[wlug_org] New website/website host required

Michael Dittmer (An Inside Job) wlug_org@lists.wellylug.org.nz
Fri, 17 Jun 2005 10:20:22 +1200


Jethro: Can you make the website static? I know that it may mean more work
to keep it up to date, but we can't keep having security flaws.

Ewen: Can you provide more details as to what the security flaws were?

Regards

Michael

-----Original Message-----
From: wlug_org-admin@lists.wellylug.org.nz
[mailto:wlug_org-admin@lists.wellylug.org.nz] On Behalf Of Ewen McNeill
Sent: Friday, 17 June 2005 9:13 a.m.
To: wlug_org@lists.naos.co.nz
Subject: [wlug_org] New website/website host required

As some of you may be aware, there were a number of "strange" email messages
sent out from the Wellylug website late last night (and, for some members,
again this morning when I tested it -- I think I managed to stop some of
them).

This occurred because of an insecurity in the Wellylug website which allowed
any visitor to use the Wellylug website to send out email purportedly from
the Wellylug website/my webserver, with the content of their choice.  Such
things are a magnet for spammers.

As a result I am no longer willing to host the Wellylug website if it has
any "dynamic" functionality.

Either:
(a) someone else will need to be found to host the Wellylug website
    (and that person should be forewarned that this is the second
    serious security issue with the Wellylug website; an earlier one
    resulted in the webserver being 0wn3d), or

(b) the website be redeveloped in the form in which I originally agreed 
    to host it (namely a static website with no database/email
    functionality)

To ensure a smooth transition I will:
* continue to host this site until the end of the month (2005/06/30),
  although with some functionality disabled including the page that
  I have identified as being used to send out the messages; and

* provide a tar file of the existing website to a nominated person; and

* provide a dump of the database to a nominated person; and

* point the "old" website url (wlug.naos.co.nz) at a new host for 3 months
  (Donald Gordan can presumably be asked to point the new website url
   (wellylug.org.nz) at the new host)
   
If the site has not been moved and/or redeveloped as a static website by the
end of the month then I will turn it off.  I'm sorry if this seems harsh,
but these two serious security flaws in the website, and the time consumed
investigating/cleaning up after them, have used up my generosity.

I'm currently happy to continue hosting the email lists, or not, as Wellylug
may decide.

Ewen

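The flaw Ewen describes is a form-to-mail page that lets any visitor choose the recipients and headers of mail the webserver sends. The following is an added example (not the Wellylug site's code, which is not shown here) of how such a handler is written so it cannot be used as a relay: the recipient and From header are fixed site constants (placeholder addresses), the visitor's input may only become the body, Subject and Reply-To, and any value containing CR/LF (a header-injection attempt) is rejected.

```python
"""Hardened form-to-mail handler: fixed recipient, no visitor-supplied headers."""
import re
from email.message import EmailMessage

# Site-specific constants (placeholder addresses constructed for this example).
FORM_RECIPIENT = "committee@example.org"   # the only address mail can ever go to
FORM_SENDER = "webform@example.org"        # From is never taken from the visitor
MAX_BODY_LEN = 4000

_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
_CTRL_RE = re.compile(r"[\r\n\x00]")


def _header_value(field: str, value, max_len: int = 200) -> str:
    """Reject anything that could end a header line or smuggle in a new one."""
    if not isinstance(value, str) or not value.strip():
        raise ValueError(f"{field}: required")
    if len(value) > max_len or _CTRL_RE.search(value):
        raise ValueError(f"{field}: invalid characters or too long")
    return value.strip()


def build_form_message(form: dict) -> EmailMessage:
    """Build the only kind of message this form may produce.

    The visitor controls the body text and a single Reply-To address; To,
    From and the Subject prefix are fixed, so the form cannot address third
    parties (a "to" field in the submission is simply ignored) or forge headers.
    """
    reply_to = _header_value("email", form.get("email", ""))
    if not _EMAIL_RE.match(reply_to):
        raise ValueError("email: not a single valid address")
    subject = _header_value("subject", form.get("subject", ""))
    body = form.get("message", "")
    if not isinstance(body, str) or not body.strip() or len(body) > MAX_BODY_LEN:
        raise ValueError("message: empty or too long")
    msg = EmailMessage()
    msg["From"] = FORM_SENDER
    msg["To"] = FORM_RECIPIENT          # fixed; form data is never consulted
    msg["Reply-To"] = reply_to
    msg["Subject"] = "[website contact] " + subject
    msg.set_content(body)               # visitor text lands in the body only
    return msg
```

Sending the returned message is left to the caller (e.g. smtplib); the point is that nothing the visitor submits can change where it goes or who it appears to be from.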

--
WellyLUG Organising Group Mailing List: wlug_org@lists.wellylug.org.nz
To Leave: http://lists.wellylug.org.nz/mailman/listinfo/wlug_org