Koozali.org: home of the SME Server

Side effects of PHP workaround?

Lars

Side effects of PHP workaround?
« on: March 05, 2002, 11:47:18 PM »
I used the PHP vulnerability workaround procedure explained in the advisory. After that, it seems that I can't send e-mails via webmail anymore - when I press "Send message" I am immediately brought back to the Compose page, and the message has not been sent. Also, it seems that some cookies coming in to LAN computers are blocked.

Has anyone else got the same experience, or am I being paranoid here?

Anyway, I would appreciate it greatly if someone would present the exact procedure of how to reverse the workaround again from the root prompt.

Thank you in advance!

Lars

Patrick Hickey

Re: Side effects of PHP workaround?
« Reply #1 on: March 06, 2002, 01:54:34 AM »
I am seeing the exact same issues.

I am also not going to back the changes out due to the risk of being hacked - however small.

Be patient and one of the developers will issue a re-install or patch,

regards,

patrick

Rich Lafferty

Re: Side effects of PHP workaround?
« Reply #2 on: March 06, 2002, 04:43:20 AM »
Lars, Patrick --

Thanks for the heads-up. In future, please send reports like this to

   bugs@e-smith.com

so we can see them in a timely manner.

In this case, there really is no workaround but to fix PHP itself. We're working on
an update blade as we speak.

Cheers,

--Rich

Lars

Re: Side effects of PHP workaround?
« Reply #3 on: March 06, 2002, 08:30:58 AM »
Thank you for verifying the faults.

Patrick, I'm grateful for your concern about my server's safety. However, at the moment I need to work from outside my LAN, and need to use webmail. Through SSH I can turn the workaround "on and off" momentarily, but I need the exact syntax in the same manner as in the advisory to reverse the workaround, as I am no Linux oracle (would love to be if time just let me...).

If you don't want to publish the syntax publicly I would very much appreciate a message to my mail address above.

Regards and thanks
Lars

Dan G.

Re: Side effects of PHP workaround?
« Reply #4 on: March 06, 2002, 08:38:01 AM »
This is an infuriating little bug.  After a couple of long emails lost in a POOF after clicking send, I actually broke down and installed Outlook Express :/

Hope to see that patch soon...

Dan

robert

Re: Side effects of PHP workaround?
« Reply #5 on: March 06, 2002, 02:07:05 PM »
Lars wrote:
>
> Thank you for verifying the faults.
>
> Patrick, I'm grateful for your concern about my server's
> safety. However, at the moment I need to work from outside my
> LAN, and need to use webmail. Through SSH I can turn the
> workaround "on and off" momentarily, but I need the exact
> syntax in the same manner as in the advisory to reverse the
> workaround, as I am no Linux oracle (would love to be if time
> just let me...).
>
> If you don't want to publish the syntax publicly I would very
> much appreciate a message to my mail address above.
>
The syntax in the advisory should have produced a file /etc/php.ini.old. This is the PHP initialisation file with file-uploads still enabled. The newer /etc/php.ini has file-uploads disabled. What you could do is this:
1. mv /etc/php.ini /etc/php.ini.safe
2. mv /etc/php.ini.old /etc/php.ini
3. /etc/e-smith/events/actions/restart-httpd-full
This will reenable PHP file-uploads.

To go back into safe mode:
1. mv /etc/php.ini /etc/php.ini.unsafe
2. mv /etc/php.ini.safe /etc/php.ini
3. /etc/e-smith/events/actions/restart-httpd-full

However, you do not need to do this if you want to be able to read your mail from outside the LAN. If you can ssh into the server, you can use the onboard mailreaders pine or mutt to read your mail without the need for webmail. This is a better solution. If you logged in as root through ssh, simply typing 'mutt' or 'pine' at the prompt will open the admin mailbox. To see a user's mail, do this:
su lars (just an example, of course)
pine (or mutt)
To go back to a root prompt after su'ing to lars, simply type 'exit' at the user prompt.
I would actually recommend doing things the other way round, that is ssh in as lars, then su to root (if you need to at all). For this you will need a real user shell for user lars, instead of the default sme user shell that doesn't allow logins. Change a user's shell like this:
chsh -s /bin/bash lars
(This changes the login shell for user lars to the bash shell, the same shell that root uses.)

Hope this helps,
Robert
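
The two swap procedures in Robert's reply, written as an added shell example that is not part of the original post. It goes beyond the post by checking each file's upload setting before moving anything and by handling repeat toggles after /etc/php.ini.old has been used up. Assumptions: the advisory's workaround set PHP's `file_uploads` directive, and the function names and the optional directory argument are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. File names follow Robert's post; the
# optional directory argument (default /etc) is an assumption for dry runs.

# Print "on" or "off" for the last uncommented file_uploads line in file $1.
# A file with no such line counts as "on", which is PHP's default.
uploads_state() {
    val=$(sed -n 's/^[[:space:]]*file_uploads[[:space:]]*=[[:space:]]*"\{0,1\}\([A-Za-z0-9]*\).*/=\1/p' "$1" |
          tail -n 1 | tr 'A-Z' 'a-z')
    case "$val" in
        =off|=0|=no|=false|=none|=) echo off ;;
        *) echo on ;;
    esac
}

# swap_ini safe|unsafe [dir]: put the requested php.ini in place and park the
# other copy as php.ini.unsafe / php.ini.safe (php.ini.old on first use).
swap_ini() {
    want=$1
    dir=${2:-/etc}
    live=$dir/php.ini
    [ -f "$live" ] || { echo "missing $live" >&2; return 1; }
    case "$want" in
        safe)   need=off; src=$dir/php.ini.safe; keep=$dir/php.ini.unsafe ;;
        unsafe) need=on; keep=$dir/php.ini.safe; src=$dir/php.ini.unsafe
                [ -f "$src" ] || src=$dir/php.ini.old ;;
        *) echo "usage: swap_ini safe|unsafe [dir]" >&2; return 2 ;;
    esac
    # Already in the requested state: nothing to move.
    if [ "$(uploads_state "$live")" = "$need" ]; then return 0; fi
    # Refuse before touching anything if the parked copy is absent or wrong.
    [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
    [ "$(uploads_state "$src")" = "$need" ] ||
        { echo "$src does not set uploads $need" >&2; return 1; }
    mv "$live" "$keep" && mv "$src" "$live"
}
# After a successful swap, restart Apache as in the post:
#   /etc/e-smith/events/actions/restart-httpd-full
```

Running `uploads_state /etc/php.ini` on its own shows which of the two states the server is currently in, which is worth checking before logging out.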

Lars

Thank you, Robert!
« Reply #6 on: March 06, 2002, 02:56:37 PM »
I take the easy way out and reenable the unsafe mode while uploading attachments and sending mail, then I restore safe mode. It's really quick via SSL with the command lines you provided.

Regards
Lars