Month: December 2018

2018 A Year of Victories!


Happy holidays & Happy New Year, readers! We are thrilled to announce that 2018 has been an unprecedented year for Open Library and a great time to be a book-lover. Without skipping a beat, we can honestly say we owe our progress to you, our dedicated community of volunteer developers, designers, and librarians. We hope you’ll join us in celebrating as we recap our 2018 achievements:

Highlighted Victories

New Features

Teamwork Makes the Dream Work

In 2018, 45 members of our community helped fix over 300 issues, contributing over 100,000 lines of code improvements to Open Library and eliminating 95,000 lines of old code.

October was an especially monumental month for our community. Thanks to the organizational efforts of Salman Shah and Tabish Shaikh, Open Library participated in the Hacktoberfest challenge, attracting attention and interest from all around the globe. During this period, 22 members of our community submitted 125 bug fixes and improvements.

The Faces of Open Library

Of the many deserving, we’re proud to feature Charles Horn for his contributions to Open Library. Charles dedicated three years to volunteering as a core developer on Open Library before enthusiastically joining Internet Archive as a full-time staff member this year. Charles has written bots responsible for correcting catalog data for millions of books and tens of thousands of authors. Not only has Charles been a foundational member of the community, running stand-ups and performing code reviews, he has also designed the technology that allows us to fight spam and the plumbing that allows millions of new book records to flow into our catalog.

Drini Cami sprang into action during a time when Open Library’s future was most uncertain, and he has made an enormous impact. Drini has written mission-critical code to improve our search systems, written code to merge catalog records, fixed thousands of records, worked on linking Open Library records to Wikidata, repaired our Docker build on countless occasions, and been a critical adviser in making sure we make the right decisions for our users. We can’t speak highly enough about Drini and our gratitude for the positive energy he’s brought to Open Library.


Jon Robson has nearly single-handedly brought order to Open Library’s once sprawling front-end. In just a handful of weeks, Jon has re-organized over 20,000 lines of code and eliminated 1,000 unneeded lines in the process! He is the author and maintainer of Open Library’s Design Pattern Library — the one-stop resource for understanding Open Library’s front-end components. Jon brings with him a wealth of experience in nurturing communities and designing front-end systems that he has earned while leading mobile design efforts at Wikipedia. We all feel extremely lucky and grateful Jon is in on team Open Access! 


Tabish Shaikh is one of Open Library’s most dedicated contributors, attending community calls at 12am. He’s brought an infectious enthusiasm and passion to the project and has made major contributions, including leading a redesign of our website footer, designing a mobile login experience, making numerous front-end fixes with Jon, and helping coordinate Hacktoberfest.

Salman Shah was Open Library’s 2018 resident Google Summer of Code student and community evangelist. In addition to importing thousands of new book records into Open Library, he has been a driving force in organizing Hacktoberfest and improving our documentation. He’s a key reason so many volunteers have flocked to Open Library to help make a lasting difference.



“On the internet nobody knows you’re a dog”. For several years, LeadSongDog has anonymously championed better experiences for our users, opening more than 40 issues and participating in discussion for twice that number. Few people have consistently poured their energy into improving Open Library — we’re so grateful and lucky for LeadSongDog’s librarian expertise and conviction.



Lisa Seaberg (@seabelis) is not only an amazingly prolific Open Librarian, but also one of our trusted designers for the website. Lisa has fixed hundreds of Open Library book records, redesigned our logo, and actively participates in design conversations within our GitHub issues.




Tom Morris is one of Open Library’s longest-standing contributors. He serves as a champion for high-quality metadata, linked data standards, and better search for our readers. Tom has been instrumental during our Community Calls, advising us so that we make the right decisions for our patrons.




Christian Clauss is leading the initiative to migrate Open Library to Python 3 by the end of 2019. He’s already made incredible progress towards this goal. Because of his work, Open Library will be more secure, faster, and easier to develop.



Gerard Meijssen, one of our liaisons from the Wikidata community, has coordinated efforts that have helped Open Library merge over 90,000 duplicate authors in our catalog. He has also been a champion for internationalization (i18n).




James Ford paved the way for further design progress on Open Library by consolidating the tens of colors in our palette to a manageable handful and converting them to Less CSS.





You can thank Maura Church for adding average star ratings and reading log summary statistics to all of our books.





Galen Mancino collaborated with the Open Library team on the Book Widget feature which you can read more about here! In addition to his love for books, Galen is passionate about sustainable and local economic growth, revitalization, and how technology can bring us there.



Oh hi! I feel extremely privileged to serve as a Citizen of the World for the Internet Archive’s Open Library community. In 2018, I contributed thousands of high-fives and hundreds of code reviews to support our amazing community. I’m proud to work with such a capable and passionate group of champions of open access. I’m hopeful that, together, we can create a universal library, run by and for the people.

… And over 40 others, including Num170r, html5cat, thefifthisa, linkel, GLBW, Alexis Rossi, Jessamyn West, et al., who have worked no less tirelessly to make Open Library an inclusive, safe, useful place where readers can thrive!

Thank you and here’s to a wonderful 2019!

How to Create a WHM Reseller Without an Associated Domain?


In WHM you can create additional administrative user accounts that do not correspond to a cPanel account. This lets your employees perform tasks such as reviewing bandwidth reports, resetting passwords, configuring mailboxes, suspending and unsuspending accounts, and managing DNS entries, without owning a hosted domain.

Create a WHM Reseller Account Without an Associated Domain

In the following steps, username represents the desired account’s username.


  1. Log in to the server via SSH as the root user.
  2. Run the following command to create a new system user:

                   adduser username

  3. Run the following command to set a password for the new user:

                   passwd username

  4. Run the following command to set the permissions on the new user’s home directory:

                   chmod -v 711 /home/username

  5. The /var/cpanel/resellers file defines which users have reseller status and which privileges they hold. Run the following command to create an entry in that file that grants the user full reseller privileges and lists the user in the WHM interface:

                   echo "username:all" >> /var/cpanel/resellers

     Note that all grants every reseller privilege. Step 12 below is where you trim the list to what the employee actually needs, so do not skip it.

  6. Run the following command to create a user file in the /var/cpanel/users directory from the system template:

                   cp /var/cpanel/users/system /var/cpanel/users/username

  7. Open the /var/cpanel/users/username file with a text editor and remove the following line:

  8. Log in to WHM as the root user.
  9. Navigate to WHM’s Edit Reseller Nameservers and Privileges interface (WHM >> Home >> Resellers >> Edit Reseller Nameservers and Privileges).
  10. Select the username from the menu.
  11. Click Submit.
  12. Select the checkboxes for the privileges that the user should have and leave the rest deselected.
  13. Click Save.
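The resellers-file step above is the one that hands out privileges, so it is worth guarding. The following is an added example in shell, not cPanel’s own tooling: it validates the username, refuses to append a second entry for a user who is already listed, and lets you record a narrower privilege list than "all". It assumes the file format is one "username:acl,acl,..." line per reseller (the "all" form is the one shown above) and uses a conservative username policy of its own; the ACL names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not cPanel code: guarded version of
#   echo "username:all" >> /var/cpanel/resellers

# add_reseller_entry USERNAME [ACLS] [FILE]
#   ACLS defaults to "all" (full privileges, as in the manual steps);
#   pass a comma-separated list to record fewer privileges (assumed format).
#   FILE defaults to /var/cpanel/resellers; override it to work on a copy.
add_reseller_entry() {
  user=$1
  acls=${2:-all}
  file=${3:-/var/cpanel/resellers}

  # Conservative username policy (an assumption, stricter than adduser):
  # lowercase letters, digits and underscore, not starting with a digit.
  # A colon, space or newline here would corrupt the colon-separated file.
  case "$user" in
    ''|*[!a-z0-9_]*|[0-9]*)
      echo "add_reseller_entry: invalid username '$user'" >&2
      return 2 ;;
  esac

  # WHM reads the file line by line; two entries for one user is ambiguous,
  # so refuse rather than append a second one.
  if [ -f "$file" ] && grep -q "^$user:" "$file"; then
    echo "add_reseller_entry: $user is already a reseller" >&2
    return 1
  fi

  printf '%s:%s\n' "$user" "$acls" >> "$file"
}

# reseller_acls USERNAME [FILE]: print the privilege list recorded for a user.
reseller_acls() {
  awk -F: -v u="$1" '$1 == u { print $2; exit }' "${2:-/var/cpanel/resellers}"
}

# Example: add_reseller_entry alice            (grants "all", as in step 5)
#          add_reseller_entry bob acl-one,acl-two   (placeholder ACL names)
```

Run it against a copy of the file first (third argument) and diff the result before touching /var/cpanel/resellers on a production server.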


That is all it takes to create a WHM reseller that has no associated domain.

The post How to Create a WHM Reseller Without an Associated Domain? appeared first on BuycPanel.

How can we Configure ‘Common Mail Providers’ in Greylisting Interface?


Navigate to WHM >> Home >> Email >> Greylisting to configure this feature. This description covers Greylisting in cPanel & WHM version 64.

This interface lets you configure Greylisting, which protects your server against unwanted email (spam). The mail server temporarily rejects any email from a sender that it does not recognize. A legitimate originating mail server retries delivery after a delay, and the server accepts the message on that later attempt; most spam-sending software never retries.

Greylisting identifies incoming email by triplets, each a collection of three pieces of data: the sending server’s IP address, the sender’s address, and the recipient’s address. By delaying unknown triplets, Greylisting filters spam while giving legitimate email a second chance to pass through.

You can access the Configuration Settings, Trusted Hosts, and Reports sections of the interface, but first you must switch the Greylisting feature on.

Enable Greylisting

This interface displays only an On/ Off toggle if Greylisting is disabled on the server. One can click on the toggle to change it to On and enable Greylisting.

Common Mail Providers

This tab specifies common mail providers where greylisting will not delay mail.

Trust Incoming Mail From Common Mail Providers

Legitimate mail often arrives from well-known mail service providers. To ensure that Greylisting does not delay this mail, you can trust these providers with a few clicks rather than entering their IP addresses in the Trusted Hosts list.

Some mail services, such as Google Apps™, allow customers who own their own domains to relay email through the service’s mail servers. If you trust the mail provider, Greylisting will not delay this mail, even when those customers’ domains have not correctly configured the SPF records for their mail service.

Select Automatically trust newly added mail providers to trust any mail provider that cPanel later adds to this list.


  1. Select the Common Mail Providers tab.
  2. Select the Trust checkbox for each mail provider that you want to trust.
  3. Select the Auto Update checkbox to automatically trust any new IP addresses assigned to that mail provider.
  4. Click Save to apply the changes.


To select or deselect Trust and Auto Update for all of the mail providers at once, click the gear icon at the top right of the list.

cPanel maintains the list of common mail providers based on current mail server statistics. See the Common Mail Service IP Addresses list for the IP addresses associated with each provider.
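The triplet logic described earlier and the trusted-provider bypass from this tab, written out as an added example in shell; this is not cPanel’s implementation. It assumes a 300-second delay, a tab-separated flat file as the triplet store, and a trusted-hosts file with one IP address per line; the function names and the addresses in the usage comment are invented for the example.

```shell
#!/bin/sh
# Added example, not cPanel code: greylisting decision on the
# (client IP, sender, recipient) triplet, with a trusted-host bypass.

GREYLIST_DELAY=${GREYLIST_DELAY:-300}   # seconds an unknown triplet is deferred (assumption)

# greylist_decide STORE TRUSTED_HOSTS CLIENT_IP SENDER RECIPIENT NOW
#   Prints ACCEPT or DEFER. A DEFER corresponds to the temporary (4xx)
#   rejection a real mail server sends, so a legitimate sender retries later.
greylist_decide() {
  store=$1
  trusted=$2
  ip=$3
  sender=$4
  rcpt=$5
  now=$6

  # Trusted hosts (the common mail providers) skip greylisting entirely,
  # which is why a wrong or missing SPF record on a provider's customer
  # domain does not delay that mail.
  if [ -f "$trusted" ] && grep -qxF "$ip" "$trusted"; then
    echo ACCEPT
    return 0
  fi

  : >> "$store"                         # make sure the store exists
  key="$ip|$sender|$rcpt"
  first=$(awk -F'\t' -v k="$key" '$1 == k { print $2; exit }' "$store")

  if [ -z "$first" ]; then
    # First sight of this triplet: record the time and reject temporarily.
    printf '%s\t%s\n' "$key" "$now" >> "$store"
    echo DEFER
    return 0
  fi

  # Seen before: accept only once a retry arrives after the delay.
  if [ $((now - first)) -ge "$GREYLIST_DELAY" ]; then
    echo ACCEPT
  else
    echo DEFER
  fi
}

# Example (constructed addresses):
#   greylist_decide /tmp/triplets /tmp/trusted 203.0.113.5 a@example.com b@example.org "$(date +%s)"
```

Note that a retry that arrives before the delay has elapsed is deferred again rather than accepted; the triplet is only "known" once the first retry after the delay succeeds.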


Trusting common mail providers takes only the few interface steps described above.

The post How can we Configure ‘Common Mail Providers’ in Greylisting Interface? appeared first on BuycPanel.

What is the Configuration Cluster in WHM?


The Configuration Cluster interface lets you link a master server to one or more additional servers in a configuration cluster. You can then copy server configuration settings from WHM’s Update Preferences interface (WHM >> Home >> Server Configuration >> Update Preferences) to the cluster’s servers by selecting the Send my settings to all configuration cluster servers checkbox in that interface. cPanel deprecated WHM’s Remote Access Key feature in cPanel & WHM version 64; use API tokens instead.

Configuration Cluster

Before you set up a configuration cluster in the Configuration Cluster interface, log in as a root-level user on the server that you want to use as the master server. You must also be logged in to the master server as a root-level user to make any configuration changes that you want copied to the cluster’s servers.

The Configuration Cluster interface displays a list of all of the servers that are linked to the currently-authenticated server.


  • Server: The server’s IP address or the name assigned to the server.
  • User: The username of the server’s root-level account. This value defaults to root.
  • Remote Access Key: The signature version of the server’s remote access key or API token.

Add a Server


  1. Click Create at the top right or bottom right corner of the interface.
  2. Enter the server name in the Server text box.
  3. In the User text box, enter the server’s root-level account username. This value defaults to root.
  4. In the Remote Access Key text box, paste the server’s remote access key or API token. Generate one in either of the following ways:
     • Generate a remote access key in WHM’s Remote Access Key interface (WHM >> Home >> Cluster >> Remote Access Key). This feature is deprecated.
     • Generate an API token in WHM’s Manage API Tokens interface (WHM >> Home >> Development >> Manage API Tokens).
     Either value is a root-level credential for the linked server that the master stores in order to authenticate to it, so protect the master server at least as carefully as the servers it manages, and revoke the token when a server leaves the cluster.
  5. Click Save. The server then appears in the configuration cluster servers table.


Edit a Server’s Remote Access Key or API Token


  1. Click the arrow icon for the server whose remote access key or API token you want to modify.
  2. Make any desired changes in the User text box.
  3. Make any desired changes in the Remote Access Key text box. This field displays either the current access key signature or the API token; to change it, you must enter the entire remote access key or API token.
  4. Click Save.

Delete a Server


  1. Firstly click on the trash icon corresponding to the server that needs to be deleted.
  2. Thereafter a confirmation window will appear. Then click on Continue.


Those are the ways in which you add, edit, and remove servers in a configuration cluster.

The post What is the Configuration Cluster in WHM? appeared first on BuycPanel.

What is the Metrics Editor in cPanel?


Navigate to cPanel >> Home >> Metrics >> Metrics Editor to use this feature. It lets you select which metrics programs process your log files and provide traffic analysis for your account’s domains.

Select Programs

One’s hosting provider has the task to control the selection of a statistics program in WHM’s Statistics Software Configuration interface (WHM >> Home >> Server Configuration >> Statistics Software Configuration). If it fails to allow the selection of a statistics program, the interface will display a lock icon.

Selection of Metrics


  • One needs to select the checkbox for each metrics program that one wishes to use for each domain on one’s account. It can be selected from the following programs:
    • Webalizer
    • Analog Stats
    • AWStats
  • Then click on Save.

Small Introductions to Webalizer, Analog Stats and AWStats

  • Webalizer: Navigate to cPanel >> Home >> Metrics >> Webalizer to use this feature. The Webalizer interface displays traffic statistics from the Webalizer statistics program. To learn more about Webalizer, visit the Webalizer website; read Webalizer’s Configuration Files documentation to see all of its configuration options.
  • Analog Stats: Navigate to cPanel >> Home >> Metrics >> Analog Stats to use this feature. The Analog Stats interface gives access to data from the Analog traffic statistics software. Analog compiles traffic statistics for your domain and organizes the data by month to make it easier to manage and interpret; it also presents each month’s data in graphs with additional categories.
  • AWStats: Navigate to cPanel >> Home >> Metrics >> Awstats to use this feature. The Awstats interface displays traffic statistics from the Advanced Web Statistics (AWStats) software, which compiles information about how users access your website.


That is how you select metrics programs in the Metrics Editor.

The post What is the Metrics Editor in cPanel? appeared first on BuycPanel.

What is the ‘Reserved IP Address Editor’?


One’s system configures Apache by default to respond to any request on any IP address that one can add to the server. The Reserved IP Address Editor  interface allows one to configure Apache to ignore HTTP requests on certain IP addresses and also, the system will not assign those IP addresses to new accounts.

Note that to reserve an IP address, the address must already exist on the server. You can add IP addresses with WHM’s Add a New IP Address interface (WHM >> Home >> IP Functions >> Add a New IP Address).

Add an IP Address

  • Select the Reserved checkbox for each IP address that you wish to reserve.
  • Click Save.

Apache will no longer use the IP addresses that you selected.

Restart Apache

  • One can click on Rebuild Configuration and Restart Apache in order to rebuild and restart Apache instantly.
  • One can use WHM’s HTTP Server (Apache) interface (WHM >> Home >> Restart Services >> HTTP Server (Apache)) in order to rebuild and restart Apache a bit later.


That is how you reserve IP addresses so that Apache ignores requests on them.

The post What is the ‘Reserved IP Address Editor’? appeared first on BuycPanel.

How To Stop XML-RPC attack on WordPress site


WordPress is the world’s most widely used content management system. Its popularity comes from its ease of use and its free, open-source nature. Recent studies say that WordPress powers 26% of the web, a huge number when you consider how many sites are live today. So let’s get started on how to stop XML-RPC attacks on a WordPress site.

With such popularity comes one big problem: hacks. WordPress is a prime target for attackers, and large numbers of WordPress sites are compromised every day.

This post explains how to identify and stop one specific type of attack on WordPress sites, the XML-RPC attack, and along the way what XML-RPC is.

Brute Force Attacks

One of the oldest and most common forms of attack is the brute force attack. Brute force attacks can be carried out over protocols such as SSH and FTP. They are usually easy to stop, yet they remain popular. Their popularity can be attributed to the abundance of weak passwords and to poor access control habits, which also means that brute force attacks, though easy to stop, are still successful.

In a brute force attack, an attacker who wants to try different passwords must make a separate login attempt for each one. The more passwords they want to try, the more login attempts they need, and each attempt is logged on the server as a request. This makes such an attack fairly easy to prevent: every attempt is logged, and the source can be blocked once the number of requests reaches a set limit. The XML-RPC attack is a form of brute force attack in which the attacker uses the XML-RPC interface to perform the brute forcing.

What is XML-RPC and Why is it used:

XML-RPC in WordPress standardizes communication between different systems. It is a specification that uses HTTP as its transport mechanism and XML as its encoding mechanism. HTTP is the underlying protocol of the World Wide Web; it defines how messages are formatted and transmitted and how web servers and browsers respond to various commands. XML (Extensible Markup Language) is a markup language similar to HTML that is commonly used for data transfer; it provides a set of encoding rules that yield a platform-independent intermediate format. The XML-RPC specification therefore allows a wide range of data to be transmitted.

XML-RPC has been part of WordPress from the start; WordPress itself was forked from an earlier blogging package named b2/cafelog. The XML-RPC logic lives in a file named xmlrpc.php. Initially XML-RPC was off by default and had to be enabled manually in Settings, but since WordPress version 3.5 it has been enabled by default.

It is used to communicate with other systems. WordPress may need to talk to other systems (other blogging platforms, for example), and that is where XML-RPC comes into play. XML-RPC also plays an important role when posting from desktop clients or mobile apps.

The XML-RPC specification allows a client to place a remote procedure call by sending an HTTP request to a server that implements XML-RPC, and to receive an HTTP response. A remote procedure call sent this way can carry more than one parameter.

Brute Force Amplification

The weakness of a plain brute force attack stems from its one-to-one relationship between requests and log entries. Brute force amplification turns this into a one-to-many relationship: a single request can carry multiple attempts, for example a request that tries hundreds of passwords at once.

Brute force amplification is harder to mitigate than a traditional brute force attack. Where a traditional attack produces a huge number of login attempts, an amplified attack lets the attacker reduce the number of requests to a very low number and still guess hundreds of passwords with each one. This is why mitigating amplified brute force attacks is much harder than mitigating normal ones.

What is XML-RPC attack?

An XML-RPC attack is a form of brute force amplification. Using the XML-RPC functionality, an attacker can send numerous brute force attempts against a WordPress installation in a very short time. The attacker uses the xmlrpc.php script to try to log in with different username/password combinations; hundreds of combinations can be tested with as few as three or four HTTP requests. Because the XML-RPC specification lets the attacker try a large number of passwords with comparatively few requests, each request generates a high load on the database, and that load can take the site down with errors such as “Error establishing database connection”.

How to recognize a XML-RPC attack:

  • The WordPress site shows “Error establishing database connection”, caused by the high database load from the large number of login attempts.
  • Resource usage for the domain is high.
  • The web console displays an “Out of memory” error.
  • The web server error log shows “Cannot open the file no such file/directory” errors.
  • The web server access log for the domain fills up with “POST /xmlrpc.php HTTP/1.0” requests.

How to search for xml-rpc attacks on different Linux/Web server combinations?

For a CentOS machine running Apache web server use the command:

grep xmlrpc /var/log/httpd/access.log

For an Ubuntu machine running Apache web server use the command:

grep xmlrpc /var/log/apache2/access.log

For a server running Nginx:

grep xmlrpc /var/log/nginx/access.log

For a server that is running cPanel:

grep -r xmlrpc /usr/local/apache/domlogs/

(cPanel keeps the per-domain Apache access logs under /usr/local/apache/domlogs/; each account’s /home/username/access-logs directory is a symlink into it.)

In case of a XML-RPC attack on the WordPress installation the above commands will show the following:

"POST /xmlrpc.php HTTP/1.0" 200 674 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"

On most servers these commands return results even when no attack is under way, because there is legitimate XML-RPC traffic. What distinguishes an attack is the timing: if the entries are only seconds or milliseconds apart, and come from the same client, it is usually a brute force attack.
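The timing test just described, written out as an added example that is not code from the original post: the awk program counts POST /xmlrpc.php hits per client IP per minute in a combined-format access log and prints every bucket that reaches a threshold, which separates a burst from the occasional legitimate call. The log lines, IP addresses, 10-per-minute threshold and function names are constructed for the example; tune the threshold to your own baseline.

```shell
#!/bin/sh
# Added example, not from the original post: flag XML-RPC brute-force bursts
# in an Apache/Nginx combined-format access log.

# xmlrpc_bursts LOGFILE [THRESHOLD]
#   Prints "ip dd/Mon/yyyy:HH:MM count" for every client/minute bucket with
#   at least THRESHOLD (default 10, an assumption) POST /xmlrpc.php requests,
#   busiest bucket first.
xmlrpc_bursts() {
  awk -v limit="${2:-10}" '
    # Combined format: ip - user [dd/Mon/yyyy:HH:MM:SS zone] "METHOD path proto" status ...
    # Only POST requests to xmlrpc.php are counted; GETs and other paths are ignored.
    $6 == "\"POST" && $7 ~ /^\/xmlrpc\.php/ {
      minute = substr($4, 2, 17)        # drop "[" and the seconds: dd/Mon/yyyy:HH:MM
      hits[$1 " " minute]++
    }
    END {
      for (k in hits) if (hits[k] >= limit) print k, hits[k]
    }' "$1" | sort -k3,3nr
}

# write_sample_log FILE: constructed sample, not a real capture. One legitimate
# client (203.0.113.5) and one client (198.51.100.7) sending 12 XML-RPC POSTs
# inside a single minute, plus an unrelated GET that must not be counted.
write_sample_log() {
  {
    printf '%s\n' '203.0.113.5 - - [17/Dec/2018:10:14:59 +0000] "POST /xmlrpc.php HTTP/1.0" 200 674 "-" "WordPress/5.0; https://example.org"'
    i=0
    while [ "$i" -lt 12 ]; do
      printf '198.51.100.7 - - [17/Dec/2018:10:15:%02d +0000] "POST /xmlrpc.php HTTP/1.0" 200 674 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"\n' "$i"
      i=$((i + 1))
    done
    printf '%s\n' '198.51.100.7 - - [17/Dec/2018:10:15:13 +0000] "GET /wp-login.php HTTP/1.0" 200 2311 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"'
  } > "$1"
}

# Usage on a real server, e.g. xmlrpc_bursts /var/log/apache2/access.log 25
```

The IP in the first column of the output is the one to feed to the firewall step described below; the minute column tells you whether the burst is still in progress.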



How to prevent XML-RPC attacks?

XML-RPC attacks can be prevented or blocked using the following ways:

  • WordPress has many plugins that extend or fix issues relating to XML-RPC. Installing one of these plugins helps deal with attacks involving xmlrpc.php.
  • You can also block the IP address from which the XML-RPC attacks originate in the server firewall; the address is easily identified from the access logs. This is not an effective solution on its own, because XML-RPC attacks can still arrive from other IP addresses.
  • Blocking all requests to the xmlrpc.php script stops XML-RPC attacks entirely. Note that some plugins and features (mobile and desktop publishing clients, for instance) rely on xmlrpc.php, and blocking it will break them.

To block the requests the following methods can be used:

    • In Apache, add the following to the .htaccess file in the WordPress installation’s document root to stop the requests:

<Files xmlrpc.php>
    # Apache 2.2 syntax
    Order deny,allow
    Deny from all
    # On Apache 2.4 use this single line instead of the two above:
    # Require all denied
</Files>

    • Adding the following to the Apache or Nginx configuration file also blocks the requests:

a) In the Apache virtual host configuration, add:

<VirtualHost *:80>
    # ... existing ServerName / DocumentRoot directives ...
    <Files xmlrpc.php>
        Order deny,allow
        Deny from all
        # Apache 2.4: Require all denied
    </Files>
</VirtualHost>

b) In the Nginx server block, add:

server {
    # ... existing listen / server_name / root directives ...
    location = /xmlrpc.php {
        deny all;
    }
}

After reloading the web server, a POST to /xmlrpc.php should return 403 Forbidden; if it still returns 200, the rule is not being applied (for Apache .htaccess, check that AllowOverride permits it).

That’s it, I hope this article is informative for you, thanks.


The post How To Stop XML-RPC attack on WordPress site appeared first on Sysally.

What are the Daily Process Logs?


This feature is for cPanel and WHM version 68. One can navigate to (WHM >> Home >> Server Status >> Daily Process Log) to work on this feature.

It displays information about one’s server’s consumption of memory and processing power. The processes running on one’s server depend on the following factors:

  • One’s WHM configuration.
  • One’s installed daemons and applications.
  • Users’ installed daemons and applications.

Select The Day

This interface displays yesterday’s, today’s, and tomorrow’s dates. In order to view information for a date, one can click on the appropriate link.

Usage By User

This table will display the usage for each user on the server.


  • User: Has the name of the user.
  • Domain: Contains the primary domain for the user.
  • %CPU: Contains the average daily percentage of the CPU’s processing power consumed by the user.
  • %MEM: Contains the average daily percentage of RAM consumed by the user.
  • MySQL Processes: Contains the average number of MySQL® processes for the user.

Top Processes

This table displays information about how much the CPU was consumed by the individual processes on that day.


  • User: Contains the name of the user who runs the process.

Example: If you log in to the server as the root user, this column displays root for any process that you start.

  • Domain: Contains the user’s primary domain.

This column displays a domain only for users that are cPanel accounts. When the user is a daemon or a system user, the column is empty.

  • %CPU: Contains the highest percentage of the CPU that this process used at any point during the day.

Example: This column displays 19% CPU for a process that ran for three seconds and used the following amounts of processing power:

    • 1% CPU in the first second.
    • 19% CPU in the second second.
    • 3% CPU in the third second.

  • Process: Contains the process exactly as it appears in the process list.


The Daily Process Log shows which users and processes consumed your server’s processing power and memory on a given day.

The post What are the Daily Process Logs? appeared first on BuycPanel.

Wormable Stored XSS on

Introduction

Finding a critical vulnerability in a single popular WordPress plugin and exploiting it in the wild could allow attackers to easily hijack thousands to millions of websites. A recent example is the popular plugin WP GDPR Compliance. One plugin thus represents a single point of failure for all of the websites that use it. However, in terms of risk to the WordPress ecosystem, there is something even more far-reaching than the security of popular plugins: the security of WordPress itself.

CVE-2018-18629: Keybase Linux privilege escalation

Recently I started using Keybase, a Slack-like application that provides end-to-end encryption. Version is vulnerable to a privilege escalation vulnerability that allows a low-privileged user to execute arbitrary commands as root.

After running the application from a low-privileged account I noticed a process named keybase-redirector running as root. I was curious and wanted to understand how this worked. After checking the file permissions I found that keybase-redirector was setuid root. I enjoy the challenge of finding vulnerabilities in privileged binaries, so I started my research.

One of the first techniques I use when attacking setuid binaries is to test for PATH injection. The PATH environment variable is a colon-separated list of directories that is searched when a command is executed by name. As a test I set PATH to a unique value while executing keybase-redirector. Using the env command inline ensures that PATH is only changed for that execution and the shell’s own PATH is left unmodified.

[user1@localhost ~]$ env PATH=/foobar /usr/bin/keybase-redirector /keybase
Mount error, exiting cleanly: fusermount: exec: "fusermount": executable file not found in $PATH

The descriptive error message immediately caught my attention. To confirm the potential vulnerability I ran the strace(1) utility. strace traces system calls and has a variety of options; the ones I commonly use are -f (follow forks), -s (maximum string size to print) and -u username (run the traced command as that user). strace generates verbose output, so this is where the unique PATH string becomes useful: we can quickly search the output for that string to find potential injection points. When tracing a setuid binary, strace must be run as root, because a traced process does not get its setuid privileges otherwise. In some cases the error message may not provide any clues, so regardless of the output I always run strace to verify. As you can see in the output below, the newfstatat() call checks whether /foobar/fusermount exists.

[root@localhost ~]# env PATH=/foobar /usr/bin/strace -u user1 -f /usr/bin/keybase-redirector /keybase 2>&1 | grep foobar
[pid 4890] newfstatat(AT_FDCWD, "/foobar/fusermount", 0xc420070858, 0) = -1 ENOENT (No such file or directory)

Now that it appears the program trusts the value of PATH we can try to exploit it. I crafted a fusermount binary to create the /w00t file. View the original PoC in the Hackerone report 426944. Since then I created a new PoC to get an interactive root shell. Updated PoC can be found at my Github repo

PoC screenshot for CentOS 7.4.1708.


Setuid programs should reset the PATH environment variable prior to executing any external binaries. Fully qualified paths can also be used. The response from Keybase was amazing and I really enjoyed the partnership. @maxtaco committed the fix to the master branch within one hour of receiving the report! I appreciate their transparency and technical write-up in the advisory.
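The two patterns in that last paragraph, the PATH-trusting one and the hardened one, as an added example in shell that is not Keybase’s code: a stand-in program resolves "fusermount" (the helper name from the post) through PATH, a planted fake records that it ran, and the hardened variant resets PATH and uses an absolute path so the plant is never executed. Everything other than the helper name (the function names, the marker file, the KB_MARKER variable) is invented for the example, and no setuid bit is involved, so it only shows the lookup behaviour, not the privilege boundary.

```shell
#!/bin/sh
# Added example, not Keybase code: PATH injection against a stand-in for the
# helper lookup, and the fix the post recommends.

# Vulnerable pattern: the helper is resolved through whatever PATH the caller
# supplied, so a directory the user controls can shadow the real binary.
vulnerable_mount() {
  fusermount -u "$1"
}

# Hardened pattern: reset PATH to a fixed, trusted value and invoke the helper
# by absolute path before running anything external. (Called in a subshell
# below so the PATH reset does not leak into the caller.)
hardened_mount() {
  PATH=/usr/bin:/bin
  export PATH
  /usr/bin/fusermount -u "$1"
}

# plant_fake_fusermount DIR: drop a fake "fusermount" into DIR that only
# records that it was executed by creating the file named in $KB_MARKER
# (stands in for the /w00t file from the original PoC).
plant_fake_fusermount() {
  cat > "$1/fusermount" <<'EOF'
#!/bin/sh
: > "$KB_MARKER"
EOF
  chmod 755 "$1/fusermount"
}

# hijacked FUNC: run FUNC with an attacker-controlled directory first in PATH.
# Returns 0 if the planted helper ran (PATH injection worked), 1 otherwise.
hijacked() {
  work=$(mktemp -d)
  plant_fake_fusermount "$work"
  (
    KB_MARKER="$work/w00t"; export KB_MARKER
    PATH="$work:$PATH"; export PATH
    "$1" /keybase
  ) >/dev/null 2>&1 || true
  if [ -e "$work/w00t" ]; then
    rm -rf "$work"
    return 0
  fi
  rm -rf "$work"
  return 1
}

# Example: hijacked vulnerable_mount && echo "vulnerable pattern: helper hijacked"
#          hijacked hardened_mount   || echo "hardened pattern: plant never ran"
```

Against a real setuid binary the same check is the env PATH=... trick shown earlier; the difference here is only that the planted helper runs with your own privileges rather than root’s.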