Categories
Windows

Some of the php.net machines have been compromised, really??


   Just before noon, I noticed I could not reach qa.php.net and the PHP 5.6.1 Zip was withdrawn from the site.

   What happened to the official PHP site? After googling on the Internet, I found out the following.

   Is this ShellShock’s side effect? Of course, I’m just joking. But what really happened? They withdrew the PHP 5.6.1 Zip; does that mean the file was affected by something malicious?

   When I install new files, I always check them carefully. For the PHP 5.6.1 Zip, I followed my ordinary steps. However, I do check it again. In my case, I think there is no problem, but who can say it is 100% safe?

   They have said nothing so far. When will they make an official announcement about it?

Edit(Oct.2):
   At 2:05pm JST, I found the PHP 5.6.1 Zip had come back. I haven’t checked the difference between the old and new Zip files yet. I have to get going, so I’ll check them later. There is still no official announcement.

Updating to PHP5.6.1.

   They released the Windows version of PHP5.6.1 on Sep-25 06:28:30UTC. Recently, the Windows versions have been released earlier than the other versions. So, I updated my PHP from 5.6.0 to 5.6.1 on my Web server (Windows7HP+SP1(x86)).

   There is no difference between the two php.ini-production files except a misspelling correction. So I replaced all files and copied my php.ini file to the folder. Then I restarted the httpd.exe.

   The OPcache bug still remains. But the above are my ordinary steps, so I thought “That’s it.”

   Buuuuuuuuuuuuuuuuuut I had a lot of trouble this time. First I found the warning “PHP Startup: in Unknown on line 0” in the Apache error log. Only this. It had no module name or anything else. But it was just a warning, i.e. a very small problem. And when I checked the PHP information for PHP Version 5.6.1, I found out that php_curl.dll was not loaded. Boo-hoo-hoo!

   Finally, I found the solution after a whole day of hard work.
   I added “x:PHP install directory” to the PATH environment variable. I think most PHP users usually add it when they first install PHP. But I didn’t, and I had no problem until today. At first I guessed this was a new requirement of PHP5.6.1. However, after reading “the curl extension doesn’t load using apache” and seeing its date, I bet that this trouble may depend on Windows security updates.

   Anyway, PHP5.6.1 is working well on the server.

   If you need more information about the configuration, see the post “Migrating from PHP 5.5.16 to PHP 5.6.0 on Windows”.

Migrating from PHP 5.5.16 to PHP 5.6.0 on Windows.

   They released PHP5.6.0 on Aug-27 21:52:22. Actually, it was about half a day earlier than the release on php.net, a time lag between the two that I have sometimes experienced recently. So, this afternoon, I migrated from PHP 5.5.16 to PHP 5.6.0 on my Web server (Windows7 HP + SP1 (x86)). Here is its ChangeLog.

   They say “Most improvements in PHP 5.6.x have no impact on existing code. There are a few incompatibilities and new features that should be considered, and code should be tested before switching PHP versions in production environments.” and it is true. I didn’t need any changes to my existing code. However, in my case I was migrating from PHP 5.5.16 to PHP 5.6.0. If you migrate from an older version, you might need some changes.

   I did not change my old php.ini except for mbstring. PHP 5.6.0 has UTF-8 as its default charset, so I thought I did not need the mbstring customization anymore. If you run production sites, you should use a php.ini based on the php.ini-production INI file that the official package includes. The php.ini-development INI file is for development environments.

   The following table shows my new configuration for version 5.6.0. Drive_SV is my server software partition.

   #  | Default                              | Custom
   ---|--------------------------------------|------------------------------------------------------------
   1  | output_buffering = 4096              | output_buffering = Off
   2  | disable_functions =                  | disable_functions = "shell_exec, suexec, passthru, phpinfo"
   3  | expose_php = On                      | expose_php = Off
   4  | ; extension_dir = "ext"              | extension_dir = "Drive_SV:\PHP\ext"
   5  | allow_url_fopen = On                 | allow_url_fopen = Off
   6  | ;extension=php_curl.dll              | extension=php_curl.dll
   7  | ;extension=php_gd2.dll               | extension=php_gd2.dll
   8  | ;extension=php_mbstring.dll          | extension=php_mbstring.dll
   9  | ;extension=php_mysqli.dll            | extension=php_mysqli.dll
   10 | ;extension=php_openssl.dll           | extension=php_openssl.dll
   11 | (none)                               | zend_extension = "Drive_SV:\PHP\ext\php_opcache.dll"
   12 | ;date.timezone =                     | date.timezone = "Asia/Tokyo"
   13 | ;sendmail_from = me@example.com      | sendmail_from = My email address
   14 | mysql.allow_persistent = On          | mysql.allow_persistent = Off
   15 | ;opcache.enable=0                    | opcache.enable=1
   16 | ;opcache.memory_consumption=64       | opcache.memory_consumption=128
   17 | ;opcache.interned_strings_buffer=4   | opcache.interned_strings_buffer=8
   18 | ;opcache.max_accelerated_files=2000  | opcache.max_accelerated_files=4000
   19 | ;opcache.revalidate_freq=2           | opcache.revalidate_freq=60
   20 | ;opcache.fast_shutdown=0             | opcache.fast_shutdown=1

   Settings 1 and 14 might cause some trouble on your server, depending on your server environment. Settings 11 and 15 – 20 are values for OPcache, so if you don’t use OPcache, leave them at their defaults.

   It is now one day after the migration. Since then, php_opcache.dll has been giving a lot of errors. I have stopped using OPcache until I find a solution. Changing the mbstring settings might have a bad effect on server performance. I am taking a wait-and-see attitude.
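   One way to check a php.ini against the security-relevant rows of the table above (2, 3, 5 and 14). This is an added example, not part of the original post; the names parse_php_ini and audit and the sample file are constructed for illustration, and the function list is taken as the table gives it.

```python
# Security-relevant rows of the table above (2, 3, 5 and 14), as the page lists them.
BASELINE = {"expose_php": "off", "allow_url_fopen": "off",
            "mysql.allow_persistent": "off"}
REQUIRED_DISABLED = {"shell_exec", "suexec", "passthru", "phpinfo"}
# php.ini spellings of a boolean value, normalised to "on"/"off".
BOOL = {"1": "on", "on": "on", "true": "on", "yes": "on",
        "0": "off", "off": "off", "false": "off", "no": "off", "": "off"}

def parse_php_ini(text):
    """Return active directives; lines starting with ';' are comments."""
    active = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";[":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.strip()
        if value.startswith('"'):
            value = value[1:].split('"', 1)[0]        # quoted: keep the inside
        else:
            value = value.split(";", 1)[0].strip()    # drop a trailing comment
        active[key.strip()] = value                   # a later line overrides
    return active

def audit(text):
    """Return (directive, found, expected) for each deviation from BASELINE."""
    ini = parse_php_ini(text)
    findings = []
    for name, expected in BASELINE.items():
        raw = ini.get(name)
        # An unset directive falls back to PHP's built-in default, which is
        # On for all three directives checked here.
        found = "unset" if raw is None else BOOL.get(raw.lower(), raw)
        if found != expected:
            findings.append((name, found, expected))
    disabled = {f.strip() for f in ini.get("disable_functions", "").split(",")}
    missing = sorted(REQUIRED_DISABLED - disabled)
    if missing:
        findings.append(("disable_functions", "missing " + ", ".join(missing),
                         ", ".join(sorted(REQUIRED_DISABLED))))
    return findings

# Constructed sample, not the author's real file.
SAMPLE_INI = """\
[PHP]
disable_functions = "shell_exec, passthru"
expose_php = Off   ; hides the PHP version header
;allow_url_fopen = Off
allow_url_fopen = On
extension=php_curl.dll
extension=php_mysqli.dll
[MySQL]
mysql.allow_persistent = Off
"""

if __name__ == "__main__":
    for name, found, expected in audit(SAMPLE_INI):
        print(f"{name}: found {found!r}, expected {expected!r}")
```

   In the sample, the commented-out `;allow_url_fopen = Off` line does not count, so the active `On` line is reported, together with the two functions missing from disable_functions.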

   As you see, I do not use MySQL Extension on my server anymore. I use MySQLi Extension only.

   I’ll show you my server software versions.

   I almost forgot to write this. This time I had trouble with an error, ‘Bad Host request’. It was BulletProof Security’s fault. Ha-ha-ha. So I disabled the plugin before the PHP version upgrade. Then I enabled it again after the PHP migration. I gave it a bum rap. It was php_opcache.dll’s fault. Hey BulletProof Security, sorry!

Memorandum #6.

   I don’t know why, but I’m very tired. I’m jotting this down as a memo.

   My server OS is Windows7 HP SP1 (x86).

  1. PHP 5.5.15 (php-5.5.15-Win32-VC11-x86.zip)
    —> PHP 5.5.16 (php-5.5.16-Win32-VC11-x86.zip)
  2. MariaDB 10.0.12 (mariadb-10.0.12-win32.zip)
    —> MariaDB 10.0.13 (mariadb-10.0.13-win32.zip)
  3. phpMyAdmin 4.2.7 (phpMyAdmin-4.2.7-english.zip)
    —> phpMyAdmin 4.2.7.1 (phpMyAdmin-4.2.7.1-english.zip)

   My guess tells me all of them are security releases. So I’ve dealt with them promptly.

Memorandum #5.

  1. I found their announcement of PHP 5.6.0 GA in the article about RC4, wow! I can’t wait.
  2. I updated to Apache 2.4.10 (httpd-2.4.10-win32-VC11.zip), which was built with openssl-1.0.1i. The reason is this advisory, OpenSSL Security Advisory [6 Aug 2014]. I knew this news, but Steffen replied “Coming days the builds here at Apache Lounge are going to be upgraded. It has not that priority and severity ~” to Jan-E. So I waited for the upgrade.
  3. I read a lot of articles about the troubles with the August 2014 Windows Update. Though I had no trouble with my own PCs, I uninstalled the following updates that were installed on them, because I heard they suggested uninstalling KB2982791, KB2970228, KB2975719 and KB2975331 even if there is currently no trouble.
    • Windows8.1(x86) on NJ2100
      KB2982791
      KB2975719
    • Windows7 SP1(x64) on CF-J10
      KB2982791
      KB2970228
    • Windows7 SP1(x86) on xw4200
      KB2982791
      KB2970228
    • Windows Vista SP2(x86) on KeyPaso
      KB2982791

    In the past, Windows update gave us troubles almost every time, but I feel this was the first mess in quite a while. How about your feelings? (^_~)

Edit(Aug.28):
   Hey! We have a new MS14-045 update, KB2993651. See Microsoft Security Bulletin MS14-045 – Important.

Microsoft Security Advisory 2915720-#2

   Do you remember my post “Microsoft Security Advisory 2915720 ???”? Now August 12 is approaching, so I wondered how it was going. For about a week, my translation work was getting down to the wire, so I missed the new revision of Microsoft Security Advisory 2915720, but I suddenly found it yesterday.

   The conclusion is “Microsoft no longer plans to enforce the stricter verification behavior as a default functionality on supported releases of Microsoft Windows.” But they also say “It remains available as an opt-in feature.”

   According to well-informed sources, they were keenly reminded that its effects were more severe than expected, and so they have given it up this time.

Updating to PHP5.5.15.

   They released PHP5.5.15 on Jul-24 01:03:48UTC. So, I updated my PHP from 5.5.14 to 5.5.15 on my Web server (Windows7HP+SP1(x86)). ChangeLog.

   PHP 5.6.0RC3 is later than planned. What’s happening?

   By the way, I read “Fix a memory consumption denial of service in the WinNT MPM” in Changes with Apache 2.4.10. So I stopped using the workaround. But it did not work well. On the next day, I rolled back the workaround.

Edit(Aug.1):
   Finally they released PHP 5.6.0RC3. It’s two weeks later than scheduled. They say their next Release Candidate should show up on the 14th of August. Is PHP 5.6.0GA going to show up in September?

phpMyAdmin Configuration storage.

   phpMyAdmin has had an infrastructure named Configuration storage since version 3.4.2. When you log in to phpMyAdmin for the first time, you get the message “The phpMyAdmin configuration storage is not completely configured, some extended features have been deactivated. To find out why click here.” because this is deactivated by default. When it is activated, you can use features like bookmarks, comments, SQL history, relations, PDF schema, and MIME transformations. For me, the bookmarks feature is convenient. Well, I’m going to write how to activate it.
   By the way, when we install phpMyAdmin on our servers, we must consider a lot of things for security. But I don’t write about that here. Please read the Official Documentation and take full responsibility for your actions.

   The very first time you activate this, you need to take the following three steps.

  1. Create a user and its database with create_tables.sql in MySQL.
  2. Make the above user a control user.
  3. Customize your config.inc.php.

   Now, I’ll start.

  1. Open the file create_tables.sql in a text editor and uncomment the next two lines.
    ————
    GRANT SELECT, INSERT, DELETE, UPDATE ON `phpmyadmin`.* TO
    'pma'@localhost;
    ————

    Log in to your phpMyAdmin as root and import create_tables.sql. After that, you have a database phpmyadmin and a user pma with no password.

    Note) In my opinion, you had better change the names of the database and user to other unique names, because many attacks take these default names as clues. Editing create_tables.sql before you import it makes this easy.

  2. Input the following statements in the phpMyAdmin SQL Query window.
    ————
    GRANT USAGE ON mysql.* TO 'pma'@'localhost' IDENTIFIED BY 'pmapass';
    GRANT SELECT (
    Host, User, Select_priv, Insert_priv, Update_priv, Delete_priv,
    Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv,
    File_priv, Grant_priv, References_priv, Index_priv, Alter_priv,
    Show_db_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv,
    Execute_priv, Repl_slave_priv, Repl_client_priv
    ) ON mysql.user TO 'pma'@'localhost';
    GRANT SELECT ON mysql.db TO 'pma'@'localhost';
    GRANT SELECT ON mysql.host TO 'pma'@'localhost';
    GRANT SELECT (Host, Db, User, Table_name, Table_priv, Column_priv)
    ON mysql.tables_priv TO 'pma'@'localhost';
    ————
    Of course, you should change 'pmapass' to your own proper controluser password. If you use your own pmadb database name and controluser name instead of phpmyadmin and pma, you also need to edit them.

    Log out of phpMyAdmin.
  3. Open your config.inc.php and uncomment the following twenty lines. If you use your own pmadb database name and controluser name instead of phpmyadmin and pma, you also need to edit them. The same goes for pmapass, of course.
    ————
    /*
    * phpMyAdmin configuration storage settings.
    */

    /* User used to manipulate with storage */
    // $cfg['Servers'][$i]['controlhost'] = ''; <= Whether you need this depends on your environment.
    // $cfg['Servers'][$i]['controlport'] = ''; <= Whether you need this depends on your environment.
    $cfg['Servers'][$i]['controluser'] = 'pma';
    $cfg['Servers'][$i]['controlpass'] = 'pmapass';

    /* Storage database and tables */
    $cfg['Servers'][$i]['pmadb'] = 'phpmyadmin';
    $cfg['Servers'][$i]['bookmarktable'] = 'pma__bookmark';
    $cfg['Servers'][$i]['relation'] = 'pma__relation';
    $cfg['Servers'][$i]['table_info'] = 'pma__table_info';
    $cfg['Servers'][$i]['table_coords'] = 'pma__table_coords';
    $cfg['Servers'][$i]['pdf_pages'] = 'pma__pdf_pages';
    $cfg['Servers'][$i]['column_info'] = 'pma__column_info';
    $cfg['Servers'][$i]['history'] = 'pma__history';
    $cfg['Servers'][$i]['table_uiprefs'] = 'pma__table_uiprefs';
    $cfg['Servers'][$i]['tracking'] = 'pma__tracking';
    $cfg['Servers'][$i]['designer_coords'] = 'pma__designer_coords';
    $cfg['Servers'][$i]['userconfig'] = 'pma__userconfig';
    $cfg['Servers'][$i]['recent'] = 'pma__recent';
    $cfg['Servers'][$i]['favorite'] = 'pma__favorite';
    $cfg['Servers'][$i]['users'] = 'pma__users';
    $cfg['Servers'][$i]['usergroups'] = 'pma__usergroups';
    $cfg['Servers'][$i]['navigationhiding'] = 'pma__navigationhiding';
    $cfg['Servers'][$i]['savedsearches'] = 'pma__savedsearches';
    ————

    Log in to your phpMyAdmin again.

    You no longer get the message “The phpMyAdmin configuration storage is not completely configured, some extended features have been deactivated. To find out why click here.”

   That’s it!

   You can use phpMyAdmin configuration storage features now.

Edit(Jul.5):
   I forgot to write.
   At upgrades, you simply re-import the new create_tables.sql file after backing up your database. Importing the file will not overwrite existing data, but will create any new tables. After that, you may need to edit your config.inc.php file.
   You already have your control user, so you must not uncomment the lines in the create_tables.sql file. Also keep in mind your own pmadb database name and controluser name if you use them instead of phpmyadmin and pma.

Edit2(Jul.9):
   When I wrote the reply for くりくりさん, I suddenly realized that I am scared of the time lag between steps 1. and 2. My SQL server has no port open to the Internet and it has only one user, me! So, I might not need to be so nervous. But if you have a much busier server than mine, such a server has more chances of being attacked by someone. The time lag gives attackers a chance to get into your server as the new pma user with no password. This is what scares me!!

   Well, first make a controluser with a password and give it the privileges. After that, import the file create_tables.sql. My guess is that this is better.

   Anyway, I’ll write my controluser current privileges:
————
GRANT USAGE ON *.* TO 'pma'@'localhost' IDENTIFIED BY PASSWORD 'pmapass';
GRANT SELECT, INSERT, UPDATE, DELETE ON pma_main.* TO 'pma'@'localhost';
GRANT SELECT (
Host, User, Select_priv, Insert_priv, Update_priv, Delete_priv,
Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv,
File_priv, Grant_priv, References_priv, Index_priv, Alter_priv,
Show_db_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv,
Execute_priv, Repl_slave_priv, Repl_client_priv
) ON mysql.user TO 'pma'@'localhost';
GRANT SELECT ON mysql.db TO 'pma'@'localhost';
GRANT SELECT ON mysql.host TO 'pma'@'localhost';
GRANT SELECT (Host, Db, User, Table_name, Table_priv, Column_priv)
ON mysql.tables_priv TO 'pma'@'localhost';
————

How to see MySQL server status by phpMyAdmin.

Fig.01 Status Monitor

   The topic “How to see MySQL log by phpMyAdmin” came up on TODOS・何でも情報交換 (Japanese). I checked this out and am going to write what I understood about it.
 
   If you use phpMyAdmin 4.0 (maybe) or later, you can check the status of MySQL servers with the phpMyAdmin Monitor. When you log in to your phpMyAdmin and go to Status > Monitor, you reach the graphs. If your server works normally, I think the graphs are enough for you. However, if you need more information, you can refer to the slow_query_log or the general_log there.

Fig.02 Disabled

   When you click “Instructions/Setup” on the Monitor page and get the following messages (also see Fig.02), you have to set xxx_log to ‘ON’ and log_output to ‘TABLE’.
   slow_query_log and general_log are disabled.
   log_output is not set to TABLE.
 
   If you have enough privileges as a MySQL user, you can set the values by yourself. If not, you have to ask your system administrator. In most cases only root users can set the values; if not, such server circumstances are very dangerous, I bet.
   If your server works, I think you don’t need the general_log of your server, only the slow_query_log. If you set them by yourself, you need to log in to your MySQL as root at any rate. If you can log in as root…
 
  To use the command line interface:
   SET GLOBAL slow_query_log = 'ON';
   SET GLOBAL log_output = 'TABLE';

  To use phpMyAdmin:
   1. Select Variables on the menu with no database selected.
    Input “slow query log” in the filter form and edit the value to ‘ON’.
    Save.
   2. Input “log output” in the filter form and edit the value to ‘TABLE’.
    Save.
 
   Log out as root.

Fig.03 Enabled


   Now you can use the “slow_query_log” from the Monitor of phpMyAdmin when you log in as root.
 
   By the way, when you restart mysqld, these settings are gone. If you want the settings to stay permanently, you should add the following lines to the [mysqld] section of my.ini/my.cnf.
   slow_query_log = ON
   log_output = TABLE
 
   As above, you can use the “slow_query_log” from the Monitor of phpMyAdmin as root. However, this is less convenient. Don’t you think you would like to use it safely from a WordPress MySQL account? I think so, too. I asked くりくりさん on TODOS・何でも情報交換 “What privileges should I give a normal user who can use this feature?” He told me “It’s OK only for the database”.
   The slow_log table exists in the mysql database. So I ran the following command.
 
   GRANT SELECT (lock_time, start_time, rows_examined, db, rows_sent, query_time, sql_text, user_host) ON mysql.slow_log TO 'WP-user'@'localhost';
 
   These are very limited privileges, so I think it’s acceptable.
 
   At this time, my WordPress MySQL account has the following privileges.
————
GRANT USAGE ON *.* TO 'WP-user'@'localhost' IDENTIFIED BY 'passphrase';
GRANT ALL PRIVILEGES ON WPdatabase.* TO 'WP-user'@'localhost';
GRANT SELECT (lock_time, start_time, rows_examined, db, rows_sent, query_time, sql_text, user_host) ON mysql.slow_log TO 'WP-user'@'localhost';
————

Updating to PHP5.5.14.

   They released PHP5.5.14 on Jun-25 23:06:26UTC. So, I updated my PHP from 5.5.13 to 5.5.14 on my Web server (Windows7HP+SP1(x86)).

   According to the ChangeLog, this includes eight CVE fixes, oh my gosh! They are also concerned about bug 67072. If you have issues related to this and need more information, you should visit their upgrading guide.

   The php.ini-production has no change. As the official PHP binary includes php5apache2_4.dll, I extract the zip archive and replace all PHP5.5.13 files with the PHP5.5.14 files, except my php.ini. Then, I restart my Apache. That’s it.

   If you need to know how to configure PHP5.5, please see the post. It is for mbstring users, but the information may be of some help to you.

   I used this opportunity to update to phpMyAdmin 4.2.5 and MariaDB 10.0.12. If you need more information about their configuration, please see “phpMyAdmin 4.2.0 is released” and “MariaDB 5.5”.