Feature #22
Store and manage multiple email addresses
Status: | Closed | Start: | 2016-09-23
---|---|---|---
Priority: | Normal | Due date: |
Assigned to: | - | % Done: | 67%
Category: | - | |
Target version: | - | |
Votes: | 9 | |
Description
At the moment the customer database holds only one email address. It would be useful to be able to add multiple addresses and define what sort of things they are used for, e.g. emergency contact, billing, nagios, etc.
Subtasks
History
Updated by atomicx about 14 years ago
I've recently signed up with Gandi.net and saw that each contact is linked to a handle and has the option of setting the contact as owner, billing, admin, tech contact, etc., similar to how whois works for domain names.
Not sure if this would be a bit overkill, but thought I'd suggest it anyway.
Updated by admin about 14 years ago
Yep, that's the sort of thing I would like to do. There needs to be at least
- billing
- technical/monitoring
- secondary/emergency
And for each of these there probably needs to be options not only for email address but also for phone (sms), phone (voice), twitter, etc.
Updated by thewarof1812 over 9 years ago
Being able to add multiple addresses to the current email field (or documenting how if it's possible right now?) would be preferable to me personally.
Updated by admin over 9 years ago
thewarof1812 wrote:
Being able to add multiple addresses to the current email field (or documenting how if it's possible right now?) would be preferable to me personally.
It's not currently possible unfortunately, but I can fake it for you by creating a local alias that expands to multiple addresses if you would like. Please send a support ticket if so.
Updated by admin almost 9 years ago
This feature request is still the most voted for. So far I've only done a little work, mostly theoretical, about how an address book should be done. It's a lot of work and there always seems to be something more pressing.
One of those more pressing things is to work on replacing our ageing Nagios (monitoring) install with a new install of Icinga2; the Nagios install is getting to the point where it's so old that it can't actually monitor some services, and won't be able to do so without major work. I think the time would be much better spent in starting over and modernising the feature.
That's well under way, but I'd like more automation in its configuration such that every customer VPS gets monitored by default (with ability to turn that off, of course). Customers are going to have to be able to specify custom email addresses for alerts to go to, so that brings us back to this feature request for an address book.
What I think I will do is implement something minimal that just allows optional extra email addresses that are just for alerts to go to, but I will try to do it in a way that leaves the way open to add different types of contact later on, with different methods of contact (e.g. phone, postal, SMS, Twitter, …). Hopefully that will make the work actually achievable in a reasonable time-span without being too limiting and requiring a later rewrite.
Hopefully.
Once that basic infrastructure is there the most obvious enhancement after that would be to add billing contacts. It's a very common situation that a VPS is managed by one person or set of people, but the bills should be directed somewhere else. Although that feature is much more in demand than any of this monitoring stuff it would require touching lots and lots of BitFolk's existing billing code before the UI of it could ever be shown to customers. Doing the monitoring bit first has the advantage that there's only a small amount of existing code building monitoring configs, and I'm rewriting that anyway.
So for the foreseeable future we'll need to carry on with the "<whatever>@bitfolk.com expands to multiple addresses" hack for multiple/alternate billing contacts.
Updated by admin almost 9 years ago
I've been working on this recently and now have something that lets you add and manage multiple contact records, and assign them to roles. The roles don't actually do anything yet. It could do with some testing, so if anyone wants to help do that, please see:
https://testpanel.bitfolk.com/account/contacts/#toc-address-book
Updated by puse almost 9 years ago
It seems that you may be able to overwrite another person's contact details. I'm not sure if it is possible, as I cannot really check if the data is overwritten from my end.
The form located at https://testpanel.bitfolk.com/account/contacts/add has a chgid parameter. There is no error if the value of this parameter is changed, so it seems like you are able to overwrite a different person's contact details.
Request 1:
https://testpanel.bitfolk.com/account/contacts/add?chgid=8
Request 1 should retrieve the contact details with the ID given in the chgid parameter. ID 8 was the one initially given, so requesting that page works as expected. When changing that parameter to a different value (7) the server responds with a fake 500 response code. The actual response code is 200, but the text inside the response indicates that a "500 Internal Server Error" occurred.
Request 2:
POST https://testpanel.bitfolk.com/account/contacts/add HTTP/1.1
chgid=8&NICKNAME=Test&NAME=Test+Lastn&EMAIL=nfomaker%40gmail.com&COMPANY=TestInc&ADDR1=Prestestien+14&ADDR2=Andre+etasje&POSTCODE=5118+ULSET&add_detail=PHONEHOME&addr_add_submit=%EF%88%B4+Save
Request 2 is the request that is sent when you save the new contact. By changing the chgid parameter to a new value (7), the server accepts it. If I now try to send request 1 again with chgid=8, I get the same code 500 response as earlier when I tried to access an ID that was not mine. Request 1 will now give my contact details if I change the value of chgid to 7.
Updated by admin almost 9 years ago
puse wrote:
It seems that you may be able to overwrite another person's contact details. I'm not sure if it is possible, as I cannot really check if the data is overwritten from my end.
Thanks for testing things!
I don't think it is possible to view, change or overwrite another customer's contact entries.
An ORM is in use and it's doing this on a change:
my $addr_id = $query->param('chgid');
# …
my $addr = $customer->addrs->find({ id => $addr_id });
This does an SQL query that can only bring back an addr row that is related to the $customer at hand, not some other customer.
The fake 500 pages you're seeing are because I was lazy and did a die "blah…" if that query returned nothing. I suppose I could make it just display some "why are you being naughty?" text instead of dying.
But, I could be wrong. :)
Have a go at overwriting or changing the details for chgid=3, which does currently exist and belongs to one of my test users.
Cheers,
Andy
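The ownership-scoped lookup Andy describes, as an added example in Python against a constructed SQLite schema (this is not BitFolk's Perl code or real schema): the scoped query beside the unscoped lookup it replaces, and a change handler that answers a foreign chgid with a 404 rather than a die()-driven fake 500.

```python
import sqlite3

# Constructed sample schema and rows (not BitFolk's real schema): two customers,
# each owning one address-book entry, with ids chosen to mirror the thread (7 and 8).
SCHEMA = """
CREATE TABLE customer (id INTEGER PRIMARY KEY, login TEXT NOT NULL);
CREATE TABLE addr (
    id          INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customer(id),
    nickname    TEXT NOT NULL,
    email       TEXT NOT NULL
);
INSERT INTO customer VALUES (1, 'alice'), (2, 'bob');
INSERT INTO addr VALUES (7, 1, 'billing', 'bills@alice.example');
INSERT INTO addr VALUES (8, 2, 'alerts',  'oncall@bob.example');
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def find_addr_unscoped(conn, addr_id):
    """Anti-pattern: looks the row up by the client-supplied chgid alone."""
    return conn.execute("SELECT id, customer_id, email FROM addr WHERE id = ?",
                        (addr_id,)).fetchone()

def find_addr_scoped(conn, customer_id, addr_id):
    """Equivalent of $customer->addrs->find({ id => $addr_id }): the logged-in
    customer's id is part of the WHERE clause, so a foreign id matches nothing."""
    return conn.execute(
        "SELECT id, customer_id, email FROM addr WHERE id = ? AND customer_id = ?",
        (addr_id, customer_id)).fetchone()

def change_addr(conn, customer_id, addr_id, new_email):
    """Handle a 'change' POST. Returns (http_status, message); an id that is not
    in the caller's own address book yields 404 instead of a die()-style 500."""
    if find_addr_scoped(conn, customer_id, addr_id) is None:
        return 404, "no such entry in your address book"
    conn.execute("UPDATE addr SET email = ? WHERE id = ? AND customer_id = ?",
                 (new_email, addr_id, customer_id))
    conn.commit()
    return 200, "saved"

if __name__ == "__main__":
    db = open_db()
    print(change_addr(db, 1, 7, "new@alice.example"))   # alice edits her own entry
    print(change_addr(db, 1, 8, "evil@alice.example"))  # alice submits bob's chgid: 404
    print(find_addr_unscoped(db, 8))                     # unscoped lookup returns bob's row
```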
Updated by admin almost 9 years ago
puse wrote:
It seems that you may be able to overwrite another person's contact details. I'm not sure if it is possible, as I cannot really check if the data is overwritten from my end.
I've been watching while you've been trying various things and it seems that while you can only affect your own address book entries, you are able to insert some strange things into the database this way, and other updates you do fail only because of unique key constraints. So, that's not good, and I will now take some time to investigate and fix that. :)
Updated by puse almost 9 years ago
admin wrote:
puse wrote:
It seems that you may be able to overwrite another person's contact details. I'm not sure if it is possible, as I cannot really check if the data is overwritten from my end.
Thanks for testing things!
I don't think it is possible to view, change or overwrite another customer's contact entries.
An ORM is in use and it's doing this on a change:
[...]
This does an SQL query that can only bring back an addr row that is related to the $customer at hand, not some other customer. The fake 500 pages you're seeing are because I was lazy and did a die "blah…" if that query returned nothing. I suppose I could make it just display some "why are you being naughty?" text instead of dying. But, I could be wrong. :)
Have a go at overwriting or changing the details for chgid=3, which does currently exist and belongs to one of my test users.
Cheers, Andy
The "fake" 500 errors aren't really a problem, it is just more polite to return the proper return codes for non-human clients.
When deleting an entry where the ID was one which does not belong to me, the server response was very slow, between 5-8 seconds. It works as it should, but the long response time may be because something strange is happening. It only occurs with the first request of the ID, and it seems like the result ends up in a cache somewhere.
Updated by vosill almost 9 years ago
- File Capture.PNG added
The nickname and names fields (in "Add new contact") have some character encoding issues in certain circumstances.
- Add a nickname and name using non-ASCII characters (in my case Swedish letters, "i å ä e ö" and "Någon Testdjävel")
- Select "postal address" from the "add detail" dropdown and click the "add detail button"
- The nickname and name are now mangled (see attached image)
If I just add the contact with the Swedish letters then the mangling doesn't happen, so it seems to be specific to the "add detail" code path.
Updated by admin almost 9 years ago
vosill wrote:
The nickname and names fields (in "Add new contact") have some character encoding issues in certain circumstances.
Thanks. I think I've fixed these now. This was due to doing the HTML entity encode and the UTF-8 decode in the wrong order in that code path.
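The ordering bug Andy describes, as an added Python example (not the panel's Perl code): the same UTF-8 form bytes rendered with decode-then-escape and with escape-then-decode, using the Swedish sample name from the report.

```python
import html

def render_name_correct(raw: bytes) -> str:
    """Decode the submitted bytes as UTF-8 first, then HTML-escape the characters."""
    text = raw.decode("utf-8")
    # xmlcharrefreplace turns non-ASCII characters into numeric entities, much as
    # Perl's encode_entities does, so the output is plain ASCII HTML.
    return html.escape(text).encode("ascii", "xmlcharrefreplace").decode("ascii")

def render_name_wrong(raw: bytes) -> str:
    """Escape first, decode second: each UTF-8 byte is treated as its own character
    and escaped separately, so 'å' (0xC3 0xA5) becomes two entities and the later
    UTF-8 decode has nothing left to repair."""
    as_chars = raw.decode("latin-1")   # byte-per-character view of the form data
    escaped = html.escape(as_chars).encode("ascii", "xmlcharrefreplace")
    return escaped.decode("utf-8")     # pure ASCII by now; the mangling is baked in

def browser_sees(rendered_html: str) -> str:
    """What the entities display as once the browser resolves them."""
    return html.unescape(rendered_html)

if __name__ == "__main__":
    # Constructed sample input taken from vosill's report
    submitted = "Någon Testdjävel".encode("utf-8")
    for render in (render_name_correct, render_name_wrong):
        out = render(submitted)
        print(render.__name__, out, "->", browser_sees(out))
```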
Updated by admin almost 9 years ago
puse wrote:
The "fake" 500 errors aren't really a problem, it is just more polite to return the proper return codes for non-human clients.
I've now made the "change" action into an "add" action if you try to change an invalid address.
I'm having trouble replicating the unique key constraint errors etc. that I was seeing before when you were trying to break it. What else were you trying besides doing a change with an id you made up?
When deleting an entry where the ID was one which does not belong to me, the server response was very slow, between 5-8 seconds. It works as it should, but the long response time may be because something strange is happening. It only occurs with the first request of the ID, and it seems like the result ends up in a cache somewhere.
I think this may have been just because I was working on it at the time. When the web server is reloaded, the first request needs to load all of the application into memory.
Updated by puse almost 9 years ago
admin wrote:
puse wrote:
The "fake" 500 errors aren't really a problem, it is just more polite to return the proper return codes for non-human clients.
I've now made the "change" action into an "add" action if you try to change an invalid address.
I'm having trouble replicating the unique key constraint errors etc. that I was seeing before when you were trying to break it. What else were you trying besides doing a change with an id you made up?
Changing the value of other parameters, such as add_role_name to "ADMIN", or changing the type to an array, "add_role_name=ALERTING" to "add_role_name[]=ALERTING". This typically results in an error for PHP applications, but can have some strange effects because of PHP's typing and its not checking types when comparing different variables.
Updated by admin almost 9 years ago
I've now added a button to remove individual address details. Some more testing would be appreciated.
Updated by admin almost 9 years ago
puse wrote:
Changing the value of other parameters, such as add_role_name to "ADMIN", or changing the type to an array, "add_role_name=ALERTING" to "add_role_name[]=ALERTING". This typically results in an error for PHP applications, but can have some strange effects because of PHP's typing and its not checking types when comparing different variables.
That's pretty nifty. Do you have a tool or plugin to do that from your web browser?
Updated by puse almost 9 years ago
admin wrote:
puse wrote:
Changing the value of other parameters, such as add_role_name to "ADMIN", or changing the type to an array, "add_role_name=ALERTING" to "add_role_name[]=ALERTING". This typically results in an error for PHP applications, but can have some strange effects because of PHP's typing and its not checking types when comparing different variables.
That's pretty nifty. Do you have a tool or plugin to do that from your web browser?
I use OWASP Zed Attack Proxy (https://github.com/zaproxy/zaproxy). I just interact a bit with the page using the browser, then resend requests that look interesting while tweaking the data. It can also do automatic scans, but I did not want to use that against the page without permission (it sends a lot of requests).
Updated by puse almost 9 years ago
The link gives an example of what can happen when giving PHP an array when it expects something else:
https://github.com/ctfs/write-ups-2015/tree/master/boston-key-party-2015/school-bus/brigham-circle
Updated by admin over 8 years ago
- Status changed from New to Closed