Preventing XML External Entity (XXE) Injection in Laravel

As cybersecurity threats evolve, XML External Entity (XXE) injection remains a significant vulnerability affecting applications that parse XML input. If left unchecked, attackers can exploit XXE to access sensitive files, execute remote code, or perform denial-of-service (DoS) attacks. Laravel, a popular PHP framework, can also be vulnerable if not properly secured. This blog explores XXE injection, its risks, and how to protect your Laravel application with a coding example.

What Is XML External Entity (XXE) Injection?

XXE injection occurs when an XML parser processes external entities in XML input. Attackers can manipulate these external entities to gain unauthorized access to files, network resources, or even escalate their privileges.

Real-Life Scenario of XXE in Laravel

Suppose your Laravel application accepts XML files for data import or integration. If your XML parser allows external entities, an attacker could upload malicious XML files to exploit your system.

Example Malicious XML Code:

xml <?xml version="1.0"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> <root> <data>&xxe;</data> </root>

The above code retrieves sensitive system files (/etc/passwd) by exploiting the external entity xxe.

How to Protect Laravel Applications from XXE?

Here’s a step-by-step guide to securing your Laravel application:

1. Disable External Entity Processing

The first defense against XXE is to disable external entity processing in your XML parsers. For PHP’s libxml, you can disable it globally or for specific instances.

Example Code to Disable External Entity Loading:

php // Disable loading external entities libxml_disable_entity_loader(true); // Securely parse XML $xmlContent = file_get_contents('path/to/xml/file.xml'); $dom = new DOMDocument(); $dom->loadXML($xmlContent, LIBXML_NOENT | LIBXML_DTDLOAD);

2. Use Secure Libraries

Instead of using default XML parsers, consider using secure alternatives like SimpleXML with proper configuration or third-party libraries designed for secure XML parsing.

3. Validate User Inputs

Sanitize and validate all user inputs to ensure they meet your application’s requirements. Reject malformed or suspicious XML files.

Leverage Free Website Security Tools

To ensure your Laravel application is free from vulnerabilities like XXE, perform regular security scans. Our Free Website Security Scanner is designed to identify such vulnerabilities and provide actionable insights.

Example Screenshot: Free Tool in Action

After scanning your application, you’ll receive a detailed report highlighting any vulnerabilities.

Example Screenshot: Vulnerability Assessment Report

How Our Tool Helps with XXE Prevention

Our free tool identifies vulnerabilities like XXE in your Laravel application by simulating real-world attacks. It highlights areas needing immediate action and provides recommendations to secure your app.

Conclusion

XML External Entity (XXE) injection is a critical security risk for Laravel applications. By disabling external entity processing, validating inputs, and using secure libraries, you can mitigate these risks. Additionally, tools like our Free Website Security Checker make it easier to detect and resolve vulnerabilities effectively.

Start your journey toward a more secure Laravel application today!

c – libxml xmlXPathEvalExpression order

Yes, the results of XPath expressions evaluated with xmlXPathEvalExpression or compiled with xmlXPathCompile are always sorted in document order. (Internally, theyre compiled by calling xmlXPathCompileExpr with a true sort flag.)

OTRS Upgrade procedúra

Nem tudom bárkinek szüksége lehet-e rá, de így egyben nem találtam meg neten, hogyan lehet 3.2-től fellépkedni 5.0-ig. Onnan meg már gyerekjáték a legfrissebb community editionra lépni.

3.2-3.3

Felhasznált források:

https://web.archive.org/web/20170225061351/http://doc.otrs.com/doc/manual/admin/3.3/en/html/upgrading.html

https://ftp.otrs.org/pub/otrs/

Scriptek futtatása nem root felhasználóként, lehetőleg otrs user 1.     Összes szolgáltatás leállítása:

Service cron stop service postfix stop service apahce stop

2.     Backup! Mentsél el mindent. Háromszor. VM, fájlok minden. /opt/otrs mappából csinálj egy /opt/otrs_old-ot.

3.     Wget https://ftp.otrs.org/pub/otrs/RPMS/rhel/6/otrs-3.3.1-01.noarch.rpm

4.     Sudo apt-get install alien

5.     Sudo alien otrs-3.3.1-01.noarch.rpm

6.     sudo dpkg -i packagename.deb

7.     Jogosultságok beállítása sudo /opt/otrs/bin/otrs.SetPermissions.pl --otrs-user=otrs --web-user=www-data --otrs-group=www-data --web-group=www-data /opt/otrs

8.     Modulok ellenőrzése /opt/otrs/bin/otrs.CheckModules.pl

9.     Cd /opt/otrs bin/otrs.CheckDB.pl cat scripts/DBUpdate-to-3.3.mysql.sql  | mysql -p -f -u otrs otrs scripts/DBUpdate-to-3.3.pl

10.  bin/otrs.RebuildConfig.pl bin/otrs.DeleteCache.pl

11.  Eredeti szerverről/mappából másolni a /opt/otrs/Kernel/Config/Defaults.pm fájlt, majd szerkeszteni Customer Common JS és Agent Common JS-hez felvenni ‘Core.UI.TreeSelection.js’ bejegyzést

12.  bin/otrs.Scheduler.pl -a start és felvenni cronjobnak

3.3-4.0.1

Felhasznált források:

https://web.archive.org/web/20170224232343/http://doc.otrs.com/doc/manual/admin/4.0/en/html/upgrading.html https://ftp.otrs.org/pub/otrs/

Scriptek futtatása nem root felhasználóként, lehetőleg otrs user 1.     Összes szolgáltatás leállítása:

service cron stop service postfix stop service apache2 stop

2.     Backup! Mentsél el mindent. Háromszor. VM, fájlok minden. /opt/otrs mappából csinálj egy /opt/otrs_old-ot.

3.     wget https://ftp.otrs.org/pub/otrs/RPMS/rhel/6/otrs-4.0.1-02.noarch.rpm

4.     sudo alien otrs-4.0.1-02.noarch.rpm

5.     sudo dpkg -i otrs_4.0.1-3_all.deb

6.     Jogosultságok beállítása sudo /opt/otrs/bin/otrs.SetPermissions.pl --otrs-user=otrs --web-user=www-data --otrs-group=www-data --web-group=www-data /opt/otrs

7.     Modulok ellenőrzése /opt/otrs/bin/otrs.CheckModules.pl apt-get install -y libarchive-zip-perl libtemplate-perl

8.     Cd /opt/otrs

9.     bin/otrs.CheckDB.pl cat scripts/DBUpdate-to-4.mysql.sql  | mysql -p -f -u otrs otrs

/opt/otrs/scripts/DBUpdate-to-4.pl

10.  bin/otrs.RebuildConfig.pl bin/otrs.DeleteCache.pl

11.  bin/otrs.Scheduler.pl -a start és felvenni cronjobnak

4.0.1 – 5.0.1

Felhasznált források:

https://web.archive.org/web/20170225061135/http://doc.otrs.com/doc/manual/admin/stable/en/html/upgrading.html https://ftp.otrs.org/pub/otrs/

Scriptek futtatása nem root felhasználóként, lehetőleg otrs user 1.     Összes szolgáltatás leállítása:

service cron stop service postfix stop service apache2 stop

2.     Backup! Mentsél el mindent. Háromszor. VM, fájlok minden. /opt/otrs mappából csinálj egy /opt/otrs_old-ot.

3.     wget https://ftp.otrs.org/pub/otrs/RPMS/rhel/6/otrs-5.0.1-03.noarch.rpm

4.     sudo alien otrs-5.0.1-03.noarch.rpm

5.     sudo dpkg -i otrs_4.0.1-4_all.deb

6.     Jogosultságok beállítása sudo /opt/otrs/bin/otrs.SetPermissions.pl --otrs-user=otrs --web-user=www-data --otrs-group=www-data --web-group=www-data /opt/otrs

7.     Modulok ellenőrzése /opt/otrs/bin/otrs.CheckModules.pl sudo apt-get install -y libxml-libxml-perl libxml-libxslt-perl

8.     Cd /opt/otrs

cat scripts/DBUpdate-to-5.mysql.sql  | mysql -p -f -u otrs otrs bin/otrs.Console.pl Maint::Database::Check

/opt/otrs/scripts/DBUpdate-to-5.pl

9.     cd /opt/otrs/ bin/otrs.Console.pl Maint::Config::Rebuild

bin/otrs.Console.pl Maint::Cache::Delete

10.  Eredeti szerverről/mappából másolni a /opt/otrs/Kernel/Config/Defaults.pm fájlt, majd szerkeszteni

11.  bin/otrs.Scheduler.pl -a start és felvenni cronjobnak

opt/otrs/bin/otrs.Daemon.pl start​​

iOS 16.1.1 includes fixes for two libxml vulnerabilities

https://support.apple.com/en-us/HT213505 Comments

Collabora code nextcloud

Collabora code nextcloud install#

Collabora code nextcloud code#

My docker-compose. I can also access the admin page at /loleaflet/dist/admin/admin.html When I point my browser at I see the OK message. I have the following subdomains all pointing at my server:Ĭ Īs I mentioned, the Nginx and Nextcloud setups are great. There are multiple bits that I might have got wrong so I'll dump as much info as I can here.

Collabora code nextcloud code#

My issue is that I cannot get my Collabora CODE instance to link to Nextcloud. So far I have Nginx and Nextcloud working really nicely with persistent volumes so that my configs survive kill & rm. # This module is currently not supported.I am trying to get a docker-compose.yaml together to run Nextcloud and Collabora CODE via Nginx Proxy Manager. # Uncomment if your server is build with the ngx_pagespeed module Gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/ text/vtt text/x-component text/x-cross-domain-policy Gzip_proxied expired no-cache no-store private no_last_modified no_etag auth # Enable gzip but do not remove ETag headers Return 301 $scheme://$host/remote.php/dav #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json #rewrite ^/.well-known/host-meta /public.php?service=host-meta last # Uncomment it if you’re planning to use this app. # The following 2 rules are only needed for the user_webfinger app. Ssl_certificate_key /etc/letsencrypt/live//privkey.pem Īdd_header X-Content-Type-Options nosniff Īdd_header X-XSS-Protection “1 mode=block” Īdd_header X-Permitted-Cross-Domain-Policies none Īdd_header Strict-Transport-Security “max-age=31536000 includeSubDomains” When trying to open a document handled by Collabora, the browser tries to directly access the nextcloud server (with http) which is blocked (because of mixed content) Nextcloud 21.0.2 with Collabora Online 4.1.1 and built-in CODE 6.4. Ssl_certificate /etc/letsencrypt/live//fullchain.pem PHP module pcntl (enables command interruption by pressing ctrl-c)Īccess_log /var/log/nginx/ Įrror_log /var/log/nginx/ error.PHP module redis (>= 2.2.6, required for Transactional File Locking).PHP module exif (for image rotation in pictures app).

Collabora code nextcloud install#

I used the instructions here to install Collabora CODE and the instructions here to setup reverse proxy for Apache2 with SSL using letsencrypt. PHP module imap (for external user authentication).PHP module ftp (for FTP storage / external user authentication).PHP module smbclient (SMB/CIFS integration).If you are using another Ubuntu version, you can install Collobaora Online with Docker. Note: This tutorial works on Ubuntu 20.04, 18.04 and 16.04. All of the Collabora Online codes will be eventually included in LibreOffice. PHP module openssl (required for accessing HTTPS resources) Collabora is a big contributor to the LibreOffice project.PHP module mcrypt (increases file encryption performance).PHP module intl (increases language translation performance and fixes sorting of non-ASCII characters).PHP module bz2 (recommended, required for extraction of apps).PHP module fileinfo (highly recommended, enhances file analysis performance).HTTP user authentication, depends on this) PHP module curl (highly recommended, some functionality, e.g.PHP module pgsql (requires PostgreSQL >= 9.0).PHP module sqlite (>= 3, usually not recommended for performance reasons).PHP module libxml (Linux package libxml2 must be >=2.7.0).

In this guide, we’ll look at how to use Vagrant with Libvirt on Linux. Vagrant is an open-source software written in Ruby to help you build and maintain a portable virtual software development environments, e.g. for VirtualBox, Hyper-V, Docker containers, VMware, Libvirt, and AWS. Vagrant makes it easy to create, stop and destroy Virtual Machines. The most Vagrant use case on Local machines is the use of VirtualBox provider. If you are a KVM and QEMU user, this article is for you. KVM has been known to have a better performance and small resource utilization as compared to Virtualbox. For CentOS Stream 8 / Rocky Linux 8 / AlmaLinux 8, check: Use Vagrant with Libvirt KVM on Rocky Linux 8 / AlmaLinux 8 Vagrant with Libvirt on Linux Pre-requisites: Installed Vagrant Installed Libvirt and QEMU-KVM Installing libvirt plugin for Vagrant Step 1: Install KVM and Vagrant For installation of KVM on Linux, we have some articles already baked for you. Install KVM on RHEL/CentOS 8, Fedora, Arch Linux, CentOS, Ubuntu/Debian, SLES For Vagrant installation, check below guides: How to Install Vagrant and Virtualbox on Fedora Istall Latest Vagrant on Ubuntu / Debian & Kali Linux Step 2: Installing Vagrant plugin for Vagrant Once you have Vagrant and KVM installed, you should be ready to install a libvirt plugin so that you can start managing KVM Virtual machines using Vagrant. But first ensure libvirt development package is installed: # CentOS / Fedora sudo yum -y install libvirt-devel sudo yum -y groupinstall "Development Tools" Then install Vagrant libvirt plugin: $ vagrant plugin install vagrant-libvirt Installing the 'vagrant-libvirt' plugin. This can take a few minutes... Building native extensions. This could take a while... Building native extensions. This could take a while... Installed the plugin 'vagrant-libvirt (0.0.45)'! If you encounter an error like below: ERROR: Failed to build gem native extension. current directory: /home/jmutai/.vagrant.d/gems/2.5.1/gems/nokogiri-1.8.4/ext/nokogiri /usr/bin/ruby -r ./siteconf20180704-25314-14hvlbq.rb extconf.rb checking if the C compiler accepts ... yes Building nokogiri using system libraries. pkg-config could not be used to find libxml-2.0 Please install either `pkg-config` or the pkg-config gem per gem install pkg-config -v "~> 1.1" Then run: $ gem install nokogiri $ vagrant plugin install pkg-config And retry installing the plugin. $ vagrant plugin install vagrant-libvirt Once the installation is complete, you can confirm that the plugin has been installed using the following command: $ vagrant plugin list vagrant-libvirt (0.10.8, global) Step 3: Downloading Vagrant boxes A Vagrant box for Libvirt is a tar archive with 3 files in it. A base VagrantFile Th metadata.json file QCOW2 image If you are interested in building your own Vagrant boxes, have a look at using Packer and Packer build templates for Vagrant on chef/bento github repo. It will help you to easily get started. In this example, we’re going to use a ready template. Let add CentOS 7 and CentOS 6 boxes. $ vagrant box add centos/7 --provider=libvirt ==> box: Loading metadata for box 'centos/7' box: URL: https://vagrantcloud.com/centos/7 ==> box: Adding box 'centos/7' (v1902.01) for provider: libvirt Add Ubuntu 20.04 Vagrant box: vagrant box add generic/ubuntu2004 --provider=libvirt Check the list of boxes presents locally. $ vagrant box list centos/7 (libvirt, 1902.01) fedora/29-cloud-base (libvirt, 29.20181024.1) generic/ubuntu1804 (libvirt, 1.9.8) Step 4: Create Libvirt VM Vagrantfile Vagrant needs a configuration file to get the details and settings for a VM to be created. Let’s create a single VM Vagrantfile. mkdir ~/vagrant-vms cd ~/vagrant-vms Create a Vagrantfile with content similar to below: # -*- mode: ruby -*- # vi: set ft=ruby : ENV['VAGRANT_DEFAULT_PROVIDER'] = 'libvirt' Vagrant.configure("2") do |config|

##### DEFINE VM ##### config.vm.define "cent-01" do |config| config.vm.hostname = "cent-01" config.vm.box = "centos/7" config.vm.box_check_update = false #config.vm.network "private_network", ip: "192.168.18.9" config.vm.provider :libvirt do |v| v.memory = 1024 end end end To bring the VM up, run: $ vagrant up Bringing machine 'cent-01' up with 'libvirt' provider... ==> cent-01: Creating image (snapshot of base box volume). ==> cent-01: Creating domain with the following settings... ==> cent-01: -- Name: centos-01_cent-01 ==> cent-01: -- Domain type: kvm ==> cent-01: -- Cpus: 1 ==> cent-01: -- Feature: acpi ==> cent-01: -- Feature: apic ==> cent-01: -- Feature: pae ==> cent-01: -- Memory: 1024M ==> cent-01: -- Management MAC: ==> cent-01: -- Loader: ==> cent-01: -- Nvram: ==> cent-01: -- Base box: centos/7 ==> cent-01: -- Storage pool: default ==> cent-01: -- Image: /var/lib/libvirt/images/centos-01_cent-01.img (41G) ==> cent-01: -- Volume Cache: default ==> cent-01: -- Kernel: ==> cent-01: -- Initrd: ==> cent-01: -- Graphics Type: vnc ==> cent-01: -- Graphics Port: -1 ==> cent-01: -- Graphics IP: 127.0.0.1 ==> cent-01: -- Graphics Password: Not defined ==> cent-01: -- Video Type: cirrus ==> cent-01: -- Video VRAM: 9216 ==> cent-01: -- Sound Type: ==> cent-01: -- Keymap: en-us ==> cent-01: -- TPM Path: ==> cent-01: -- INPUT: type=mouse, bus=ps2 ==> cent-01: Creating shared folders metadata... ==> cent-01: Starting domain. ==> cent-01: Waiting for domain to get an IP address... ==> cent-01: Waiting for SSH to become available... cent-01: cent-01: Vagrant insecure key detected. Vagrant will automatically replace cent-01: this with a newly generated keypair for better security. cent-01: cent-01: Inserting generated public key within guest... cent-01: Removing insecure key from the guest if it's present... cent-01: Key inserted! Disconnecting and reconnecting using new SSH key... ==> cent-01: Setting hostname... ==> cent-01: Configuring and enabling network interfaces... cent-01: SSH address: 192.168.121.159:22 cent-01: SSH username: vagrant cent-01: SSH auth method: private key ==> cent-01: Rsyncing folder: /home/jmutai/hacks/vagrant/labs/centos-01/ => /vagrant Vagrant will create a Linux bridge on the host system. $ brctl show virbr1 bridge name bridge id STP enabled interfaces virbr1 8000.5254005351c7 yes virbr1-nic vnet0 $ ip addr show dev virbr1 8: virbr1: mtu 1500 qdisc noqueue state UP group default qlen 1000 link/ether 52:54:00:53:51:c7 brd ff:ff:ff:ff:ff:ff inet 192.168.121.1/24 brd 192.168.121.255 scope global virbr1 valid_lft forever preferred_lft forever Run virsh list to see if you’ll get a list of VMs. $ virsh list Id Name State ----------------------------------- 3 centos-01_cent-01 running To ssh to the VM, use vagrant ssh command. $ vagrant ssh Last login: Fri Apr 19 07:40:17 2019 from 192.168.121.1 [vagrant@cent-01 ~]$ cat /etc/redhat-release CentOS Linux release 7.6.1810 (Core) To output .ssh/config valid syntax for connecting to this environment via ssh, run ssh-config command. You’ll need to place provided output under ~/.ssh/config directory to ssh. $ vagrant ssh-config Host cent-01 HostName 192.168.121.159 User vagrant Port 22 UserKnownHostsFile /dev/null StrictHostKeyChecking no PasswordAuthentication no IdentityFile /home/jmutai/hacks/vagrant/labs/centos-01/.vagrant/machines/cent-01/libvirt/private_key IdentitiesOnly yes LogLevel FATAL To redirect to output to your ssh configuration file, use: vagrant ssh-config >>~/.ssh/config

Then use ssh command to log in with name configured above: $ ssh cent-01 Last login: Fri Apr 19 07:40:42 2019 from 192.168.121.1 [vagrant@cent-01 ~]$ To shut down the VM, run: $ vagrant halt ==> cent-01: Halting domain… To set VM to its initial state by cleaning all data, use vagrant destroy: $ vagrant destroy cent-01: Are you sure you want to destroy the 'cent-01' VM? [y/N] y ==> cent-01: Removing domain… Step 5: Build your own Vagrant box (Optional) You need packer installed for this to work. Check: Install Latest Packer on Linux / FreeBSD / macOS / Windows Then clone bento Github repo. cd ~/ git clone https://github.com/chef/bento cd bento/packer_templates cd centos To build Vagrant box of CentOS Stream 8 run: $ packer build -only qemu -var "headless=true" centos-stream-8-x86_64.json ==> qemu: Gracefully halting virtual machine... ==> qemu: Converting hard drive... ==> qemu: Running post-processor: vagrant ==> qemu (vagrant): Creating Vagrant box for 'libvirt' provider qemu (vagrant): Copying from artifact: ../builds/packer-centos-stream-8-x86_64-qemu/centos-stream-8-x86_64 qemu (vagrant): Compressing: Vagrantfile qemu (vagrant): Compressing: box.img qemu (vagrant): Compressing: metadata.json Build 'qemu' finished. ==> Builds finished. The artifacts of successful builds are: --> qemu: 'libvirt' provider box: ../builds/centos-stream-8.libvirt.box If the build is successful, ready to import box files will be in the builds directory at the root of the repository. $ vagrant box add builds/centos-stream-8.libvirt.box --name "centos-stream-8" ==> box: Box file was not detected as metadata. Adding it directly... ==> box: Adding box 'centos-stream-8' (v0) for provider: ==> box: Successfully added box 'centos-stream-8' (v0) for 'libvirt'! Verify the box is installed. vagrant box list

Как скачать и установить Debian 10 Buster

Установка Debian 10 Buster или 11, 9 или 8, не столь важно. Важно то, что создание сервера, начинается именно с инсталляции ОС. Установка Debian может проводиться на ПК, ноутбук или на полноценное серверное оборудование. Важно понимать, что Linux системы предназначены для администрирования серверов. Поэтому установка дистрибутива Debian, является первостепенной задачей. В прошлых руководствах я рассказывал про установку debian 8.5 jessie и debian 9.1 stretch, шаги по установке не изменились. Нам по прежнему необходимо выполнить все те же действия.

Debian по прежнему является ключевым дистрибутивом Linux. Система стара и востребована, считается, что дистрибутив Debian наиболее безопасен и защищен в отличии от других Linux-систем. Тем не менее поддержка этого дистрибутива разработчиками закончится уже через пару лет.

Повышенная стабильность — самый важный фактор, который мне нравиться в Debian.

Выпуск нового обновленного релиза вышел 26 марта 2022 года Debian 10 buster. Дистрибутив имеет множество исправлений безопасности системы. Более строгие алгоритмы проверки подписей OpenSSL.

Исправлено большое количество существующих ошибок в пакетах и компонентах, вот небольшая выписка: apache-log4j1.2, apache-log4j2, atftp, base-files, beads, btrbk, cargo-mozilla, chrony, cimg, clamav, cups, debian-installer, debian-installer-netboot-images, detox, evolution-data-server, inux-signed-amd64, linux-signed-arm64, linux-signed-i386, llvm-toolchain-11 и т.д.

Обновлены пакеты безопасности системы, вот некоторые из них: samba, apache2, neutron, wordpress, tomcat9, squashfs-tools, php7.3, bind9, postgresql-11, libxml-security-java, apache-log4j2, xorg-server, spip, djvulibre, debian-edu-config, h2database, linux-signed-amd64, linux-signed-arm64, linux-signed-i386, tryton-server и т.д

Удалены бесполезные пакеты: angular-maven-plugin и minify-maven-plugin. В этом руководстве я расскажу как установить Debian 10 buster на компьютер, ноутбук или серверное оборудование. Для последующей настройки и установки программного обеспечения для сервера.

Источник тут: https://nicola.top/kak-skachat-i-ustanovit-debian-10-buster/

libxml is great and all but like

do you know how annoying it is to have to constantly cast between xmlChar* and char*

i am in pain and i feel like this is going to break the second a file uses any unicode shit. unsigned numbers are cool and all but could you maybe not

Installation and Migration Process to Magento 2 Platform

In the previous article, we have covered the understanding of Magento migration process. We learned about the review of the Magento 1 and the importance of extension. Let us move forward with the installation process of Magento 2.

The next step is to install Magento 2. Here is the list of the system tools you will need for the successful migration process.

Operating System: Must be a Linux x86-64 distribution such as Ubuntu or Debian. Windows or Mac does not support Magento installation or migration.

Memory: Minimum 2 GB of RAM is necessary to have.

Composer: This PHP package manager is used to install Magento elements.

Web Servers: Apache 2.4 along with enabled Apache mod_rewrite and mod_version modules and Nginx 1.x

Database: You must have one of each MySQL 5.6, 5.7, NDB Cluster 7.4; MariaDB 10.0, 10.1, 10.2 and Percona 5.7

PHP Version: PHP7.2 or 7.3 will support.

PHP Extensions: ext-ctype, ext-curl, ext-dom, ext-gd, ext-iconv, ext-intl, ext-mbstring,ext-bcmath, ext-openssl, ext-hash, ext-pdo_mysql, ext-simplexml, ext-soap, ext-xsl, ext-zip, lib-libxml

SSL: It requires a valid security certificate. Magento migration will not work with the self-signed certificates

Other System Accessories: bash, gzip, lsof, nice, sed, tar

Do a Test Run

Yes, as being a Magento development company, we advise you to do the actual test run before you actually opt for the migration process. It will save the countless time of yours to go back and fix errors. It will give a dedicated Magento developer a broad idea about where he might occur error and how to solve or how to get the guidance on it without extending downtime. Do not forget to copy your Magento 1 store to the temporary server and move the copy to Magento 2 to test the process out. Also, take the back up of all the data you have got till this point. Now we will move forward to complete the Magento migration process.

Use the Data Migration Tool

The data migration tool will require access to the databases of Magento 1 and 2. So, you have to open up the necessary ports in your firewall. It will require you to stop all the activities of the Admin panel. Though, It will not disturb the order management activities like shipping, invoice generation. It will work as it was working. After that, the dedicated Magento developer will move forward to transfer your setting and data to the Magento 2 platform. The developer will install the extensions of Magento 1 you want to keep for Magento 2 priorly.

Manual Data Migration

Do not be dependent on the data migration tool for everything. It can do the rest expect the four types of data. That includes:

Media

Storefront design

Admin user accounts

Access control lists

Magento development companies India developer can copy the media files directly from Magento 1 to (root)/pub/media folder in Magento 2. There is no need to copy .htaccess files from the Magento 1 to Magento 2 as it will already be there. The coping over will overwrite the files.

The Magento migration process will end here.

Go Live!

Now your Magento store is all set with updated settings, data and media. You can make it open for your web store visitors. Follow the listed steps to make it available for your visitors.

Activate the maintenance mode of Magento 1 to kick off the downtime of the website.

Move to data migration tool window and press CTRL +C. It will stop the incremental updates.

Go to Magento 2 platform and start all your scheduled jobs, reindex the stock indexer and cache the pages.

For the final step, Point your DNS, load balancers, etc. to your new production hardware.

Now, end the downtime as Your Magento 2 store is all ready to manage the visitor and your daily actions. For more information on migrating to Magento 2, contact top Magento development company India today.

I’ve used XML::XPath whenever I need to process XML, including RSS, OPML, Apache configuration...

How to migrate from Magento 1 to Magento 2 Five Easy Steps?

Everyone in the e-commerce world is in a frenzy. Now, that the June 2020 deadline is near, businesses are scrambling to move from Magento 1 to the latest Magento 2 version. Even though more than 250,000 websites work on Magento, only a handful websites run on the current Magento 2 version. If you are planning to move to Magento 2, you have made the right decision. Planning a migration helps in avoiding downtime and data loss. Making strategic decisions and creating a solid Magento migration plan will keep your store up and running without any issues.

How do you move your Store from Magento 1 to Magento 2?

Here’s a step by step procedure for migrating your store to Magento 2:

1. Hardware and Software Compatibility

Once you are sure of how you want your new Magento 2 store to look and function, you must consider the software and hardware issues. Remember Magento 2 won’t function efficiently if you run it on outdated software.

1. Operating Systems – Linux x86-64 2. Web Servers – Apache 2.2 or 2.4 and nginx 1.x 3. Database - MySQL 5.6, 5.7 or MariaDB 10.0, 10.1, 10.2, Percona 5.7 and other binary-compatible MySQL technologies. 4. Supported PHP versions include 7.1.3+ or 7.2.0+ 5. Required PHP Extensions: bc-math, ctype, curl, dom, gd, hash, intl, iconv, mbstring, mcrypt, openssl, PDO/MySQL, SimpleXML, soap, spl, libxml, xsl, zip, json. 6. Verify PHP OPcache and PHP configuration settings including memory_limit. 7. Valid SSL certificate for HTTPS 8. System Tools – bash, gzip, lsof, mysql, mysqldump, nice, php, sed, tar 9. Mail Server - Mail Transfer Agent (MTA) or an SMTP server 10. If you are running Magento 2 extension on a system with less than 2GB of RAM, your upgrade might fail.

2. Install Magento 2 Software

The real process of migrating to Magento 2 starts here. You need to download the latest Magento 2 Open Source software from the official website. If you have the required hardware and software ready, the installation process will be quick & easy and the “Success” message will appear on the screen. If there are any issues, make sure you install the missing software. Once the installation process is over, it’s time to start migrating your store to M2.

Before you begin the migration process, make sure to back up database and files to avoid data loss later. In order to avoid any errors, you can also opt for a staging environment to test-drive the entire process.

3. Install and Configure Data Migration Tool

The official Data Migration Tool makes data transfer from Magento 1 to Magento 2 easy. The tool is command-line interface (CLI) that allows you to migrate store settings, configurations, bulk databases and incremental data updates as required. Once you install and configure the tool, you should start migrating the settings from Magento 1 to Magento 2. It is recommended that you stop all Magento 1.x cron jobs for easy migration. You can also use the Data Migration tool for migrating products, wishlist products, customer orders, customers, categories, ratings, reviews and more.

Remember that you must avoid creating new products, attributes and categories in Magento 2 store before migrating data. The tool will overwrite new entities and thus, you will have to spend time in rework. It is essential that you run a test so that you do not miss out on any important element.

4. Migrate Themes, Extension and Customization

You need to check whether the Magento 1 theme is compatible with the latest Magento 2 standards. If it is not compatible, you will have to buy a new theme from the Magento market place or build a custom theme to fulfill M2 requirements. Using a theme compatible with Magento 2 is important because the old XML structure won’t work with the latest version.

You must also consider the third-party extensions. Make a list of extensions that are absolutely essential to you. Discuss your requirements with a Magento extension developer to customize your extensions or buy extensions that are compatible with Magento 2.

Do not worry about customization. With a Magento code migration tool, you can convert the custom Magento 1.x code to Magento 2 and save time as well as eliminate errors. You can use the tool to migrate specific files such as Layout XML files, Config XML files, PHP files, etc. However, you may have to undertake some editing manually.

5. Run Tests before you go Live

After migrating all store data, themes, extensions and customization, make sure that you run multiple tests to ascertain the proper functioning of the website. Check all the aspects of the website in detail. Migrating from Magento 1 to Magento 2 is not a simple task. Any mistake can lead to additional downtime and data loss.

If you have made any manual changes to the data, there are chances of errors in the incremental data migration. So, test your Magento 2 store for any problems or errors. Once you are sure that the new store is functioning properly, you can put your Magento 1 system in maintenance mode. Stop incremental updates and begin Magento 2 cron jobs. Replace DNS and load balancers to make your Magento 2 store go live.

All the best!

If you are new to Magento or simply want the migration process done faster, hire a Magento migration expert. A professional will ensure that you migrate from Magento-1 to Magento-2 in a safe, stress-free manner. It will mean zero data loss and minimal downtime.

HACKING WEBSITES WITH W3AF

What is W3af?

W3af is a tool used in auditing and exploitation of web applications. It’s an open source python based web vulnerability scanner. The tool also has GUI version.

Ethical hacker of iicybersecurity has found that w3af is used in exploiting many big tech companies privacy which shows the information that is not publicly available.

W3af does not come pre installed in kali linux, so for installing use the following steps:

How to install w3af in kali linux?

Type git clone https://github.com/andresriancho/w3af in linux terminal.

After cloning the w3af in kali linux, it will create a folder with w3af name. Now go to w3af directory and type ./w3af_console.

When you run ./w3af_console, you might get error to install missing packages, as shown below:

iicybersecurity@kali:~/w3af$ ./w3af_console

Your python installation needs the following modules to run w3af:

pybloomfilter phply nltk tblib pdfminer ndg lxml guess_language cluster ntlm Halberd darts .lib.utils vulndb markdown psutil ds_store mitmproxy ruamel.ordereddict Flask yaml tldextract pebble acora esmre diff_match_patch bravado_core lz4 vulners

After installing any missing operating system packages, use pip to install the remaining modules:

sudo pip install pybloomfiltermmap==0.3.14 phply==0.9.1 nltk==3.0.1 tblib==0.2.0 pdfminer= =20140328 ndg-httpsclient==0.4.0 lxml==3.4.4 guess-language==0.2 cluster==1.1.1b3 python-ntlm= =1.0.1 halberd==0.2.4 darts.util.lru==0.5 vulndb==0.1.0 markdown==2.6.1 psutil==2.2.1 ds-store ==1.1.2 mitmproxy==0.13 ruamel.ordereddict==0.4.8 Flask==0.10.1 PyYAML==3.12 tldextract==1.7.2 pebble==4.3.8 acora==2.1 esmre==0.3.1 diff-match-patch==20121119 bravado-core==5.0.2 lz4==1.1 .0 vulners==1.3.0

External programs used by w3af are not installed or were not found.Run these commands to install them on your system:

npm install -g retire

A script with these commands has been created for you at /tmp/w3af_dependency_install.sh

When we run ./w3af_console it will ask you to run npm install -g retire command. But before executing the npm install -g retire you must ensure that npm is installed in kali linux.

For installing npm package type apt-get install npm.

If npm package is already installed, skip the last step. After installing npm packages type npm install -g retire and output will be something like:

npm install -g retire

/usr/local/bin/retire -> /usr/local/lib/node_modules/retire/bin/retire

+ [email protected]

added 84 packages from 83 contributors in 15.165s

After executing the above command type ./w3af_console again. It might show another error:

root@kali:/home/iicybersecurity/w3af# ./w3af_console

Your python installation needs the following modules to run w3af:

pybloomfilter phply nltk tblib pdfminer ndg lxml guess_language cluster ntlm Halberd darts.lib.utils vulndb markdown psutil ds_store mitmproxy ruamel.ordereddict Flask yaml tldextract pebble acora esmre diff_match_patch bravado_core lz4 vulners

After installing any missing operating system packages, use pip to install the remaining modules:

sudo pip install pybloomfiltermmap==0.3.14 phply==0.9.1 nltk==3.0.1 tblib==0.2.0 pdfminer==20140328 ndg-httpsclient==0.4.0 lxml==3.4.4 guess-language==0.2 cluster==1.1.1b3 python-ntlm==1.0.1 halberd==0.2.4 darts.util.lru==0.5 vulndb==0.1.0 markdown==2.6.1 psutil==2.2.1 ds-store==1.1.2 mitmproxy==0.13 ruamel.ordereddict==0.4.8 Flask==0.10.1 PyYAML==3.12 tldextract==1.7.2 pebble==4.3.8 acora==2.1 esmre==0.3.1 diff-match-patch==20121119 bravado-core==5.0.2 lz4==1.1.0 vulners==1.3.0

A script with these commands has been created for you at /tmp/w3af_dependency_install.sh

As asked in error message, type /tmp/w3af_dependency_install.sh. During installation you might get one more error as shown below:

In file included from src/lxml/lxml.etree.c:239:0:

/tmp/pip-build-uH3XZ6/lxml/src/lxml/includes/etree_defs.h:14:10: fatal error: libxml/xmlversion.h: No such file or directory

#include “libxml/xmlversion.h”

^~~~~~~~~~~~~~~~~~~~~

compilation terminated.

error: command ‘i686-linux-gnu-gcc’ failed with exit status

Can’t rollback lxml, nothing uninstalled.

Command “/usr/bin/python -u -c “import setuptools, tokenize;__file__=’/tmp/pip-build-uH3XZ6/lxml/setup.py’;f=getattr(tokenize, ‘open’, open)(__file__);code=f.read().replace(‘\r\n’, ‘\n’);f.close();exec(compile(code, __file__, ‘exec’))” install –record /tmp/pip-DgrWhh-record/install-record.txt –single-version-externally-managed –compile” failed with error code 1 in /tmp/pip-build-uH3XZ6/lxml/

To get rid of this error install w3af dependencies, now run sudo apt-get install libxml2-dev libxslt1.dev because libxml development file (libxml/xmlversion.h:) is missing and it comes with these dev packages.

Now we have almost installed everything needed to run w3af smoothly, now type ./w3af_console in linux terminal. On running this command successfully, you will get below screen to start your penetration testing with w3af.

In w3af, first attacker has to set the target and then check for the plugins and then start the w3af scan:-

After opening w3af console in linux terminal.

Type target and then type set target http://testphp.vulnweb.com/

Type back for returning to the main linux shell of w3af.

w3af>>> target

w3af/config:target>>> set target http://testphp.vulnweb.com/

w3af/config:target>>> back

Type plugins and then type audit all

Type back for returning to the man linux shell of w3af.

The configuration has been saved.

w3af>>> plugins

w3af/plugins>>> audit

And then type start:-

w3af/plugins>>> audit all

w3af/plugins>>> back

w3af>>> start

Once the scan is started, you will get something as shown below:

Favorite tweets: God. Libxml bugs were the reason for my ugly and long standing divorce from PHP in 2005. Only recently have we gotten back together for the occasional lunch— Baron Chandler (@msthebaron) June 8, 2018

http://twitter.com/msthebaron

CentOS常用环境

mysql5.6

wget http://dev.mysql.com/get/mysql-community-release-el7-5.noarch.rpm

rpm -ivh mysql-community-release-el7-5.noarch.rpm

yum install mysql mysql-server -y

附加组件安装 yum install opessl-devel \ yum install pcre-devel \ yum install gd-devel \ yum install ncurses-devel -y \

yum -y install net-snmp-devel \ yum -y install readline-devel \ yum -y install aspell-devel \ yum -y install unixODBC-devel \ yum -y install libicu-devel \ yum -y install libc-client-devel \ yum -y install freetype-devel \ yum -y install libXpm-devel \ yum -y install libpng-devel \ yum -y install libvpx-devel \ yum -y install enchant-devel \ yum -y install libcurl-devel \ yum -y install libc-client-devel \ yum -y install openldap-devel \ yum -y install postgresql-devel \ yum -y install curl-devel \ yum -y install libxslt-devel \ yum -y install pcre-devel \ yum -y install bzip2-devel \ yum -y install curl-devel \ yum -y install db4-devel \ yum -y install libjpeg-devel \ yum -y install libpng-devel \ yum -y install libXpm-devel \ yum -y install gmp-devel \ yum -y install libc-client-devel \

nginx编译:

nginx1.8 ./configure --prefix=/usr/local/nginx --sbin-path=/usr/local/nginx/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --error-log-path=/usr/local/nginx/log/erro.log --http-log-path=/usr/local/nginx/log/access.log --pid-path=/usr/nginx/nginx.pid --user=nginx --group=nginx --with-http_ssl_module --with-http_stub_status_module --with-http_gzip_static_module --http-client-body-temp-path=/usr/local/nginx/cilent --http-proxy-temp-path=/usr/local/nginx/proxy --http-fastcgi-temp-path=/usr/local/nginx/fcgi --with-http_ssl_module

网站标配

server { listen 80; server_name test.ttlsa.com; access_log /data/logs/nginx/test.ttlsa.com.access.log main;

index index.php index.html index.html; root /data/site/test.ttlsa.com;

location / { try_files $uri $uri/ /index.php?$args; }

location ~ .*\.(php)?$ { expires -1s; try_files $uri =404; fastcgi_split_path_info ^(.+\.php)(/.+)$; include fastcgi_params; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_pass 127.0.0.1:9000;

} }

php.5.6 :phpf-fpm版本 ./configure --prefix=/usr/local/php/fpm/5.6 --enable-fpm  --enable-soap --with-libxml-dir  --with-openssl  --with-mhash --with-pcre-regex  --with-zlib --enable-bcmath --with-iconv --with-bz2  --with-curl --with-cdb --enable-dom  --enable-filter --with-pcre-dir --enable-ftp  --with-openssl-dir  --with-png-dir --with-zlib-dir --with-freetype-dir --enable-gd-native-ttf --enable-gd-jis-conv  --with-gmp --with-mhash  --enable-mbstring --disable-mbregex --disable-mbregex-backtrack --with-libmbfl --enable-pdo --with-pdo-mysql --with-zlib-dir  --enable-session --enable-shmop --enable-simplexml --enable-sockets --enable-sysvmsg --enable-sysvsem --enable-sysvshm --enable-wddx --with-libxml-dir --with-xsl --enable-zip --with-pear --with-mysql --with-gd

模块化版本 ./configure --prefix=/usr/local/php/moudle/5.6 --enable-soap --with-libxml-dir  --with-openssl  --with-mhash --with-pcre-regex  --with-zlib --enable-bcmath --with-iconv --with-bz2  --with-curl --with-cdb --enable-dom  --enable-filter --with-pcre-dir --enable-ftp  --with-openssl-dir  --with-png-dir --with-zlib-dir --with-freetype-dir --enable-gd-native-ttf --enable-gd-jis-conv  --with-gmp --with-mhash  --enable-mbstring --disable-mbregex --disable-mbregex-backtrack --with-libmbfl --enable-pdo --with-pdo-mysql --with-zlib-dir  --enable-session --enable-shmop --enable-simplexml --enable-sockets --enable-sysvmsg --enable-sysvsem --enable-sysvshm --enable-wddx --with-libxml-dir --with-xsl --enable-zip --with-pear --with-apxs2=/usr/local/apache/bin/apxs

Babe Music Player, un nuevo reproductor de audio Qt #KDE

Hoy os quiero presentar a Babe Music Player, un nuevo reproductor de audio Qt creado por Camilo Higuita y que pretende convertirse en uno de las aplicaciones que habitan siempre en nuestros dispositivos más o menos libres. ¿Quieres saber más de Babe? Sigue leyendo.

Babe Music Player, un nuevo reproductor de audio Qt

Babe Music Player es una aplicación musical escrita en Qt que pretende mantener siempre a tu disposición tus canciones favoritas, bien sea de tu disco duro o de tu servicio de internet favorito, gracias a las diversas fuentes con las que puedes alimentar la aplicación. No se trata de una aplicación nueva, pero si joven, ya que fue anunciada este pasado abril en KDE.News.

Las características generales de Babe son las siguientes:

Posibilidad de filtrar por artista, título, álbum, género, fecha o localización.

Añade tus canciones favoritas de youtube utilizando la extensión para Chromium

Varias formas de visualizar tu lista de reproducción: Mini, Playlist  y modo collection.

Menú contextual con información sobre la pista reproducida

Integración perfecta con el escritorio Plasma: notificaciones, controles mpris, interacción con kde connect y control vía acciones de krunner.

Aunque lo mejor es que lo veáis en directo gracias al siguiente vídeo-análisis realizado por quidsup

Cómo instalar Babe Music Player en distribuciones basadas en Ubuntu

Según podemos leer en el blog How to install program on Ubuntu, podemos instalar fácilmente en nuestra variante de Ubuntu 16.04 o superior.

De esta forma basta con abrir una consola y escribir en ella:

$ git clone http://ift.tt/2q2En7K

$ cd babe-music-*

$ sudo apt-get install valac libgee-0.8-dev libgtk-3-dev libsoup2.4-dev libtagc0-dev libtag1-dev libges-1.0-dev libnotify-dev

$ sudo ln -s /usr/share/vala/vapi/gee-0.8.vapi /usr/share/vala/vapi/gee-1.0.vapi

$ valac –pkg gstreamer-1.0 –pkg gtk+-3.0 –pkg taglib_c –pkg gee-1.0 –pkg libxml-2.0 –pkg libsoup-2.4 –pkg libnotify babe.vala stream.vala lastfm.vala widgets.vala LyricFetcher.vala list.vala playlist.vala

$ ./babe

Y, si todo ha ido bien, te aparecerá ya el reproductor Babe.

Y para finalizar, compartir la entrevista que tuve el gusto de realizar el pasado en la pasada Akademy 2017 de Almería a Camila Higuita, su creador.

Más información: Babe | How to install program on Ubuntu | Presentación en KDE.News from Babe Music Player, un nuevo reproductor de audio Qt

Monitorix Open Source Systemüberwachung

Monitorix ist ein Systemüberwachungs-Tool, das entwickelt wurde, um so viele Dienste und Systemressourcen wie möglich zu überwachen. Es besteht hauptsächlich aus zwei Programmen: einem Collector namens monitorix, einem Perl-Daemon, der wie jeder andere System-Service automatisch gestartet wird, und einem CGI-Skript namens monitorix.cgi. Seit der Version 3.0 enthält Monitorix einen eigenen integrierten HTTP-Server, so dass ihr keinen Webserver für die Verwendung installieren müsst.

Wie man Monitorix installiert?

Installation auf einem Fedora Linux

Benutzer neuerer Fedora-Versionen können Monitorix direkt über die offiziellen Repositories installieren. Daher sollte ein einfacher Befehl wie der folgende genügen: # yum install monitorix https://www.youtube.com/watch?v=QN1QbkuzAQQ

Installation auf einem RedHat / CentOS Linux

Installiert zuerst das EPEL-Repository und dann Monitorix mit yum: # yum installiere epel-release # yum installiere monitorix Wenn yum bei der Installation eines der Pakete fehlschlägt (wahrscheinlich nur in EL4 oder EL5), könntet ihr versuchen, sie manuell aus diesem zusätzlichen Repository zu beziehen:      Repoforge Repository für Red Hat, CentOS und Fedora Obwohl diese Repositories von vielen in der Community als stabil und sicher angesehen werden, folgt bitte diesen Empfehlungen: Halten Sie Ihre Systeme von permanenten Installationen von Drittanbieter-Repositories fern. Bewahren Sie diese Repositorys immer als deaktiviert auf und aktivieren Sie sie nur bei Bedarf. Wenn die Installation erfolgreich war, schaut bitte in die Konfigurationsdatei /etc/monitorix/monitorix.conf, um die Optionen für euer System einzustellen und Graphen zu aktivieren oder zu deaktivieren. Startet Monitorix schließlich mit: # service monitorix start An diesem Punkt beginnt Monitorix mit der Erfassung der Systeminformationen basierend auf eurer Konfiguration. Nach einigen Minuten solltet ihr  die Ergebnisse in eurem  Browsers sehen können. Unter  http: // localhost: 8080 /monitorix /  könnt ihr Monitorix aufrufen. https://www.youtube.com/watch?v=xbJTOnTbfRw Monitorix Installation unter Debian Die Installation ist etwas aufwendiger als normal, da es noch kein Packet in der offiziellen Debian Repository gibt: apt-get update apt-get install rrdtool perl libwww-perl libmailtools-perl libmime-lite-perl librrds-perl libdbi-perl libxml-simple-perl libhttp-server-simple-perl libconfig-general-perl libio-socket-ssl-perl Nach diesem Schritt wird eventuell ein apt-get -f install benötigt. Danach laden wir noch das aktuelle “.deb” File von der Homepage: wget http://www.monitorix.org/monitorix_3.6.0-izzy1_all.deb dpkg -i monitorix_3.6.0-izzy1_all.deb und danach installieren wir es noch schnell mit: dpkg -i monitorix_3.6.0-izzy1_all.deb Die Installation ist nun abgeschlossen, jetzt müssen wir noch ein wenig die Konfiguration anpassen. Zuerst bearbeiten wir das File unter /etc/monitorix/monitorix.conf Hier deaktivieren wir den integirerten Webserver der mit Monitorix daher kommt. enabled = n “hostname” und “title” können je nach belieben angepasst werden. Das File speichern und Monitorix mit service monitorix restart neu starten. Jetzt noch einen Apache2 vhosts anlegen vim /etc/apache2/sites-available/monitorix   hier könnt ihr dieses Template verwenden und für euch anpassen: Alias /monitorix /var/lib/monitorix/www ScriptAlias /monitorix-cgi /var/lib/monitorix/www/cgi # Apache 2.4 Require all denied Require ip 127.0.0.1 # Apache 2.2 Order deny,allow Deny from all Allow from 127.0.0.1 Allow from all DirectoryIndex monitorix.cgi Options ExecCGI Read the full article