Okay, my knowledge of that stuff is limited, but even I was like: web based, PHP for setting up RAID, WAIT WUT??? The login screen was enough to make me LOL.
To me it sounds like someone wanted to make a GUI for remote access… Why else would you go web based?
What’s the best thing to write in for something like that? C++? I am just curious.
While I didn’t understand everything fully and sure as heck couldn’t sit down and do what you did, I liked the video. I get the main purpose of it. I enjoy watching your content, but it is unfortunate that when I come back to the forums certain people have to set things on fire.
I cringe at pfSense having a PHP based UI that most people leave accessible from the internal network and never use the logout option on, but for a Windows airquotes driver /airquotes, they could’ve built an Electron app to manage stuff just as easily.
Lol at @wendell grepping in the CMD prompt. You could install bash for Windows, but then you’d have an open SSH port all the time, damn!
Interesting video. Good set of techniques that shouldn’t be beyond anyone to check out what is happening on their computer. Is it fair to say NVMe RAID on Threadripper is still in beta and they haven’t put the full QA into the drivers?
I usually get a bit suspect when programs install a webserver, operate via a webpage, and then act like it is normal… There is a time and place for this sort of thing. In a jail.
@wendell how long since you’ve let your AMD peeps know?
Otherwise I must concede that you’ve possibly goofed it a bit. But not in a bad way.
In all honesty it’s not as serious of an issue as some might think, since Threadripper NVMe isn’t all that widespread. I would expect that most people setting it up would be tech savvy enough to notice the Apache + XAMPP listening on 0.0.0.0.
The XAMPP version 1.8.0 is also REALLY REALLY old. It’s like they shipped it with whatever random version a Johnny developer had left in his downloads folder.
@wendell Good video, I like the short format dealing with one problem at a time. This format of info sharing could keep less tech-savvy people, like me, out of trouble when attempting something new. (Never done any serious RAID stuff.)
As far as AMD goes, maybe they assumed that people on Threadripper doing a RAID array would know that they needed to kill the XAMPP and PHP processes afterwards.
Emailed board partners about it over 45 days ago. “We will pass it along”. Emailed @amd contacts twice, no reply, oldest of which more than a month ago…
ASRock provided the drivers early and I sent a warning then, which was well before even the September 25 original planned release. Hoping the public release would address the issue, since the drivers were not in wide release. AMD did delay the drivers a week or so, but I think that was because the drivers clobber existing SATA arrays.
I would also point out this is an obvious configuration problem, not a problem with binaries, a buffer overflow, etc. The issues would be obvious even to script kiddies imho. I didn’t set out to do a security evaluation here… I just installed the drivers and noticed Apache running as system. So I don’t think a normal disclosure process would really apply, but I followed it anyway.
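One way to check your own box for the kind of thing the posts above describe (a web server bound to every interface and running as SYSTEM), as an added example that is not from the video, the thread, or the driver package: it lists every TCP listener on 0.0.0.0 or ::, joins each to its process, the account it runs under, and any Windows service hosting it, and flags process names that look like a bundled web stack. The `$suspectNames` list and the property names in the output object are my own choices; the cmdlets (`Get-NetTCPConnection`, `Get-CimInstance`, `Invoke-CimMethod`) are standard on Windows 8 / Server 2012 and later. Run it from an elevated prompt, since owner lookups on system processes fail otherwise.

```powershell
# Added example (not from the thread): enumerate processes listening on all interfaces
# and show who they run as, so an unexpected Apache/XAMPP instance stands out.
# Needs an elevated PowerShell on Windows 8 / Server 2012 or newer.

# Process-name prefixes that usually mean a bundled web stack. This list is an assumption; extend it.
$suspectNames = @('httpd', 'apache', 'nginx', 'php', 'php-cgi', 'mysqld', 'xampp')

# 0.0.0.0 (IPv4) and :: (IPv6) mean "bound to every interface", which is the risky case.
$listeners = Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -in @('0.0.0.0', '::') }

$report = foreach ($conn in $listeners) {
    $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $($conn.OwningProcess)"
    if (-not $proc) { continue }   # process exited between the two queries

    # Resolve the owning account; GetOwner fails on protected processes, so default to 'unknown'.
    $owner = 'unknown'
    try {
        $o = Invoke-CimMethod -InputObject $proc -MethodName GetOwner -ErrorAction Stop
        if ($o.ReturnValue -eq 0) { $owner = "$($o.Domain)\$($o.User)" }
    } catch { }

    # If a Windows service hosts this PID, record its name and logon account
    # (a service started as LocalSystem shows up as NT AUTHORITY\SYSTEM above).
    $svc = Get-CimInstance Win32_Service -Filter "ProcessId = $($conn.OwningProcess)"

    [pscustomobject]@{
        Port        = $conn.LocalPort
        Address     = $conn.LocalAddress
        PID         = $conn.OwningProcess
        Process     = $proc.Name
        RunsAs      = $owner
        Service     = if ($svc) { $svc.Name -join ',' } else { '' }
        ServiceUser = if ($svc) { $svc.StartName -join ',' } else { '' }
        Path        = $proc.ExecutablePath
        Suspect     = [bool]($suspectNames | Where-Object { $proc.Name -like "$_*" })
    }
}

# Flagged rows first; a Suspect=True row with RunsAs NT AUTHORITY\SYSTEM and Address 0.0.0.0
# is exactly the configuration the video describes.
$report | Sort-Object Suspect, Port -Descending | Format-Table -AutoSize
```

A listener on 0.0.0.0 is only reachable from the LAN if Windows Firewall lets the port through, so after finding a suspect row it is worth checking the inbound rules for that port (`Get-NetFirewallPortFilter` joined to `Get-NetFirewallRule`) before deciding how exposed the machine actually is. The `Path` column also tells you whether the binary lives under a vendor directory such as the one the driver package installs, which is the quickest way to tell a bundled XAMPP from one you installed yourself.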
This is very different. It is not meant to be a remote interface, for starters. Things like pfSense are running php as a legitimate website, not as a desktop tool. And things are configured properly. I haven’t looked at this specific php code, but as noted, at least it has a password on it. The apache misconfiguration is probably the more severe risk (and, depending on how the password was handled, may compromise that as well — the bits of php shown in the video were a bit cringy).
Another thing to think about is that XAMPP, while an awful and completely misguided tool, is popular with web devs (and especially so among beginners). The fact that it’s already (maybe unexpectedly) running means it might interfere with other usage — and what would happen if someone tried to install their own copy? Or upgrade / uninstall it? Maybe they thought of these problems (though ?? I wouldn’t be surprised), but it just underscores how unsuitable a solution this is for the problem.
This is good to hear. Probably should have stuck it in the video, at the beginning.