Security is very high on 07.beta 3 Nobody can see anything

Having trouble installing serendipity?
Jochen Hoff

Security is very high on 07.beta 3 Nobody can see anything

Post by Jochen Hoff »

For one year I ran a 0.4 version without any problems. Then I got a message to update because of a security problem. OK. In my next free time I did it: today, beginning at 7 in the morning on a Sunday.

I read the Readme, the forum and so on. I made a copy of the database and a copy of my installed version. Then I updated.

I am a stupid fool. I must be crazy.

First the problems with .htaccess. I found them and, what a wonder, it runs.

But I, stupid bastard, tried to have a look at the configuration in the admin menu. I changed only the link display setting. After this I had the most secure blog in the world: nobody can read or write anything.

Some hours later, I had changed everything I can change; nothing helps.

Warning: mysql_connect(): Access denied for user: 'web94@localhost' (Using password: YES) in /var/www/confixx/web94/html/tb/serendipity_db_mysql.inc.php on line 96

Warning: mysql_select_db(): Access denied for user: 'wwwrun@localhost' (Using password: NO) in /var/www/confixx/web94/html/tb/serendipity_db_mysql.inc.php on line 97

Warning: mysql_select_db(): A link to the server could not be established in /var/www/confixx/web94/html/tb/serendipity_db_mysql.inc.php on line 97
DATABASE_ERROR

The stupid program is not able and not willing to connect to the DB. With phpMyAdmin I have access with the same password and the same user as in serendipity_config_local.inc.php.

Most of my Sunday has gone to serendipity; now I throw it to the wind. I am tired of serendipity. Which stupid bastard tells us to update to such a fucking version?
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Re: Security is very high on 07.beta 3 Nobody can see anything

Post by garvinhicking »

Try to stay calm. There's no use in yelling.

Please check exactly which usernames and passwords are

1. in serendipity_config_local.inc.php
2. in your database, table serendipity_config

Compare all those values and see if they match the correct username. Check that there are no extra spaces at the beginning or end. Check that your hostname, username and password are really correct.

It's not serendipity's fault, it's an error in your configuration. Rest assured.

Garvin.
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
romulus
Regular
Posts: 49
Joined: Fri Sep 24, 2004 4:31 pm

Post by romulus »

It could also be that the webserver can't read serendipity_config_local.inc.php because it isn't the owner anymore. The standard permissions of this file are set so that only the owner can read it. And if s9y/Apache can't read this file, the database password can't be read and everything fails.
For a test you can set the permissions to 644 and see if it works. But beware: with this permission every script on your server can read your database password, so you should only set it for a test and change it back afterwards.

And please be calm ;)
Guest

Re: Security is very high on 07.beta 3 Nobody can see anything

Post by Guest »

garvinhicking wrote:Try to stay calm. There's no use in yelling.

Please check exactly which usernames and passwords are

1. in serendipity_config_local.inc.php
2. in your database, table serendipity_config

Compare all those values and see if they match the correct username. Check that there are no extra spaces at the beginning or end. Check that your hostname, username and password are really correct.

It's not serendipity's fault, it's an error in your configuration. Rest assured.

Garvin.
It is all the same. No spaces, nothing. Now I put the backup of the DB on the server and start the update again.
Guest

Post by Guest »

romulus wrote:It could also be that the webserver can't read serendipity_config_local.inc.php because it isn't the owner anymore. The standard permissions of this file are set so that only the owner can read it. And if s9y/Apache can't read this file, the database password can't be read and everything fails.
For a test you can set the permissions to 644 and see if it works. But beware: with this permission every script on your server can read your database password, so you should only set it for a test and change it back afterwards.

And please be calm ;)
It is 777, and it is the right user and the right group.
Jochen Hoff

Back on 0.4 CVS

Post by Jochen Hoff »

Now I am back on 0.4 CVS. All things are fine and run.

But there is a security hole, I was told. And my problems are not made by serendipity 0.7beta3.

OK. OK. I am ready for rumours. I try it again, with a new download. Maybe a very long night.
Jochen Hoff

The next step - I am right, serendipity 0.7beta3 sucks

Post by Jochen Hoff »

I had installed the new version. Changed .htaccess; the first three lines deleted.

All things are running fine. I can write new entries, can change entries. Nice, no problems.

But now. I take the configuration menu. There is no password for the user; I give the password. I change link to make linkable. I save. I get

Warning: mysql_connect(): Access denied for user: 'web94@localhost' (Using password: YES) in /var/www/confixx/web94/html/tb/serendipity_db_mysql.inc.php on line 96

Warning: mysql_select_db(): Access denied for user: 'wwwrun@localhost' (Using password: NO) in /var/www/confixx/web94/html/tb/serendipity_db_mysql.inc.php on line 97

Warning: mysql_select_db(): A link to the server could not be established in /var/www/confixx/web94/html/tb/serendipity_db_mysql.inc.php on line 97
DATABASE_ERROR

Oh, what's that? The admin of this site told me it was all a mistake of mine.
I think there is a bug.

serendipity_admin.php?serendipity[adminModule]=installer writes something wrong in the serendipity directory, not in the DB.

Now I try to find out what it is doing.
Jochen Hoff

The End - I found it.

Post by Jochen Hoff »

The difference is in the file serendipity_config_local.inc.php.

Before upgrading, the DB password is encrypted in this file and is crypted in the database table config.

After upgrading it is the same.

After running the Configure script from the admin menu it is crypted in both.

If serendipity now wants to access the DB, it takes the crypted password and doesn't encrypt it. So the connection fails.

The best workaround is to have a version of this file with the encrypted DB password in your serendipity root and to copy it back after every use of the Config script.

Now the Sunday has gone, but the problem is cleared.
garvinhicking
Core Developer

Re: The End - I found it.

Post by garvinhicking »

Serendipity does not save the password encrypted, neither in the DB config nor in serendipity_config_local.inc.php. It's plaintext on my and several other installations; I checked that today.

Now I suppose your browser must be sending some encrypted data via HTTP to serendipity; maybe because of caching problems or something different. Which browser are you using? What operating system does the server run under?

What I don't understand in your previous posting is " take the configuration menue. There is no passwort for the user i give the password. i change link to make linkable. i save."

You do change the DATABASE user and password, right? Do not edit the USERNAME/PASSWORD for the LOGIN - those two are different. And what do you mean by "change link to make linkable"?

I am sure, that if you're willing to, we can solve that problem. I can also offer you to have a look at it, if you supply me with access to your blog (do so only via private mail, if you agree to that). Or we can try to solve it via IRC/ICQ. :-)
Guest

Re: The End - I found it.

Post by Guest »

garvinhicking wrote:Serendipity does not save the password encrypted, neither in the DB config nor in serendipity_config_local.inc.php. It's plaintext on my and several other installations; I checked that today.
OK. The problem only comes up if I go into the Configuration in the admin menu and save, without doing or changing anything. Start and save, nothing more. After this the serendipity_config_local.inc.php was changed as I described.
No other file in the whole installation was changed. Only this one. If I overwrite the file with the original version, everything runs fine.

Now I suppose your browser must be sending some encrypted data via HTTP to serendipity; maybe because of caching problems or something different. Which browser are you using? What operating system does the server run under?

I tried it with Konqueror 3.3 on SuSE 9.1, Firefox 1.0 on SuSE 9.1, IE 6.0 on Windows XP with and without SP2. That's not a problem with the browser.
What I don't understand in your previous posting is " take the configuration menue. There is no passwort for the user i give the password. i change link to make linkable. i save."

You do change the DATABASE user and password, right? Do not edit the USERNAME/PASSWORD for the LOGIN - those two are different. And what do you mean by "change link to make linkable"?
This is a problem of my bad English. The German phrase is "Externe Links klickbar". This was the only change I made.
I am sure, that if you're willing to, we can solve that problem. I can also offer you to have a look at it, if you supply me with access to your blog (do so only via private mail, if you agree to that). Or we can try to solve it via IRC/ICQ. :-)
I didn't have any problem with you. Really not. Last night I figured out what the problem is.

In version 0.4 from CVS the DB password was saved crypted in the database.
But in config_local it was uncrypted.
After the update, these things didn't change.
But on the first run of the admin configuration, the script reads the items from the DB and not from config_local. The script doesn't compare the items and saves the crypted DB password into config_local.php. After this no connection to the DB is possible, because the password is wrong.

Two ways to clear this.
First, a hint in the update papers, the Readme: if you start Admin Config for the first time after an update from 0.4, please update the DB password before saving. That solves the problem.

Second, compare the entries between the DB and config_local.php in this script.
The entries in config_local.php must be right, because otherwise you would not be in this script. If there is a difference, the user has to decide which entry is right and which is wrong.

I think that was it. Or?
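The second fix proposed above (compare the file with the table, and let the operator decide, before the admin configuration is saved) together with romulus' permission check, as an added diagnostic that is not part of Serendipity. It is meant to be run from the blog root before opening the configuration menu; the $serendipity array keys, the optional dbPrefix key and the table's name/value columns are assumptions about the usual layout, not taken from this thread.

```php
<?php
// Added diagnostic (not Serendipity code), run from the blog root on the CLI: checks the
// mode of serendipity_config_local.inc.php and compares its DB credentials with the copies
// in the serendipity_config table. Assumed: single-quoted $serendipity['dbHost'|'dbUser'|
// 'dbPass'|'dbName'] assignments (dbPrefix optional) and `name`/`value` columns in the table.
$configFile = __DIR__ . '/serendipity_config_local.inc.php';
if (!is_readable($configFile)) {
    exit("cannot read $configFile: owner or mode wrong for this user?\n");
}
// The file holds the plaintext DB password; group/world read bits hand it to every
// other script on a shared host, so report anything looser than owner-only (0600).
$mode = fileperms($configFile) & 0777;
if ($mode & 0077) {
    printf("WARNING: %s is mode %04o, readable beyond its owner\n", basename($configFile), $mode);
}
// Parse the assignments instead of include(): nothing from the file gets executed.
$cfg = array();
preg_match_all('/\$serendipity\[\'(\w+)\'\]\s*=\s*\'((?:[^\'\\\\]|\\\\.)*)\'/',
               file_get_contents($configFile), $m, PREG_SET_ORDER);
foreach ($m as $hit) {
    $cfg[$hit[1]] = strtr($hit[2], array("\\'" => "'", "\\\\" => "\\"));  // undo PHP quoting
}
$keys = array('dbHost', 'dbUser', 'dbPass', 'dbName');
foreach ($keys as $k) {
    if (!isset($cfg[$k])) { exit("$k not found in config file\n"); }
}
// Connect with the file's values: they are what every page request uses.
$db = @new mysqli($cfg['dbHost'], $cfg['dbUser'], $cfg['dbPass'], $cfg['dbName']);
if ($db->connect_error) {
    exit("connect with config-file credentials failed: {$db->connect_error}\n");
}
$prefix = isset($cfg['dbPrefix']) ? $cfg['dbPrefix'] : 'serendipity_';
if (!preg_match('/^\w+$/', $prefix)) { exit("unexpected characters in dbPrefix\n"); }
$stmt = $db->prepare("SELECT name, value FROM `{$prefix}config` WHERE name IN (?,?,?,?)");
$stmt->bind_param('ssss', $keys[0], $keys[1], $keys[2], $keys[3]);
$stmt->execute(); $stmt->bind_result($name, $value);
$stored = array();
while ($stmt->fetch()) { $stored[$name] = $value; }
// Compare after trim() so the stray-whitespace case from Garvin's checklist shows up too.
$agree = true;
foreach ($keys as $k) {
    if (!isset($stored[$k])) { echo "NOTE: $k is not stored in the table\n"; continue; }
    if (trim($cfg[$k]) === trim($stored[$k])) { continue; }
    $agree = false;
    $hint = ($k === 'dbPass' && preg_match('/^[0-9a-f]{32}$/i', $stored[$k]))
          ? ' (table value looks like a hex digest, not a plaintext password)' : '';
    $show = ($k === 'dbPass') ? '<hidden>' : "'{$cfg[$k]}' vs '{$stored[$k]}'";  // never print the password
    echo "MISMATCH $k: $show$hint\n";
}
echo $agree ? "file and table agree\n" : "make the table match the file before saving the admin configuration again\n";
```

If the file's own credentials no longer connect, the script stops at the connect step: that is the state described earlier in the thread, where restoring the saved copy of the file is the only way forward.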
garvinhicking
Core Developer

Re: The End - I found it.

Post by garvinhicking »

Hi!

I just checked and installed the Serendipity 0.4 version. That one does not store the password (dbPass) in encrypted form in either serendipity_config_local.inc.php or the database. Are you sure you don't mix up the login password and the database password? Because the login password is indeed stored in encrypted form, but that one is not used for the database login...

Still not sure if I understood you correctly :)
Guest

Re: The End - I found it.

Post by Guest »

garvinhicking wrote:Hi!

I just checked and installed the Serendipity 0.4 version. That one does not store the password (dbPass) in encrypted form in either serendipity_config_local.inc.php or the database. Are you sure you don't mix up the login password and the database password? Because the login password is indeed stored in encrypted form, but that one is not used for the database login...

Still not sure if I understood you correctly :)
Oh, I am sure. Not sure about my wisdom, but I had saved the original database and the full Serendipity path from the server before I did anything. I also had an old install of this in my local DB from a test installation. Maybe it was only a feature from CVS and was gone before the release was finished.

And I am sure I didn't change anything in the past. After installing, it ran without problems. I am not a hero; everything that is running is surely safe from my activities. I don't like work without sense. (I am simply too lazy for that.) I am a lazy bone.
garvinhicking
Core Developer

Re: The End - I found it.

Post by garvinhicking »

Okay, thanks for your effort on this issue. I think that your case was a special one, which you got solved by once saving the right values in the database.

As I installed the 0.4 version on my machine from scratch and then upgraded to 0.7, other users hopefully won't see this issue. But if they do, I'll try to get their attention to this thread, so that they just need to enter the right dbPass value into the database or in the config file. :-)

Regards,
Garvin.
Guest

Re: The End - I found it.

Post by Guest »

garvinhicking wrote:Okay, thanks for your effort on this issue. I think that your case was a special one, which you got solved by once saving the right values in the database.

As I installed the 0.4 version on my machine from scratch and then upgraded to 0.7, other users hopefully won't see this issue. But if they do, I'll try to get their attention to this thread, so that they just need to enter the right dbPass value into the database or in the config file. :-)

Regards,
Garvin.
OK. I hope it will help others.