[wlug_org] New website/website host required
Ewen McNeill
wlug_org@lists.wellylug.org.nz
Fri, 17 Jun 2005 09:12:37 +1200
As some of you may be aware, there were a number of "strange" email
messages sent out from the Wellylug website late last night (and, for
some members, again this morning when I tested it -- I think I managed
to stop some of them).

This occurred because of an insecurity in the Wellylug website which
allowed any visitor to use the Wellylug website to send out email
purportedly from the Wellylug website/my webserver, with the content of
their choice. Such things are a magnet for spammers.

As a result I am no longer willing to host the Wellylug website if it
has any "dynamic" functionality.

Either:

(a) someone else will need to be found to host the Wellylug website
    (and that person should be forewarned that this is the second
    serious security issue with the Wellylug website; an earlier one
    resulted in the webserver being 0wn3d), or
(b) the website be redeveloped in the form in which I originally agreed
    to host it (namely a static website with no database/email
    functionality)

To ensure a smooth transition I will:

* continue to host this site until the end of the month (2005/06/30),
  although with some functionality disabled including the page that
  I have identified as being used to send out the messages; and
* provide a tar file of the existing website to a nominated person; and
* provide a dump of the database to a nominated person; and
* point the "old" website url (wlug.naos.co.nz) at a new host for 3 months
  (Donald Gordan can presumably be asked to point the new website url
  (wellylug.org.nz) at the new host)

If the site has not been moved and/or redeveloped as a static website by
the end of the month then I will turn it off. I'm sorry if this seems
harsh, but these two serious security flaws in the website, and the time
consumed investigating/cleaning up after them, have used up my
generosity.

I'm currently happy to continue hosting the email lists, or not, as
Wellylug may decide.

Ewen