Name | Modified | Size | Downloads / Week
---|---|---|---
binaries.zip | 2018-06-06 | 6.2 MB |
Hyperlamb.pdf | 2018-06-06 | 4.7 MB |
install.sh | 2018-06-06 | 10.6 kB |
Source-Complete-With-Submodules.zip | 2018-06-06 | 5.6 MB |
Phoenix - Fort Knox source code.tar.gz | 2018-06-06 | 767.4 kB |
Phoenix - Fort Knox source code.zip | 2018-06-06 | 1.2 MB |
README.md | 2018-06-06 | 7.1 kB |
Totals: 7 Items | | 18.5 MB | 0
Phoenix release version 8.3
About this release - Tightening security!
For this release, security has gained significant improvements. In fact, I have had a security expert from Reddit perform a code review of P5's code, to find the things you tend to overlook when you are too deeply into a project yourself. This security expert has several decades of experience, is an extremely skilled software developer, and literally went through the system with a microscope! Although the code was found to be in generally good shape, 3 minor flaws were pinpointed in this process, and they are now fixed.
Encrypting the password file
The most important change is that the "auth.hl" file is now encrypted using PGP. This means that even if an adversary should somehow gain access to your password file, he will still have to break its 4096-bit asymmetric RSA encryption, which, might I add, is the strength the NSA and the CIA recommend for sensitive information in the US public sector.
In addition, the private PGP key is stored AES encrypted, with a password that is only accessible from your web.config file. So even if an adversary should somehow gain access to both your private PGP key and your password file (both of which should be impossible with normal usage of Phosphorus Five, might I add), the adversary still needs to gain access to your web.config file. And even if an adversary were able to gain access to all of the above, the passwords inside the decrypted password file are still stored as server-side salted, hashed values. Even though this is arguably several orders of magnitude better security than you need, security is one of those things you simply can't get enough of, and it's better to be safe than sorry.
SQL injection and improvements during installation
The code review process also found one place where an SQL injection could potentially occur while restoring a MySQL backup, if the CSV file you are importing as a backup had somehow been tampered with by an adversary. The "install.sh" script has also been upgraded: in addition to hiding most information about your Linux box, it now also hides the fact that the box is running ASP.NET/Mono.
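To illustrate the class of flaw described above, here is an added example of a CSV restore routine that keeps cell contents out of the SQL text. It is not Phosphorus Five's code: the "users" table, the sample backup and the use of sqlite3 in place of MySQL are all constructed for the demonstration.

```python
import csv
import io
import sqlite3

# Constructed sample backup for a hypothetical "users" table. The last row is
# the kind of tampered record the release notes warn about: pasted into the SQL
# text it would alter the statement, bound as a parameter it is just a string.
BACKUP_CSV = (
    "username,password_hash\n"
    "alice,9f86d081\n"
    "bob,ffe5d8a1\n"
    "mallory,x'); DROP TABLE users; --\n"
)

def _quote_ident(name):
    """Double-quote an SQL identifier, escaping embedded quotes."""
    return '"' + name.replace('"', '""') + '"'

def restore_table(conn, table, csv_text):
    """Restore CSV rows into `table`: values are bound, identifiers are allow-listed."""
    reader = csv.reader(io.StringIO(csv_text))
    header = next(reader)
    # Identifiers cannot be bound as parameters, so check the CSV header
    # against the live schema instead of trusting the file.
    known = {row[1] for row in conn.execute(f"PRAGMA table_info({_quote_ident(table)})")}
    if not known:
        raise ValueError(f"unknown table {table!r}")
    unknown = [c for c in header if c not in known]
    if unknown:
        raise ValueError(f"CSV header names columns not in {table!r}: {unknown}")
    cols = ", ".join(_quote_ident(c) for c in header)
    marks = ", ".join("?" for _ in header)
    sql = f"INSERT INTO {_quote_ident(table)} ({cols}) VALUES ({marks})"
    rows = [row for row in reader if len(row) == len(header)]  # blank lines skipped
    with conn:  # one transaction: a failing row rolls the whole batch back
        conn.executemany(sql, rows)
    return len(rows)

def demo():
    """Restore the sample backup into an in-memory database; also try a tampered header."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    count = restore_table(conn, "users", BACKUP_CSV)
    rows = conn.execute("SELECT username, password_hash FROM users ORDER BY username").fetchall()
    try:  # a backup whose header names a column the table lacks is refused
        restore_table(conn, "users", "username,is_admin\neve,1\n")
        rejected = False
    except ValueError:
        rejected = True
    return count, rows, rejected
```

Running `demo()` shows the tampered value stored verbatim as data while the table survives, and the extra-column backup rejected before any row is written.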
Of course, security is a constant process, and I would like to repeat that if you find a potential hole in Phosphorus Five, feel free to send me information about it at thomas@gaiasoul.com. You are also free to try to hack my private home server, which you can find here.
About Open Source and Crowd Source
The lesson learned from this process is that if you give people the right incentives, they are willing to provide services free of charge, services that would often cost thousands of dollars, as long as they can scrutinise your source code. I am of course deeply grateful to /u/Cifize. Feel free to bring forth my thanks to him :)
Using the Source Code version
IMPORTANT - Please download the Source-Complete-With-Submodules.zip file, which includes all submodules. If you get a blank page when debugging, this is highly likely your problem!
Visual Studio for Windows - Make sure you turn OFF the "Browser sync" features of Visual Studio before you start your debugging session.
Please make sure you have installed Visual Studio, Mono Develop, or Xamarin. In addition, you'll need access to a MySQL database, and you must edit your "/core/p5.webapp/web.config" file such that your connection string points to your MySQL instance. If you don't have MySQL installed, parts of Phosphorus Five, such as Hyper IDE and some of the other modules, will still work, but you will not get the full experience.
Installation process (for non-geeks)
- Install Visual Studio Community Edition. You can skip this if you already have Visual Studio, Mono Develop or Xamarin installed.
- Install MySQL Community Server. You can skip this if you have access to another MySQL server somewhere.
- Download and unzip Phosphorus Five.
- Edit your "/core/p5.webapp/web.config" file from Visual Studio, and supply your MySQL password in the "MYSQL_GENERIC_CONNECTION_STRING" section. Below is an example of how your entire connection string setting should look.
- Turn OFF Browser Sync in Visual Studio if you are using the Windows version. This is a toolbar button that looks like a "round arrow".
- Start debugging by pressing "F5" or clicking the "play" button in Visual Studio.
- Have fun :)
Example MySQL connection string setting from "web.config".
server=127.0.0.1;SslMode=none;User Id=root;Password=YOUR_MYSQL_PASSWORD_GOES_HERE;charset=utf8mb4;allowPublicKeyRetrieval=true;
Replace the YOUR_MYSQL_PASSWORD_GOES_HERE part above with the MySQL password you chose during installation of MySQL.
Notice - The above connection string allows the client to retrieve the server's public encryption key over a non-secure connection (SslMode=none together with allowPublicKeyRetrieval=true). This is probably what you want for your local source code and development machine, but you would probably want to change it for your production website.
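As an added example (not part of Phosphorus Five), a small audit function for the connection string shown above, with a hypothetical hardened counterpart for production; the production host name, account name and password are constructed placeholders.

```python
# DEV_CONNECTION_STRING is the string from this README. PROD_CONNECTION_STRING is a
# constructed, hardened counterpart: TLS required, no public-key retrieval over the
# wire, a dedicated application account, and a placeholder for a real password.
DEV_CONNECTION_STRING = (
    "server=127.0.0.1;SslMode=none;User Id=root;"
    "Password=YOUR_MYSQL_PASSWORD_GOES_HERE;charset=utf8mb4;allowPublicKeyRetrieval=true;"
)
PROD_CONNECTION_STRING = (
    "server=mysql.internal.example;SslMode=Required;User Id=p5app;"
    "Password=STRONG_UNIQUE_PASSWORD;charset=utf8mb4;allowPublicKeyRetrieval=false;"
)

def parse_connection_string(text):
    """Split 'key=value;' pairs into a dict; keys are matched case-insensitively."""
    settings = {}
    for part in text.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip()
    return settings

def audit_connection_string(text):
    """Return the ids of the production-readiness rules the string violates."""
    s = parse_connection_string(text)
    ssl_off = s.get("sslmode", "").lower() == "none"
    findings = []
    if ssl_off:
        # Credentials and query traffic cross the network unencrypted.
        findings.append("no-tls")
    if ssl_off and s.get("allowpublickeyretrieval", "").lower() == "true":
        # The server's RSA public key is fetched over that same cleartext channel,
        # so the client has no way to tell whether it came from the real server.
        findings.append("public-key-over-cleartext")
    if s.get("user id", "").lower() == "root":
        # Least privilege: the application should use a dedicated account with
        # only the grants it needs on its own schema.
        findings.append("root-account")
    if not s.get("password") or "YOUR_MYSQL_PASSWORD" in s["password"]:
        # The README placeholder was never replaced.
        findings.append("placeholder-password")
    return findings
```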
Installing binaries on a Linux/Ubuntu server
Important - Currently the installation script only works on Ubuntu version 16.04. Sorry for the inconvenience; I am trying my best to fix this, and hope to shortly provide a fix that allows you to install it on later versions as well.
To install a new binary release on an Ubuntu server, type the following in a terminal window to download the installation script. Make sure you don't have an old "install.sh" file left in the same folder from before.
wget https://github.com/polterguy/phosphorusfive/releases/download/v8.3/install.sh
Then execute the following command to make the installation script executable.
chmod +x install.sh
Then start the installation process with the following.
sudo ./install.sh
The above "install.sh" script has only been tested on Ubuntu Server version 16.04.4, but it might work on other versions. You can probably edit the script yourself fairly easily if you'd like to make it work with other Debian-based systems.
Documentation
The system is largely literate, and contains its own documentation. However, for convenience, I have included the PDF documentation as a separate file here. You can also generate this file yourself from within the system.