I was pretty fascinated by viruses because the computer of my dad was infected with the Sasser worm which caused the computer to reboot continuously. After the virus was removed I thought; let’s create a virus! So I’ve created a bunch of funny viruses but didn’t spread it outside my home.

High school

At my high school all the computers where kind of locked down. We didn’t have a start menu back then in Windows 2000 with some program every student only had a folder with programs we where allowed to use.

Getting in

I can create a virus so I can crack a school computer right? After a quick Google search I found a program which creates a bootable floppy with a administrator reset program. Next day at school I’ve booted from the floppy, removed the administrator password, restarted and yeah! I’m in! Locally but still… finally a normal desktop and I can install whatever I want. Guess what… The next day in the lunch break I was playing Counter Strike 1.6 with my buddies on school computers! After playing it every lunch break in a week the network administrator at our school noticed it. Instead of shutting it down he joined us from his office!

Going further

The lockers at my high school where automated with a chip. Every student with a locker does have a chip to open it. What if I could open all the lockers? I’ve tried hard but back then I’d no idea how those chips where working so let’s try social engineering. “I lost my chip”, so let’s go to the reception and ask if they can open my locker. I’d to say my name and class, they verified it with my school picture and with 1 click on the screen my locker was open. Alright… if they can do it, why I can’t do it? I’ve watched the receptionist a couple of days and written down the times there was nobody. In that case the glass screen was closed but not locked, there was a usb hub on the desk so let’s fix a USB drive with a remote desktop program on it. But then I’ve to install it, make sure it start on boot etc. What other options are there? A autorun.inf works on CD’s, why not on a USB drive? Hell yeah! That’s working! Windows 2000 was a great place for viruses. You can imagine how that story ends; the next day a lot of lockers where open when I arrived early at school. I controlled the computer at the reception from my computer at home. Awesome!

Let’s have some more fun

Do you remember net send? In Windows 2000 it was enabled by default! net send * Hello school!, after that every computer in the whole school received that message. Pretty funny until I noticed the hostname where the message was send from was in that message. Within 5 minutes the network administrator stood next to me. I’d some fun sending messages to individual computers to irritate my class mates until the network administrator finally found the option to disable it.

What other things can we do? Change the boot screen of Windows? I created another bootable floppy which replaces the ntoskrnl.exe with a modified one and then reboots the computer. So the next morning when all the computers which contains the modified file in a classroom where booting; my awesome boot screen was visible!

Never changed your test results?

Yes, even that I’ve done at the beginnen with an old test results system at school. Later they moved to a new more advanced system which I did not manage to get into. The old system was running on a server at school which was available through a network shared folder. I just had to search through the school network for open network shares so it wasn’t that hard.

My hacking website

Meanwhile I’d created several “hacking tools”, like a trojan horse, a mail bomber, etc. but I’ve created it just for fun, I’m not using them. That’s why I’ve created a website back then to sell my programs. I gave them some fancy names, played around in Photoshop to make some cool banners for them and done. It was possible to buy the programs by calling to a payed number (for some programs you’d to call multiple times) which costs €1,30 per call. I think I was getting about €0,80 from it per call but it was better then bringing the newspapers around.

On my website I’d for example a program called “MSN Terror” it was a program where you can fill in someones MSN address and when you start it the program will kind of brute force the login. Because Microsoft had a brute force protection after a several tries the account was blocked for some minutes. So when you keep doing that you’re unable to login with that MSN account.

Hello competitors

Back then I was not the only one who was creating and selling “hacks”, a guy who named himself MR-X with his MR-X Shop was doing the same. There was also a website Frukky which was selling hacks he found on the internet. The problem was; Frukky bought hacks at my and MR-X his website and was selling it for less on his own website. So a kind of “war” started. What MR-X did was implementing a backdoor in his new hacks so everyone who bought it and used it was infected but it was just for Frukky. I’ve no idea if he used it and I’ve still no idea who those guys where. When someone knows who these guys are, I’d like to get in touch with them to chat about those days. If you search on the internet some hacks are still available, but they don’t have their own website anymore. If you come across hacks of mine, please let me know. I always used my real name.

University

When I was done with my high school, which I didn’t finish by the way. I’d a company to run, when I was 13 I started a webhosting company and I thought there was nothing more useful to learn at my high school at the age of 15. After some visits at the attendance officer I was allowed to go to the university. In Dutch: “MBO niveau 4” where I started the ICT manager education. Within a few weeks there I arranged exemption for almost all IT related classes because I could prove I already knew it. At some classes we’d to open a computer and tell the teacher where the components are located, really? Also we’d some programming classes where we’d to build a website with HTML tables… come on, you can imagine the education level.

Let’s have some fun!

In the past I’ve created my own trojan horse (still in VB6) which I spread around the school by infecting USB drives (still with the autorun.inf trick) which all students where using to store there documents. They where reporting to my command and control server so I’ve created a grid of all the computers with the IP addresses. That way I can target individual computers to irritate class mates. I’d no intention to do any damage to all infected computers. It started with shutting down some computers of people I didn’t like that much. MSN was pretty popular those days so with the trojan I was able to change they’re status but I’d the most fun with opening cd drives. One day a teacher was talking to a student and his arm was hanging on a computer. I looked up the IP address, connected to the computer and opened the drive where the hand of the teacher was hanging. You’d to see his face, it was hilarious.

The end of school

About 3 months after starting the education I quit and started full time working. I was not allowed by the attendance officer to work full time from home for my own business. So I started working at a local computer store and ran my own business in the weekends. I did get an offer to finish the education within 1.5 year instead of 4 and skip the first year of the continuing education (in Dutch: “HBO”) but I declined it. So I’ve only finished my elementary school.

My biggest hacks

GHED

When I started with web development I needed webhosting to put my website online. There are some companies which offer free webhosting but most of them inject ads. So after searching around I came across GHED: “Gratis hosting en domein”, in English: “Free hosting and domain”. At the time of writing they still exists but I just read they stop in 2018. You can earn points by clicking on ads, filling out surveys, etc with affiliate marketing. You can trade those points for webhosting or a domain.

You’ll get webhosting at a big hosting company but years ago they had their own dedicated server with all the free hosting accounts on it. That server wasn’t protected that well so I used a c99 shell script to look around on the server which was running on the Direct Admin control panel. I came across a unprotected phpMyAdmin folder, I modified the login script to send me an email when someone uses it and I was waiting. Apparently that one wasn’t used by anyone so let’s do some social engineering: I’ve created a thread on their forum with a link to the phpMyAdmin installation with the question if that’s the right one to use. Guess what… a administrator logged in with the admin credentials, removed the folder from the server and replied with the correct link.

So I received an email with the username and password, logged in with a proxy to the Direct Admin control panel and there we are! I could do anything I want on that server with hundreds of websites hosted on it.

Recent hacks?

I’m a ethical hacker now so I report things I find and don’t abuse it. After shutting down my hacking website I focused on web development which I’m still doing. I’m not doing that much with hacking anymore but recently I published these related blog articles:

– Hacking public GIT repositories
– Magento 1 cacheleak exploit

And did I only create hacks in VB6? No… I also created invoice programs, a radio station program, CD / DVD Magic and much more.

Wrapping up

Some things I regret, other things where so much fun but keep in mind: hacking and abusing it is not allowed by the law! A lot of things I did at school can get you suspended or can bring you in serious trouble! It sounds like a fun story but I’ve been suspended at my high school for a week and one time the police was contacted for stuff I’ve done. It’s getting a little bit long and I haven’t told everything I wanted yet, maybe I’ll update this post later with more stories.

Het bericht [EN] My hacking history verscheen eerst op Roy Duineveld.

public function store()
{
    $validatedData = request()->validate([
        'title' => 'required',
        'body' => 'required',
    ]);
}

Normally you would do something like request()->all() which isn’t always save if you’re not setup the mass assignment variables on the model right. For example when you’ve disabled mass assignment by adding protected $guarded = []; to a model. A better way is to use request()->only() with the fields you need. With the above example that would be: request()->only(['title', 'body']) but that’s feels like duplication right? You’ve already defined the fields in the validation array. From Laravel 5.5 $validatedData will output an array with the validated fields, the same as request()->only() would do.

What about Form Requests?

The first thing I was thinking when I’ve watched that lesson; is there something similar when using Form Requests? I’m not a big fan of validating data in my controller. A comment under the lesson brought me here: laravel-validator which introduced that functionality to Laravel 5.4 with:

public function store(FormRequest $request)
{
    Page::create($request->valid());
}

But Laravel 5.5 introduced the validated() method (currently still undocumented) so that package isn’t needed anymore and confirmed by the author. I did find a bug with it but was fixed already in Laravel 5.5.4.

What if not all the data should be saved to the model?

In a project I’m currently working on I’m using Spatie’s Medialibrary package so I’ve rules to validate images and lately I’m using protected $guarded = []; on all my models to disable the mass assignment checks. Let’s say we’ve a page with a title, body and image. In our rules() method on our PageRequest we’ve these rules:

return [
    'title' => 'required',
    'body'  => 'required',
    'image' => 'image'
];

When we save the page with Page::create($request->validated()); we’ll get a database error because there is no image column. Spatie’s Medialibrary saves all the media in a seperated table so we don’t have a image column on our pages table. After we’ve saved the page we’ll process the image.

We’ve a few option to fix this:

1. Instead of using protected $guarded = []; we could specify the fillable ones with protected $fillable = ['title', 'body'];.
2. We could use Page::create($request->only('title', 'body')); here instead of the validated() function.
3. We exclude the image: Page::create(collect($request->validated())->except(['image'])->toArray());

I’m using option 3, it may look like the longest / most complex option but if you’re getting more and more fields you’ll see it’s the easiest because it’s just a blacklist of fields you don’t want. You could refactor this back to your model so the blacklist is defined there.

What option do you prefer?

Het bericht [EN] Laravel 5.5 validated() method on Form Requests verscheen eerst op Roy Duineveld.

While figuring out how I could accomplish this I came across this great article from Sebastian de Deyne from Spatie. He registers a view namespace in a service provider with $this->loadViewsFrom() which allows you to specify the theme directories and a namespace. But from a service provider I don’t have access to the current authenticated user because that part is loaded later, see Laravel’s request lifecycle. When I looked at the loadViewsFrom() function I noticed a addNamespace() function on the views which can be used from (for example) the view facade: View::addNamespace().

So what’s the best place to register the view namespace? I’d like to base it on the current user so I need to make sure the user is logged in. What about a middleware? Let’s create the middleware:

<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\View;

class UseThemeForUser
{
    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        View::addNamespace('theme', [
            resource_path('views/themes/' . Auth::user()->theme),
            resource_path('views/themes/default'),
        ]);

        return $next($request);
    }
}

But this should only be executed for the frontend when a user is logged in. Let’s first register the middleware as a route middleware in app/Http/Kernel.php as theme. Now we can use this middleware in our routes file (for example with a route group) or controller. In my case I’ve created a dedicated frontend routes file and registered it in my route service provider together with the web and auth middleware because our theme middleware depend on those.

In all our controller and views which depend on a theme we can use for example theme::home to load our /views/themes/custom/home.blade.php file if the users theme is set to custom, or if that one doesn’t exists it will fallback to the /views/themes/default/home.blade.php template.

Het bericht [EN] Laravel theme fallback views based on the user verscheen eerst op Roy Duineveld.

Digital Ocean and Serverpilot

I’ve created a droplet at Digital Ocean for $10 a month with 1GB memory, 1 core and a 30GB SSD disk. I can recommend to name your server with a hostname, so instead of “royduineveld”, name it “royduineveld.nl”, it’s important to do so for a PTR record. I’d like to use Serverpilot so I’ve created a account and followed the steps. A alternative for Serverpilot is Laravel Forge, I’ve created a comparison between them.

Server setup

A lot of things are configured for you by Serverpilot but some things you’ll have to do yourself, just read through the docs and see what’s handy for you. Things I’ve done:

General setup

• Change the timezone, it’s important to restart your server after changing it so other services like MySQL and crontab adapt it: sudo dpkg-reconfigure tzdata and sudo reboot

Security steps

• Setup SSH public key authentication, it’s more secure and easier then using passwords: echo "MY SSH KEY" >> /srv/users/serverpilot/.ssh/authorized_keys
• Disable SSH password authentication, you can always access your server from the console at Digital Ocean. Edit /etc/ssh/sshd_config and set PasswordAuthentication no and restart the service: sudo service ssh restart

Monitoring

I like New Relic for monitoring, I’ve setup APM and Browser to monitor my PHP applications, Synthetics to get notified when something goes down and Server to keep track on statistics.

• Install New Relic Server (replace the license key):

  echo deb http://apt.newrelic.com/debian/ newrelic non-free >> /etc/apt/sources.list.d/newrelic.list
  wget -O- https://download.newrelic.com/548C16BF.gpg | apt-key add -
  apt-get update
  apt-get install -y newrelic-sysmond
  nrsysmond-config --set license_key="YOUR LICENSE KEY"
  /etc/init.d/newrelic-sysmond start
  

• Install New Relic APM for PHP 7.0 (select option 2 in the installer, provide your license key when asked and replace your server name)

  wget -O - https://download.newrelic.com/548C16BF.gpg | sudo apt-key add -
  sudo bash -c "echo deb http://apt.newrelic.com/debian/ newrelic non-free > /etc/apt/sources.list.d/newrelic.list"
  sudo apt-get update
  sudo apt-get install -y newrelic-php5
  sudo NR_INSTALL_PATH=/opt/sp/php7.0/bin newrelic-install
  sed -i "/^newrelic.appname =/s/=.*/= \"YOURSERVERNAME\"/" /etc/php7.0-sp/conf.d/newrelic.ini
  sudo service php7.0-fpm-sp restart
  

  Afterwards create a .user.ini in your app directories: ~/apps/APPNAME/public/.user.ini with the application name in it: newrelic.appname = "APPNAME"

Application specific

Some applications of mine are using Redis as cache backend, I’m also using the Gulp build tool in some projects which requires Node.js and for Magento 1 projects Magerun is a very handy tool.

Redis Server with Redis for PHP 7.0

sudo apt-get install -y redis-server
sudo apt-get install -y gcc make autoconf libc-dev pkg-config
sudo pecl7.0-sp install redis
sudo bash -c "echo extension=redis.so > /etc/php7.0-sp/conf.d/redis.ini"
sudo service php7.0-fpm-sp restart

Node.js with NPM

sudo apt-get update
sudo apt-get install -y nodejs
sudo apt-get install -y npm
sudo apt-get install -y nodejs-legacy
chown serverpilot:serverpilot /srv/users/serverpilot/tmp/

I’m using Node.js to run Gulp on my server, on your local machine you probably installed Gulp globally, don’t do that on your server! After running npm install you can run Gulp with node_modules/.bin/gulp or for example with Laravel Elixir you can run npm run prod

Magerun

wget https://files.magerun.net/n98-magerun.phar -O /usr/local/bin/magerun
chmod +x /usr/local/bin/magerun
chown serverpilot:serverpilot /usr/local/bin/magerun

Backups

I’ve written another article about server backups and how I’ve set it up, see: Backup your server with AutoMySQLBackup and Duplicity.

Email

For email I’ve also written a dedicated article: Free email forwarding.

Conclusion

Moving from shared hosting to a VPS gives you flexibility, you can do whatever you want with your server. But it requires some server/linux knowledge, when you’re using Serverpilot a lot is taken care of, including updates! But when something goes wrong you need to fix it yourself.

Het bericht [EN] From shared webhosting to your own VPS verscheen eerst op Roy Duineveld.

You can find .htaccess files across multiple folders with a default Magento 1 installation, not only in the root. For example the .htaccess file in the /var directory blocks access to all files in there. Don’t forget to block access to that directory in your Nginx configuration too! If you don’t block access people can access log files and even cached files. You may think that’s not dangerous but it is, with this exploit you can get the MySQL database credentials.

1. First, check if a website is vulnerable at magereport.com
2. Try to access the resource_config.json file by visiting http://website.com/var/resource_config.json
3. Copy and modify the media directory path from the resource_config.json file to something like: /home/users/username/website.com/app/etc (make sure it points to /app/etc)
4. Create a MD5 hash from that path, for example with http://www.md5.cz/ or generate it from the terminal: php -r "echo md5('PATH');" en replace the path, that will generate something like: 68095313d2b99db25e7ebcd5bc8d9642
5. Use the first 3 characters from that hash, with my example that will be 680
6. Visit http://website.com/var/cache/mage--2/mage---XXX_CONFIG_GLOBAL and replace the XXX with those 3 characters
7. Now you can search in the global configuration, you can find among other things the MySQL credentials here
8. Try to connect to the database remotely or search for a PhpMyAdmin or Adminer script

From that point the possibilities are endless as I’ve written before in my Hacking public GIT repositories post, from defacing to change payment provider credentials and further.

Why now publish this exploit? I’ve “created” it in 2015 but back then a lot of webshops where vulnerable. Meanwhile the percentage is pretty low so I thought; let’s share it with the world.

Do you need a security audit for your webshop? Contact me!

Het bericht [EN] Magento 1 cacheleak exploit verscheen eerst op Roy Duineveld.

AutoMySQLBackup

This tool is pretty simple and can be installed with: sudo apt-get install automysqlbackup You’re done! Backups will be made daily, automatically of all your databases and will be stored in /var/lib/automysqlbackup If you’d like to manually run it: sudo automysqlbackup

Restoring from one of those backups is as easy as extracting and importing the .sql file with: mysql -u username -p databasename < databasefile.sql, provide your password when asked and your done.

Duplicity

You could copy a lot of directories from your server daily with SCP to another server, or first zip them but then you’ve to create multiple cronjobs to handle all of this. And what about old backups and thought about disk space on the backup server? Duplicity can take care of all of this. Don’t have a backup server? Duplicity supports a lot of storage platforms and transfer protocols like: Amazon S3, Backblaze, Dropbox, Google Drive, SSH/SCP, WebDav, etc. and it’s creating diff files instead of doing complete backups everyday to save diskspace. Let’s install it with: sudo apt-get install duplicity

Full backups

Let’s start with a full backup. I’ve got a TransIP STACK account, it’s a Dutch hosting provider which gives 1TB of free storage which you can access with WebDav so I store my server backups there. Also my webserver is managed by Serverpilot so my directories I’d like to backup are:

• /srv, all my websites, applications and logs are stored here
• /var/lib/automysqlbackup, all daily, weekly and monthly backups of all my MySQL databases

I’m not going to use any encryption in this example so to create a full backup with Duplicity from the above directories to my TransIP STACK storage:

sudo duplicity full 
--ssl-no-check-certificate 
--no-encryption 
--include /srv 
--include /var/lib/automysqlbackup 
--exclude '**' 
/ 
webdavs://username:password@username.stackstorage.com/remote.php/webdav/backups

Create a monthly cronjob (as root user else you can’t access the AutoMySQLBackup files) from it and you’re done!

Incremental backups

When you’ve created your first full backup, Duplicity can create incremental backups with the full backup as reference. This means: when a full backup is ready, Duplicity will compare everything with that backup and creates diff files from the changes. And yes Duplicity is smart enough to restore backups from it, you don’t have to run multiple diff files over the full backups or something. Setting up a incremental backup is as easy as replacing full with incremental in the example above. Create a daily cronjob, done!

Removing old backups

Now you’ve setup 2 cronjobs, but it keeps running and won’t delete anything. I’d like to keep 3 months of backups, this can be done with this command:

duplicity remove-all-but-n-full 3 
--ssl-no-check-certificate 
webdavs://username:password@username.stackstorage.com/remote.php/webdav/backups
--force

Restoring backups

But what if something goes wrong and you’d like to restore a backup? You can use the restore command:

duplicity restore 
--ssl-no-check-certificate 
--no-encryption 
webdavs://username:password@username.stackstorage.com/remote.php/webdav/backups .

Which will restore the latest backup to the directory your currently in. You can even restore one file with the --file-to-restore parameter or choose with --time from which backup you’d like to restore. If you want to know which backups you can restore, run the collection-status command.

How I’ve setup my backups

AutoMySQLBackup is installed and running and with crontab -e as my root user I’ve setup my Duplicity cronjobs:

0 1 * * * duplicity --full-if-older-than 1M --ssl-no-check-certificate --no-encryption --include /srv --include /var/lib/automysqlbackup --exclude '**' / webdavs://username:password@username.stackstorage.com/remote.php/webdav/backups >> /dev/null
0 5 1 * * duplicity remove-all-but-n-full 3 --ssl-no-check-certificate webdavs://username:password@username.stackstorage.com/remote.php/webdav/backups --force >> /dev/null

A little bit different from what I’ve said earlier. By default the duplicity command creates a full backup and when there is one already it creates an incremental one. With --full-if-older-than we can specify when a new full backup should be made. This method is better than creating two cronjobs; one for a full backup the first of the month and the other one incremental the other days. What if the full backup fails? We’re getting two months of incremental backups, etc.

Do you want to know more? Run the man duplicity command for the manual or check the duplicity manual online.

And don’t forget: backup, backup, backup!!!

Het bericht [EN] Backup your server with AutoMySQLBackup and Duplicity verscheen eerst op Roy Duineveld.

Use G suite, or previously: Google Apps

For 99% of my customers G suite is the way to go and they love it. But I’ve a personal Google account with a Gmail address and why should I pay for G suite just for mail? I don’t need the rest. At the shared hosting company I just had some email forwarders setup in the Direct Admin control panel. That’s what I want! Just some simple mail forwarders…

Setup mail forwarders with Postfix

I’ll spare you the details, but configuring Postfix to forward emails isn’t that hard. But we’re still missing the SPF and DKIM records to make sure our emails will not be marked as spam, that’s taking some more time but I don’t like to repeat these steps on multiple servers and for multiple domains…

Use a email service to send emails

To make sure our emails will not be marked as spam we could use a email service like SendGrid, Mandrill, Amazon SES, etc. I’ve created a account at SendGrid, configured the DNS records, installed the WordPress plugin for my blog and it’s working perfectly! Not one email was marked as spam! But that’s for sending emails, I still need those email forwarders…

Catch-all email forwarding with Improvmx

Improvmx makes it possible to create a catch-all email forwarder very easily. Change your DNS MX records, fill-in your domain and email address and you’re done! How awesome is that? But what if I want to be explicit about my email forwarders or don’t want a catch-all one…

Mailgun!

With Mailgun it’s also possible to receive emails, not as a inbox (which I don’t need) but as a forwarder or parser! So I’ve deleted my SendGrid account, removed the SendGrid WordPress plugin, created a Mailgun account, added my domain, configured the DNS records, installed the Mailgun WordPress plugin and created some “routes” to forward my email. Awesome!

Things to keep in mind

By using a email service you’ll have to make sure you configure it at all your applications/websites. For WordPress there is a Mailgun plugin, Laravel supports it out of the box and for other platforms who don’t have anything like that you can use the SMTP credentials provided by Mailgun. Also the title of the article is “free email forwarding”, yes it’s free up to 10.000 email a month, you need more? Check out the Mailgun pricing. And a quick tip for testing your mail forwarder: http://send-email.org.

Alternatives

Once in a while I receive emails with suggestions for other services, I’m trying to list them here:

• forwardmx.io (paid)
• forwardemail.net (free and open source)
• cloudflare.com (free)

Het bericht [EN] Free email forwarding verscheen eerst op Roy Duineveld.

Let’s start with prevention

It’s pretty easy to prevent this, just make sure your GIT directory is not in your virtualhost. For example with Laravel; there is a “/public” directory where you should point your virtualhost to, so with Laravel you’re not “vulnerable”. When you’re using WordPress you could use Bedrock and in general for everything else or if Bedrock isn’t an option; block it with your webserver! In case of Magento you can test if your GIT directory is accessible with Magereport.

Apache configuration or .htaccess file

RedirectMatch 404 /\.git

nginx configuration

location ~ /.git/ {
      deny all;
}

The possibilities

When the GIT directory is accessible you can read the GIT configuration file pretty easily, just put “/.git/config” after a websites url. Cool, we can see the remotes and stuff but what else can we do? We can download the whole repository!

Downloading a public facing GIT repository

On Github there is a tool called DVCS Ripper which includes a script to rip GIT repo’s. Download the “rip-git.pl” file and run it:

./rip-git.pl -s -v -u http://www.example.com/.git/

Regarding the size of the repository it could take some time, if there is only code in the repo it’s probably done within a few minutes but in other cases where for example all product images (which is a bad idea btw) are stored in the repo it can take hours. The longest I’ve waited is about 4 hours with a repo of multiple gigabytes.

What next? What’s so dangerous?

Is it not dangerous enough that somebody can download your complete sources? They can setup a copy of your website, search for bugs in your code and exploit them or in case the developer was really stupid there is a configuration file in the repo with database passwords! I’m not joking, I’ve experienced this with multiple websites and even big webshops! To make it even better (or worser?) some sites had a PhpMyAdmin installation running at “/phpmyadmin”. The possibilities are endless from that point. Some things I could do:

• Deface the website and put Gandalf Sax on it
• Create a administrator account to access the backend
• Change some payment provider credentials so all payments go to my bankaccount
• Dump the database and sell it with the sources to a competitor or on the black market
• Leak usernames and passwords

How to find public GIT repo’s?

As mentioned before just try “/.git/config” after the url, but also Google can help you with this. Just search this on Google:

.git intitle:"Index of"

And you’re going to find a lot of websites, but all of them do have directory listing enabled in their webserver (so you can browse through folders without a index html or php file). Google doesn’t index for example the /.git/config file directly so there are a lot more websites with this problem!

What big websites do have this problem?

I’ve created a simple script to loop through the top 1 million websites of the Alexa ranking, you can find this script in a Github Gist. After running this script multiple hours and scanning the top 10.000 websites I’ve found 73 public facing GIT repo’s. Some of them aren’t dangerous because it’s a open-source website like the website of AngularJS which is on that list, but most of them are not intended to be public. I’m not going to put some names here until it’s fixed and the owner of the website agree to publish the name here but I came across sites like:

• Webshops
• News sites
• File sharing sites
• Cloud providers
• Online advertising companies
• Online video streaming sites
• Stock image sites
• Proxy providers

And to emphasize again, those are in the top 10.000 websites of the world! Later I came across this website, they’ve crawled the whole 1 million Alexa list and created some fancy charts from it.

Conclusion

DON’T PUBLICLY EXPOSE YOUR GIT DIRECTORY! Or any other version control system like HG, Bazaar, SVN, CVS, etc.

Updates

I’ve contacted some companies with a publicly exposed git directory and here are the results:

• translated.net: after downloading the source code I also found a XSS vulnerability. Meanwhile everything is fixed in co-operation with the company.
• the-watch-series.to: I’ve downloaded the sources but didn’t find the time to inspect it, after contacting the support team the issue is fixed and the code is removed.

Het bericht [EN] Hacking public GIT repositories verscheen eerst op Roy Duineveld.

Creating a plugin

The first step is to create a plugin, this is very simple. Create a new folder in the “/wp-content/plugins” folder and name it for example: “import-demo”. Inside that folder create a file “import-demo.php” and place some plugin header information inside it:

<?php
/*
Plugin Name: Import demo
Plugin URI: https://royduineveld.nl
Description: A demo import for my blog
Version: 1.0
Author: Roy Duineveld
Author URI: https://royduineveld.nl
*/

After that you could create some admin menu’s to start the import manually, but I’ll skip that for now because I’m going to run the import from the WordPress cron system.

Getting started with the import

First we need a source, for example a csv or xml file. In this post I assume that you’ve got a xml file:

$xml = simplexml_load_file(file_get_contents('http://domain.com/your-xml-file.xml'));

After that, just loop through the items and create a post for each entry:

$postCreated = array(
	'post_title' 	=> $item->title,
	'post_content' 	=> $item->content,
	'post_excerpt' 	=> $item->excerpt,
	'post_status' 	=> 'publish',
	'post_type' 	=> 'post', // Or "page" or some custom post type
);
$postInsertId = wp_insert_post( $postCreated );

After that we may need some post options / meta’s, for example some fields for the Yoast SEO plugin:

$postOptions = array(
	'_yoast_wpseo_title'	=> $item->title,
	'_yoast_wpseo_metadesc'	=> $item->metadescr,
);
foreach($postOptions as $key=>$value){
	update_post_meta($postInsertId,$key,$value);
}

Adding a featured image

To add a featured image to a post we’ve to “sideload” it and to do it within our import plugin we’ve to “hack” a little bit to catch the attachment id and save it on the post:

add_action('add_attachment','featuredImageTrick');
media_sideload_image($item->image, $postInsertId, $item->title);
remove_action('add_attachment','featuredImageTrick');

With this action hook we need that “featuredImageTrick()” function:

function featuredImageTrick($att_id){
    $p = get_post($att_id);
    update_post_meta($p->post_parent,'_thumbnail_id',$att_id);
}

And we need to make sure we’ve included some WordPress core files:

require_once(ABSPATH . 'wp-admin/includes/media.php');
require_once(ABSPATH . 'wp-admin/includes/file.php');
require_once(ABSPATH . 'wp-admin/includes/image.php');

Run your import with the WordPress cron

WordPress does have a cron system build in which doesn’t require to setup a cron task on your hosting environment within your control panel or with the “crontab” command on Linux systems. But how is this working? WordPress runs a asynchronously request when someone visits your WordPress website (so the page request doesn’t slow down for the visitor). A function checks the time and the scheduled tasks and runs the task if needed. That’s for example how the WordPress checks for version updates and that’s how the auto updates are handled. We can hook into to this with a simple function. But first we’ve to wrap everything we’ve written into a function and we’ve to created a WordPress action for it:

add_action('import_demo', 'importIt');
function importIt(){
    // The code until now
}

After that we can register two hooks to activate the cron task and deactivate it when the plugin is disabled or removed:

register_activation_hook(__FILE__, 'activateCron');
function activateCron() {
	wp_schedule_event(strtotime('tomorrow midnight'), 'daily', 'import_demo');
}

register_deactivation_hook(__FILE__, 'deactivateCron');
function deactivateCron() {
	wp_clear_scheduled_hook('import_demo');
}

With this setup our import will run at or after 0:00, it depends on when a visitor is coming. If you need to make sure that the cron is running at the specified time you can setup a real cronjob by disabling the default cron behavior with this in your “wp-config.php” file:

define('DISABLE_WP_CRON', true);

After that you can setup a cronjob, for example to run it every 5 minutes:

*/5 * * * * php /path/wp-cron.php

This doesn’t mean your import is running every 5 minutes, this is like a visitor is coming to your website every 5 minutes. So at midnight it will trigger the import.

Remove previous posts before import

Currently we’ve build the import to add posts every night, but it’s not overwriting existing ones from the previous import. The easiest way is to just delete those posts and re-import them. To do this we’ve to identify those imported posts first. Just add a extra post option / meta:

$postOptions = array(
	'imported' => true
);

And after that we can identify them and remove the post with its featured image:

currentPosts = get_posts(array( 
	'post_type' 		=> 'post',
	'post_status' 		=> 'publish',
	'meta_key'			=> 'imported', // Our post options to determined
	'posts_per_page'   	=> 1000
));

foreach($currentPosts as $post){
	if($thumbId = get_post_meta($post->ID,'_thumbnail_id',true)){
		wp_delete_attachment($thumbId,true);
	}
	wp_delete_post( $post->ID, true);
}

Wrapping it up

Congrats! You’ve build your own import for WordPress. You can find the complete “import-demo.php” on Github Gist. Good luck!

Het bericht [EN] Creating your own WordPress import verscheen eerst op Roy Duineveld.

When you’re not using version control

You’ve downloaded the WordPress archive, extracted it, uploaded it to your hosting environment, ran the installation, installed some useful plugins and put your purchased theme from Themeforest in the “/wp-content/themes” directory. Congrats you’ve installed WordPress! You can update Wordpress and it’s plugins easily through the backend and critical WordPress updates are even installed automatically. To update your premium theme from the backend you could use the Envato WordPress Toolkit so you don’t have to do this manually. Fantastic, what a great system! No I’m not joking, it really is! How simple can it be?

Version control your custom theme or plugin

But what if you’re creating your own theme (for example with Sage) or plugin? You could just upload it every time you’ve changed something but how do you keep track of your changes? What if you’ve to undo your latest change or working on it with a team? That’s where version control systems like GIT can be handy! Put your custom theme or plugin in version control, work on it by committing your changes so you can do a rollback later if needed and work easily together with your team by using online services like Github or BitBucket. On your server you “cd” into the correct directory and “clone” your GIT repository with your theme or plugin. Great! Problem solved.

Version control everything

But what if you’ve multiple custom themes or plugins? Then you’ve to “cd” into all those directories and “pull” the latest versions, why don’t you just put everything (WordPress and all plugins and themes you’re using) in version control? No problem, fixed in no-time! Init GIT, add all the files and do a initial commit.

WordPress auto updates

But why is the auto updater not working anymore? Because WordPress checks if it’s under version control because files should not automatically change when they’re under version control. As you can see there in the code we can override this by defining a “automatic_updates_is_vcs_checkout” filter to ignore this check. But is that really what you want? Then we’ve uncommitted changed files after a update, so don’t! When you’ve WordPress under version control you should take care of all types of updates by yourself. Update WordPress on your local environment, “commit” the changes and “pull” them on the production environment.

Installations and updates from the backend

WordPress doesn’t auto update anymore because it’s under version control, but we still can update WordPress by clicking the update button. Also we (or your end user / customer if they’ve a admin account) can install plugins and update everything else (plugins, themes and translations) from the backend. When we do one of these things we’ve again uncommitted changed files, so it’s advised to disallow these things by defining the “DISALLOW_FILE_MODS” constant. Now it’s “impossible” to get changed files on your production environment. So a “git status” shouldn’t return any changes, if it is returning files changes something (like a plugin or theme) isn’t following the WordPress standards or you’ve got hacked. I don’t wanna scare you, but when you’ve got hacked your happy with version control because you can see what files are changed and with a “git checkout .” all the changed files by the hacker are undone.

Use Bedrock!

You’ve got all your WordPress websites under version control. But think about it, isn’t their much duplication? WordPress itself is in all those GIT repositories and probably on every WordPress website you’re using almost the same plugins. When there is a WordPress, theme or plugin update you’ve to open all those sites locally and update, commit, push and pull. Can this be done cleaner with less duplication in repositories and less work when there is an update? Absolutely! Use Bedrock!

What is Bedrock?

Bedrock is a boilerplate for WordPress which is using a better folder structure, handles dependency management with Composer and makes it very easy to configure with Dotenv and environment specific configuration files. With Bedrock you’ve a very solid base when you’d like to put your WordPress site under version control.

How is Bedrock making it easier?

Dependency management

All your dependencies like WordPress itself and mostly plugins are defined in your “composer.json” file, just one line with the name and the version number you’d like. After running “composer install” (or “composer update” in case you’ve changed something in the “composer.json” file) all the dependencies will be downloaded (or grabbed from the Composer cache in case the dependency is already downloaded before) but ignored for version control so they aren’t in your GIT repository. So if you want to update WordPress or something else, change the version number in the “composer.json” file, run “composer update” and commit the two changed files (the composer.json and composer.lock file). On your production environment you just have to do a “git pull” and a “composer install” and your update is live. How clean can your GIT repository be?

Dotenv and environment specific configurations

One of the other great things about bedrock is the build-in configuration which is using Dotenv. The configuration files take care of defining constants per environment, like the earlier mentioned “DISALLOW_FILE_MODS” constant and Dotenv takes care or environment specific configuration settings. Just one simple “.env” file which contains all the configuration options.

What are the downsites of using Bedrock?

All translations needs to be committed in your GIT repository by default which causes “duplication” again, you’ve to do some additional stuff go get multisite working and not really a “Bedrock problem” but relevant if you’ve bought some premium stuff from Themeforest: it’s to devious to install premium stuff with Composer.

What do you use?

For “simple” WordPress websites without custom code I don’t use version control, I think it’s a little bit overkill and I like the auto update feature in that case. But for projects with a custom theme or plugin I’m using Bedrock and I’ve my theme or plugin in the same repository because most of the time it’s specific for that website. What do you do in which scenario and why?

Het bericht [EN] WordPress, use version control or not? verscheen eerst op Roy Duineveld.