• LibClamAV Error : Clamd restart issue

    What is the issue ?

    Today my team reported that our mail relay server is not working and they are not able to send e-mails via the test applications.
    When I checked the mail server I found more than 1000 mails in the queue, and the mail server was failing to send/deliver mails to recipients.
    In a detailed check it was found that the clamd service was down and I was not able to restart it. I was getting the following error:

    LibClamAV Error: mpool_malloc(): Attempt to allocate 8388608 bytes. Please report to http://bugs.clamav.net

    After some googling it was found that the issue is with the version of clamd we were using in our mail server. And the golden words I got from the ClamAV forum were as follows:

    " ClamAV 0.97.x is no longer supported. The current release of ClamAV is 0.99.2 ".

    How to fix this issue?

     1.  Download the latest version (0.99.2) of the clamd, clamav and clamav-db RPMs and update your mail server. (https://dl.fedoraproject.org/pub/epel/5/x86_64/)
     2.  Restart the freshclam and clamd services.

    Reference:-
    https://bugzilla.clamav.net/show_bug.cgi?id=11647

  • ImageMagick critical remote execution vulnerability – CVE-2016-3714

    What is ImageTragick? (CVE-2016-3714)

    In a vulnerable environment, ImageMagick commands allow remote code execution during the conversion of several file formats.

    Which are the platforms affected ?

    As per Red Hat, the RedHat 5, 6 and 7 platforms are affected by this vulnerability.

    How to check whether your platform is affected or not ?

    Create a .mvg file with the following content and run the convert command as shown below. If your platform is vulnerable, the convert command will list the folder contents.

    # vi exploit.mvg
    push graphic-context
    viewbox 0 0 640 480
    fill 'url(https://example.com/image.jpg";|ls "-la)'
    pop graphic-context
    [[email protected] config]# convert exploit.mvg out1.png
    total 172
    drwxr-xr-x 2 root root  4096 May  5 04:52 .
    drwxr-xr-x 4 root root  4096 Jun  2  2014 ..
    -rw-r--r-- 1 root root  3447 Feb 10  2014 configure.xml
    -rw-r--r-- 1 root root 11041 Feb 10  2014 delegates.xml
    -rw-r--r-- 1 root root 46238 Jun 28  2009 english.xml
    -rw-r--r-- 1 root root 49251 Jun 28  2009 francais.xml
    -rw-r--r-- 1 root root  2403 Mar 24  2009 locale.xml
    -rw-r--r-- 1 root root   369 May  5 04:42 out1.png
    -rw-r--r-- 1 root root  1873 May  5 04:52 policy.xml
    -rw-r--r-- 1 root root  9727 Feb 10  2014 type-ghostscript.xml
    -rw-r--r-- 1 root root 13655 Feb 10  2014 type-windows.xml
    -rw-r--r-- 1 root root   671 Feb 10  2014 type.xml
    convert: unrecognized color `https://example.com/image.jpg"|ls "-la' @ color.c/GetColorInfo/965.
    convert: no decode delegate for this image format `/tmp/magick-XXoEao8j' @ constitute.c/ReadImage/537.
    convert: Non-conforming drawing primitive definition `fill' @ draw.c/DrawImage/3124.
    [[email protected] config]

    How to Fix this vulnerability ?

    1. Upgrade your ImageMagick packages to 6.9.3-10 or 7.0.1-1 (as per the ImageMagick blog the fix is released in these versions; see the references below).
    2. Apply the manual fix via the policy.xml file: add policies to ImageMagick's policy.xml to disable processing of the MVG, HTTPS, HTTP, URL, FTP, EPHEMERAL and MSL coders within image files.

    How to apply the manual patch via additional policies ?

    Find the policy.xml file on your distribution and add the following lines in the <policymap> section of your policy.xml file.

    # vi policy.xml
    <policymap>
    ...
    <policy domain="coder" rights="none" pattern="EPHEMERAL" />
    <policy domain="coder" rights="none" pattern="HTTPS" />
    <policy domain="coder" rights="none" pattern="HTTP" />
    <policy domain="coder" rights="none" pattern="URL" />
    <policy domain="coder" rights="none" pattern="FTP" />
    <policy domain="coder" rights="none" pattern="MVG" />
    <policy domain="coder" rights="none" pattern="MSL" />
    </policymap>

    How to verify the fix ?

    After updating the policy.xml file, re-run the ImageMagick convert command. If the fix is applied properly, the convert command will fail to list the directory contents.

    [[email protected] config]#  convert exploit.mvg out2.png
    convert: not authorized `/tmp/exploit.mvg' @ constitute.c/ReadImage/425.
    convert: missing an image filename `out2.png' @ convert.c/ConvertImageCommand/2800.
    [[email protected] config]#
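    An added check, not part of the original post: it parses a policy.xml and reports which of the coders listed above are still allowed, so the manual fix can be audited across servers instead of re-running the convert test on each one. The sample policies are constructed; patterns are matched by exact name (case-insensitive) or the "*" wildcard, an assumption that covers the entries in the post.

```python
import sys
import xml.etree.ElementTree as ET

# Coders the post's manual fix denies in policy.xml.
REQUIRED_DENIED = {"EPHEMERAL", "HTTPS", "HTTP", "URL", "FTP", "MVG", "MSL"}


def denied_coders(policy_xml):
    """Return the set of coder patterns that policy_xml denies outright.

    Only <policy domain="coder" rights="none"> entries count; a coder that is
    merely restricted (rights="read") is not treated as denied. Patterns are
    normalised to upper case; "*" is kept as-is and means "every coder".
    """
    root = ET.fromstring(policy_xml)
    denied = set()
    for pol in root.iter("policy"):
        if pol.get("domain", "").lower() != "coder":
            continue
        if pol.get("rights", "").strip().lower() != "none":
            continue
        denied.add(pol.get("pattern", "").strip().upper())
    return denied


def missing_denials(policy_xml):
    """Coders from REQUIRED_DENIED that the given policy.xml still allows."""
    denied = denied_coders(policy_xml)
    if "*" in denied:
        return set()
    return REQUIRED_DENIED - denied


# Constructed sample: a minimal policy.xml before and after adding the post's lines.
POLICY_BEFORE = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
</policymap>"""

POLICY_AFTER = POLICY_BEFORE.replace("</policymap>", """\
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="HTTP" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="FTP" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>""")


if __name__ == "__main__":
    # Usage: python check_policy.py /path/to/policy.xml (falls back to the sample)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    xml_text = open(path).read() if path else POLICY_BEFORE
    gap = missing_denials(xml_text)
    print("OK: all listed coders denied" if not gap else "still allowed: " + ", ".join(sorted(gap)))
```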

    References :-

    https://access.redhat.com/security/vulnerabilities/2296071

    https://www.imagemagick.org/discourse-server/viewtopic.php?f=2&t=29594&hilit=CVE+2016+3714

  • What is LogJam Attack ?

    What is LogJam Attack ?

    Diffie-Hellman key exchange is a popular cryptographic algorithm that allows Internet protocols to agree on a shared key and negotiate a secure connection. It is fundamental to many protocols including HTTPS, SSH, IPsec, SMTPS, and protocols that rely on TLS. The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography.

    Who is Affected ?
    Websites, mail servers, and other TLS-dependent services that support DHE_EXPORT ciphers are at risk from the Logjam attack.

    How to prevent this on the application side?
    Update your application's SSL configuration with the updated cipher suite below and restart the service.

    1) Apache
    Disable support for SSLv2 and SSLv3, enable TLS, and explicitly allow/disallow specific ciphers in the given order:
    SSLProtocol             all -SSLv2 -SSLv3
    SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    SSLHonorCipherOrder     on
    2) Nginx
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
    3) Apache Tomcat  ( in server.xml)
    <Connector
    ciphers="ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-GCM-SHA384, DHE-RSA-AES128-GCM-SHA256, DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA, DHE-RSA-AES128-SHA256, DHE-RSA-AES128-SHA, DHE-DSS-AES128-SHA256, DHE-RSA-AES256-SHA256, DHE-DSS-AES256-SHA, DHE-RSA-AES256-SHA, AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA256, AES256-SHA256, AES128-SHA, AES256-SHA, AES, CAMELLIA, DES-CBC3-SHA"
    />
    4) Postfix ( /etc/postfix/main.cf )
    smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES-CBC3-SHA
    
    5) Sendmail ( LOCAL_CONFIG section of your /etc/mail/sendmail.mc )
    O CipherList=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

     

    Reference : https://weakdh.org

  • glibc GHOST vulnerability ( CVE-2015-0235 )

    What is glibc ?
    The GNU C Library, or glibc, is an implementation of the standard C library and a core component of the Linux OS.

    What is GHOST Vulnerability ?
    The GHOST vulnerability is a serious weakness in the Linux glibc library. It allows attackers to remotely take complete control of the victim system without any prior knowledge of system credentials. This bug is tracked as CVE-2015-0235. Red Hat and CentOS have already released the fix, and you can update your boxes to get the patched version.

    Why it is called as GHOST ?
    It is called the GHOST vulnerability because it can be triggered by the GetHOST functions (the gethostbyname*() set of functions).

    Are you safe ?
    As per Red Hat and Qualys, most systems are vulnerable except those running glibc-2.17 and glibc-2.18.

    How to confirm whether you are safe or not ?
    qualys.com provided a vulnerability scanning program (ghost.c, shown below) to check this:

    ~]# rpm -qa | grep glibc
    glibc-2.12-1.107.el6_4.2.x86_64
    ~]# rpm -qa | grep release
    centos-release-6-4.el6.centos.10.x86_64

    ~]# /usr/bin/gcc ghost.c -o ghost
    ~]# ./ghost
    vulnerable

    After updating to the patched version of glibc:
    ~]# yum upgrade glibc
    ~]# rpm -qa | grep glibc
    glibc-2.12-1.149.el6_6.5.x86_64
    ~]# ./ghost
    not vulnerable

    ~]# cat ghost.c
    #include <netdb.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <errno.h>

    #define CANARY "in_the_coal_mine"

    /* The canary sits directly after the buffer handed to gethostbyname_r();
       a vulnerable glibc overruns the buffer and clobbers it. */
    struct {
        char buffer[1024];
        char canary[sizeof(CANARY)];
    } temp = { "buffer", CANARY };

    int main(void) {
        struct hostent resbuf;
        struct hostent *result;
        int herrno;
        int retval;

        /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
        size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
        char name[sizeof(temp.buffer)];
        memset(name, '0', len);
        name[len] = '\0';

        retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);

        if (strcmp(temp.canary, CANARY) != 0) {
            puts("vulnerable");
            exit(EXIT_SUCCESS);
        }
        if (retval == ERANGE) {
            puts("not vulnerable");
            exit(EXIT_SUCCESS);
        }
        puts("should not happen");
        exit(EXIT_FAILURE);
    }

    References :-
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0235
    http://www.openwall.com/lists/oss-security/2015/01/27/9
    https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability

  • POODLE: SSLv3.0 vulnerability

    What is POODLE ?

    POODLE stands for Padding Oracle On Downgraded Legacy Encryption. This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack.

    How to Fix ?

    At present there is no working patch for this bug, so admins need to manually disable SSLv3 on their servers.

    Disable SSLv3 – Apache

    1) Add "SSLProtocol All -SSLv2 -SSLv3" to httpd.conf

    2) Restart the apache service.

    Disable SSLv3 – Nginx

    1) Add "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;" to nginx.conf under the ssl section.

    2) Restart the nginx service.

    Disable SSLv3 – PostFix

    1) Change smtpd_tls_mandatory_protocols to "smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3"

    2) Restart the postfix service.

    Disable SSLv3 – Weblogic

    Start weblogic with the following JVM option: "-Dweblogic.security.SSL.protocolVersion=TLS1"

    How to Diagnose ?

    # openssl s_client -connect localhost:443 -ssl3

    ==> If you have already disabled SSLv3, the output will be as follows:

    CONNECTED(00000003)
    20888:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1053:SSL alert number 40
    20888:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:

    ==> If you have not disabled SSLv3 and you get the following output, your server is vulnerable to POODLE!

    CONNECTED(00000003)
    depth=0 /C=SomeCountry/ST=SomeState/L=Some Place/O=Example Pte Ltd/OU=Systems/CN=453232-example/[email protected]
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 /C=SomeCountry/ST=SomeState/L=Some Place/O=Example Pte Ltd/OU=Systems/CN=453232-example/[email protected]
    verify return:1

    Certificate chain
     0 s:/C=SomeCountry/ST=SomeState/L=Some Place/O=Example Pte Ltd/OU=Systems/CN=453232-example/[email protected]
       i:/C=SomeCountry/ST=SomeState/L=Some Place/O=Example Pte Ltd/OU=Systems/CN=453232-example/[email protected]

    Reference :-

    https://www.openssl.org/~bodo/ssl-poodle.pdf

    http://docs.oracle.com/cd/E13222_01/wls/docs92/secmanage/ssl.html

  • CentOs Fix for Bash Bug ( CVE-2014-6271 & CVE-2014-7169 )

    After a couple of days of trouble, today we got a fix from CentOS for the famous bash security issue (for the known loopholes
    CVE-2014-6271 & CVE-2014-7169).

    CentOS 5 Fix  :-

    * i386:
    ( sha256sum ) 9755e86ad8536c908f95340be308190b52989bfa0d9268a461c40a3f0d493bc7  :  bash-3.2-33.el5_10.4.i386.rpm

    * x86_64:
    ( sha256sum) b1e14edd0d675c6fb0be64cb875fbd9fac208a58e427ea32f373c9359b35642c   :  bash-3.2-33.el5_10.4.x86_64.rpm

    CentOS 6 Fix :-

    * x86_64:

    http://mirror.centos.org/centos/6/updates/x86_64/Packages/bash-4.1.2-15.el6_5.2.x86_64.rpm

    * i386:

    http://mirror.centos.org/centos/5/updates/i386/RPMS/bash-3.2-33.el5_10.4.i386.rpm

    Test Output : –

    [root@ ~]# rpm -qa | grep bash
    bash-3.2-32.el5

    [root@ ~]# env X='() { (a)= >\' bash -c "echo date";
    bash: X: line 0: syntax error near unexpected token `='
    bash: X: line 0: `X () { (a)= >\'
    bash: error importing function definition for `X'
    date
    [root@ ~]#

    * After updating to the latest bash rpm:

    [root@ ~]# rpm -qa | grep bash
    bash-3.2-33.el5_10.4
    [root@ ~]#

    [root@ ~]# env X='() { (a)= >\' bash -c "echo date";
    date
    [root@ ~]#

     

    Reference :-

    http://lists.centos.org/pipermail/centos-announce/2014-September

  • Again Bash !!! ( CVE-2014-7169 )

     

    Note : CentOS Fix for CVE-2014-7169 

    Red Hat announced that the fix for CVE-2014-6271 is incomplete and reported a new one, CVE-2014-7169.

    As per the latest update they are working on a patch for CVE-2014-7169.

    People are able to recreate the bug as follows:

    /]$ rpm -qa | grep bash

    bash-4.1.2-15.el6_5.1.x86_64  ( patched version )

    ~]$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    this is a test

    /]$ env X='() { (a)= >\' bash -c "echo date"; cat echo
    bash: X: line 0: syntax error near unexpected token `='
    bash: X: line 0: `X () { (a)= >\'
    bash: error importing function definition for `X'
    date
    cat: echo: No such file or directory

    /]$ env X='() { (a)=>\' bash -c "echo echo vuln"; [[ "$(cat echo)" == "vuln" ]] && echo "still vulnerable :("
    bash: X: line 1: syntax error near unexpected token `='
    bash: X: line 1: `'
    bash: error importing function definition for `X'
    bash: echo: Permission denied
    cat: echo: No such file or directory

    Waiting for the patch from Red Hat.

    Reference :-

    https://access.redhat.com/security/cve/CVE-2014-7169

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169

  • Serious Bug with BASH ( CVE-2014-6271 )

     

    Note : Red Hat has announced that this patch is incomplete and they are working on a new one at the moment (CVE-2014-7169). Refer to the CVE-2014-7169 post for the details.

    Affected platforms :-

    Red Hat Enterprise Linux 4 (ELS)/ 5 / 6 /7
    CentOs 5/6/7

    How to test whether your version of Bash is vulnerable to this issue?

    [root@]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    vulnerable
    this is a test
    [root@]#

    Resolution :-

    This issue affects all software that uses the Bash shell and parses values of environment variables. This issue is especially dangerous as there are many possible ways Bash can be called by an application. Quite often if an application executes another binary, Bash is invoked to accomplish this. Because of the pervasive use of the Bash shell, this issue is quite serious and should be treated as such.

    In order to avoid exploitation of CVE-2014-6271, ensure that your system is updated to at least the Bash versions listed below.

    # yum update bash

    Fix for CentOs platforms

    Centos 5

    bash-3.2-33.el5.1.i386.rpm / bash-3.2-33.el5.1.x86_64.rpm

    Centos 6
    bash-4.1.2-15.el6_5.1.i686.rpm / bash-4.1.2-15.el6_5.1.x86_64.rpm

    Note : It is always better to reboot your machine after upgrading to the latest bash package. If it is a production-critical machine and you are not able to do a quick reboot, then please run "/sbin/ldconfig".

    How to make sure your machine/server is secure after the package update ?

    Run the above command again:

    [root@]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    this is a test
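    An added detection example, not part of the original post: the same "() {" function-definition marker that the test command above injects through the environment is what defenders look for in request-supplied values (Red Hat's advisory notes that web servers export request headers to CGI programs as environment variables). The log lines are constructed samples, the hosts are hypothetical, and the only payload used is the harmless probe string from the post.

```python
import re

# The Shellshock trigger is a variable value that begins with the function
# definition marker "() {"; unpatched bash kept executing what followed the
# closing brace. The post's test value '() { :;}; echo vulnerable' has this
# shape, and so does the CVE-2014-7169 follow-up probe '() { (a)=>\'.
SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{")

# Apache combined log format. The quoted Referer and User-Agent fields are
# request-supplied values that a web server exports to CGI programs as
# environment variables, which is where bash would parse them.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def is_shellshock_payload(value):
    """True when value looks like a bash function definition injected via the environment."""
    return SHELLSHOCK_RE.match(value) is not None


def scan_access_log(lines):
    """Return (line_no, client_ip, field) for each line whose Referer or
    User-Agent carries the trigger; lines that do not parse are skipped."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        m = COMBINED_RE.match(line)
        if m is None:
            continue
        for field in ("referer", "ua"):
            if is_shellshock_payload(m.group(field)):
                hits.append((line_no, m.group("ip"), field))
    return hits


# Constructed sample lines (hypothetical hosts from the documentation ranges).
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [25/Sep/2014:10:00:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"',
    '198.51.100.7 - - [25/Sep/2014:10:00:03 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :;}; echo vulnerable" "curl/7.29.0"',
    'this line is not in combined format and is skipped',
]

if __name__ == "__main__":
    for line_no, ip, field in scan_access_log(SAMPLE_LOG):
        print(f"line {line_no}: {ip} sent a Shellshock trigger in {field}")
```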

     

    Reference :-

    https://access.redhat.com/security/cve/CVE-2014-6271

    http://lists.centos.org/pipermail/centos/2014-September/146099.html

    https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

     

  • Moin Moin Wiki Active Directory Integration

    I was trying to set up AD integration for our MoinMoin wiki. Unfortunately I couldn't find much straightforward documentation on this. Here I am sharing my settings, which worked pretty well.

    I have created a user wiki.admin in the AD and used that to query the Active Directory.

    =======================================

    # Active Directory authentication starts here
    from MoinMoin.auth.ldap_login import LDAPAuth
    ldap_authenticator1 = LDAPAuth(
        server_uri='ldap://adminlogs.info',
        bind_dn='[email protected]',
        bind_pw='password',
        base_dn='DC=adminlogs,DC=info',
        scope=2,
        referrals=0,  # LDAP REFERRALS (0 needed for AD)
        search_filter='(sAMAccountName=%(username)s)',
        givenname_attribute='givenName',  # often 'givenName' - ldap attribute we get the first name from
        surname_attribute='sn',  # often 'sn' - ldap attribute we get the family name from
        aliasname_attribute=None,  # often 'displayName' - ldap attribute we get the aliasname from
        email_attribute='mail',
        email_callback=None,
        coding='utf-8',
        timeout=10,
        autocreate=True,  # set to True to automatically create/update user profiles
        report_invalid_credentials=True,  # whether to emit "invalid username or password" msg at login time or not
    )
    auth = [ldap_authenticator1, ]
    # this is a list, you may have multiple ldap authenticators as well as other authenticators
    cookie_lifetime = (1, 1)
    # no anon user sessions, 1h session lifetime for logged-in users
    # Active Directory authentication ends here

    =======================================

    Add the above to your wikiconfig.py file and restart apache. That's it! You will be able to authenticate using Active Directory credentials 🙂