Genericons XSS Vulnerability - How to Protect your WordPress Site

This article covers the Genericons XSS vulnerability and how to protect a WordPress site from it.

The Genericons package includes a file called example.html which has been found to contain a DOM-based XSS vulnerability.

This package is included in various WordPress plugins and themes.

You can fix this issue by removing the example.html file located in the genericons directory.


The recommended way to patch your system is simply to upgrade WordPress. 

This will not only secure your system against this vulnerability, but also any other issues that may have been fixed.

If your permissions allow it, you can usually upgrade your installation using the admin panel update controls.

Although we highly recommend that you update WordPress completely (along with any affected themes or plugins), you can also easily manually delete the offending files.


To do so, log into your WordPress server and navigate to your document root directory.

You can remove the offending files by typing:

sudo find . -path "*/genericons/example.html" -exec rm -f {} \;

You can then check your directory structure again:

find . -path "*/genericons/example.html"

All of the example.html instances within a genericons directory should now be removed, so the second find command should return no results.


Genericons includes a file called example.html which has been found to be vulnerable to DOM-based cross-site scripting.

Any WordPress plugin or theme that includes this file is open to an attack. 


To help combat this, we have done the following for VaultPress users:

1. We've deleted the file everywhere we can to proactively secure your site.

2. We've added it to our security scanner so that if there are any cases where we couldn't detect the file or couldn't delete it, you will still be notified if the file exists on your site. 

3. For users with sites where we couldn’t remove the file, we have personally emailed each of you with steps to remove the file and details about where the file is located.


Also, another important security update was released today for WordPress in version 4.2.2. Version 4.2.2 fixes several vulnerabilities that could be used to compromise your site, including the Genericons vulnerability.





Install PowerDNS and PowerAdmin on CentOS 7 - How to do it

This article covers the step-by-step procedure to install PowerDNS on CentOS 7. PowerDNS (pdns) is an open source DNS server written in C++ and released under the GPL. It has become a good alternative to the traditional BIND DNS server, being designed for better performance and lower memory requirements.

PowerDNS provides two products, the Authoritative server, and the Recursor. 

The PowerDNS Authoritative server can be configured with different backends, including plain BIND zone files, an RDBMS such as MySQL, PostgreSQL or SQLite3, or LDAP.


To Install PowerDNS on CentOS 7:

1. First, make sure your system is up to date:

$ yum clean all

$ yum -y update

2. Install PowerDNS and a backend.

First, enable the EPEL repository and install the required packages on your system:

$ yum install epel-release

$ yum install bind-utils pdns pdns-recursor pdns-backend-mysql mariadb mariadb-server

Enable MariaDB and the PowerDNS services so they start at boot:

$ systemctl enable mariadb

$ systemctl enable pdns

$ systemctl enable pdns-recursor

3. Configure MariaDB.

By default, MariaDB is not hardened. You can secure it using the mysql_secure_installation script. Read each prompt carefully: the script sets the root password, removes anonymous users, disallows remote root login, and removes the test database and access to it:

mysql_secure_installation

4. Create PowerDNS Database and User in MariaDB.

Login as a MariaDB root and create a new database and tables:

$ mysql -uroot -p

5. Configure PowerDNS.

Open the /etc/pdns/pdns.conf file.

Finally, restart the PowerDNS service and make sure it is enabled at boot:

$ systemctl restart pdns.service

$ systemctl enable pdns.service

6. Configure Recursor.

Open the /etc/pdns-recursor/recursor.conf file.





Unable to add bridge port vnet0 No such device - Fix it now ?

This article covers how to resolve the error "Unable to add bridge port vnet0: No such device", which occurs when the bridge device specified in the guest's (or domain's) <interface> definition does not exist.

The error message reveals that the bridge device specified in the guest's (or domain's) <interface> definition does not exist.

To verify that the bridge device named in the error message does not exist, run ifconfig br0 on the host.

A message similar to this confirms the host has no bridge by that name:

br0: error fetching interface information: Device not found

If this is the case, continue to the solution.


To fix the error "Unable to add bridge port vnet0: No such device":

1. Edit the existing bridge or create a new bridge with virsh

Use virsh to either edit the settings of an existing bridge or network, or to add the bridge device to the host system configuration.

2. Edit the existing bridge settings using virsh

Use virsh edit name_of_guest to change the <interface> definition to use a bridge or network that already exists.

For example, change type='bridge' to type='network', and <source bridge='br0'/> to <source network='default'/>.
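As an added example (not from the article), Python code that performs the same diagnosis and fix on a libvirt domain XML: it lists the bridges a guest's <interface type='bridge'> definitions refer to, compares them with the bridges present on the host (read from /sys/class/net, the same kernel view ifconfig reports), and rewrites a missing bridge to type='network' with <source network='default'/> as step 2 describes. The domain XML is a constructed sample.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample domain XML: the guest points at bridge br0, the situation behind the error.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>guest1</name>
  <devices>
    <interface type='bridge'>
      <source bridge='br0'/>
      <target dev='vnet0'/>
    </interface>
  </devices>
</domain>"""


def host_bridges():
    """Bridge devices present on this Linux host (each has a /sys/class/net/<dev>/bridge dir)."""
    base = "/sys/class/net"
    if not os.path.isdir(base):
        return []
    return sorted(d for d in os.listdir(base) if os.path.isdir(os.path.join(base, d, "bridge")))


def referenced_bridges(domain_xml):
    """Bridge names the guest's <interface type='bridge'> elements refer to."""
    root = ET.fromstring(domain_xml)
    srcs = root.iterfind("devices/interface[@type='bridge']/source")
    return sorted({s.get("bridge") for s in srcs if s.get("bridge")})


def missing_bridges(domain_xml, bridges_on_host):
    """The check the article describes: bridges the guest needs but the host lacks."""
    return [b for b in referenced_bridges(domain_xml) if b not in set(bridges_on_host)]


def switch_to_network(domain_xml, bridge, network="default"):
    """The article's fix: type='bridge' + <source bridge=...> becomes type='network' + <source network=...>."""
    root = ET.fromstring(domain_xml)
    for iface in root.iterfind("devices/interface[@type='bridge']"):
        src = iface.find("source")
        if src is not None and src.get("bridge") == bridge:
            iface.set("type", "network")
            del src.attrib["bridge"]
            src.set("network", network)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name in missing_bridges(SAMPLE_DOMAIN_XML, host_bridges()):
        print("bridge %s is referenced by the guest but missing on this host" % name)
    print(switch_to_network(SAMPLE_DOMAIN_XML, "br0"))
```

The rewritten XML is what you would paste into virsh edit; the host still needs the default network active for the guest to start.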





Virtuozzo VS Hyper-V - Which is better

This article compares Virtuozzo and Hyper-V.

Hyper-V and Virtuozzo are both popular VPS platforms used by many web hosting providers to provision Windows VPS hosting services, with Virtuozzo favoured for Windows Server 2003 VPS hosting and Hyper-V regarded as the most reliable solution for Windows Server 2008 VPS hosting.


Advantages of using Virtuozzo over Hyper-V include:

1. Direct Linux support – Virtuozzo can be installed on either Windows or Linux VPS hosting nodes, whereas Hyper-V, although it can host virtual machines running Linux, is only available on Windows Server 2008.

2. Web based control panel (Parallels Power Panel) – the Parallels Power Panel lets users manage their Linux or Windows VPS from a web interface. If they cannot reach the VPS over Remote Desktop, they can still use the Power Panel to restart it or to kill any services or processes that are overloading its resources.

3. Separate application – because Virtuozzo is a separate application installed on top of the operating system, a web hosting provider that wishes to stop using a server for VPS hosting only has to uninstall the application, although in most cases an OS reload is advised anyway to start from a blank canvas.


Advantages of using Hyper-V over Virtuozzo:

1. Cost – with Virtuozzo VPS hosting, web hosting providers pay for both the Virtuozzo application and the operating system license, whereas Hyper-V is part of the Windows Server 2008 operating system, so only the operating system license is needed. This reduces the cost of Hyper-V VPS hosting, and as the cost of the operating system falls, prices should fall further until they match Virtuozzo Windows Server 2003 hosting, at which point people will gradually move over to Windows Server 2008 VPS hosting.

2. Reliability – as Hyper-V is part of the Windows Server 2008 operating system, web hosting providers are able to guarantee reliable Windows Server 2008 VPS hosting services.

3. Native support for Windows Server 2008 – although Virtuozzo may support Windows Server 2008, it has not been able to offer the most reliable Windows Server 2008 VPS hosting services.





Add MySQL Service on WebsitePanel - Do it now

This article covers how to add the MySQL service in WebsitePanel.

WebsitePanel began as DotNetPanel, which its creators built only for the Windows web platform as a Windows hosting panel.


To add MySQL Service on WebsitePanel, follow the steps provided below:

1. Download the installation file from here. Choose to skip registration and start the download.

2. Run the .msi file to start the installation. Click “Next” when prompted.

3. Select the product to upgrade, then click “Next”.

4. Click “Execute” to apply the update.

5. Click “Next” to configure the product.

6. If you already have a database on your server, the installer will check and update it. Type in the correct password and press “Check”, then press “Next” when the connection is successful.

7. Click “Execute” to apply the configuration, then “Next” to finish this part of the installation.

8. Click “Next” to proceed.

9. The installation is completed; click “Finish” to continue.

10. This screen shows the products you have installed; you can close the installer here or click “Add…” to install additional products such as MySQL Server 5.7.

11. Select the “CONFIGURATION” tab and click “Servers” from the drop-down list.

12. Next, click on “My Server”, scroll down and look for the “MySQL 5” tab (we installed MySQL 5.5 by default).

13. Click the small “Add” beside the “MySQL 5” tab to add the MySQL service to WebsitePanel.

14. From the drop-down list, choose the version of MySQL that was installed (MySQL Server 5.5 in our case), then click “Add Service”.

15. You will see a message saying that MySQL Connector/Net must be installed; follow the instructions and download the installer.

16. Run the downloaded installer but DO NOT choose “Typical Installation”; choose “Custom Installation” instead and remove the entire “Web Providers” section from the installation, as it produces an error after installation. Proceed by clicking “Next” and then “Install”.

17. Return to the MySQL Service Properties page, fill in the password used to log in to the MySQL root account and then click “Update” at the bottom of the page. If the password is correct, the MySQL service will be added to the list of server services.





Create Keytab File for Kerberos Authentication in Active Directory

This article covers how to create keytab files for Kerberos. Active Directory uses Kerberos version 5 as its authentication protocol to authenticate clients and servers. The Kerberos protocol is designed to protect authentication between server and client on an open network to which other systems are also connected.


The Kerberos Keytab file contains mappings between Kerberos Principal names and DES-encrypted keys that are derived from the password used to log into the Kerberos Key Distribution Center (KDC).



The keytab is generated by running kadmin and issuing the ktadd command. If you generate the keytab file on another host, you need to get a copy of the keytab file onto the destination host (trillium, in the above example) without sending it unencrypted over the network.


To create a Kerberos principal and keytab files for each encryption type you use:

1. Log on as the Kerberos administrator (Admin) and create a principal in the KDC.

You can use cluster-wide or host-based credentials.

The following is an example when cluster-wide credentials are used. It shows MIT Kerberos with admin/cluster1@EXAMPLE.COM as the Kerberos administrator principal:

bash-3.00$ kadmin -p admin@EXAMPLE.COM

kadmin: add_principal vemkd/cluster1@EXAMPLE.COM

Enter password for principal "vemkd/cluster1@EXAMPLE.COM": password

Re-enter password for principal "vemkd/cluster1@EXAMPLE.COM": password

If you do not create a VEMKD principal, the default value of vemkd/clustername@Kerberos_realm is used.

2. Obtain the key of the principal by running the subcommand getprinc principal_name.

3. Create the keytab files, using the ktutil command:

Create a keytab file for each encryption type you use by using the add_entry command.

For example, run ktutil: add_entry -password -p principal_name -k number -e encryption_type for each encryption type.
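As an added example (not part of the article), a small Python parser for the MIT-format keytab that ktutil and ktadd produce: it lists each principal's entries and flags the single-DES and RC4 encryption types, so a leftover weak key can be spotted before the file is copied to its destination host. The enctype numbers come from the IANA Kerberos registry; the sample keytab is constructed inline with a serialiser included for that purpose.

```python
import struct
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "arcfour-hmac",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
WEAK_ENCTYPES = {1, 3, 23}   # single DES and RC4 (numbers per the IANA Kerberos registry)


def _cstr(buf, off):
    (n,) = struct.unpack_from(">H", buf, off)          # counted_octet_string: uint16 length + bytes
    return buf[off + 2:off + 2 + n], off + 2 + n


def build_entry(principal, enctype, kvno, key, deleted=False):
    # Serialise one keytab_entry; used here only to construct sample input.
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)      # name_type NT_PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key # keyblock: enctype + counted key
    body += struct.pack(">I", kvno)                     # optional 32-bit kvno
    return struct.pack(">i", -len(body) if deleted else len(body)) + body


def parse_keytab(data):
    """Return one dict per live entry of an MIT 0x0502 keytab; a negative size marks a deleted slot."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:
            off -= size
            continue
        body, off = data[off:off + size], off + size
        (ncomp,) = struct.unpack_from(">H", body, 0)
        realm, p = _cstr(body, 2)
        comps = []
        for _ in range(ncomp):
            c, p = _cstr(body, p)
            comps.append(c.decode())
        vno8 = body[p + 8]                                # after uint32 name_type + uint32 timestamp
        (enctype,) = struct.unpack_from(">H", body, p + 9)
        key, p = _cstr(body, p + 11)
        kvno = struct.unpack_from(">I", body, p)[0] if len(body) - p >= 4 else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": kvno,
                        "enctype": ENCTYPE_NAMES.get(enctype, str(enctype)),
                        "weak": enctype in WEAK_ENCTYPES})
    return entries


# Constructed sample: the article's principal with an AES key plus a leftover single-DES key.
SAMPLE_KEYTAB = (b"\x05\x02" + build_entry("vemkd/cluster1@EXAMPLE.COM", 18, 3, bytes(32))
                 + build_entry("vemkd/cluster1@EXAMPLE.COM", 3, 3, bytes(8)))
```

To audit a real file, pass the bytes of the keytab to parse_keytab and look at the weak flag of each entry.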





