Symfony 2.0.6 FOS UserBundle remains in login page - apache

I have two dev environments: one using free MAMP and the other installed MySQL and configured PHP in MacOS Lion.
In the MAMP environment everything works; in the other one it does not. What happens is that when I try to log in, the browser stays on the same page.
The PHPSESSID is received.
The path set in the php.ini entry "session.save_path" is writable (since it writes there when I try to log in). And "session.auto_start" is set to "0" (I tried setting it to "1", but then I get an error stating that a session has already been started and the session_start() call was ignored).
Any idea what must be causing this? I can post my configurations and code if you think it would help...

I accidentally updated Symfony to version 2.0.12 and FOSUserBundle to the latest version. Because of this, the login form needed the parameter "_csrf_token".
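The shape of the fix the answer describes, as an added example and not code from the thread or from FOSUserBundle itself: once the firewall's form_login section in security.yml carries `csrf_provider: form.csrf_provider`, every POST to the login check must include the token or the firewall rejects it and sends the browser back to the login page, which is exactly the "stays on the same page" symptom. The override path, the field names and the `csrf_token` variable are assumed to match FOSUserBundle 1.x's stock login template, where `SecurityController::renderLogin()` passes the token in.

```twig
{# app/Resources/FOSUserBundle/views/Security/login.html.twig
   (assumed override path; field names follow FOSUserBundle 1.x) #}
<form action="{{ path('fos_user_security_check') }}" method="post">
    {# Hidden CSRF field: required as soon as form_login has
       csrf_provider: form.csrf_provider in security.yml. Without it
       the firewall drops the POST and redirects back to the login page. #}
    <input type="hidden" name="_csrf_token" value="{{ csrf_token }}" />

    <label for="username">Username</label>
    <input type="text" id="username" name="_username" value="{{ last_username }}" required="required" />

    <label for="password">Password</label>
    <input type="password" id="password" name="_password" required="required" />

    <input type="checkbox" id="remember_me" name="_remember_me" value="on" />
    <label for="remember_me">Remember me</label>

    <input type="submit" id="_submit" name="_submit" value="Login" />
</form>
```

If you render your own login form instead of the bundle's, the token value has to come from the same provider the firewall validates against; a template that hard-codes or omits the field behaves just like the pre-upgrade form and silently fails to log in.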

Related

log4shell POC : no HTTP redirect

I am trying to understand/reproduce Log4shell vulnerability, using this poc and also information from Marshalsec.
To do that, I've downloaded Ghidra v10.0.4, which is said (on the Ghidra download page) to be vulnerable to Log4Shell, installed it on an Ubuntu VM along with Java 1.8 (as stated in the POC), and loaded the POC + marshalsec snapshot.
Tried to start Ghidra; it said Java 11 was needed, so although I had installed Java 1.8 I also downloaded Java 11. When you start Ghidra, it says the installed version is not good enough and asks for the path to a Java 11 version, so I just gave it the path to the jdk11 directory and it seems happy with it. Ghidra starts fine.
Then I set up my listener and launched the POC, got the payload string to copy/paste into Ghidra, and got a response on the LDAP listener saying it would send it to HTTP. But nothing more. The end.
Since the HTTP server is set up by the same POC, I thought maybe I just couldn't see the redirection, so I started the HTTP server myself, started the LDAP server myself with marshalsec, and retried (see the pics below for the exact commands/outputs).
Setting http server:
Set listener:
Setting LDAP server:
Send payload string in Ghidra (in the help/search part, as shown in kozmer POC); immediately got an answer:
I still receive a response on the LDAP listener (two, in fact, which seems weird), but nothing on the HTTP side. The Exploit class is never loaded in Ghidra (it immediately shows a pop-up saying search not found; I think it is supposed to wait for the server answer before doing that?), and I get nothing back in my listener.
Note that I don't really understand this marshalsec/LDAP thing, so I'm not sure what's happening here. If anyone has time to explain, it would be nice. I've read a lot of stuff about the vuln but it rarely goes deeply into details (most of it is like: the payload string sends a request to the LDAP server, which redirects to the HTTP server, which uploads the Exploit class to the vulnerable app and gives you a shell).
Note: I've checked, the HTTP server is up and accessible; the Exploit.class file is there and can be downloaded.
Solved it.
It turned out that for Log4Shell to work you need a vulnerable app and a vulnerable version of Java, which I thought I had, but nope. I had Java 11.0.15 and needed Java 11 (Ghidra needs Java 11 at minimum, and the only vulnerable version of Java 11 is the first one).
Downloaded and installed Java 11; POC working perfectly.
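What the answer ran into is the JDK default for `com.sun.jndi.ldap.object.trustURLCodebase`: from 8u191 and 11.0.1 onward it is `false`, so when the LDAP server answers with a Reference pointing at an HTTP codebase, the JVM simply refuses to fetch the class. The LDAP round trip still happens (which is why the LDAP listener sees hits) but the HTTP fetch never does. The script below is an added example, not part of the thread or of the kozmer/marshalsec PoCs: it classifies a `java -version` string so you can tell, before starting listeners, whether the remote-codebase path of the PoC can work on that JVM. It assumes the usual `-version` output formats and only knows the 8 and 11 release lines; anything else is reported as unknown rather than guessed. Note that a hardened default only blocks this one path: an LDAP response carrying a serialized object is still deserialized, so Log4Shell remains exploitable where a gadget chain is on the classpath.

```sh
#!/bin/sh
# Added example (not from the thread or the PoCs): decide from a
# `java -version` string whether the JVM's built-in default for
# com.sun.jndi.ldap.object.trustURLCodebase still lets an LDAP
# Reference load a class from a remote HTTP codebase.
# Assumption: the default flipped to false in 8u191 and 11.0.1, and
# the JDK 11 GA build reports its version as plain "11".

# Pull the quoted version out of `java -version` output, e.g.
#   openjdk version "1.8.0_292"            -> 1.8.0_292
#   java version "11" 2018-09-25           -> 11
#   openjdk version "11.0.15" 2022-04-19   -> 11.0.15
java_version_string() {
    printf '%s\n' "$1" | sed -n 's/^[A-Za-z]* version "\([^"]*\)".*/\1/p' | head -n 1
}

# Keep only the leading digits of a version component ("191-b12" -> 191),
# defaulting to 0 when there are none.
digits() {
    d="${1%%[!0-9]*}"
    printf '%s\n' "${d:-0}"
}

# Prints one of:
#   trusted   - remote codebase is loaded; the simple PoC can work
#   untrusted - JDK refuses the HTTP codebase; LDAP hits but no HTTP fetch
#   unknown   - release line not covered here; check the JDK release notes
ldap_codebase_default() {
    case "$1" in
        1.8.0_*)
            upd=$(digits "${1#1.8.0_}")
            if [ "$upd" -lt 191 ]; then echo trusted; else echo untrusted; fi
            ;;
        11|11.*)
            rest="${1#11}"; rest="${rest#.}"          # "" for GA, "0.15" for 11.0.15
            minor=$(digits "${rest%%.*}")
            patch=0
            case "$rest" in *.*) patch=$(digits "${rest#*.}") ;; esac
            if [ "$minor" -eq 0 ] && [ "$patch" -eq 0 ]; then echo trusted; else echo untrusted; fi
            ;;
        *)
            echo unknown
            ;;
    esac
}

# Convenience wrapper for the JVM on PATH (or the one named in $JAVA).
check_local_java() {
    ldap_codebase_default "$(java_version_string "$("${JAVA:-java}" -version 2>&1)")"
}
```

Run `check_local_java` with `JAVA` pointed at the JDK you handed to Ghidra; on the 11.0.15 build from the question it prints `untrusted`, on a JDK 11 GA build it prints `trusted`, matching the answer's fix.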

"CAS Authentication Wanted!" Laravel 5.5

I am using the subfission/cas "dev-master" branch with Laravel 5.5, PHP 7.0.27 and phpCAS 1.3.5. I have two servers (test and prod) with identical Laravel installations. However, when I go to log in via CAS, one server redirects to the appropriate login screen, while the other gives me a white screen with:
CAS Authentication wanted!
You should already have been redirected to the CAS server. Click here
to continue. phpCAS 1.3.5 using server https://example.com/cas/
(CAS 2.0)
Clicking on "click here" sends me where I need to go, but I'm very confused as to how this error occurs or even what it means. There doesn't seem to be much documentation on this.
I just had the same problem. Worked fine on local dev, but failed when I went to production. I downgraded to ~2.0.9 and it fixed the issue. (I'm using Laravel 5.4)

Can't get connected mode to work in PhpStorm

I'm struggling to get the connected mode to connect to my local instance of SonarQube.
I'm suspecting it has something to do with the way my system is set up.
I'm using a Mac (OS X 10.11.x) and I have PHP and Apache set up according to this tutorial. I think perhaps there is an issue with a firewall rule or something.
When I connect to http://localhost:9000/api/system/status with a browser, there is no problem. telnet localhost 9000 works fine too.
But when I enter credentials and create a configuration in SonarLint, I always get:
error testing connection: Fail to request http://localhost:9000/api/system/status
Anybody have a clue?
It is also worth checking the SonarLint issue tracker. The issue looks related to the plugin rather than to PhpStorm itself.
Check your PhpStorm log folder, ~/Library/Logs/PhpStormVERSION/FILE.log (FILE being one of PhpStorm's log files; in IntelliJ it's idea.log).
I see the tutorial you followed enabled SSL and I guess that should be because of a certificate.

sonatype nexus does not fully log in

I just upgraded from Nexus 1.8.0.1 to 2.8.0-05 and now I cannot fully log in anymore. When I try to log in, nothing happens. There is still the "Log In" button on the top right, and the menu on the left does not show anything (except what was there when not logged in). So the login has no effect.
I also tried to log in with invalid account info and it gives me the login error ("incorrect username, pass..."), so the login data is checked. I tried it with the admin and with a user login; no difference. The actual content is still there (all repos with artifacts) and is shown in a browser.
How can I log in?
Details:
I upgraded from nexus 1.8.0.1 to 2.7.2-03 (file: "nexus-2.7.2-bundle.tar") and then to 2.8.0-05 (file: "nexus-2.8.0-05-bundle.tar") on my CentOS 5.10 according to the upgrade notes and some instructions I found (except for the step with plexus as there was no such file). For nexus 2.7 I got an InvalidMagicMimeEntryException but according to NEXUS-6102 this was fixed in 2.8 and therefore I went on with upgrading to 2.8 and it does not happen anymore - I'm not sure, if this has caused the problem.
This is a bit of a shot in the dark... but I do know of an issue that could cause this. If you have an SSL enabled reverse proxy (like nginx or Apache+mod_proxy) in front of Nexus you need to make sure it is setting the X-Forwarded-Proto header. If you're using apache you can do this with:
RequestHeader set X-Forwarded-Proto "https"
If this isn't the problem I'm going to need some diagnostic information. If you can submit your nexus.log file to https://support.sonatype.com I'll take a look at it.
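The header the answer mentions in context, as an added configuration example (not the thread's own nor Sonatype's documentation): a TLS-terminating Apache vhost in front of a Nexus 2 instance. The hostname, certificate paths and the backend address are assumptions; the `/nexus` context path and port 8081 are Nexus 2's defaults. Without `X-Forwarded-Proto`, Nexus sees a plain HTTP request from the proxy and builds `http://` URLs for its own responses, including the redirect after login, which the browser then treats as a different origin than the `https://` page it is on.

```apache
# Requires mod_ssl, mod_proxy, mod_proxy_http and mod_headers.
<VirtualHost *:443>
    ServerName nexus.example.com            # assumed hostname

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/nexus.example.com.crt    # assumed paths
    SSLCertificateKeyFile /etc/ssl/private/nexus.example.com.key

    ProxyRequests Off          # reverse proxy only, never an open forward proxy
    ProxyPreserveHost On       # Nexus sees the public Host, not 127.0.0.1:8081

    # Tell Nexus the client arrived over TLS so the URLs it generates
    # (including the post-login redirect) use https://
    RequestHeader set X-Forwarded-Proto "https"

    ProxyPass        /nexus http://127.0.0.1:8081/nexus
    ProxyPassReverse /nexus http://127.0.0.1:8081/nexus
</VirtualHost>
```

Set the header only in the TLS vhost: if a plain-HTTP vhost also forwards to Nexus it must not claim `https`, or Nexus will emit `https://` links for requests that never were.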

Damaged AIR app after signing with renewed certificate

Our code-signing certificate recently expired. It's been renewed, but now whenever I try to package the app with the renewed cert (whether I attempt a migration of the expired cert or not), after installation, I get the following message any time I try to run the app:
"This installation of this application is damaged. Try re-installing or contacting the publisher for assistance."
Opening up the package contents, the publisherid file inside Resources/META-INF/AIR is blank. This is apparently the problem, because if I manually edit it to contain our previous publisherID, the app will run.
But of course, it's not like we can tell all our users "oh install it then manually edit this file inside the package."
Has anyone encountered this or know how to fix it?
Ah, after a bit more banging my head against my desk I got it.
For anyone who comes after me:
I had to change a couple things in my app descriptor file.
First I had to change the namespace to point at AIR 1.5.3 instead of 1.5
<application xmlns="http://ns.adobe.com/air/application/1.5.3">
And then I had to manually specify our old publisherID in the descriptor as well
<id>OurAppID</id>
<publisherID>OurOldPublisherID</publisherID>
Now it works just as it's supposed to, installs as an update to our old version instead of a new app, and actually runs instead of just throwing that error.