search

google-code-export / web-shell

Automatically exported from code.google.com/p/web-shell
1 stars 1 forks source link

make_certificate.sh does not work as intended on Linux #33

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
What steps will reproduce the problem?
1. unzip WebShell-0.9.5.zip
2. issue ./make_certificate.sh

What is the expected output? What do you see instead?
Expected output:
1913 semi-random bytes loaded
Generating a 1024 bit RSA private key
.........++++++
................++++++
writing new private key to 'webshell.pem'
-----

Output:
gzip: /var/log/system.log: No such file or directory
0 semi-random bytes loaded
rm: cannot remove `random.dat': No such file or directory
Generating a 1024 bit RSA private key
............................++++++
.....++++++
writing new private key to 'webshell.pem'

What version of the product are you using? On what operating system?
WebShell 0.9.5
Debian GNU/Linux 3.1 and 4.0

Please provide any additional information below.

This can easily be fixed:

#! /bin/sh
if [ -r /var/log/system.log ]; then
        gzip -c --best /var/log/system.log > /tmp/random.dat
elif [ -r /var/log/syslog ]; then
        gzip -c --best /var/log/syslog > /tmp/random.dat
else
        echo "Could not read /var/log/system.log or /var/log/syslog"
        exit
fi
openssl rand -rand file:/tmp/random.dat 0
if [ -w /tmp/random.dat ]; then
        rm /tmp/random.dat
else
        echo "could not remove /tmp/random.dat"
fi

openssl req  -config "make_certificate.cfg" -keyout "webshell.pem" -newkey
rsa:1024 -nodes -x509 -days 365 -out "webshell.pem"

Original issue reported on code.google.com by cmccar...@gmail.com on 20 Aug 2007 at 1:50

GoogleCodeExporter commented 9 years ago 
I'm getting this:

$ webshell.py -i 192.168.1.100 -p 8022
--ssl-cert=/usr/local/src/WebShell-0.9.5/webshell.pem
WebShell (https) at 192.168.1.100, port 8022
----------------------------------------
Exception happened during processing of request from ('192.168.1.101', 4251)
Traceback (most recent call last):
  File "/usr/lib/python2.4/SocketServer.py", line 222, in handle_request
    self.process_request(request, client_address)
  File "/usr/lib/python2.4/SocketServer.py", line 241, in process_request
    self.finish_request(request, client_address)
  File "/usr/lib/python2.4/SocketServer.py", line 254, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/usr/lib/python2.4/SocketServer.py", line 521, in __init__
    self.handle()
  File "/usr/lib/python2.4/BaseHTTPServer.py", line 316, in handle
    self.handle_one_request()
  File "/usr/lib/python2.4/BaseHTTPServer.py", line 310, in handle_one_request
    method()
  File "/usr/local/bin/webshell.py", line 1281, in do_GET
    content_data = files[f]
KeyError: 'webshell.html'
----------------------------------------

Original comment by pdt...@gmail.com on 5 Sep 2007 at 7:51

GoogleCodeExporter commented 9 years ago 
Thanks!

Original comment by mre...@gmail.com on 19 Sep 2007 at 5:43

GoogleCodeExporter commented 9 years ago 
Same problem, a different solution.  Instead of trying to find a handy file, I 
create
one filled with random numbers.

Find attached

Original comment by timc...@earthlink.net on 23 Nov 2007 at 3:11

Attachments:

GoogleCodeExporter commented 9 years ago 
Please, read this article about importance of truly unpredictable random 
numbers for
secure encryption:
http://seifried.org/security/cryptography/20000126-random-numbers.html

You're using predictable seeds for pseudo random number generation, this 
effectively
beats the purpose of using cryptography!

Gzipping is a BAD idea for PRNG seeding, it doesn't produce random data - 
stream of
gzip compressed data has a _structure_! Especially if one can make assumptions 
about
the kind of data being compressed (like timcera's example which involves a 
series of
10000 digit-only lines, maximum 5 characters in length, on separate lines).

Please, stop breaking OpenSSL's random number handling. People were working 
hard for
years to get its random number handling to high quality standards and you simply
override it.

Or maybe disable encryption completely so that people don't get false sense of
security when using web-shell!

Original comment by aleksand...@gmail.com on 29 Sep 2008 at 10:54

GoogleCodeExporter commented 9 years ago 
BTW, a hint: UNIX-like operating systems have /dev/*random devices for a 
purpose.

Original comment by aleksand...@gmail.com on 29 Sep 2008 at 10:57

GoogleCodeExporter commented 9 years ago 
BTW, also read this:

http://www.schneier.com/blog/archives/2007/11/the_strange_sto.html

Very interesting stuff.

Original comment by aleksand...@gmail.com on 29 Sep 2008 at 11:15

GoogleCodeExporter commented 9 years ago 
This issue has been made irrelevant by the fix to issue 42
(http://code.google.com/p/web-shell/issues/detail?id=42).

Please test.

Original comment by aleksand...@gmail.com on 21 Oct 2008 at 9:30