OVA Mail Piler Web GUI

Issue #687 invalid
Randy created an issue

Hi All,

I imported the OVA file that can be downloaded from the mail piler website to my XenServer. The import was successful; however, when I log in as admin@local the web GUI started to go to other websites such as Facebook, etc. Is this a bug or a security breach? How can I resolve it?

Comments (10)

  1. Janos SUTO repo owner

    It definitely shouldn't happen. Can you provide some more details about this incident? I'll try to find a way to deploy the OVA and see it for myself.

  2. Janos SUTO repo owner

    Yes. I couldn't reproduce the problem. So I'd like you to redeploy the OVA, install ngrep, and show me all packets leaving the virtual machine, e.g.

    T 192.168.100.100:80 -> x.x.x.x:12345

    I'm interested in only the destinations of the packages, not the actual content.

  3. Randy reporter

    Hi Jsuto,

    Please see details below:

    192.168.0.13:80 -> 192.168.0.29:54170 [AP] HTTP/1.1 302 Moved Temporarily..Server: nginx/1.2.1..Date: Tue, 24 May 2016 02:46:03 GMT..Content-Type: text/html..Transfer-Encoding: chunked..Connection: keep-alive..X-Powered-By: PHP/5.4.45-0+deb7u2..Expires: Thu, 19 Nov 1981 08:52:00 GMT..Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0..Pragma: no-cache..Location: http://piler.yourdomain.com/index.php?route=health/health....0...

    Waiting for your reply

  4. Randy reporter

    Hi Jsuto,

    You may change the status to resolved. I just edited config-site.php to my domain and it does not go to other sites. My only question is: is this virtual file safe to use? What I mean is, does it not have vulnerabilities, or are my emails safe from anyone?

    Thank you.

  5. Janos SUTO repo owner

    My bad: I should have asked for proof in the first place :-) The main purpose of the OVA image is to give you an instant installation allowing you to try and evaluate it without going through the installation procedure. The latest OVA contains Debian 7, which means you should update the OS packages, or you may even dist-upgrade it (though in this case you may have to recompile piler). Besides the recommended upgrade, the OVA image is safe, I've made it myself.

    Btw. in the future I may switch to KVM or VirtualBox, or perhaps even to Docker. I don't have hands-on access to a VMware environment anymore.

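The check that comments 2 and 3 carry out by eye, as an added example that is not part of the original thread or of piler: it parses ngrep output and reports every HTTP 3xx reply whose Location host is not one the operator expects. The sample capture is constructed from the line in comment 3; the names `packets` and `foreign_redirects` and ngrep's default line layout are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the capture in comment 3; assumes ngrep's
# default layout: a "T src:port -> dst:port" line, then the payload indented
# by two spaces, CRLF shown as "..", long payloads wrapped mid-word.
SAMPLE = """\
T 192.168.0.13:80 -> 192.168.0.29:54170 [AP]
  HTTP/1.1 302 Moved Temporarily..Server: nginx/1.2.1..Content-Type: text/h
  tml..Locati
  on: http://piler.yourdomain.com/index.php?route=health/health....
T 192.168.0.13:80 -> 192.168.0.29:54171 [AP]
  HTTP/1.1 302 Found..Location: http://192.168.0.13/index.php?route=health/health....
T 192.168.0.13:80 -> 192.168.0.29:54172 [AP]
  HTTP/1.1 200 OK..Content-Type: text/html....
"""

HEADER = re.compile(r"^[TU] (\S+):\d+ -> (\S+):\d+")
REDIRECT = re.compile(r"^HTTP/1\.[01] 3\d\d ")
LOCATION = re.compile(r"\.\.Location: (.+?)\.\.", re.IGNORECASE)


def packets(text):
    """Return [src_ip, dst_ip, payload] per packet, wrapped lines rejoined."""
    out = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            out.append([m.group(1), m.group(2), ""])
        elif out and line.startswith("  "):
            out[-1][2] += line[2:]
    return out


def foreign_redirects(text, allowed_hosts):
    """List (server_ip, location, host) for 3xx replies to a host not allowed."""
    findings = []
    for src, _dst, payload in packets(text):
        m = LOCATION.search(payload) if REDIRECT.match(payload) else None
        if not m:
            continue
        host = urlsplit(m.group(1).strip()).hostname
        if host and host not in allowed_hosts:  # relative URLs have no host
            findings.append((src, m.group(1).strip(), host))
    return findings


if __name__ == "__main__":
    for finding in foreign_redirects(SAMPLE, {"192.168.0.13"}):
        print("redirect to unexpected host:", finding)
```
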