Disabling HTTP TRACE

The HTTP TRACE method is a debugging feature in Apache that simply echoes back whatever was sent to it. Attackers could potentially use it to trick a browser into revealing cookies or other request details from a domain with HTTP TRACE enabled. See http://www.apacheweek.com/issues/03-01-24#news for more info.

Here is a sample HTTP TRACE session through telnet:

[root@wwwa ~]# telnet 11.22.33.44 80
Trying 11.22.33.44...
Connected to mywebsite.com (11.22.33.44).
Escape character is '^]'.
TRACE / HTTP/1.1
Host: www.mywebsite.com
X-Header: testing

HTTP/1.1 200 OK
Date: Thu, 29 Nov 2007 15:25:59 GMT
Server: Apache/2.2.6 (Unix)
Transfer-Encoding: chunked
Content-Type: message/http

42
TRACE / HTTP/1.1
Host: www.mywebsite.com
X-Header: testing

Disabling this is easy enough. Just add this to your Apache configuration:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* http://www.campusbooks.com/ [R]
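To confirm the change took effect, the following added Python example (not part of the original post) parses a raw HTTP response captured from a TRACE session like the one above, decodes the chunked body, and reports whether the server echoed the request back. The three sample responses are constructed here, not captured from a real server.

```python
# Constructed samples (not from the original post). The first is what a server
# with TRACE enabled answers; the chunk size is computed so it matches the echo.
REQUEST = (b"TRACE / HTTP/1.1\r\n"
           b"Host: www.mywebsite.com\r\n"
           b"X-Header: testing\r\n\r\n")
TRACE_ENABLED = (b"HTTP/1.1 200 OK\r\n"
                 b"Transfer-Encoding: chunked\r\n"
                 b"Content-Type: message/http\r\n\r\n"
                 + b"%x\r\n" % len(REQUEST) + REQUEST + b"\r\n0\r\n\r\n")
# With the rewrite rule from the post in place, TRACE gets a redirect instead.
TRACE_REDIRECTED = (b"HTTP/1.1 302 Found\r\n"
                    b"Location: http://www.campusbooks.com/\r\n"
                    b"Content-Length: 0\r\n\r\n")
# Apache's own "TraceEnable off" directive refuses the method outright.
TRACE_DENIED = b"HTTP/1.1 405 Method Not Allowed\r\nContent-Length: 0\r\n\r\n"

def decode_chunked(body: bytes) -> bytes:
    """Reassemble a chunked transfer-coded body (size lines are hex)."""
    out = bytearray()
    while body:
        size_line, _, body = body.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)   # ignore chunk extensions
        if size == 0:
            break                                   # last-chunk marker
        out += body[:size]
        body = body[size + 2:]                      # skip data and its CRLF
    return bytes(out)

def parse_response(raw: bytes):
    """Split a raw response into (status, headers, decoded body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.split(b"\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
        body = decode_chunked(body)
    return status, headers, body

def trace_enabled(raw: bytes) -> bool:
    """True when the server echoed our request back, i.e. TRACE still works."""
    status, headers, body = parse_response(raw)
    return (status == 200
            and headers.get(b"content-type", b"").startswith(b"message/http")
            and body.startswith(b"TRACE "))
```

Feed it the bytes you capture from your own server after the configuration change; anything other than a 200 echo of the request means TRACE is no longer reflected.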

CentOS 5 Virtual Mail Toaster Howto

I have recently configured several CentOS virtual mail servers. It took me quite a while to figure it out the first time or two, but it has gotten significantly easier since then. Initially, I pieced information together from a half-dozen or so other howtos that were either designed for a different distro, or were outdated (or both).

So when I put together another server last night, I made careful notes while installing it and generated a howto document. It walks a user all the way from a clean CentOS 5 install through to a functioning virtual mail server. It uses postfixadmin as a web interface for managing the domains and accounts. All domain and user information is stored in a MySQL database. Postfix is installed as the MTA, and Dovecot as the POP3/IMAP server. It doesn’t require system accounts for any of the users. All mail services are accessible over encrypted SSL/TLS protocols.

My list of essential Firefox plugins

I just got a new laptop, which is a good chance to start over with a clean system configuration. After trying to use Firefox without any of my normal plugins, I realized how much I’ve come to rely on them:

ColorZilla: Adds a button to the bottom left of the status bar. When you click on it, you can then highlight anywhere on the page to get the HTML color value.

FasterFox: A couple of very handy utilities for timing page loads and speeding them up in general. I find myself watching the page load timer all of the time; it simply displays in the status bar the amount of time each page takes to load. It also has a few advanced options, such as preloading links on pages and increasing the number of simultaneous HTTP requests to a server, which make browsing faster.

FireBug: Modify HTML and CSS in real time. Incredibly handy for HTML development work and debugging.

Google Toolbar: My main point in using this is just to see the PageRank of each page.

MeasureIt: Adds an icon to your status bar that, when clicked, turns your cursor into a crosshair so that you can measure the size of any elements on your current web page.

no-referrer: Adds an option to the context menu for links to open the link in a new tab without sending the HTTP Referer header. I use this on any ‘private’ pages, like my awstats pages or blog admin pages, whose URLs I don’t want to broadcast to the world via the HTTP referrer.

ShowIP: Adds an item to the status bar showing the IP address of the server. This is very useful information to have when doing system administration tasks. It may not always be correct right after changing DNS entries, though; that is probably Firefox’s own DNS caching rather than a fault of this plugin.

Web Developer: Adds all kinds of options for inspecting HTML details. The one I use most is viewing the HTTP response headers.

bcSpamBlock 1.2 for WordPress released

A few users of my bcSpamBlock WordPress plugin for blocking spam told me that it also completely blocks trackbacks. Thanks to their input, and specifically to wlx, who sent me a patch to have it skip validation on trackbacks and pingbacks.

I modified the WordPress component of the code so that it doesn’t check for the cryptographic signature on trackbacks, but instead makes sure that the remote host is the web server for the site it claims to be. If that check passes, it also retrieves the page and verifies that it contains a link to your own blog.

I’ve updated the plugin and it is available for download on the bcSpamBlock WordPress page.
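The two-step trackback check described above, as an added Python illustration of the logic (the plugin itself is PHP; this is not its code). The DNS resolver and page fetcher are injected so it runs offline; the hostnames, addresses and pages are constructed fixtures.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collects href targets of <a> tags in a fetched page."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)

def verify_trackback(source_url, remote_addr, my_blog_url, resolve, fetch):
    """Return (ok, reason). resolve(host) -> list of IP strings,
    fetch(url) -> page HTML; both injected so the check is testable offline."""
    host = urlparse(source_url).hostname
    if not host:
        return False, "source URL has no host"
    # 1. The machine sending the trackback must be a web server for the
    #    site it claims to be sending from (no signature to check here).
    if remote_addr not in resolve(host):
        return False, f"{remote_addr} is not a server for {host}"
    # 2. The cited page must really contain a link back to this blog.
    collector = LinkCollector()
    collector.feed(fetch(source_url))
    mine = urlparse(my_blog_url).netloc.lower()
    for href in collector.links:
        if urlparse(href).netloc.lower() == mine:
            return True, "ok"
    return False, "page does not link to this blog"

# Constructed fixtures (hypothetical names, not real sites):
FAKE_DNS = {"blog.example.org": ["192.0.2.10"]}
FAKE_PAGES = {
    "http://blog.example.org/post/1":
        '<p>See <a href="http://myblog.example.net/2007/11/">this post</a></p>',
    "http://blog.example.org/post/2": "<p>No links to you here.</p>",
}

def resolve(host):
    return FAKE_DNS.get(host, [])

def fetch(url):
    return FAKE_PAGES.get(url, "")
```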

Use Folderpane Tools to sort your accounts in Thunderbird

I now have a bunch of email accounts, each with their own IMAP folders. It has been terribly annoying that they always show up in the order in which the accounts were added and there is no way to sort them. I finally came across a Thunderbird plugin called ‘Folderpane Tools’ which allows you to change the order of the accounts.

It still isn’t ideal. Any changes have to be made through the plugin’s little settings window and require Thunderbird to be restarted. Oh well, I guess it’s better than nothing.

The volatile Plesk / Apache relationship

Plesk’s integration with Apache can be quite confusing for those used to manually modifying the Apache configuration files. It isn’t safe to modify most of the files, because Plesk rewrites them whenever a configuration change is made. Here’s a quick overview of how Plesk fits in with Apache:

The main Apache configuration in /etc/httpd/conf/httpd.conf (or /etc/apache2/apache2.conf on Debian/Ubuntu systems) is left unchanged. It includes /etc/httpd/conf.d/* (or /etc/apache2/conf.d/*). Plesk creates a file in that directory where it does most of its global configuration. That file is generally used for system-wide applications like webmail, mailman, etc. This file is overwritten when certain changes are made via Plesk. It also has an “Include” line for each virtual host like this:

Include /var/www/vhosts/mydomain.com/conf/httpd.include

These files contain the VirtualHost configuration for each domain. They are also overwritten whenever certain changes are made via Plesk (and sometimes just at random, it seems). When Plesk recreates these files, it looks for a corresponding ‘vhost.conf’ file in the same ‘conf’ directory. If it finds one, the resulting httpd.include file Includes that vhost.conf file.

Therefore, if you want to manually make any changes to the Apache configuration for a website, you need to create a vhost.conf file for it, then re-save the domain’s configuration via Plesk.

Also, if you’d like to bypass the whole Plesk ordeal for a new domain, you can still create the Apache configuration manually in the original /etc/httpd/conf/httpd.conf file (or /etc/apache2/sites-available/* files).
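Because Plesk silently regenerates httpd.include, it is worth checking which domains have a vhost.conf that is not actually pulled in. The following added Python script (not part of the original post or of Plesk) walks a vhosts tree and reports them; demo() builds a constructed look-alike of /var/www/vhosts in a temporary directory rather than touching the real one.

```python
import os
import tempfile

def unincluded_vhost_confs(vhosts_root):
    """Return domains under vhosts_root whose conf/vhost.conf exists but is
    not referenced by an Include line in conf/httpd.include, i.e. Plesk has
    not regenerated the include since the file was created (or clobbered it)."""
    missing = []
    for domain in sorted(os.listdir(vhosts_root)):
        conf = os.path.join(vhosts_root, domain, "conf")
        if not os.path.isfile(os.path.join(conf, "vhost.conf")):
            continue                       # nothing custom here, skip
        try:
            with open(os.path.join(conf, "httpd.include")) as f:
                referenced = any(line.lstrip().startswith("Include")
                                 and "vhost.conf" in line for line in f)
        except FileNotFoundError:
            referenced = False             # Plesk never wrote the include
        if not referenced:
            missing.append(domain)
    return missing

def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)

def demo():
    """Constructed fixture: one re-saved domain, one stale, one untouched."""
    with tempfile.TemporaryDirectory() as root:
        _write(f"{root}/good.example.com/conf/vhost.conf", "RewriteEngine On\n")
        _write(f"{root}/good.example.com/conf/httpd.include",
               "<VirtualHost 11.22.33.44:80>\n"
               "Include /var/www/vhosts/good.example.com/conf/vhost.conf\n"
               "</VirtualHost>\n")
        _write(f"{root}/stale.example.com/conf/vhost.conf", "RewriteEngine On\n")
        _write(f"{root}/stale.example.com/conf/httpd.include",
               "<VirtualHost 11.22.33.44:80>\n</VirtualHost>\n")
        _write(f"{root}/plain.example.com/conf/httpd.include",
               "<VirtualHost 11.22.33.44:80>\n</VirtualHost>\n")
        return unincluded_vhost_confs(root)

if __name__ == "__main__":
    for domain in unincluded_vhost_confs("/var/www/vhosts"):
        print(f"{domain}: vhost.conf not included, re-save the domain in Plesk")
```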

Quick Perl Internal Server Error (HTTP 500) fix

I’ve had a couple customers in the past month or so run into a problem where they were trying to run a simple Perl script, but kept getting HTTP 500 errors (Internal Server Error) despite double checking through their code, and simplifying it down to almost nothing. One had spent half a day troubleshooting a seemingly simple error. Apache would log something like this:

[Sat Nov 03 22:46:57 2007] [error] [client 11.22.33.44] (2)No such file or directory: exec of '/var/www/cgi-bin/hello.pl' failed
[Sat Nov 03 22:46:57 2007] [error] [client 11.22.33.44] Premature end of script headers: hello.pl

By the time they contacted me, they were so frustrated that it was hard to tell them how easy the fix is. In both cases, the users had created the files on a Windows machine and then uploaded them to a Linux server. Many Windows applications save text files in a slightly different format than Linux does. Specifically, Windows ends each line with the two characters CR and LF (Carriage Return and Line Feed), where Linux uses just an LF.

Carriage Return is the ASCII character 13, and is also recognized as ‘\r’, or ‘^M’. The Line Feed character is ASCII code 10, and represented as ‘\n’, or ‘^J’.

An attempt to run this same ‘hello.pl’ script via a command line results in:

[root@host cgi-bin]# ./hello.pl
: bad interpreter: No such file or directory

To fix it, simply convert the file to Unix text file format. Your text editor may have an option to save the file in Unix format. If you are stuck with the editor you have, you can use the ‘dos2unix’ command, which is available on pretty much any Linux box.

[root@host cgi-bin]# dos2unix hello.pl
dos2unix: converting file hello.pl to UNIX format ...

And now your script will magically work (you did remember to add the Content-type header, right?):

[root@flickerworks cgi-bin]# ./hello.pl
Content-type: text/html

Hello World
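As an added Python example (not from the original post), this reproduces what the kernel does with the first line of a CRLF script, which explains the odd-looking ‘: bad interpreter’ message, and applies the same conversion dos2unix performs. The sample script bytes are constructed here.

```python
import re

# Constructed: a hello.pl as saved by a Windows editor (CRLF line endings).
WINDOWS_SCRIPT = (b"#!/usr/bin/perl\r\n"
                  b"print \"Content-type: text/html\\n\\n\";\r\n"
                  b"print \"Hello World\\n\";\r\n")

def shebang_interpreter(script):
    """Return the interpreter path as the kernel sees it: the text after '#!'
    on the first line, trimmed of spaces and tabs only. A CR survives the trim,
    so the kernel looks for '/usr/bin/perl\\r', which does not exist."""
    if not script.startswith(b"#!"):
        return None
    first_line = script.split(b"\n", 1)[0]
    rest = first_line[2:].strip(b" \t")
    return re.split(rb"[ \t]", rest, maxsplit=1)[0]

def has_crlf_shebang(script):
    """True when the shebang line ends in CR and exec will fail."""
    interp = shebang_interpreter(script)
    return interp is not None and interp.endswith(b"\r")

def dos2unix(data):
    """Convert CRLF to LF. Lone CRs and already-Unix files are left alone,
    so running it twice is harmless."""
    return data.replace(b"\r\n", b"\n")

# The shell's full error is "./hello.pl: /usr/bin/perl\r: bad interpreter ...";
# the embedded CR returns the cursor to the start of the line, so the terminal
# overwrites the first part and you only see ": bad interpreter", as in the post.
if __name__ == "__main__":
    print(repr(shebang_interpreter(WINDOWS_SCRIPT)))
    print(repr(shebang_interpreter(dos2unix(WINDOWS_SCRIPT))))
```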