Yuck. What’s more, if you’re using SuExec (like I am) then your Apache directives are ignored.

Solution: Edit your trac.fcgi and prepend the following code.

# hack for SuExec
import os;
os.environ['TRAC_ENV_PARENT_DIR'] = ‘/var/lib/trac’

Affected versions: >= 2.6.17
Fixed in version: 2.6.24.2

Fix

You can download the vmsplice patch locally or from the official LKML thread: [PATCH] vmsplice exploit fix

Patching on Debian Etch

Update 12/02/08: Debian repositories have been updated and contain patched kernels. If you’re using a stock kernel, the following two commands should sort you out (providing you reboot afterwards).

1
2

aptitude update
aptitude upgrade

Install kernel sources

1
2
3
4
5
6
7

export KVER=`uname -r`
aptitude update
aptitude install linux-source-${KVER}
cd /usr/src
tar -xjf linux-source-${KVER}.tar.bz2
ln -s linux-source-${KVER} linux
cd linux

Patch kernel sources

1

patch < vmsplice.patch -p1

Compile kernel and install

You’ll want to copy your existing kernel configuration.

1
2
3
4
5
6

cp /boot/config-${KVER} .config
make-kpkg clean
make-kpkg --initrd --append-to-version=-mykernelname kernel_image
cd ..
dpkg -i linux-image-${KVER}-mykernelname_${KVER}-mykernelname-10.00.Custom_i386.deb
reboot

References

• http://www.isec.pl/vulnerabilities/isec-0026-vmsplice_to_kernel.txt
• http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=465246
• http://milw0rm.com/exploits/5092
• http://milw0rm.com/exploits/5093

TrueCrypt, probably the best solution available, was only working on Linux and Windows… up to now.

Some dude got impatient for the OS X port, managed to make a deal with a developper to code it for 1500$, raised those 1500$ and BAM! Bob’s you’re uncle.

The software is labelled alpha, described as beta, and used in production… w00t. Jokes aside, it’s been released for a few weeks now and no serious data-destroying bug stories have arose. Nevertheless, you might want to backup to another more trusted encrypted disk somewhere, every now and then.

Bare in mind the TrueCrypt team annouce their 5.0 release for the 4th of Febuary 2008 (that’s in 2 days) and claim OS X support. Watch this space…

Still interested? Download the software here:

• TrueCrypt for OS X
• TrueCrypt for Linux and Windows

OS X notes:

• Your encrypted filesystem image should have a .img extension.
• When mounting a hidden volume, you’ll be asked the outer volume password, then the hidden volume password.
• Unmounting in finder does not dismount the image. It’s a known bug. Use ocutil -detach.

HTTPS is just HTTP encapsulated inside an SSL tunnel. Apache’s virtual hosts are a clever “hack” whereby the Host header in the HTTP packet is verified. This alllows a single apache instance on a single IP/Port combination to serve a (not so) infinite number of differentes sites (aka vhosts).

Problem: The SSL tunnel is created before the first HTTP packet gets sent. Apache needs an SSL certificate but doesn’t have a Host header to match, hence cannot choose a virtual host.

Solution

This trick essentially does the matching of the Host header after the SSL connection has been established. How? Via some mod_rewrite magic!

Caveats

Although I said so, it’s not really that magical. There are a few things this trick does not solve.

• The SSL certificate used will be common to all SSL vhosts.
• Certain Apache directives may be common to all SSL vhosts (example: SuExecUserGroup). Basically anything you can’t override in a .htaccess file will be shared amongst vhosts.

The trick

The process is only 2 steps and involves modifying your Apache configuration. I assume you have a working SSL vhost configured.

1. Create virtual hosts “map file”.
2. Modify existing SSL vhost.

1. The virtual hosts map file

Create a new file in your Apache server root. Example:/etc/apache2/ssl.map

Write a list of virtual hosts and their respective DocumentRoot. Example:

foo.example.com        /var/www/foo.example.com/
bar.example.com        /var/www/bar.example.com/
# you can even put comments!
# Alias to bar
boar.example.com        /var/www/bar.example.com/

2. Edit your SSL vhost

Open your Apache config, inside the <VirtualHost> section of your SSL vhost, include the following code or include this file: Mass SSL vhosts Apache config.

Important: Make sure to edit line 8 to include the correct path to your ssl.map file.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27

### Mass SSL Vhosts ###
RewriteEngine on
 
#   define two maps: one for fixing the URL and one which defines
#   the available virtual hosts with their corresponding
#   DocumentRoot.
RewriteMap    lowercase    int:tolower
RewriteMap    vhost        txt:/etc/apache2/ssl.map
 
#   1. make sure we don't map for common locations
RewriteCond   %{REQUEST_URI}  !^/cgi-bin/.*
RewriteCond   %{REQUEST_URI}  !^/icons/.*
 
#   2. make sure we have a Host header
RewriteCond   %{HTTP_HOST}  !^$
 
#   3. lowercase the hostname
RewriteCond   ${lowercase:%{HTTP_HOST}|NONE}  ^(.+)$
#
#   4. lookup this hostname in vhost.map and
#      remember it only when it is a path
#      (and not "NONE" from above)
RewriteCond   ${vhost:%1}  ^(/.*)$
 
#   5. finally we can map the URL to its docroot location
#      and remember the virtual host for logging puposes
RewriteRule   ^/(.*)$   %1/$1  [E=VHOST:${lowercase:%{HTTP_HOST}}]

Restart Apache and you’re done. You should be able to browse (in https) the vhosts you added to your ssl.map file.

Grandma says: You don’t need to reload Apache when you edit your map file. Just create the document root folder on the filesystem, add a new entry to your map and you’re good to go.

With the right extensions, firefox can become much more than a web browser. But this isn’t about turning your firefox into a blogging platform or a social bookmarking application. It’s about turning your firefox into one of the best tools for web development, debugging and penetration testing web applications.

The following picture is a mind-map of Firefox extensions that can prove very useful during the security audit of a web application. This picture was taken from the Security Database FireCAT 1.3 article.

Alot of these tools share common functionalities, and some are just plain better than other. It’s all a matter of taste, so I suggest you try them out yourself.

Nevertheless, here is my personal pick of the crop.

Must have

• Firebug. Amazing javascript debugger and DOM inspector. Includes many other tools (profiler, network watch, …).
• SwitchProxy. Switch between different proxy configurations in a couple clicks.
• Add N Edit Cookies. Does exactly what it says on the tin.
• Tamper Data. Lets you view and modify outgoing requests very easily. Includes a handy “replay” function.
• Classic Compact. Not an extension. Just a theme, the default theme in fact, modified to be as compact as possible (because we all need that screen real estate).

Nice to have

• Poster. Lets you forge any HTTP request very easily. Supports common methods (get, post, head, …) file uploading and authentication. It’s like a portable <form> in your pocket.
• Hack Bar. Tool to aid when looking for SQL injections (includes SQL related functions and a few encoders/decoders). I mostly use it as an URL sandbox instead of the single-line address bar.
• Web Developer. Not as ground-breaking as firebug but includes a few handy functions.
• User Agent Switcher. Lets you switch user-agent globally. Includes pre-defined User-Agent strings.
• RefControl.Set your Referer header globally or per domain.
• NoScript. Allow or deny javascript globally, per domain, site, path, time, earth-moon distance, …
• Exploit Me. Suite of tools for automating user input fuzzing (brute-forcing payloads). At time of writing, two extensions are available; “XSS Me” and “SQL Inject Me”.
• ChickenFoot, GreaseMonkey. Scripting environments.

The above mindmap diagram is available in 3 formats:

• firecat_13.png
• firecat_13.pdf
• firecat-13.mm

References

• http://www.security-database.com/toolswatch/FireCAT-Firefox-Catalog-of,302.html

• Live search engine from Microsoft. Use the ‘ip:’ keyword. Example: ip:207.46.30.24
• CRUSH rIP tool. Works only on domains (no IPs), only com, net and org domains and you need to answer a captcha. Nevertheless, it found results that live.com didn’t.