Meltdown and Spectre bugs

Tuesday 9 January 2018 by Norbert Laposa

We are receiving questions from our clients about the latest security issues found in CPUs.

Please be assured that we constantly monitor all security announcements issued by our OS vendor (i.e. https://www.debian.org/security/), receive all updates by email and apply the changes within 24 hours as part of our service.

We can confirm that all our servers are now safe from both bugs.

Our PCI compliant server customers are also protected by extra security measures, which include:

  1. It’s a dedicated host fully under our control. No one else can make changes to the operating system. The Meltdown and Spectre bugs are most dangerous in cloud server environments, where multiple operating systems run on one physical host, which gives the owner of one guest OS an opportunity to read information belonging to another. This is not possible on this server, as there is only one OS and it is under our control.
  2. Hosted websites do not offer FTP/SFTP access to our customers, so no one else can upload server-side executable code (e.g. a PHP file) that exploits the discovered processor vulnerabilities.

All other customers run in a cloud environment, where the OS was patched by our supplier; see https://forum.bytemark.co.uk/t/meltdown-specture-vulnerabilities-what-were-doing-about-them/2784


Onxshop security design

Monday 3 July 2017 by Laposa Ltd

One great security feature of Onxshop is the way user-uploaded files are saved. Onxshop stores all uploaded files outside the web folder, which means that no file uploaded by a user can ever be executed by the web server.

Here is an example of how effective the Onxshop approach is against this type of security hole.

On our demo site, which is open to public CMS users, somebody tried to upload this .htaccess file, which tells Apache to interpret PNG files as PHP scripts:

var/files/.htaccess
AddType application/x-httpd-php .png

The attacker then uploaded a script similar to this:

var/files/png.png
<?php # Web Shell by oRb
$auth_pass = "63a9f0ea7bb98050796b649e85481845";
$color = "#df5";
$default_action = 'FilesMan';
$default_use_ajax = true;
$default_charset = 'Windows-1251';
preg_replace("/.*/e","********");

Of course, because both files were stored outside the web folder and never reached the PHP interpreter, the upload was rendered completely useless and the attacker didn't gain any access to the website.
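One way to implement the design described above, as an added example rather than Onxshop's own code: uploads go to a directory outside DocumentRoot under a server-generated name, and are handed back only through a read-only handler. UPLOAD_DIR, the allowed-type table and the id format are assumptions for this example.

```php
<?php
// Added example, not Onxshop's own code: keep uploads outside DocumentRoot and
// serve them through a read-only handler, so Apache never gets to interpret an
// uploaded .htaccess or a "PNG" that is really PHP. Paths/types are assumptions.
const UPLOAD_DIR = '/srv/app/var/files';   // assumed location, outside the web root
const ALLOWED = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'application/pdf' => 'pdf'];

function assert_outside_web_root(): void
{
    $root = realpath($_SERVER['DOCUMENT_ROOT']);
    $dir  = realpath(UPLOAD_DIR);
    if ($dir === false || ($root !== false && strpos($dir . '/', $root . '/') === 0)) {
        throw new RuntimeException('UPLOAD_DIR must exist and lie outside DocumentRoot');
    }
}

function store_upload(array $file): string
{
    assert_outside_web_root();
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // Sniff the real type from the bytes; the client-supplied name and MIME are ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!array_key_exists($mime, ALLOWED)) {
        throw new RuntimeException('file type not allowed');
    }
    // Server-generated name: no user-chosen path or extension (.htaccess, .php) reaches disk.
    $id = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $id)) {
        throw new RuntimeException('could not save file');
    }
    return $id; // persist this id, never the original filename
}

function serve_file(string $id): void
{
    // Only ids we generated are accepted; this also rules out "../" traversal.
    $path = UPLOAD_DIR . '/' . $id;
    if (!preg_match('/^[0-9a-f]{32}\.(png|jpg|pdf)$/', $id) || !is_file($path)) {
        http_response_code(404);
        return;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    header('Content-Type: ' . (array_key_exists($mime, ALLOWED) ? $mime : 'application/octet-stream'));
    header('Content-Disposition: attachment; filename="' . $id . '"');
    header('X-Content-Type-Options: nosniff'); // browsers must not re-sniff the bytes
    readfile($path); // bytes are copied out, never handed to the PHP interpreter
}
```

Wire store_upload($_FILES['upload']) to the upload form and serve_file($_GET['id']) to a download route, so the stored bytes are only ever reached through readfile() and never through a URL Apache would map to a file.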

For example in Wordpress, backdoors can be hidden in scripts similar to this: /wp-content/upgrade/wp-mails.php

It looks like a genuine Wordpress script, but it's actually a file uploaded by a CMS user. Files of this type are then used for sending spam or taking part in DDoS attacks.


Canvas, WebGL and HTML5 banners

Thursday 12 January 2017 by Hugo Dvorak

Our clients often ask us what the difference is. So here is a short explanation.

Canvas and WebGL are both part of the HTML5 standard.

WebGL is an API for rendering interactive 3D graphics. It provides a special language (similar to C++) which you use to describe a 3D scene (objects, light sources, camera position, textures, etc.). With that language you can describe things like “a sphere with marble texture in the centre of the scene”, “a red directional light pointing from the corner of the scene to the centre” etc.

Canvas is an HTML tag which appears in the browser as a rectangular area on the page. It’s up to you what you show in the area. There is the Canvas 2D API for that. You do things like “draw a 1px blue line from 0,0 to 100,200”, “draw a red circle at position 20,30”, “fill the canvas with black colour” or “draw image XYZ at position 10,10” etc. That’s what we use for HTML5 banners.

You can also combine both for 3D graphics: you render the 3D scene defined by WebGL in the context of the Canvas. Canvas behaves like any other HTML element. You can define its position on the page and its dimensions, and even make it responsive. Each HTML5 banner, for instance, is a separate Canvas element.


Let's Encrypt

Thursday 29 December 2016 by Laposa Ltd

Our premium hosting customers can now request a free SSL certificate from Let's Encrypt.

From January 2017 Chrome users who navigate to some HTTP sites will be notified that they’re on a site that isn’t secure, if that site features either a password or credit card form. With this in mind we have integrated the Let's Encrypt SSL framework into our hosting platform.

Please note that the move to HTTPS may cause a temporary fluctuation in your Google ranking; however, the benefit gained from having the SSL certificate in place will outweigh any temporary ranking change. Google also gives better ranking to sites with an SSL certificate.


Why Onxshop?

Wednesday 16 November 2016 by Laposa Ltd

Onxshop is an enterprise level, open source content management system, built and maintained by development company Laposa Ltd.

Flexible & Efficient

Onxshop is built using standard web technologies: HTML, CSS, PHP and SQL, where all code is clearly structured and separated, which allows anyone with basic CSS knowledge to become an Onxshop developer without the need for expensive certification programmes. As the creators of Onxshop we have full control of all aspects of the software, allowing us to easily adapt and create new functionality where necessary. This translates to considerable savings in development time (cost) compared with other systems.

Secure

Due to its exclusivity as an enterprise content management system, Onxshop is not as vulnerable as its competitors. For example, Wordpress boasts 75 million installations and a plugin directory containing close to 50,000 add-ons (created by different developers to different coding standards). The mass adoption of Wordpress provides an attractive opportunity for hackers and opens many potential security holes. Laposa reviews every piece of code before committing it to the Onxshop Github repository and regularly tests for PCI (Payment Card Industry) compliance.

Easy to use

Onxshop is a true CMS, not a blogging platform. It’s powerful, adaptable yet highly intuitive requiring only minimal training.

Open licence

There is no annual licence fee with Onxshop and it can be easily hosted elsewhere should you choose to move host.

Support

Laposa offer full technical support on our Onxshop hosting platform, where we are happy to provide an SLA. Due to the nature of Wordpress (e.g. automatic system updates, plugin updates, etc.) we cannot offer this level of service for it.

Key features

  • Built using standard web technologies HTML, CSS, PHP and SQL

  • Responsive layout system by default

  • Front-end editing including fluid layouts allowing the user to combine a variety of content types (building blocks) page by page

  • Core building blocks include:

    • Site template for different channels, i.e. web, Facebook, Mobile App

    • Page (creates clean, SEO friendly URL and pre-built structure e.g. default, product list, symbolic link),

    • Layout (creates placeholders for content e.g. 1-6 columns, tabs and slider)

    • Content (e.g. Rich Text, Contact Form, Testimonial, Photo Gallery, File List, Menu of Pages, Feed Reader, News Article List, User Comments)

  • Drag & drop front-end components within each page

  • Drag & drop page tree organisation

  • Drag & drop media library

  • In-context editor

  • Reusable elements outside of website context (e.g. within Facebook Apps)

  • Role based access control

  • XML feed for any type of content

  • API for recipe, product and store database

  • Use prebuilt selection of contact forms

  • Form builder for customer surveys

  • Geolocation via taxonomy system

  • Automatic image resize: Upload one file and re-use in multiple places (Global Media Library)

  • Built-in CSS editor

  • Built-in template editing

  • Flexible picture gallery: Select from 7 different types with detailed options (simple image list, jQuery Cycle, Fancybox (Lightbox), jQuery Tools Gallery, Nivo Slider, prettyPhoto)

  • Saved revisions for every content update

  • Multiple user roles (Access Control List)

  • Flexible scheduler for content publishing/unpublishing

  • Enterprise Search Engine using Apache Lucene

  • Social integration - management of Open Graph properties and login using Facebook or Twitter

  • Bin for easy recovery of content deleted by mistake

More information can be found on onxshop.com


Laposa Ltd
58 Howard Street
Belfast BT1 6PJ

info@laposa.co.uk
+44 (28) 9032 8988
+353 (48) 9032 8988