This is going to be a little bit of a different style of post than we usually do on Question-Defense. I have been completely amazed lately at the number of unsecured web interfaces on the Internet, and I figure another post can't hurt. I am assuming everyone knows that when you buy a new piece of hardware you need to change the default user name and password. “Well, of course I know that,” most people would say. Well, how about we do a little recon and see if that is really true.
I recently installed the Youtube With Fancy Zoom WordPress plugin on one of my personal web sites so I could upload and display videos of my daughters. This plugin allows you to upload videos to YouTube, reference them in your WordPress admin, and then display them in a nice pop-up window on your website. This way they are streamed from YouTube, but the person visiting your site doesn’t have to leave your site to view the video.
I have been having a problem with the media browser uploader for a couple of days, ever since I enabled FORCE_SSL_ADMIN in my wp-config.php file. I finally got some time tonight to look into the issue, and I am embarrassed it took me so long to resolve. This was a classic example of trying to make something more complicated than it really was. The issue ended up being with a WordPress plugin I had installed called Flexible Uploader. This plugin provides all the functionality of the Flash media uploader to the browser media uploader. It turns out that this plugin has not been updated in a long time and some of the URL building functions have changed in the newer versions of WordPress. Below I explain how to easily resolve the issue.
LiteSpeed web server uses the same rewrite engine that Apache uses, so most of the information you will find on the Internet relates to Apache and not LiteSpeed. One of the projects I am working on redirects all web traffic that hits each virtual host from HTTP to HTTPS without exception. Recently it came up that we needed to do some API testing with a company that wanted to test on a development server over HTTP and not HTTPS. So I needed to figure out how to exclude a specific directory from our HTTPS redirect rule on one specific virtual host, which, it turns out, is really easy. Below I describe how to send all traffic except one directory to HTTPS via the LiteSpeed web admin.
I have a Linksys WRT54G wireless router running DD-WRT open source firmware. A lot of the work I do requires providing access to clients or coworkers to various devices on my local network. I also view the DD-WRT web interface regularly on the Linksys WRT54G to see what devices it can see on the network via ARP or IP. A lot of the time, when I attempt to connect to the web server, which is only running HTTPS on port 443, the connection via my browser will just hang or simply won’t connect at all. During the times when I am unable to open the DD-WRT web interface, I am always still able to connect to the Linksys device via SSH, meaning that for some reason the web interface is failing.