-
More Access Denied details
I would like to give you some more details and hopefully speed up the 'next stable release' process.
After the release of 0.7.24 rc1 I'm overloaded with false positives caused by a missed point in the upgrade instructions (see previous news). This slows down the process of discovering any issues not yet covered (if there are any) that relate to the latest e-token security protection.
The case is simple: we could stop those false positives with one line of code. However, that would solve only our (core developer and support team) problems. I'll give you some extra info which should help you identify us as the 'good guys'.
During the e-token testing I found a very bad issue, and it has been there forever. In a few simple words: if you use the default e107.htaccess (renamed to .htaccess), every reference to a missing image/CSS/JavaScript file costs your site something like 10 to 20 extra SQL queries (depending on your site configuration), plus of course the additional PHP parsing work on your server. A simple calculation: if your average page needs 20 SQL queries and you have 4 missing images, you end up with 100 SQL queries per page (instead of 20). You should understand now that the issue is really bad.
Most of the "Access denied" issues were a side effect of the above. It would be really easy for me to 'mask' the problem as solved, but I hope you understand now why I don't want to do this. We didn't invent the upgrade instructions to 'keep you busy', so please follow them and give us as much information as possible so that we can reproduce your problems, fix them and move on. A whole 0.8 branch is waiting for us for the final work.
I'd like to take the moment to add a big THANKS to all community members who helped us fight the latest issues.
-
Release Candidates
0.7.24 rc1
-
0.7.23 Released
0.7.23 Release with security fixes and enhancements.
-
So where to from here?
There has been a lot of speculation about the future direction of e107 recently, and it's time to put that to rest and move forward.
The dev team has spent quite a long time (weeks, if not months) discussing all aspects of e107 - the code, the community, the organisation - to try and establish a coherent plan for the future. Some of the results have been around for a while: the establishment of jira as an issue tracking system, some draft coding standards and guidance that we're refining before making public, better code documentation and so on. Overall, the objective is to have a much more professionally run project.
We recognise that some things have been far from perfect in the past - sometimes simply due to lack of time; sometimes for other reasons. We're trying to get it right now.
It is also sad to lose McFly's input - hopefully not entirely, since he's still going to be around. As a long-term contributor to e107, it's hardly surprising that he needs to concentrate on other things for a while.
Moving on, there are a number of things planned:
1. For 0.7, as well as continuing to maintain the code, we will be adding a few enhancements. These are mostly ones which the dev team already have available, or can release with minimal work, since we don't want to deflect too much effort from getting 0.8 on the way. Various members of the community are also working on enhancements which we will consider.
2. For 0.8, the intention is to move to a release as soon as possible. Part of the delay was due to a realisation that some of the structure was wrong, and is having to be redesigned. This is nearly done, and you should start seeing code changes in SVN soon. We have a good idea of the final structure we need, and 0.8 is going to be the 'bridge' between old and new in order to maintain a reasonable degree of backward compatibility and provide an upgrade path.
3. On the organisational side, Cameron is going to be the overall project leader (much as jalist was in the early days), backed up by SecretR and myself as the 'old hands'. We already have a capable support team under the leadership of 2dopey, which will continue. The dev team is to be strengthened - as well as existing devs Bugrain and nlStart we have some other community members to be approached. One area where we'd particularly like some input is on the security side. We've also had a tremendous number of offers of talented assistance from all round the world. Not just on the coding side, but also in areas such as marketing and public relations. So over the next few weeks, we're going to review all these offers, and put together a team to take e107 forward.
More to come - so watch this space.
-
I'll be in my bunk
This has been something I have been considering for quite some time and I feel the time is finally here. As of today, I am no longer developing for e107.
The main reason for the decision is due to priorities changing. Other things in my life (work, family, fire department, etc) just seem to be taking up most of my free time and I can't devote the time to e107. It also seems that the fire has gone out for me, I just don't seem to have the desire to open up the code like I used to.
For all the people that I have promised code for and for all of the work I have done that is incomplete, I am sorry. I had intended to tie up some loose ends before leaving, but it just didn't happen.
I do not know what the future holds for e107, but I wish it the best. I will still be hanging out in #e107 during the day, so I'll still be seeing some of you.
I want to thank all of the people I have worked with on e107...especially jalist. He graciously accepted code from a complete php newbie and allowed me to get involved with the project. I have totally enjoyed my experience with e107.
Now for some fun, for those of you that understand the reference of the news title...discuss 
Top three Firefly episodes: 1) Out of Gas 2) Objects in Space 3) Jaynestown
Top 3 Firefly characters (not part of the crew): 1) Jubal Early 2) Stitch Hessian 3) Adelei Niska
-
e107 community under attack - effective solutions
I decided to write this post because of the large number of forum help requests and accusations against the e107 system. Although the support team has tried to consolidate the discussion into a small number of forum threads (see septor's Consolidated Flood Attack Information), people are still opening new threads, which is only increasing the panic.
I often read angry posts from people who are blaming e107 because it can't handle the situation. This is wrong. You would never blame your doctor for not being able to invent (develop!) a medicine against your current disease. Don't blame e107 because it's installed on servers which can't handle the current bot attacks. Don't look for an e107/PHP-based solution to fight the problem. This won't help.
I spent time writing detailed information on my blog about server tools which will help to stop attacking bots before they reach your PHP engine. They should also help with finding rootkits already installed on the attacked servers. The information is intended for dedicated server owners, but it could be pointed out to your shared hosting provider if needed. The information I'm providing is based on my experience: a number of attacked servers were able to come back to a normal working state (no CPU overload, a large number of firewall-blocked IPs). For those server owners not familiar with server administration, I posted a link to a company which offers a low-cost server configuration service. If you are not experienced enough, you really should look for a security professional. I'm firmly convinced this is the only way we stop the attack against our community.
The whole article: Secure server configuration - stop the madness. Good luck!
-
E107 sites under attack
Over the past couple of days a lot of e107-based sites (including e107.org) have been under attack from two angles:
1. Repeated accesses of contact.php. The objective of these attacks was to compromise sites via a vulnerability which existed in older e107 versions.
This vulnerability is fixed (as far as we know) in 0.7.22 - so if you haven't already upgraded, do it yesterday!
If you already have 0.7.22 installed, the attack simply loads up the server, and becomes a DDOS. It shouldn't be able to gain access to your site; but will slow it down (or seize it up).
If you are running earlier versions of e107, the hackers will most likely have gained access and uploaded various files. These include a Perl script which does all sorts of nasty things. So upgrade your site, and check carefully for strange files - delete any which shouldn't be there. This thread lists the files one user found. File Inspector will also help here.
2. Repeated accesses of the file 'help_us.php' (which they expect to be uploaded as part of the previous attack). Usually this will trigger a 'page not found' error. Typically this is the standard e107 error page, which does some database access, again slowing down the server. Thus this is also a DDOS attack.
In most cases (assuming you are running 0.7.22) your host is the best person to help with these attacks, by putting in server level blocks on the relevant IP addresses. (There are a large number of addresses involved - most likely a botnet of some sort).
There are a number of forum threads on this topic; things you can do to reduce the effect of the attacks (but not stop them) include:
1. If you're not using the contact form, delete contact.php
2. If you are using the contact form, rename it, and update the link.
3. Put in a 'pure HTML' error page for '404' (page not found) errors
While we believe that 0.7.22 blocked these attacks, we are aware of a few 0.7.22 sites that have been compromised. It seems likely that a different attack vector was used in these cases - most likely via a plugin. Or possibly via other means, such as a compromised FTP password. So please check server logs etc to try and identify how access was gained.
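As an added illustration of the log review this post recommends (example code, not e107's own nor the post author's), the following Python script parses Apache combined-format access log lines, counts per-IP requests to contact.php and help_us.php, lists which paths produced 404s (each of which, on a default e107 install, hits the database-backed error page that the "More Access Denied details" post above describes), and flags any client that received a non-404 answer for help_us.php, since that file should not exist on an uncompromised site. The sample log lines, the block threshold of 3 hits and the `WATCHED` tuple are constructed assumptions; real logs and sensible thresholds will differ.

```python
import re
from collections import Counter

# Apache "combined" access log format (assumed; adjust the pattern if your host logs differently).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Request targets named in the post. help_us.php is only present on a site that was
# already compromised, so a clean site should answer nothing but 404 for it.
WATCHED = ("/contact.php", "/help_us.php")

# Constructed sample traffic for demonstration; not real log data.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2010:12:00:01 +0000] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Jun/2010:12:00:02 +0000] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Jun/2010:12:00:03 +0000] "GET /help_us.php HTTP/1.1" 404 2048 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Jun/2010:12:00:04 +0000] "GET /help_us.php HTTP/1.1" 404 2048 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Jun/2010:12:00:05 +0000] "GET /help_us.php HTTP/1.1" 404 2048 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Jun/2010:12:00:06 +0000] "GET /help_us.php HTTP/1.1" 404 2048 "-" "Mozilla/4.0"
192.0.2.9 - - [10/Jun/2010:12:00:07 +0000] "GET /news.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jun/2010:12:00:08 +0000] "GET /e107_images/missing.png HTTP/1.1" 404 2048 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jun/2010:12:00:09 +0000] "GET /help_us.php HTTP/1.1" 200 300 "-" "Mozilla/4.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop any query string so /contact.php?foo=bar still matches the watched path.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def analyze(log_text, threshold=3):
    """Summarise traffic against the watched paths.

    Returns per-IP hit counts on the watched paths, a count of 404s per path (the
    requests that trigger the DB-backed error page), the IPs at or above `threshold`
    (candidates to hand to the host for a server-level block), and the IPs that were
    served help_us.php with something other than 404 (an indicator the file exists).
    """
    per_ip = Counter()
    not_found = Counter()
    help_us_served = set()
    unparsed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["status"] == 404:
            not_found[rec["path"]] += 1
        if rec["path"] in WATCHED:
            per_ip[rec["ip"]] += 1
            if rec["path"] == "/help_us.php" and rec["status"] != 404:
                help_us_served.add(rec["ip"])
    return {
        "per_ip": dict(per_ip),
        "not_found": dict(not_found),
        "block_candidates": sorted(ip for ip, n in per_ip.items() if n >= threshold),
        "help_us_served": sorted(help_us_served),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG, threshold=3)
    print("Hits on watched paths per IP:", report["per_ip"])
    print("404s per path (each one costs a DB-backed error page):", report["not_found"])
    print("Block candidates for the host:", report["block_candidates"])
    print("help_us.php answered with non-404 (check these hosts for uploaded files):",
          report["help_us_served"])
    print("Unparsed lines:", report["unparsed"])
```

To use it on a real server, read the access log into `analyze()` instead of `SAMPLE_LOG`; any IP in `help_us_served` means the web server found a help_us.php to execute, which is the cue to follow the file-checking advice above (File Inspector, removing unexpected files) rather than just blocking the address.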
-
0.7.22 Released
As promised, here's another release.
This release includes the fixes for the e_parse issues introduced with the last release (sorry about that). It also includes a fix for a small security issue.
I have also done some work on my build system, so hopefully now all files pass the File Inspector test and upgrade files no longer contain empty directories.
Link to downloads here: http://e107.org/edownload.php
Changes are listed in the changelog.
Please let us know if you find any problems, which I'm sure you will 
Update:
The Russian Language pack for 0.7.22 has already been completed and can be found here: http://e107.svn.sourceforge.net/viewvc/e107/trunk/e107_langpacks/zipped_langpacks_utf-8/0.7.22/
-
Subscribe to releases mailing list
When creating releases on sourceforge, there used to be an email that was sent to a mailing list, allowing people to be notified of new releases. Well, I can't seem to find that after some sf changes. I'm probably blind.
Because of this, I have created a new userclass on e107.org called 'RELEASES'. If you go to your settings page and add yourself to this userclass, you will be notified of new releases via e107.org (if I remember to send the email).
We will definitely be releasing a new version soon; we have at least one issue to fix before then, so this will be a good test of the emails.