CMS Bulletin - April 2019

WordPress released 5.1.1

WordPress 5.1.1 is now available. It is a security and maintenance release: it introduces no new features but fixes security problems and improves the existing system.
It brings 14 fixes and improvements (listed here), including functions that ease the transition to the higher minimum PHP version required by WordPress 5.2 (expected in late April), and sanitization of the comments stored in the database in order to prevent Cross-Site Scripting attacks.

Joomla 3.9.4 is available
Joomla has released version 3.9.4 of the popular CMS.
Version 3.9.4 is a security release: it introduces no major new features but fixes a number of problems. Among the changes we note the remediation of 3 Cross-Site Scripting (XSS) vulnerabilities, new plugins for Terms of Use and Privacy Consent, more actions tracked in the User Action Logs, and subtitles for featured articles.
More details are available in this Joomla blog post.

Read more ...

Git clients: the fundamental tool to take advantage of versioning

In the last two issues of GURU advisor we covered the advantages and use cases of Git. An important aspect of getting the best out of this technology is the choice of client.

So we decided to test a selection of Git clients with a graphical interface by running the same typical sequence of operations on each of them, to simulate everyday use.

Selection and Procedure

There are plenty of Git clients; our selection covers eight of them. Such a wide assortment shows the attention the development world pays to this tool, ranging from major projects like GitKraken to simpler tools like TortoiseGit.
Apart from UnGit, which is Web-based, the remaining tools are available on both Windows and Mac, while Linux support is not offered by all of them.
The sequence of operations is pretty basic, yet it covers every fundamental operation that can be done with these tools, leaving aside the advanced capabilities that many of them also support. The first step is cloning a repository, followed by an overview of the dashboard, then creating a branch and committing to it.

[Image: comparison of the Git clients]

Read more ...

Using GitLab: first steps

Intro article -> An introduction to GitLab

GitLab’s home page has a toolbar at the top and an activity panel on the left (referring to the current repository) with access to branches. Clicking Commits shows the commit history, while the Branches section shows the state of the branches. The commit history identifies which user did what on which files (addition, modification, deletion).

GitLab: creating a repository

You must register at gitlab.com and create an account in order to use GitLab; you are then redirected to the main projects page, which can also be reached via the Projects item in the toolbar. The best way to start is to create a group, which defines users, permissions and repositories, and then hit Create a Project.
This is when you decide whether to start a project from scratch, from a template or by importing it. In the Visibility Level section you define who can access the project: private, internal (any user logged in to the GitLab instance, on gitlab.com that is any logged-in gitlab.com user) or public. The latter is the case where anybody can see and participate in the project, while Internal is the ideal choice when GitLab is installed on an on-premises platform.
The main management window has the commands to start working with a plain project.

Read more ...

An introduction to Ansible: discovering the essentials

Previous article: intro to Ansible

Our journey in the Ansible world continues: this time we look at the other fundamental features of its structure and use.

Play and playbook: what is the difference?

A playbook is a list of plays, and a play maps a group of hosts to a list of tasks. An example playbook is shown in the image below: the content of the YAML file that constitutes the playbook itself. This one contains a single play, the limit case where play and playbook coincide.

[Image: example Ansible playbook]

The play contains two tasks and defines the target hosts (hosts: web), privilege escalation (become: yes, which runs the tasks as root, or another user, via sudo or an equivalent method) and the variables we want to set in the vars section.
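For reference, this is what a playbook with that shape looks like as text. It is an added example written for this page, not the file shown in the image: the group name web, the package and service names and the variable names are assumptions.

```yaml
# Added example: a playbook that contains a single play.
# The inventory group "web", the package name and the variables are assumed.
---
- name: Install and start a web server          # the play
  hosts: web                                    # inventory group the play targets
  become: yes                                   # escalate privileges (sudo by default) for every task
  vars:                                         # variables available to the tasks below
    pkg_name: nginx
    svc_name: nginx
  tasks:                                        # executed in order, on every host in the group
    - name: Install the web server package
      apt:
        name: "{{ pkg_name }}"
        state: present
    - name: Ensure the service is running and enabled at boot
      service:
        name: "{{ svc_name }}"
        state: started
        enabled: yes
```

Run it with `ansible-playbook -i inventory site.yml`, adding `--check` for a dry run first. Setting `become: yes` on the play escalates every task; when only some tasks need root, put `become: yes` on those tasks instead, so the rest run with the unprivileged SSH user.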

Read more ...

PRIVACY BY DESIGN IN THE NEW EUROPEAN REGULATION 2016/679.

Data protection by design is one of the fundamental criteria set out by the now well-known GDPR that the controller of a processing of personal data must comply with, both when determining the means of the processing and during the processing itself, in fulfilment of its duty of accountability. Technology too must be designed to operate in compliance with privacy by design and, therefore, with the fundamental rights of the natural persons whose data are processed.

So-called privacy by design, that is, data protection from the design stage, is one of the cornerstones of the GDPR. It refers to the approach to adopt when a processing of personal data is conceived, before it even starts, that is, to the technical and organisational measures to adopt in organising that processing of "personal data", which, incidentally, Art. 4(1) defines as "any information relating to an identified or identifiable natural person ('data subject')".

Read more ...

An introduction to Gitlab

Software development is not only about knowing programming languages, debugging techniques and code optimization; it also requires proper, coherent management of the different versions of the same code: versioning.

Be it the work of a single developer or of a team spread across different geographic areas, versioning is an essential aspect of software development, also because of the large codebases to manage. Several platforms were designed to face the challenge, with Git on top: Git is a versioning engine that can be driven from the CLI or a graphical interface, locally or via the Web.
Git also underlies many products and services, GitHub and BitBucket being the most used.

[Image: Git logo]

In this article we get acquainted with Git by using GitLab as a testing environment to discover its fundamental aspects: what Git is and how it works, what commits, repositories and branches are, and the main differences between the on-premises and Cloud versions.

Read more ...

Openmediavault: could it be a FreeNAS alternative?

At GURUadvisor we have often talked about FreeNAS as a strong, well-regarded open-source platform for building NAS systems (even on non-dedicated hardware). We now analyze an interesting alternative, open-source too, by discovering its key features and weaknesses.

Openmediavault, or OMV for brevity, is a Debian-based operating system optimized and customized for building Network Attached Storage solutions; its main fields of use are labs, homes and SMBs. Its main features include support for the main network services (SSH, FTP, SMB/CIFS, rsync and so forth), logical volume management, S.M.A.R.T. checks on disks, email notifications, link aggregation and plugins that further extend its capabilities.

Read more ...

An introduction to Ansible

Ansible is open-source software conceived to help sysadmins automate and centrally orchestrate configuration procedures on Unix-like systems. Its main characteristic is the combination of a rich feature set with an easy learning curve.

Ansible relies on two kinds of machines: managed nodes and control machines. As the name suggests, the latter are the computers that actually perform the orchestration, sending commands to the nodes over SSH (modules are pushed to the nodes and exchange their results as JSON), so no agent has to be installed on the nodes. A major strength of Ansible is that it is understandable without particular development skills (prior knowledge of a programming language's syntax and constructs is not required), combined with the sequential execution of its tasks.
Its main uses are application deployment, distributed configuration management and workflow orchestration.

Read more ...

CMS Bulletin - July 2018

WordPress 4.9.7 is now available

WordPress has released version 4.9.7.

Being a "security and maintenance release", it introduces no significant new features; rather, it fixes some critical issues and problems, among which:

  • Media: fixed a bug that allowed a user with certain permissions to delete files outside the media folder
  • Taxonomy: improved cache management for queries
  • Posts and post types: the post password cookie is now deleted on logout
  • Widgets: basic HTML tags are allowed in sidebar descriptions
  • Community Events dashboard: always show the nearest WordCamp
  • Privacy: the default privacy policy content no longer causes an error when the rewrite rules are deleted

Read more ...

Windows Server 2019: the future is here

Only a few issues ago we described the Technical Preview of Windows Server 2016, and here we are already talking about Microsoft’s next server operating system.

Windows Server 2019, expected in the second half of this year, keeps the solid basis of the previous release, the server OS with the fastest adoption in Microsoft’s history. It will be an LTSC (Long-Term Servicing Channel) edition, so this channel gets a new release every 2 to 3 years, unlike the Semi-Annual Channel (SAC) model typical of Windows 10.

Development focuses on four key points, derived from the analysis of future trends and from the requests Microsoft receives through its customer feedback channels: security, hybrid Cloud, application platforms and hyper-converged infrastructure.

Microsoft naturally worked hard on the first of these aspects, in order to offer a system that can face and resist an ever-growing number of threats. The security approach rests on three macro-areas: Protect, Detect and Respond. On the protection side, Linux VMs can now run as Shielded VMs (introduced in Windows Server 2016): the VM’s disks and state are encrypted and it can start only on hosts attested by the Host Guardian Service, which protects it against illicit and unwanted activity by a compromised host or a rogue fabric administrator. Add to that the introduction of Encrypted Networks, which lets sysadmins encrypt traffic on whole virtual network segments, protecting the communication between nodes without changes to the workloads.

Read more ...

An introduction to Docker pt.3: Storage and Networking

Previous article -> An introduction to Docker pt.2

The Docker introduction series continues with a new article dedicated to two fundamental elements of a container ecosystem: volumes and connectivity.
That is, how to let two containers communicate with each other and how to manage data in a given folder on the host.

Storage: volumes and bind-mounts

Files created within a container are stored on a writable layer belonging to that container, with some significant consequences:

  • data do not survive the removal of the container (they persist across a stop and start, but are lost with docker rm).
  • data are hard to get out of the container when another process needs them.
  • the aforementioned layer is strictly tied to the host where the container runs, and it cannot be moved between hosts.
  • this layer requires a storage driver (a union filesystem), which has an impact on performance.

Docker addresses these problems by letting containers read and write directly on the host filesystem through volumes and bind mounts. Keep in mind that a bind mount gives the container full access to the host path with the privileges the container runs with, so mount only what is needed and prefer read-only mounts where possible.

Read more ...

CMS Bulletin - April 2018

PrestaShop 1.7.3 is now available

PrestaShop announces the new 1.7.3 version, which includes improvements and new features.
Among the new features we find:

  • PrestaTrust, a function that authenticates the code of modules with PrestaTrust support and records the license information in a blockchain.
  • Right-to-left support: support for right-to-left (RTL) languages such as Arabic, Hebrew and Persian.
  • A new set of demo products.
  • UI kit for modules, core and back office, with support for Bootstrap 4 and jQuery 3.
  • Symfony: three more pages have been migrated to the popular PHP framework.
  • Other features and improvements, such as setting delivery times, alerts when a product’s stock runs low, bulk actions in stock management, Icelandic localization and a Japanese installation wizard.

PrestaShop 1.7.3 is available at this address.

Read more ...

Introduction to Docker - pt.2

Previous article -> Introduction to Docker - pt.1

Images and Containers

An image is an ordered collection of root filesystem changes and the corresponding execution parameters for use within a container runtime; it has no state and never changes.
A typical image has a limited size, doesn’t require any external dependency and includes all runtimes, libraries, environment variables, configuration files, scripts and everything else needed to run the application.

A container is the runtime instance of an image, that is, what the image becomes in memory when it is run. By default a container is isolated from the underlying host, but access to files and networks can be configured to allow communication with other containers or with the host.

[Image: docker image rm]

Conceptually, an image is the general idea and a container is the concrete realization of that idea. One of Docker’s strengths is the ability to create minimal, light and complete images that can be moved between hosts and platforms: as long as the host runs a compatible kernel and CPU architecture, the related container will always run, avoiding any problem related to the compatibility of packages, dependencies, libraries and so forth. Whatever the container needs is already included in the image, and the image is portable by construction.

Read more ...

FreeNAS 11.1: welcome new UI!

A few months ago we talked about the troubled release of the last two FreeNAS versions, which involved a new graphical interface, the premature retirement of Corral and finally the development of version 11.0 with the return of the classic UI.

But iXsystems was not discouraged and kept developing its NAS system, eventually releasing the all-new 11.1 version.

Not just a new appearance, but also new features

Let’s start with the aspect that draws most of the attention in a system otherwise quite traditional in terms of features: the new graphical interface.
Instead of the dark, edgy theme shown in a previous review, the developers chose a more comfortable theme based on light colours, with a tidier and neater layout. The overall design resembles that of the latest-generation Android systems: quite flat, with icons and volumes drawn with circular contours and vivid colours.

[Image: FreeNAS 11.1 dashboard]

The upper horizontal menu finally disappears, replaced by a side fly-out panel that contains the usual functions. The arrangement of the menu items has been revised and rearranged too, while staying consistent with the classic one we are used to. Another new feature of the UI is proper rendering on mobile devices, something the previous releases did not do well.

Read more ...

Project Honolulu: a web-based management control for Windows Server by Microsoft

Announced last 14th September with a TechNet blog post, Project Honolulu is a free, Web-based HTML5 platform for the centralized management of hosts and clusters, which lets you control, manage and troubleshoot Windows Server environments from a single console. Today it is available as a “technical preview”.

Typically, the administration of Windows Server environments relies on MMC (Microsoft Management Console) and other graphical tools, in addition to PowerShell, which provides a powerful and complete scripting system capable of a high level of automation.
Project Honolulu, comparable to VMware vCenter’s Web Client (albeit with some differences), is a centralized management solution for Windows Server hosts and clusters, conceived not as a replacement for System Center and the Operations Management Suite but as a complementary tool.

Project Honolulu is the natural evolution of Server Management Tools (SMT, the analogous tool retired a few months ago because, running on Azure, it required a constant Internet connection that cannot always be guaranteed) and represents its local, on-premises version. It is not a substitute for MMC.
At the last Ignite, Microsoft introduced the project with two demo sessions (one and the other) and covered the topic in a blog post.

[Image: Project Honolulu architecture]

Read more ...

Chocolatey, a package manager for Windows

Chocolatey is a package manager for Windows, similar to apt and yum on Linux, used to create, update, distribute and remove software packages in a centralized and automated manner.

It is built on two foundations: NuGet and Windows PowerShell. The former is itself a .NET package manager, the latter is the well-known shell integrated into Microsoft Windows. Installing a package runs its PowerShell install script with administrative privileges, so the trust you place in a package source matters. Available both as a command-line tool and with a GUI, Chocolatey is an open-source project with three licensing models: free, Pro and Business, plus the MSP and Architect plans for specific uses.

Read more ...

CMS Bulletin January 2018

CMS

Joomla 3.8.3 is now available
Joomla 3.8.3 is now available; this is a security release that doesn’t introduce any new feature, rather it fixes security issues and improves performance.
In particular, this release adds support for PHP 7.2 and for multiple download sources on update servers (download mirrors), updates TinyMCE to version 4.5.8 and improves multilingual support and search performance on large sites. A complete list of fixes is available at this address.
This version is available within the admin console or at this address.

Meanwhile, the Alpha 1 version of the upcoming Joomla 4.0 is available. The preview includes new Bootstrap 4 templates, removal of obsolete functions, a new installation wizard, integration of Joomla Framework packages and a renewed console application.

WordPress 4.9 is now available
WordPress 4.9, nicknamed “Tipton”, is now available. This version introduces several new features, including new Customizer capabilities, code improvements, new widgets and several features for developers, such as an improved Customizer JavaScript API, CodeMirror (a new code-editing library), an update of MediaElement.js to version 4.2.6 and better handling of plugin and translation files.
This version is available in the administration console or at this address.
Version 4.9.1 is available as well. This is a security release that doesn’t introduce any new feature, rather it fixes security issues. Fixes in this release include: the newbloguser key is now a properly generated hash rather than a predictable substring; escaping added to the language attributes used on HTML elements; attributes of enclosures correctly escaped in RSS and Atom feeds; and removal of the ability to upload JavaScript files for users who do not have the unfiltered_html capability.
Eleven additional bugs have been fixed, including issues relating to the caching of theme template files, a MediaElement JavaScript error that prevented users of certain languages from uploading media files, and the inability to edit theme and plugin files on Windows-based servers.

Further information about this version are available at this address.
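Two of the fixes on this page are of the same family: the 4.9.1 escaping of attributes on HTML elements above, and the sanitization of stored comments in 5.1.1 (April 2019 bulletin). The block below is an added example written for this page, not WordPress code, showing what such a sanitizer has to do with untrusted comment HTML: keep an allow-list of tags and attributes, discard script and style bodies, re-escape text and attribute values, restrict link targets to safe URL schemes and rebalance tags the commenter left open. It uses only the Python standard library; the allow-list itself and the constructed sample comment are assumptions.

```python
"""Added example (not WordPress code): an allow-list sanitizer for
user-submitted comment HTML, built on the standard library's html.parser."""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allow-list: tag -> attributes allowed on it (an assumed, deliberately small set)
ALLOWED = {
    "a": {"href", "title"}, "b": set(), "strong": set(), "em": set(), "i": set(),
    "code": set(), "p": set(), "br": set(), "blockquote": {"cite"},
}
VOID_TAGS = {"br"}                        # never pushed on the open-tag stack
DROP_WITH_CONTENT = {"script", "style"}   # tag AND its body are discarded
URL_ATTRS = {"href", "cite"}
SAFE_SCHEMES = {"http", "https", "mailto"}


def safe_url(value):
    """Return the URL if its scheme is allowed (or relative), else None.
    Browsers ignore embedded tab/CR/LF while parsing a URL, so strip them
    before looking at the scheme: 'java\\tscript:' must not slip through."""
    cleaned = re.sub(r"[\t\r\n]", "", value).strip()
    scheme = urlparse(cleaned).scheme.lower()
    if scheme and scheme not in SAFE_SCHEMES:
        return None                       # javascript:, data:, vbscript: ...
    return cleaned


class CommentSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)   # entities reach handle_data decoded
        self.out = []
        self.open_tags = []
        self.skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED:
            return                        # tag dropped, its text content is kept
        rendered = []
        for name, value in attrs:         # html.parser has already decoded entities here
            if name not in ALLOWED[tag] or value is None:
                continue                  # on*, style, src, ... never pass
            if name in URL_ATTRS:
                value = safe_url(value)
                if value is None:
                    continue
            rendered.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(rendered)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        while self.open_tags:             # close anything still open inside it
            opened = self.open_tags.pop()
            self.out.append(f"</{opened}>")
            if opened == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

    # comments (handle_comment) are silently dropped by the base class

    def result(self):
        while self.open_tags:             # balance tags the commenter left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_comment(raw):
    """Return a well-formed, allow-listed HTML fragment that is safe to store and render."""
    parser = CommentSanitizer()
    parser.feed(raw)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # constructed hostile comment
    sample = ('<p>Nice <b>post</b><script>alert(1)</script> '
              '<a href="javascript:alert(1)" onclick="x()">here</a></p>')
    print(sanitize_comment(sample))
```

Sanitize on input and still escape on output: the allow-list decides what markup survives in the database, while output escaping protects the page from data that reached the table by another route (imports, other plugins, a direct SQL edit).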

Read more ...

An introduction to Docker

You have surely heard about it: it is one of the hottest technologies of the moment and it is gaining momentum quickly. The numbers presented at DockerCon 2017 are about 14 million Docker hosts, 900 thousand apps, 3,300 project contributors, 170 thousand community members and 12 billion image downloads.
In this series of articles we introduce the basic concepts of Docker, so as to have a solid basis before exploring the wide surrounding ecosystem.

The Docker project was born as an internal project at dotCloud, a PaaS company, and was based on the LXC container runtime. It was introduced to the world in 2013 with a historic demo at PyCon, then released as an open-source project. The following year LXC was dropped as the default, as its development was slow and not keeping pace with Docker; Docker developed libcontainer (later runc), written entirely in Go, with better performance and a higher level of security and isolation between containers. Then came a crescendo of sponsorships, investments and general interest that elevated Docker to a de facto standard.

Docker is a member of the Open Container Project, now the Open Container Initiative (OCI), a Linux Foundation project that defines the open standards of the container world and includes members like AT&T, AWS, Dell EMC, Cisco, IBM, Intel and the like.

Docker has a client-server architecture: the client talks to the dockerd daemon, which builds, runs and distributes containers. Client and daemon can run on the same host or on different systems; in both cases they communicate through the Docker REST API, over a Unix socket or a network interface. Whoever can reach that socket or endpoint can start privileged containers and therefore controls the host, so keep the socket restricted to trusted users and never expose the TCP endpoint without TLS client authentication. A registry stores images: Docker Hub is the public Cloud registry, while Docker Registry can be deployed as a private, on-premises one.

[Image: Docker architecture]

Read more ...

CMS Bulletin October 2017

WordPress 4.8.2 is now available

WordPress released version 4.8.2.
This is a “Security and Maintenance Release” which introduces no new features; instead it fixes some security and performance issues of the most used CMS worldwide.
In particular, these 9 security issues are fixed, in addition to 6 maintenance fixes:

  • $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability.
  • A cross-site scripting (XSS) vulnerability was discovered in the oEmbed discovery.
  • A cross-site scripting (XSS) vulnerability was discovered in the visual editor.
  • A path traversal vulnerability was discovered in the file unzipping code.
  • A cross-site scripting (XSS) vulnerability was discovered in the plugin editor.
  • An open redirect was discovered on the user and term edit screens.
  • A path traversal vulnerability was discovered in the customizer.
  • A cross-site scripting (XSS) vulnerability was discovered in template names.
  • A cross-site scripting (XSS) vulnerability was discovered in the link modal.

The update is available within the dashboard or at this address.
Those who want to preview the upcoming release can test WordPress 4.9 beta 3. Obviously it is for testing purposes only and must not be installed in production environments.

Read more ...

Business email: a comparison of services

Email is a powerful tool for businesses of all kinds, from freelancers to small and medium businesses and large corporations, provided it is managed efficiently. In this article we analyze the email services offered by the main providers.

Email is one of the main vectors of communication in the business world: it is used for internal, informal, official and even international communications. In many cases it has replaced verbal communication, and each user therefore expects the service to be quick, easy and, above all, reliable. Besides sending and receiving messages, a number of other activities have merged with it: calendars, address books, mobile synchronization and so forth.

Read more ...

GFI LanGuard: network security scanner and patch management

Keeping an IT infrastructure properly updated is a costly and tiresome activity: GFI LanGuard is a product conceived to structure and automate the patch management process safely.

How dangerous it is to run unpatched systems is clearly shown by the very recent wave of WannaCry infections, the ransomware that, although it hit a limited number of victims (there could have been far more had a remedy not been found promptly), attacked Windows-based infrastructures in more than 150 countries. The ransomware spread through the EternalBlue exploit for an SMBv1 vulnerability that Microsoft had fixed in the MS17-010 bulletin, so it only worked on unpatched versions of the operating system. Yet imagine what the outcome would have been had it reached all Windows systems.

Read more ...

CMS Bulletin - July 2017

WordPress 4.8 is now available
WordPress 4.8 is now available, and this version introduces some new features: image, audio and video widgets, a rich text widget for visual editing, improved link management and a new dashboard panel listing WordPress events near you.
Further information is available in this post on the WordPress blog.

The update is available in the admin dashboard; we suggest updating as soon as possible, after making a backup (just in case).

Joomla 3.7.3 is now available
Joomla has now reached version 3.7.3, a minor release of the 3.x series.
This release doesn’t introduce any new function; rather it fixes bugs and solves security issues.
In particular, two XSS (Cross-Site Scripting) vulnerabilities and an information disclosure vulnerability are fixed.

The update is available directly within the admin dashboard.
Joomla 3.8 is expected at the end of July.

WordPress WP Statistics plugin is vulnerable to SQL Injection attacks
Sucuri researchers discovered a vulnerability in the popular WP Statistics plugin for WordPress that permits SQL Injection attacks.
Version 12.0.9 of the plugin solves the issue, therefore we highly recommend to update the plugin as soon as possible.
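The WP Statistics flaw above and the $wpdb->prepare() hardening in WordPress 4.8.2 (October 2017 bulletin) are the two faces of the same problem: SQL text assembled from untrusted input. The block below is an added example written for this page, not WordPress or plugin code. It uses an in-memory SQLite table with constructed rows to show how a spliced-in value changes the query's logic while a bound parameter cannot, and a small stand-in for the prepare() contract (%s and %d placeholders in a format string that stays a literal in the code). Table and column names are assumptions.

```python
"""Added example (not WordPress code): string-spliced SQL versus bound
parameters, plus a stand-in for the $wpdb->prepare() placeholder contract.
The posts table and its rows are constructed sample data."""
import re
import sqlite3

PLACEHOLDER = re.compile(r"%[sd]")


def setup_db():
    """Constructed sample data: three posts, one of them private."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, status TEXT)")
    conn.executemany(
        "INSERT INTO posts (title, status) VALUES (?, ?)",
        [("Hello world", "publish"), ("Draft secrets", "private"), ("Second post", "publish")],
    )
    return conn


def titles_unsafe(conn, title):
    """VULNERABLE: the title is formatted straight into the SQL text, so a
    value such as  ' OR '1'='1  rewrites the WHERE clause and leaks private rows."""
    sql = f"SELECT title FROM posts WHERE status = 'publish' AND title = '{title}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def titles_safe(conn, title):
    """SAFE: the title travels as a bound parameter and is compared as data."""
    sql = "SELECT title FROM posts WHERE status = 'publish' AND title = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (title,))]


def prepare(fmt, *args):
    """Stand-in for the $wpdb->prepare() contract: %s and %d in a TRUSTED
    format string become bound parameters; a %d value is coerced to an
    integer the way PHP's intval would ('2 OR 1=1' -> 2, 'abc' -> 0).
    Returns (sql, params) ready for execute(). The format string must be a
    literal in the code: handing it user input is the mistake the 4.8.2
    hardening guards against."""
    pending = list(args)
    params = []

    def bind(match):
        if not pending:
            raise ValueError("fewer arguments than placeholders")
        value = pending.pop(0)
        if match.group(0) == "%d":
            digits = re.match(r"\s*[-+]?\d+", str(value))
            value = int(digits.group(0)) if digits else 0
        else:
            value = str(value)
        params.append(value)
        return "?"

    sql = PLACEHOLDER.sub(bind, fmt)
    if pending:
        raise ValueError("more arguments than placeholders")
    return sql, tuple(params)


def title_by_id(conn, post_id, status):
    """Only the values are untrusted; the query shape is fixed in the code."""
    sql, params = prepare(
        "SELECT title FROM posts WHERE id = %d AND status = %s", post_id, status
    )
    return [row[0] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    db = setup_db()
    payload = "' OR '1'='1"
    print("unsafe:  ", titles_unsafe(db, payload))      # leaks the private post too
    print("safe:    ", titles_safe(db, payload))        # no post has that literal title
    print("prepared:", title_by_id(db, "2 OR 1=1", "publish"))
```

The same rule applies to the parts of a query that placeholders cannot cover (table names, ORDER BY columns, LIMIT): those must come from a fixed allow-list in the code, never from the request.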

Read more ...

FreeNAS 11: the new features and some talks about Corral

After the false start of the long-awaited FreeNAS 10, a few weeks ago the iXsystems development team released the latest stable version of its operating system for NAS solutions.

We have extensively covered FreeNAS in previous issues, analyzing its structure, functioning and advantages. We expect a high level of stability and reliability from such an operating system, yet we waited almost a year for the revolutionary release 10, code-named Corral.

FreeNAS 10 “Corral”: something went wrong
The two main novelties were to be a new graphical interface and native support for virtual machines of multiple platforms.
However the release of Corral did not go as expected: after being available for 48 hours on the official FreeNAS website, it mysteriously disappeared and was replaced by the previous 9.10 version. For some weeks nobody had a clue what was going on, as it was still downloadable from the official repository; then it appeared in the Tech Preview section. A statement was published on the FreeNAS forum on 12 April explaining the reasons for withdrawing the release.

Read more ...

Wordpress Security

According to W3Techs, WordPress is used by 28.1% of existing websites and accounts for 59% of those based on a CMS (Content Management System), and its adoption keeps growing. These numbers alone show the great diffusion of WordPress: its easy installation and customization make it suitable for many use cases, eCommerce shops included.
But such popularity has a downside: it is one of the most attractive platforms for attackers. Luckily the damage from an attack can be prevented and limited with the techniques and best practices we discuss in this article.

Read more ...

CMS Bulletin - May 2017

WordPress 4.7.5 - Security and Maintenance Release is now available
While waiting for version 4.8, expected in June, WordPress released version 4.7.5.
This is a “Security and Maintenance Release” which doesn’t add any new feature; it fixes security and performance issues.
In particular these 6 security issues have been fixed, in addition to 4 other maintenance fixes:

  1. Insufficient redirect validation in the HTTP class. Reported by Ronni Skansing.
  2. Improper handling of post meta data values in the XML-RPC API. Reported by Sam Thomas.
  3. Lack of capability checks for post meta data in the XML-RPC API. Reported by Ben Bidner of the WordPress Security Team.
  4. A Cross Site Request Forgery (CSRF) vulnerability was discovered in the filesystem credentials dialog. Reported by Yorick Koster.
  5. A cross-site scripting (XSS) vulnerability was discovered when attempting to upload very large files. Reported by Ronni Skansing.
  6. A cross-site scripting (XSS) vulnerability was discovered related to the Customizer. Reported by Weston Ruter of the WordPress Security Team.

The update is available within the administration dashboard.

Read more ...

Nakivo: easy and flexible VMware and Hyper-V backup

The new version of one of the best-known backup tools for virtual environments adds support for vSphere 6.5 and improves integration with the Microsoft world with support for Hyper-V and Active Directory.

Nakivo Backup & Replication is a backup and Disaster Recovery solution for virtual machines that offers on-site and off-site backup (with testing), replication, recovery (down to single files and Exchange/Active Directory objects), Cloud replica (AWS) and multi-tenant capabilities. We tried the new 7.0 version ahead of release for you. Our review of the previous release is available at this address.

Support to vSphere 6.5 and Hyper-V

The new version of vSphere came out a couple of months ago and all the big players are updating their support for it; Nakivo is no exception: you can now add an ESXi 6.5 host or a vCenter 6.5 to the Inventory and protect all the VMs running there. The new support for Hyper-V (2012, 2012 R2 and 2016) is without doubt the most exciting news of Nakivo Backup & Replication 7: the product now also protects virtual machines created and managed with Microsoft’s popular hypervisor. The product thus covers both of the main virtualization platforms found in on-premises and Cloud infrastructures, and also supports a hybrid setup with the ability to back data up to Amazon’s public cloud, AWS EC2.

[Image: Nakivo 7 activity view]

Read more ...

Windows Server 2016: a new features test

In this article we have selected some of the new features available in Windows Server 2016 with the aim of analysing them and evaluating their impact in a real world scenario.

As we mentioned in the previous issue, this new release is conceived as an improvement of the previous versions rather than a brand new system. New features can be grouped into three areas: Virtualization and Containers, Security and Storage.

Virtualization

The main news in terms of Hyper-V is nested virtualization. With Windows Server 2016, Hyper-V hosts can themselves be virtualized (i.e. a VM running Hyper-V): this approach is often used in testing environments and wherever one wants to build multi-tenant environments without the cost of physical hardware. Hot-add of VM hardware (disks, network cards, controllers, etc.) is now supported: previously this required powering off the machine and restarting it, with the resulting downtime.

[Image: hot-add of virtual hardware]

A new role introduced with this version is the Host Guardian Service, which we discussed in the previous issue. It attests the health of Hyper-V hosts and releases the keys needed to run shielded VMs only to attested hosts, so that fabric administrators cannot inspect or tamper with the virtual machines running on a host or cluster. Server 2016 also takes a step towards the Linux world: one of the main problems when creating a Generation 2 Linux VM was that Hyper-V’s Secure Boot did not trust Linux boot loaders, which led to a “Failed Secure Boot Verification” error when starting the virtual machine; the workaround was to disable Secure Boot. This release fixes the problem with a Secure Boot template (Microsoft UEFI Certificate Authority) that trusts signed Linux boot loaders.

Read more ...

An introduction to XenServer: an Open Source enterprise [para]virtualization solution

Xen, like VMware ESXi, is a hypervisor, that is, software that allows several virtual machines (even with different operating systems) to run at the same time on the same hardware, sharing resources with the aim of optimizing costs and the management of the IT infrastructure. Given its nature, it is often compared with the competing platforms by Microsoft (Hyper-V) and VMware (vSphere/ESXi), and in this article we are going to cover its characteristics.

A little bit of history

The Xen virtualization project was born in 2003 at the University of Cambridge as a research project. Within a short time XenSource was founded, before being acquired by Citrix in 2007, which kept a free version but started to develop a paid one. The project is backed by big players of the market like Intel, AMD, Cisco, Amazon, Google, Oracle, Samsung and Verizon.

In 2013 Xen became part of the Linux Foundation, and Citrix adopted an open source licence for its own XenServer product, then at version 6.2. The paid version, which includes support and additional maintenance services, still remains.


CentreStack: the object storage platform by Gladinet

CentreStack is a managed server for building an object storage platform that can be deployed on-premises or in Managed Service Provider mode, to be offered as a service to clients.

The product of the American company Gladinet is a system halfway between the classic file servers used by companies and the off-premises Cloud storage platforms usually consumed in SaaS/PaaS mode (think of Dropbox, OneDrive, etc.). Taking the best from both worlds, CentreStack can leverage the internal IT infrastructure (servers, storage, etc.) to offer a file sharing service, also suitable for BYOD purposes, in a Cloud fashion. Management is entirely Web based, with a dashboard from which you can control and act on all aspects of the platform, including multi-tenant and multi-node deployments.


Structure and requirements

CentreStack is composed of three main parts, or nodes: Web Front Node, Worker Node and Database Node. Nodes can be deployed as physical hosts or as separate virtual machines, or in all-in-one mode on a single host (a solution particularly suitable for small-scale scenarios or testing purposes) where all components are installed at once. In some situations the Web Front and Worker nodes can be condensed onto a single machine.


CMS bulletin - January 2017

WordPress 4.7.1 - Security and Maintenance Release is now available

Less than a month after the release of version 4.7 “Vaughan”, WordPress releases version 4.7.1 of the most used CMS in the world.
This is a “security and maintenance” release which fixes 8 important vulnerabilities affecting all WordPress versions (4. included), in addition to 2 bugs of the previous version.
The 8 vulnerabilities, now fixed, include cross-site scripting (XSS) and cross-site request forgery (CSRF) issues.

The update is available at the administration dashboard and at the official Website. We encourage you to update your installation as soon as possible.


CMS Bulletin - April 2017

WordPress 4.7.3 is now available

This is a “Security & Maintenance” release that does not introduce any new feature: it fixes bugs and problems present in the previous versions.
Because of the security-related fixes, we encourage you to update as soon as possible.

The previous versions had 6 significant problems, all of which are now fixed:

  • Cross-site scripting (XSS) via media file metadata. Reported by Chris Andrè Dale, Yorick Koster, and Simon P. Briggs.
  • Control characters can trick redirect URL validation. Reported by Daniel Chatfield.
  • Unintended files can be deleted by administrators using the plugin deletion functionality. Reported by TrigInc and xuliang.
  • Cross-site scripting (XSS) via video URL in YouTube embeds. Reported by Marc Montpas.
  • Cross-site scripting (XSS) via taxonomy term names. Reported by Delta.
  • Cross-site request forgery (CSRF) in Press This leading to excessive use of server resources. Reported by Sipke Mellema.

The update is available within the administration dashboard via an “Update Now” banner, or it can be performed manually; if you have enabled automated updates, your system will be updated shortly.

A vulnerability in Magento that allows CSRF attacks has been discovered

A vulnerability that allows Cross-Site Request Forgery (CSRF) has been discovered in Magento Community Edition (2.1.6 and older) by DefenseCode, which released a document covering the topic. The discovery followed an audit of the Community Edition source code; the Enterprise version has not been tested (yet), but it is possible that this version too is affected, as both versions share most of the code.

The vulnerability lies in the option that allows admins to add Vimeo videos to product descriptions: the system retrieves a preview image with a POST request that accepts the image URL as a parameter.
The request can be changed to a GET, and if the URL points to an invalid image file (such as a PHP file), the system returns an error but still downloads the file and does not delete it when validation fails.
Image information is analysed and the file is stored in a directory that follows a fixed scheme: the pattern is /pub/media/tmp/catalog/product/<X>/<Y>/<original filename>, where the path depends on the image name. For instance, picture.jpg is stored at /pub/media/tmp/catalog/product/p/i/picture.jpg.
Two files are then downloaded: one is an .htaccess file that enables the execution of PHP files in the directory, the other is the malicious PHP script.
A typical scenario involves an attacker targeting a Magento user with admin panel access (not necessarily a full administrator) with a phishing email containing a link to a URL that triggers the CSRF attack.
The “Add Secret Keys to URLs” option mitigates the attack: you can enable it under Stores > Configuration > ADVANCED > Admin > Security > Add Secret Key to URLs.
Also disable the use of .htaccess files in the subdirectories of /pub/media/tmp/catalog/product/.

Magento developers stated that this vulnerability will be fixed in the next release of the CMS.
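As an added example (not from the article, from DefenseCode or from the Magento project), a defender's integrity check for the condition described above: it walks the media temp directory and reports .htaccess files, server-side scripts, and image-named files whose content is not actually an image. The directory layout, the extension list and the sample files are constructed for the example.

```python
import tempfile
from pathlib import Path

# Constructed for this example: the Magento media temp path named in the article.
DEFAULT_MEDIA_TMP = Path("pub/media/tmp/catalog/product")

# Assumption: extensions a typical Apache PHP handler would execute.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".phar"}
# Leading bytes of the image formats a product preview is expected to be.
IMAGE_MAGIC = {
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8",
}

def classify(path: Path, root: Path):
    """Return a (kind, relative_path) finding, or None if the file looks like a legitimate image."""
    rel = path.relative_to(root).as_posix()
    ext = path.suffix.lower()
    if path.name == ".htaccess":
        return ("htaccess", rel)          # may re-enable PHP execution in this directory
    if ext in SCRIPT_EXTENSIONS:
        return ("server_script", rel)     # a script should never be stored here
    magic = IMAGE_MAGIC.get(ext)
    if magic is None:
        return ("unexpected_type", rel)   # not an image extension at all
    with path.open("rb") as fh:
        head = fh.read(len(magic))
    if head != magic:
        return ("content_mismatch", rel)  # image extension, but the bytes are not that format
    return None

def scan_media_tmp(root):
    """Scan every file below root and return the list of findings."""
    root = Path(root)
    findings = [classify(p, root) for p in sorted(root.rglob("*")) if p.is_file()]
    return [f for f in findings if f is not None]

def build_sample_tree():
    """Constructed sample tree mirroring the <X>/<Y>/<filename> layout from the article."""
    root = Path(tempfile.mkdtemp()) / DEFAULT_MEDIA_TMP
    samples = {
        "p/i/picture.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,  # genuine JPEG header
        "l/o/logo.png": b"<?php echo 'not an image';",         # script text behind an image name
        "s/c/script.php": b"<?php echo 'test';",               # plain script file
        "s/c/.htaccess": b"# constructed placeholder .htaccess\n",
    }
    for rel, data in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root

if __name__ == "__main__":
    for kind, rel in scan_media_tmp(build_sample_tree()):
        print(f"{kind:17} {rel}")
```

Run against a real installation by passing the store's media temp directory to scan_media_tmp(); the image whose bytes match its extension is the only file that produces no finding.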

The difference between email backups and archiving

Emails have become a key element in every business. In most cases the correspondence with clients and suppliers is so important that, in case of loss or theft, missing emails can result in heavy economic and organisational repercussions.

Securing email data is a crucial duty for every company. Emails can be protected by means of a traditional backup system or by an archiving system. A proper knowledge of both systems is required to avoid mistakes.

A backup is conceived as a snapshot (or a series of snapshots) of the system at a precise moment, for instance a copy of the email archive as it is today. You can decide to keep one or more of these snapshots, perhaps one per day for the last 5 working days. Retention describes the number of backups that are kept and how they are spread over time (i.e. one backup per month for three months). A backup is made to retrieve messages deleted by accident or to restore a known-good state after software problems or any other issue that compromises regular operation.
A good backup must have an easy restore routine and must store all the necessary information: the position of the message in the folder structure and all its metadata (date, time, sender, subject, etc.).

Archiving, on the other hand, aims at the long-term (and possibly read-only) storage of the complete email archive. Archiving is not meant for restoring after a problem, but for data preservation, regardless of users' behaviour. If, for instance, a user receives an offer and deletes it, that offer remains available in the archive and the company can retrieve it if needed. Archiving requires more storage space, especially if deletion is blocked, and often offers additional capabilities like full-text indexing and quick search.

Naturally there are different, specific software and services for backups and for archiving: they are, and must be, distinct and non-interchangeable processes. This distinction is not always immediately obvious, so let's look at some explanatory examples to point out the differences.

Windows Server 2016: new features and on the road test

Previous articles -> Microsoft believes in containers, too - Windows Server 2016 TP4 is now available

After a development period that started in 2014, the final version of Windows Server 2016 was at last released last October.

Windows Server 2016, available in the Essentials, Standard and Datacenter editions, brings many new features with this release, mostly oriented towards security and the scalability demanded by the new software-defined architectures. The main difference from the past is the new licensing model: Microsoft now adopts core-based (hyper-threading excluded) licensing instead of the previous socket-based approach. New licences are calculated according to the number of cores in the server the OS will be installed on, instead of on the basis of the physical processors available. Leaving aside arguments about marketing and the profit margins linked to scalable infrastructures, this decision stems from the Redmond colossus's will to align with the new requirements of the Cloud world (and of those who sell Cloud infrastructures), where the boundaries between physical hardware and virtual resources have become very blurred. A licensing model that counts cores rather than processors is, for instance, very useful when quoting hosting plans, as the unit of computational power there is indeed the single core and not the whole processor.

In general, using Windows Server 2016 requires licensing all the physical cores of the server, with a minimum of 8 per-core licences (each covering two cores) for each processor, even for quad-core processors, and at least 16 per-core licences for each physical server (in the case of dual-socket servers). Furthermore, licences are sold in non-divisible packs of two cores each.

Password manager: an invaluable tool for IT pros

Is there a solution to the nightmare of all the passwords you have to handle in your personal and working life? Yes, there is, and it is called a password manager: let's see what it is and how it can change your life for the better.

A password manager is software that stores and manages all your access credentials in a single, secure place and protects them with a single primary password. The main goal of this kind of software is to guarantee the security of the stored data and their structured management (search, update, deletion, etc.).
Unlike manual solutions like spreadsheets or even paper notes, such software helps you maintain the archive over time and as the number of entries grows. Moreover, it provides a better level of security, simplifies adding passwords and includes useful features such as the automated generation of strong passwords and advanced search.


