript enabled, it uses JavaScript to populate that box with the answer and hide it. If a user doesn’t have JavaScript enabled, then they are instructed to copy a number into the box.

The result is a spam protection scheme that is invisible to the average user. Yet spam robots, which don’t execute the JavaScript, won’t know how to fill in the box.

As an added security measure, I modified the jsspamblock.php file to change the name of the input field. I figure that it would be easy enough to modify a spam robot to look for this particular plugin. But since I modified the input field, hopefully even attempts to do that will not leave my site vulnerable. To make the same change on your installation, just replace all instances of ‘jsspamblock_input’ with something unique to your site.