Aftermath Wizard Log Mailer
#1
Does anyone have a copy of the PHP script located at http://aftermathwizard.net/mail_logs.php?

I am trying to add the upload log function to my server, and I want to expand on the script to support encryption and some other server-side functions on my own server(s).

1. I don't trust my data running through the Aftermath Wizard server for a number of reasons.

2. The thing sends this information over a non-encrypted connection.

3. It's an open mail relay and it can be used for spam if a spammer knows what he is doing.

4. I don't want the log mailer dependent on your server.

5. How do we know that the Aftermath site isn't logging every single one of those paste links and IP addresses in a MySQL database?

6. The paste default expire time in the wizard's uploadlog.py is about 30 days. So not only is the latter possible, but there is a pretty good 30-day history that can potentially be obtained. Personally I reduced the time to

I think in the interest of fairness and security you should release a copy of that script with any potential SMTP credentials removed. It would take a load off your server and it gives us (the builder or end user) the ability to control data flow. I don't think it's an unreasonable request to want to have control of where your users' logs are being sent through.
  Reply
#2
I've not looked but I presume all it does is send a post of the log contents to some URL.

The url you hit then presumably saves that file on the server. Would just be a very simple case of googling how to create a text file on your server, in fact I just googled it and the very first thread pretty much gave all the info you need:
https://www.w3schools.com/php/php_file_create.asp

so your online code would just be something like this:

Code:
<?php

// setup the log_path
$logpath = $_SERVER['DOCUMENT_ROOT']."/logfiles/";

// grab the unix timestamp - can use this as the filename
$time = time();

// set the full path to the final file you're going to save
$fullpath = $logpath.$time.".txt";

// grab the post with the log text, I'm presuming the post is called "log" but set to whatever you want in the python code.
$logtext = $_POST['log'];

// add some encryption routine here if you want to decrypt

// write the file to your server (fwrite needs a handle from fopen, not a path)
$handle = fopen($fullpath, "w");
fwrite($handle, $logtext);
fclose($handle);

// return something, you'd have to check what the upload python code is looking for as a return
// it's probably something like the filename
echo $time;

?>

As far as the python code goes, just find the upload python file and sling in whatever kind of encryption you want to create. Of course you'll also need a matching decryption method on your server to decipher the post.
IMPORTANT:
NO LOG == NO PROBLEM
  Reply
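An added example, not code from the post above: a receiver along the same lines that caps the body size, stores logs outside the web root under an unguessable name, and never overwrites an existing file. `LOG_DIR`, `MAX_BYTES` and the `fail()` helper are assumptions; the `log` field name follows the post.

```php
<?php
// Added example. LOG_DIR and MAX_BYTES are assumed values, adjust to your server.
const LOG_DIR   = '/var/lib/kodi-logs';   // outside DOCUMENT_ROOT, so not served over HTTP
const MAX_BYTES = 2 * 1024 * 1024;        // refuse oversized bodies

function fail(int $status, string $text): void {
    http_response_code($status);
    die($text);
}

if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    fail(405, 'POST only');
}
$log = $_POST['log'] ?? null;
if (!is_string($log) || $log === '') {     // also rejects log[]=... arrays
    fail(400, 'missing log field');
}
if (strlen($log) > MAX_BYTES) {
    fail(413, 'log too large');
}

// Unpredictable name: a timestamp can be guessed and collides within one second.
$name = bin2hex(random_bytes(16)) . '.txt';
$path = LOG_DIR . '/' . $name;

// Mode 'x' fails if the file already exists, so nothing is ever overwritten.
$handle = @fopen($path, 'x');
if ($handle === false) {
    fail(500, 'could not store log');
}
chmod($path, 0600);                        // readable by the web server user only
$written = fwrite($handle, $log);
fclose($handle);
if ($written !== strlen($log)) {
    unlink($path);                         // do not keep a truncated log
    fail(500, 'short write');
}
echo $name;                                // opaque identifier returned to the client
```

PHP's own `post_max_size` setting still applies before this code runs, so keep it at or above `MAX_BYTES`.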
#3
Right, I can handle the encryption/decryption part; I just want to have this mailer function for the logs on my own server.


And I am not suggesting anyone is a malicious party by any means. I just want to add a degree of security to my build when I go public with it.
  Reply
#4
The above is untested but I don't see why it shouldn't work, let us know how you get on with it.
  Reply
#5
As stated in the credits.txt, the log uploader is the same as the one in the Kodi repo. As far as the PHP file goes, I'm more than happy to share it.
Code:
<?php
  if ($_SERVER["REQUEST_METHOD"] == "POST") {

    $email        = filter_var(trim($_POST["email"]), FILTER_SANITIZE_EMAIL);
    $pin          = filter_var($_POST["results"], FILTER_SANITIZE_STRING);
    $file         = filter_var($_POST["file"], FILTER_SANITIZE_STRING);
    $wizard       = filter_var($_POST["wizard"], FILTER_SANITIZE_STRING);
    $ip           = $_SERVER['REMOTE_ADDR'];
    $subject      = "Kodi Log Upload URL";
    $message      = "
<html>
<head>
<title>Kodi Log Upload URL</title>
</head>
<body>
The file <b>".$file."</b> that has been uploaded by <b>".$ip."</b> using ".$wizard." can be viewed at:<br><br> <b><a href=\"".$pin."\">".$pin."</a></b><br><br>Please do not reply to this email.
</body>
</html>";
    
    if(!filter_var($email, FILTER_VALIDATE_EMAIL)){ //email validation
      $output = json_encode(array('type'=>'error', 'text' => 'Please enter a valid email! '.$email));
      die($output);
    }
    if(strlen($pin)<10){
      $output = json_encode(array('type'=>'error', 'text' => 'Not a valid URL for log. '.$pin));
      die($output);
    }
    
    $headers = "MIME-Version: 1.0" . "\r\n";
    $headers .= "Content-type:text/html;charset=UTF-8" . "\r\n";
    $headers .= 'From: No-Reply <[email protected]>' . "\r\n";
  
    mail($email, $subject, $message, $headers);
    
    $output = json_encode(array('type'=>'message', 'text' => 'Email has been sent from [email protected]'));
    die($output);

  }
?>

Sent from my SM-N920V using Tapatalk
  Reply
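An added example, not the original mail_logs.php and not written by anyone in this thread: a variant of the script above that only mails a fixed set of recipients, requires the log link to be an https URL on an expected paste host, and HTML-escapes every interpolated value. The addresses, host names and helper functions are constructed placeholders, and it assumes the builder pre-defines the destination address.

```php
<?php
// Added example. Addresses and hosts are constructed placeholders.
const ALLOWED_RECIPIENTS  = ['builder@example.org'];  // only these ever get mail
const ALLOWED_PASTE_HOSTS = ['paste.example.org'];    // where log links may point

function field(string $name, int $max = 200): string {
    $v = $_POST[$name] ?? '';
    return is_string($v) ? substr(trim($v), 0, $max) : '';  // arrays become ''
}
function respond(int $status, string $type, string $text): void {
    http_response_code($status);
    header('Content-Type: application/json');
    die(json_encode(['type' => $type, 'text' => $text]));
}
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    respond(405, 'error', 'POST only');
}
// 1. Fixed recipient list: a caller cannot direct mail to arbitrary addresses.
$email = strtolower(field('email'));
if (!in_array($email, ALLOWED_RECIPIENTS, true)) {
    respond(403, 'error', 'Recipient not allowed');
}
// 2. The link must be a well-formed https URL on an expected paste host.
$pin  = field('results', 500);
$url  = filter_var($pin, FILTER_VALIDATE_URL) ? (parse_url($pin) ?: []) : [];
$host = strtolower($url['host'] ?? '');
if (($url['scheme'] ?? '') !== 'https' || !in_array($host, ALLOWED_PASTE_HOSTS, true)) {
    respond(400, 'error', 'Not a valid URL for log');
}
// 3. Escape every value that lands in the HTML body.
$message = '<html><body>The file <b>' . esc(field('file')) . '</b> uploaded by <b>'
    . esc($_SERVER['REMOTE_ADDR'] ?? '') . '</b> using ' . esc(field('wizard'))
    . ' can be viewed at:<br><br><b><a href="' . esc($pin) . '">' . esc($pin)
    . '</a></b></body></html>';
$headers = "MIME-Version: 1.0\r\n"
    . "Content-type: text/html; charset=UTF-8\r\n"
    . "From: No-Reply <no-reply@example.org>\r\n";

$sent = mail($email, 'Kodi Log Upload URL', $message, $headers);
respond($sent ? 200 : 500, $sent ? 'message' : 'error',
        $sent ? 'Email has been sent' : 'Mail could not be sent');
```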
#6
(07-08-2017, 06:47 PM)Surfacingx Wrote: As stated in the credits.txt, the log uploader is the same as the one in the Kodi repo. As far as the PHP file goes, I'm more than happy to share it.

Sent from my SM-N920V using Tapatalk

SMTP email support has been introduced into the script.
You will need php-pear, PEAR Net_SMTP and PEAR Mail.
You can usually get those on your server (if you have root) by doing:
sudo yum (or sudo apt-get) install php-pear
pear install Mail
pear install Net_SMTP

PHP Code:
<?php
require_once "Mail.php";
  if ($_SERVER["REQUEST_METHOD"] == "POST") {
    $from         = "your-name-or-username-or-no-reply <[email protected]>";

    $email        = filter_var(trim($_POST["email"]), FILTER_SANITIZE_EMAIL);
    $pin          = filter_var($_POST["results"], FILTER_SANITIZE_STRING);
    $file         = filter_var($_POST["file"], FILTER_SANITIZE_STRING);
    $wizard       = filter_var($_POST["wizard"], FILTER_SANITIZE_STRING);
    $ip           = $_SERVER['REMOTE_ADDR'];
    $subject      = "Kodi Log Upload URL";
    $message      = "
<html>
<head>
<title>Kodi Log Upload URL</title>
</head>
<body>
The file <b>".$file."</b> that has been uploaded by <b>".$ip."</b> using ".$wizard." can be viewed at:<br><br> <b><a href=\"".$pin."\">".$pin."</a></b><br><br>Please do not reply to this email.
</body>
</html>";

    if(!filter_var($email, FILTER_VALIDATE_EMAIL)){ //email validation
      $output = json_encode(array('type'=>'error', 'text' => 'Please enter a valid email! '.$email));
      die($output);
    }
    if(strlen($pin)<10){
      $output = json_encode(array('type'=>'error', 'text' => 'Not a valid URL for log. '.$pin));
      die($output);
    }

//    $headers = "MIME-Version: 1.0" . "\r\n";
//    $headers .= "Content-type:text/html;charset=UTF-8" . "\r\n";
//    $headers .= 'From: No-Reply <[email protected]>' . "\r\n";

    // PEAR Mail takes the headers as an array; the body is HTML, so declare it
    $headers = array(
      'From' => $from,
      'To' => $email,
      'Subject' => $subject,
      'MIME-Version' => '1.0',
      'Content-Type' => 'text/html; charset=UTF-8'
    );

    // SMTP over SSL with authentication
    $smtp = Mail::factory('smtp', array(
      'host' => 'ssl://smtp.gmail.com',
      'port' => '465',
      'auth' => true,
      'username' => '[email protected]',
      'password' => 'yourpassword'
    ));
    // mail($email, $subject, $message, $headers);

    $mail = $smtp->send($email, $headers, $message);

    if (PEAR::isError($mail)) {
      // report the failure as an error, and keep the response valid JSON
      $output = json_encode(array('type'=>'error', 'text' => 'Email could not be sent -- '.$mail->getMessage()));
    } else {
      $output = json_encode(array('type'=>'message', 'text' => 'Email has been sent from [email protected]'));
    }

    die($output);

  }
?>

 


Special thanks to The BOFH @ Anonops for this. He wrote this script for me. It is based on your original script.


This should increase the security of the log mailer process just a tad bit.
The script is tested and working with https as well. I would advise everyone to use https when using any kind of function like this when transmitting data such as a log to a server.

Is there a way for you to get GPG working inside of Kodi, @surfacingx?
If you can make that happen, you can have the log uploader encrypt the contents of a log with a public key that only the intended recipient could decrypt (for example, put a public key in a file somewhere and have the addon import a gpg library and have it encrypt with a public key). This could also allow for signing of build files and notifications with a gpg key and could allow for a "file integrity" system for build creators.

If you can make GPG happen on Kodi, it would probably be best to make it some kind of service other people could use in their addons.

Can this thread get moved to the Aftermath Forum? I think I made a mistake when I posted it.
  Reply
#7
People who want to increase the security of the outgoing mail with gpg can use the following script.
It's recommended that you have a basic understanding of GPG keys and some knowledge of the Linux command line before you continue.


Like the first script, you will need php-pear, PEAR Net_SMTP and PEAR Mail.
You also need Crypt_GPG and gnupg for your PHP installation:
http://pear.php.net/manual/en/package.en...pt-gpg.php.

Note: Your mileage may vary and you may have to define a custom homedir and/or key ring to make your implementation work, and you may also need to manually create .gnupg directories and files and chown them to your "webserver" user/group.
See warning at: https://pear.php.net/manual/en/package.e...te-key.php

PHP Code:
<?php

require_once "Mail.php";
require_once 'Crypt/GPG.php';
  // encrypt to the public key of the address that will receive the mail
  $gpg = new Crypt_GPG();
  $gpg->addEncryptKey('[email protected]');

  if ($_SERVER["REQUEST_METHOD"] == "POST") {
    $from         = "No-Reply <[email protected]>";
    $email        = filter_var(trim($_POST["email"]), FILTER_SANITIZE_EMAIL);
    $pin          = filter_var($_POST["results"], FILTER_SANITIZE_STRING);
    $file         = filter_var($_POST["file"], FILTER_SANITIZE_STRING);
    $wizard       = filter_var($_POST["wizard"], FILTER_SANITIZE_STRING);
    $ip           = $_SERVER['REMOTE_ADDR'];
    $subject      = "Kodi Log Upload URL";
    $message      = "
<html>
<head>
<title>Kodi Log Upload URL</title>
</head>
<body>
The file <b>".$file."</b> that has been uploaded by <b>".$ip."</b> using ".$wizard." can be viewed at:<br><br> <b><a href=\"".$pin."\">".$pin."</a></b><br><br>Please do not reply to this email.
</body>
</html>";
    // the mail body is the ASCII-armored ciphertext of the message
    $encrypted = $gpg->encrypt($message);

    if(!filter_var($email, FILTER_VALIDATE_EMAIL)){ //email validation
      $output = json_encode(array('type'=>'error', 'text' => 'Please enter a valid email! '.$email));
      die($output);
    }
    if(strlen($pin)<10){
      $output = json_encode(array('type'=>'error', 'text' => 'Not a valid URL for log. '.$pin));
      die($output);
    }

    $headers = array(
      'From' => $from,
      'To' => $email,
      'Subject' => $subject
    );

    // SMTP over SSL with authentication
    $smtp = Mail::factory('smtp', array(
      'host' => 'ssl://smtp.gmail.com',
      'port' => '465',
      'auth' => true,
      'username' => '[email protected]',
      'password' => 'password'
    ));

    $mail = $smtp->send($email, $headers, $encrypted);

    if (PEAR::isError($mail)) {
      // report the failure as an error, and keep the response valid JSON
      $output = json_encode(array('type'=>'error', 'text' => 'Email could not be sent -- '.$mail->getMessage()));
    } else {
      $output = json_encode(array('type'=>'message', 'text' => 'Your log has been Sent to the Tech guys'));
    }

    die($output);

  }
?>

 



Note: This won't protect the actual log with encryption, just the outgoing email to the specified destination in the settings.xml.

This can be useful to builders who want to host their own script for emailing the logs and pre-define an email in the addon settings.xml and encrypt the email with gpg.
One good reason for builders to implement gpg could be, for example, an adversary who has gained access to your email and wanted to find out more about your Kodi users (use your imagination).

Hopefully in the future someone can bring the sign, verify and encrypt functions of PGP/GPG to Kodi, so that the log itself could be encrypted with a specified or embedded public key before upload. This could allow for a lot of interesting features such as code signing (to prevent a malicious repo from overwriting your plugin), verifying releases of builds, verifying notifications, etc. It might be more sensible to request the feature in the main Kodi branch itself. But gpg encryption is just one of many tools people need to help defend against many attacks and maybe even takedowns if other measures are implemented.


More information about gpg/pgp:

Mailvelope: GPG/PGP encryption in your browser https://www.mailvelope.com/en/
ProtonMail: A fully encrypted email service (also supports gpg) https://protonmail.com


With that being said, I encourage everyone to educate themselves on government and 3rd party surveillance defense: https://ssd.eff.org/


Using Cloudflare is a good way to accelerate your websites and downloads if you know what you are doing.

If there are any builders and/or box sellers using questionable content in their builds and you are communicating with certain people by email or telephone
It's also recommended to be using Kodi 17 or a fork that supports modern SSL/TLS libraries and ciphers, and to deploy your builds, repos and websites over a secure connection when hosting on your own server. Also avoid shared hosting plans and just go with a VPS or dedicated server. You get better results and have more control over your server.


SSL/TLS certificates can be obtained for free from https://letsencrypt.org/
In the past SSL certificates were not free, and most shared hosts don't support SSL,
and a decent VPS can usually be obtained for a few bucks more than shared hosting. (Centos7-minimal is one of the best choices for a server OS.)

I suggest you get a pgp key, get Signal, and WhatsApp.
Signal For your phone.
Android Version
IOS Version

and WhatsApp
Android
IOS Version


Encrypt wherever and whenever possible. Defend yourself against surveillance and MITM attacks over an insecure connection.
  Reply

