Cant create any paste #80
Comments
What version of PrivateBin are you using? And BTW: I hope you are planning to deploy HTTPS on your server. 😃
Normally https should be activated on thelostone.org... I should recheck this! Like I said, I use the latest master on both servers, I have no webserver logs I can look into, but I can enable php errors (in the index?).
You do not redirect to HTTPS. Also you only support RSA and you might want to improve this ssl config (try to get A). You might consider to use this generator for this. But I'll get off-topic... As the master branch is continuously updated, it does not help to say "I use the latest master". It helps much more to paste the commit hash here. E.g. a9759f1, which is the latest master at the time of writing. Do you use it?
Really? Do you have them disabled?
Yes, you might do that temporarily. It would be very helpful.
As you get the generic error, the script encountered a situation it couldn't handle. Could you check what errors PHP returns (possibly by enabling the PHP errors as you suggest)? Otherwise the most likely candidate to check is that the folder the script resides in has permissions set so that the webserver / PHP-process can create its folders in it. If you happen to run CentOS / Red Hat you might also need to adjust SELinux settings.
I just can say that I activated ssl on one.com. It seems that this hoster is crap in any way. I don't know how I can input a commit hash, otherwise I would do it. No, I simply have a host who didn't provide logs. Anyway. After including error_reporting(E_ALL); into the index.php I get nothing too. Ah and btw I found the commit thing, now I know better how to ask for a thing.
I asked the support for the logs and he gave me this, hopefully it helps:

```
[Tue Aug 16 18:54:53 2016] [warn] [client 82.165.156.248] mod_fcgid: stderr: #0 thelostone.co.at/root/lib/Persistence/ServerSalt.php(56): random_bytes(256), referer: http://thelostone.co.at/
[Tue Aug 16 18:54:53 2016] [warn] [client 82.165.156.248] mod_fcgid: stderr: #1 thelostone.co.at/root/lib/Persistence/ServerSalt.php(83): PrivateBin\Persistence\ServerSalt::generate(), referer: http://thelostone.co.at/
[Tue Aug 16 18:54:53 2016] [warn] [client 82.165.156.248] mod_fcgid: stderr: #2 thelostone.co.at/root/lib/Persistence/TrafficLimiter.php(85): PrivateBin\Persistence\ServerSalt::get(), referer: http://thelostone.co.at/
[Tue Aug 16 18:54:53 2016] [warn] [client 82.165.156.248] mod_fcgid: stderr: #3 thelostone.co.at/root/lib/Persistence/TrafficLimiter.php(127): PrivateBin\Persistence\TrafficLimiter::getHash('sha256'), referer: http://thelostone.co.at/
[Tue Aug 16 18:54:53 2016] [warn] [client 82.165.156.248] mod_fcgid: stderr: #4 thelostone.co.at/root/lib/PrivateBin.php(217): PrivateBin\Persistence\TrafficLimiter::canPass(), referer: http://thelostone.co.at/
[Tue Aug 16 18:54:53 2016] [warn] [client 82.165.156.248] mod_fcgid: stderr: #5 thelostone.co.at/root/lib/PrivateBin.php(130): PrivateBin\PrivateBin->_create(), referer: http://thelostone.co.at/
[Tue Aug 16 18:54:53 2016] [warn] [client 82.165.156.248] mod_fcgid: stderr: #6 thelostone.co.at/root/vendor/paragonie/random_compat/lib/random.php on line 185, referer: http://thelostone.co.at/
```
Sorry that you are having trouble with the project. Thank you for providing the logs! The error seems to be that the "There is no suitable CSPRNG installed on your system" Exception is thrown by the random_compat library. Could you therefore check if the mcrypt extension is available on your system? It is a last fallback to provide the cryptographically safe random number used as the server's salt in hashing.
No need to say sorry, you can't fix something my webhost didn't do. :) I use this code for checking: It says: mcrypt is loaded!
Thank you for checking this. I revisited the code of the random_compat library and it should only fail on line 185 of random.php if all methods of acquiring cryptographically safe randomness fail. Could you run the following check for all these methods and post its output here?

```php
<?php
// Reports which of the randomness sources random_compat can fall back to are present.
echo '<pre>PHP version used: ', PHP_VERSION, PHP_EOL,
    'extension libsodium is loaded: ',
    (extension_loaded('libsodium') ? 'true' : 'false'), PHP_EOL,
    '/dev/urandom exists and is readable: ',
    (is_readable('/dev/urandom') ? 'true' : 'false'), PHP_EOL,
    'extension mcrypt is loaded: ',
    (extension_loaded('mcrypt') ? 'true' : 'false'), PHP_EOL,
    'function mcrypt_create_iv exists: ',
    (function_exists('mcrypt_create_iv') ? 'true' : 'false'), PHP_EOL,
    'extension com_dotnet is loaded: ',
    (extension_loaded('com_dotnet') ? 'true' : 'false'), '</pre>';
```
thelostone.org server (Hoster: One.com):
thelostone.co.at server (Hoster: Nitrado.de):
I edited my customer folder with xxx, btw.
Ok, now it's clear what the problem is: This is a requirement to have mcrypt_create_iv and the other mechanisms work with cryptographically safe randomness. If your hoster can't or won't make this accessible to you it will not work. I hope you can find a solution with them. Edit: If you don't, you need to generate the server salt only once. You could generate it on some other site (or locally) and then move it into the data folder of these two hosts (they need to be unique per installation).
Humm... that's bad. Then I sadly need to use another script. :(
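The existence check above only tells you whether an extension or device is present; the diagnosis in this thread is that mcrypt was loaded yet random_bytes() still threw. The following added diagnostic (not PrivateBin's code, written for this thread) actually tries to obtain bytes from each source random_compat can use, so a hoster restriction such as a blocked /dev/urandom shows up as a failure. It assumes it is run from the PrivateBin root, where the vendored random_compat library lives.

```php
<?php
// Added pre-flight check: try to actually draw random bytes from each source,
// rather than only testing whether the extension or device exists.
// Assumption: executed from the PrivateBin root so the vendored library is found.
require_once __DIR__ . '/vendor/paragonie/random_compat/lib/random.php';

function try_source($label, callable $fn)
{
    try {
        $bytes = $fn();
        $ok = is_string($bytes) && strlen($bytes) === 32;
        echo str_pad($label, 40), $ok ? 'OK' : 'FAILED (no output)', PHP_EOL;
        return $ok;
    } catch (Exception $e) {
        // random_compat throws a plain Exception when no CSPRNG source works
        echo str_pad($label, 40), 'FAILED: ', $e->getMessage(), PHP_EOL;
        return false;
    }
}

$anyOk = false;

// 1. What PrivateBin itself calls (ServerSalt.php uses random_bytes()).
$anyOk = try_source('random_bytes(32)', function () {
    return random_bytes(32);
}) || $anyOk;

// 2. Direct read of /dev/urandom; shared hosts often block this via open_basedir.
$anyOk = try_source('/dev/urandom read', function () {
    $bytes = @file_get_contents('/dev/urandom', false, null, 0, 32);
    return $bytes === false ? '' : $bytes;
}) || $anyOk;

// 3. mcrypt: being loaded is not enough, it also needs access to /dev/urandom.
if (function_exists('mcrypt_create_iv')) {
    $anyOk = try_source('mcrypt_create_iv(MCRYPT_DEV_URANDOM)', function () {
        $iv = @mcrypt_create_iv(32, MCRYPT_DEV_URANDOM);
        return $iv === false ? '' : $iv;
    }) || $anyOk;
}

echo $anyOk
    ? 'At least one CSPRNG source works on this host.'
    : 'No working CSPRNG: PrivateBin cannot generate its server salt here.', PHP_EOL;
```

A host that prints OK for random_bytes() but FAILED for the direct /dev/urandom read is still fine for PrivateBin; only an all-FAILED result reproduces the exception seen in the logs above.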
@rugk In the light of this ticket, do you think we should introduce an unsafe fallback which raises a visible warning message on the homepage? At least it would work, even if the salt could be weak. |
Hmm, if However I am quite sure that a generation of the server salt once would not be enough, because we also generate a unique salt for each Paste. @elrido You know that I certainly would not like an insecure fallback. But I am in favour of a more meaningful error message. Maybe something like this:
So PrivateBin should still be unusable, because when there is no Server Salt many things are weakened (think of the security audit...), so in this case it should not really be usable. In this case we could provide instructions on how to use it. Note that random_compat also supported OpenSSL a while ago, but it has been removed (the
However it would be okay for me to introduce a setting (disabled, obviously), which changes the pad Salt generation, so that it is done in the old way (using the server salt). This way we would still have to provide instructions on how the server admin can create the server salt, but this has only to be done once. @Nerdcoat At first: Thanks for opening this issue, it helped us very much.
Probably it would be easier to convince the hosters to change their
FYI: I did now write a clarification on this into the installation documents (wiki and INSTALL.md). We will otherwise not address it, as this only affects PHP versions below 7.0 and uncommon server configurations. |
I did now also write a FAQ about this: https://github.com/PrivateBin/PrivateBin/wiki/FAQ I also added some other nice questions. As it is a wiki everyone is welcome to edit it.
After downloading the latest version, I uploaded it, typed in some random bla and clicked on send.
An error of making the text with no answer from the server appears.
I checked this on two different hosters, same error.
My websites for this: http://thelostone.org / http://thelostone.co.at
Using PHP 5.6 if it's important.
Thanks for any help