Textpattern Forum


#21 2010-11-13 09:08:28

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 5,916
Website

Re: smd_prognostics: monitor your Txp installation for suspicious activity

thebombsite wrote:

When I first installed the plugin I was looking at around 3500 files!

Oh my giddy aunt. Didn’t your admin side slow down at all? In versions prior to v0.12 it checked every file whenever the timeout was reached so you could be waiting a long time. Not to mention the fact that the Files tab will:

  1. take ages to load
  2. take forever to do a select all, in Firefox at least: click the top file, scroll to the bottom (if you have enough wafer-thin scrollbar to grab :-) and shift-click. In mine it goes back to the top and scrolls through the entire list, selecting each file as it goes. Very boring to watch. Dunno if there’s anything the plugin can do to help here (any ideas anyone?)

Anyway I figure that I shall have to be very specific about the folders and individual files I specify for the top level directory (thebombsite) and have separate plugins in each Txp install in sub-directories.

Yes. Depending how you set it up, you might be better off selecting a smaller quantity in the main site and then install prognostics to check the specific files in each sub-dir. It’ll be way more efficient and keep your sites nippy, especially if you also set a fairly small amount of files to check each click. You can still collect all checksum files in a single dir (use the Unique prefix option) so your sites don’t get cluttered with yet more files.

When I clicked on the contained link it simply took me to my site and not to admin. There was no “/textpattern/index.php” included in the link. I’m thinking that’s wrong.

Ah, right. Well caught. If your intrusion is detected on the public side there’s no ‘textpattern’ directory in the URL so the destination URL is wrong. I’ll need to address that, thanks.

btw, there’s also a slight bug in v0.12 on the Alarms panel. Even though your files are only checked in small batches everywhere else, on the Alarms panel it’s supposed to check them all so it always gives you a complete picture of what’s been changed. It’s not doing that at the moment. Not a show stopper, but slightly annoying. Simple one-line fix; I’ll issue a new version later.

Oh and it looks great in Vitraux, including the help docs. :)

I’m checking all my plugins on both Vitraux and classic now as standard ;-)

Last edited by Bloke (2010-11-13 09:10:11)


The smd plugin menagerie — for when you need one more gribble of power from Textpattern.

Txp Builders – finely-crafted code, design and Txp

Offline
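The batching discussed in the post above (a small number of files checked per click, with the Alarms panel meant to check everything) can be sketched as follows. This is an added example, not smd_prognostics code: `check_batch()`, the use of SHA-256, the persisted cursor and the sample file names are all assumptions.

```php
<?php
// Added example, not smd_prognostics code. Names and SHA-256 are assumptions.

// $files:    monitored paths in a stable order
// $baseline: path => hex digest recorded when the file was trusted
// $cursor:   index to resume from (persisted between requests)
// $perRun:   files to hash this run; 0 means check everything (Alarms view)
// Returns [changed paths, next cursor].
function check_batch(array $files, array $baseline, int $cursor, int $perRun): array
{
    $total = count($files);
    if ($total === 0) {
        return [[], 0];
    }
    $count = ($perRun <= 0 || $perRun > $total) ? $total : $perRun;
    $changed = [];
    for ($i = 0; $i < $count; $i++) {
        $path = $files[($cursor + $i) % $total];
        // A missing or unreadable file is reported as changed, never skipped.
        $digest = is_readable($path) ? hash_file('sha256', $path) : false;
        if ($digest === false || !isset($baseline[$path])
            || !hash_equals($baseline[$path], $digest)) {
            $changed[] = $path;
        }
    }
    return [$changed, ($cursor + $count) % $total];
}

// Constructed sample: three temp files, one modified after the baseline.
$dir = sys_get_temp_dir() . '/prog_demo_' . getmypid();
mkdir($dir);
$files = $baseline = [];
foreach (['index.php', 'publish.php', 'txplib_db.php'] as $name) {
    $files[] = $path = "$dir/$name";
    file_put_contents($path, "<?php // $name\n");
    $baseline[$path] = hash_file('sha256', $path);
}
file_put_contents($files[2], "<?php // tampered\n");

[$hits, $cursor] = check_batch($files, $baseline, 0, 2);       // files 0 and 1
echo count($hits), " changed, resume at $cursor\n";
[$hits, $cursor] = check_batch($files, $baseline, $cursor, 2); // wraps: 2, then 0
echo implode(', ', array_map('basename', $hits)), "\n";
[$all] = check_batch($files, $baseline, 0, 0);                 // full sweep
echo count($all), " changed in full sweep\n";
array_map('unlink', $files);
rmdir($dir);
```

With a small batch size a modified file is only noticed when the cursor reaches it, which is why a view that reports alarms needs the full sweep.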

#22 2010-11-13 15:19:54

hcgtv
Member
From: Charlotte, NC
Registered: 2005-11-29
Posts: 2,154
Website

Re: smd_prognostics: monitor your Txp installation for suspicious activity

Upgraded to v0.12 on PHPXref, noticing a lag on a page where I have feeds supplied by SimplePie. The feeds page does display, but it takes about 10 seconds, where it should be displayed instantly, since the feeds are refreshed every hour via a cron job.

This site is running TxP 4.2.0, should I upgrade to 4.3.0?

Edit: A couple of sites are feeding slowly this morning, so it’s not the plugin.

Last edited by hcgtv (2010-11-13 15:42:58)


txp:tag – Textpattern Tags ~ TxPlanet – Textpattern Planet

Offline

#23 2010-11-13 15:47:43

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 5,916
Website

Re: smd_prognostics: monitor your Txp installation for suspicious activity

hcgtv wrote:

noticing a lag on a page where I have feeds supplied by SimplePie.

Hmm, the plugin shouldn’t care about the content. In theory it just runs and quits. TXP 4.3.0 might help, but the only major difference is the fact that the prefs work nicer so I doubt that’ll help.

Questions:

1) How many files are you monitoring, out of how many overall?
2) What’s the plugin timeout value?
3) How many files per run are you processing?
4) Have you saved the prefs since you upgraded? The new setting won’t take effect until you Save
5) What priority is the plugin? Does it make any difference if you back it off a bit?
6) Is there anything else on that Page that you think might interfere? If you can post the code or any relevant form snippets it might help me figure out what’s causing this
7) If you disable the plugin does the page consistently load quickly?

Very odd behaviour in all. Will have to put me thinking cap on based on your findings from the above questions. Thanks in advance.

Edit after reading your edit: oh, ok. Must admit that the Internet is horribly slow here today. Think there may be some global DNS/router issues somewhere. It’s horrendous.

Last edited by Bloke (2010-11-13 15:48:57)


The smd plugin menagerie — for when you need one more gribble of power from Textpattern.

Txp Builders – finely-crafted code, design and Txp

Offline

#24 2010-11-13 16:35:23

maverick
Member
From: Southeastern Michigan, USA
Registered: 2005-01-14
Posts: 755
Website

Re: smd_prognostics: monitor your Txp installation for suspicious activity

maverick wrote:

With the various sym links the files showing in the panel add up fast. As in several thousand.

thebombsite wrote:

I was looking at around 3500 files!

Bloke wrote:

Oh my giddy aunt.

Ditto on Stuart’s number — when I said several thousand, mine was 3546.

  1. take ages to load

Surprisingly, not as bad as you might think

  2. take forever to do a select all,

Keyboard shortcut to select all was speedy. However, selecting all led to the white page of death. Selecting a smaller amount of files worked okay.

thebombsite wrote:

When I clicked on the contained link it simply took me to my site and not to admin. There was no “/textpattern/index.php” included in the link. I’m thinking that’s wrong.

maverick wrote:

<a href="http://www.domain.com//index.php?event=smd_prognostics&step=smd_prognostics_ack&smd_prognostics_suppress=1">Acknowledge alarms</a>

Ditto – I noticed that even if I had used a traditional admin install (domain.com/textpattern), that “textpattern” was missing from the url (see above). Though my url did give the index.php

Bloke wrote:

EDIT: yah nuts. Yeah it uses hu to return the path to the site for acknowledging alarms which I believe is wrong in multi-site. Hmmm. Needs some thought.

Other plugins are running into the same issue

The “ihu” for hosting images on a subdomain is what made me wonder if creating another preference for the admin subdomain url would work.

Bloke wrote:

Thanks Mike, yes it might.

I have to take off again for a while, but I’ll set up a login and send it as soon as I get a chance.

Mike

Offline

#25 2010-11-13 17:37:06

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 5,916
Website

Re: smd_prognostics: monitor your Txp installation for suspicious activity

maverick wrote:

Keyboard shortcut to select all was speedy. However, selecting all led to the white page of death.

That should have been fixed in v0.12. If it’s still doing it, let me know. Wish Firefox had a keyboard shortcut for ‘select all items in select list’. Or at least if it does, I don’t know about it. Perhaps the slowness is not a Firefox thing but a Windows thing…

v0.13 is in the works still. Refactoring some stuff and tweaking a few things on the journey.

“textpattern” was missing from the url

Yeah that was a stupid oversight on my part. Fix on its way.

The “ihu” for hosting images on a subdomain is what made me wonder if creating another preference for the admin subdomain url would work.

I saw your post and it’s not the first time I’ve wished for such a constant. I’m sure someone cleverer than me can figure out how to patch TXP to do this.

I have to take off again for a while, but I’ll set up a login and send it as soon as I get a chance.

Brill, thanks.

Incidentally I’ve just had notification of a suspected injection hit at phpxref. Prognostics caught it and prevented it, which I’m pretty chuffed about. I’m dissecting the frognostics and adding the info to the knowledge base.


The smd plugin menagerie — for when you need one more gribble of power from Textpattern.

Txp Builders – finely-crafted code, design and Txp

Offline

#26 2010-11-14 00:19:54

thebombsite
Plugin Author
From: Exmouth, England
Registered: 2004-08-24
Posts: 3,251
Website

Re: smd_prognostics: monitor your Txp installation for suspicious activity

frognostics – love it. I think you should apply to the O.E.D. for inclusion in the next edition. ;)


Stuart – The Bombsite, ProText Themes, Textgarden

In a Time of Universal Deceit
Telling the Truth is Revolutionary.

Offline

#27 2010-11-14 16:11:39

thebombsite
Plugin Author
From: Exmouth, England
Registered: 2004-08-24
Posts: 3,251
Website

Re: smd_prognostics: monitor your Txp installation for suspicious activity

Here’s a good one considering my “special needs”. I was doing an update to the “Vitraux” php file and when I saved it threw me a message:-

Your request has been denied by smd_prognostics. Nice try.

and it’s nice to know that it works but…

Now I’ve removed all the “/themes/” files from the file list but I still get the message. I should point out that my modifications were actually saved. I’m thinking there is probably something else I should be doing??

Last edited by thebombsite (2010-11-14 16:12:19)


Stuart – The Bombsite, ProText Themes, Textgarden

In a Time of Universal Deceit
Telling the Truth is Revolutionary.

Offline

#28 2010-11-14 16:54:05

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 5,916
Website

Re: smd_prognostics: monitor your Txp installation for suspicious activity

thebombsite wrote:

Your request has been denied by smd_prognostics. Nice try.

If you haven’t already, turn off the Admin-side check for SQL Injections. That (experimental) feature has some holes in it right now which means that if you have certain content in the thing you’re trying to save on the admin side it’ll trigger the injection warning. Currently if your content contains # or -- or any SQLish commands like drop, insert, update and so on it’ll trigger, which is very annoying when trying to save the smd_prognostics plugin itself as it contains all those words and symbols :-)

I’m working on ways round this. Currently I have a few avenues to explore:

  1. Allow you to specify admin-side events and steps that you wish to bypass the SQL injection. Primarily this might be Pages/save, Forms/save, Stylesheets/save, possibly Articles/save and things like ied_plugin_composer/save and smd_admin_themes/save, among others
  2. Allow you to only notify that the injection has taken place, or silently capture it and then continue instead of dying
  3. Something else that may come to me randomly as I think this through, or that someone else suggests as a viable alternative
  4. Get rid of the stupid admin-side feature altogether

Best advice: switch it off for now until we’ve figured out the best way to do it.

Last edited by Bloke (2010-11-14 16:56:04)


The smd plugin menagerie — for when you need one more gribble of power from Textpattern.

Txp Builders – finely-crafted code, design and Txp

Offline

#29 2010-11-14 19:41:28

ruud
Developer emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 4,513
Website

Re: smd_prognostics: monitor your Txp installation for suspicious activity

Incidentally I’ve just had notification of a suspected injection hit at phpxref. Prognostics caught it and prevented it, which I’m pretty chuffed about. I’m dissecting the frognostics and adding the info to the knowledge base.

Knowledge base? If TXP is vulnerable, let’s fix the bug. If not, just ignore it.

Allow you to specify admin-side events and steps that you wish to bypass the SQL injection.

Another way to deal with it: deactivate the account of the user which triggers this. Just because a user can’t do SQL injection, doesn’t necessarily prevent him/her from doing other damage like uploading massive amounts of files, changing articles and so on (depending on privileges).
For single user installs, checking admin side actions probably isn’t interesting.

A feature that would be nice to have (if it isn’t there already): new TXP version notification. The best way to stay safe is to keep software up-to-date.

Looking at the amount of code between checking and updating the smd_prognostics_lastcheck value, what’s the chance of a race-condition occurring (file/db-update) or multiple checks happening at once?

Another feature that would be nice to have: being able to specify a preferred time slot (outside peak hours) in which to check files. Basically imitating cron for those poor souls on Windows hosting ;)

Offline

#30 2010-11-14 20:29:01

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 5,916
Website

Re: smd_prognostics: monitor your Txp installation for suspicious activity

ruud wrote:

Knowledge base? If TXP is vulnerable, let’s fix the bug. If not, just ignore it.

Sorry, I meant my own knowledge base. I’m using the output from the various attacks to find ways to improve the plugin and either predict or at least add options to help people fight the prospective attacks. If we happen to find a demonstrable TXP vulnerability along the way, then that’ll be fixed pronto.

Another way to deal with it: deactivate the account of the user which triggers this.

Not sure I follow. An admin-side “attack” is one that begins http://site.com/textpattern/some_file?attack=content (or a POST equivalent). Since the callbacks are different for the two sides, the only way I could see to detect if someone on the outside was targeting something on the inside was to add a callback on head_end — the earliest point a plugin can run, istr. On the public side I have the pretext callback to attach to. So it’s not an attack from the ‘inside’ as such, but a side-effect is that it affects logged-in users too. Which stunning realisation has just led me to the fix: if $txp_user is set during an “attack” (primarily a save operation) don’t run the prognostics check. Simple. Thank you!

What I will probably do when I implement this is remove the distinction between admin and public sides and just have SQL Injection on/off, since at the moment it is a tad confusing.

A feature that would be nice to have (if it isn’t there already): new TXP version notification.

A good idea, thanks. I’ll see if I can find a way to grab that on the advice page.

What’s the chance of a race-condition occurring (file/db-update) or multiple checks happening at once?

I’ll have to check. I have noticed that if you set the timeout too short and add quite a few files on the Files page, before the time the checksums file has been updated, the prognostics warning fires that the checksums file has changed!

being able to specify a preferred time slot (outside peak hours) in which to check files.

That would be neat yeah. Will see if I can find a way to do it.

Last edited by Bloke (2010-11-14 20:31:34)


The smd plugin menagerie — for when you need one more gribble of power from Textpattern.

Txp Builders – finely-crafted code, design and Txp

Offline
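The false positives described in post #28 and the logged-in bypass proposed in post #30 can be seen side by side in the sketch below. It is an added example, not smd_prognostics code: the pattern, `should_block()`, the `$user` argument standing in for Textpattern's `$txp_user`, and the sample requests are assumptions.

```php
<?php
// Added example, not smd_prognostics code; names and patterns are assumptions.

// Tokens the thread says trip the check: "#", "--" and SQL-ish words.
const SQLISH = '/#|--|\b(drop|insert|update)\b/i';

// Decide whether to block a request.
// $user is the authenticated user name, or '' when nobody is logged in
// (standing in for Textpattern's $txp_user).
function should_block(array $params, string $user, bool $skipLoggedIn): bool
{
    if ($skipLoggedIn && $user !== '') {
        return false;   // the fix from the thread: skip the check for logged-in saves
    }
    foreach ($params as $value) {
        if (is_string($value) && preg_match(SQLISH, $value)) {
            return true;
        }
    }
    return false;
}

// Constructed requests: [description, params, user]
$requests = [
    ['stylesheet save', ['css' => '#header { color: red; } /* -- nav -- */'], 'editor'],
    ['article save',    ['Body' => 'Remember to update your plugins.'],       'editor'],
    ['public query',    ['q' => '1; DROP TABLE textpattern-- '],              ''],
    ['public search',   ['q' => 'gardening tips'],                            ''],
];

foreach ([false, true] as $skip) {
    echo $skip ? "with logged-in bypass:\n" : "keyword match only:\n";
    foreach ($requests as [$what, $params, $user]) {
        printf("  %-16s %s\n", $what, should_block($params, $user, $skip) ? 'BLOCK' : 'allow');
    }
}
```

The bypass is only as trustworthy as the session check that sets the user value, and it leaves open the point raised in post #29 about what a logged-in account can still do.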
