[wlug_org] New website/website host required
jamie.baddeley@vpc.co.nz
wlug_org@lists.wellylug.org.nz
Fri, 17 Jun 2005 10:37:11 +1200
I'd suggest a plan is to ask the membership for help.
There's probably some people out there who could audit Jethro's code
from a security perspective and solve the problem.
All that Jethro would need to do is opensource the code. And I think
that would be highly appropriate.
Ewen has been kind enough to give us a little time, so I'd suggest
making a decision fairly quickly (Jethro).
And in the event no one wants to help, I guess we'll have little choice
but to find a new home for the website. But I'd be surprised and
disappointed if we had to do that.
cheers
jamie
On Fri, 2005-06-17 at 09:12 +1200, Ewen McNeill wrote:
> As some of you may be aware, there were a number of "strange" email
> messages sent out from the Wellylug website late last night (and, for
> some members, again this morning when I tested it -- I think I managed
> to stop some of them).
>
> This occurred because of an insecurity in the Wellylug website which
> allowed any visitor to use the Wellylug website to send out email
> purportedly from the Wellylug website/my webserver, with the content of
> their choice. Such things are a magnet for spammers.
>
> As a result I am no longer willing to host the Wellylug website if it
> has any "dynamic" functionality.
>
> Either:
> (a) someone else will need to be found to host the Wellylug website
> (and that person should be forewarned that this is the second
> serious security issue with the Wellylug website; an earlier one
> resulted in the webserver being 0wn3d), or
>
> (b) the website be redeveloped in the form in which I originally agreed
> to host it (namely a static website with no database/email
> functionality)
>
> To ensure a smooth transition I will:
> * continue to host this site until the end of the month (2005/06/30),
> although with some functionality disabled including the page that
> I have identified as being used to send out the messages; and
>
> * provide a tar file of the existing website to a nominated person; and
>
> * provide a dump of the database to a nominated person; and
>
> * point the "old" website url (wlug.naos.co.nz) at a new host for 3 months
> (Donald Gordan can presumably be asked to point the new website url
> (wellylug.org.nz) at the new host)
>
> If the site has not been moved and/or redeveloped as a static website by
> the end of the month then I will turn it off. I'm sorry if this seems
> harsh, but these two serious security flaws in the website, and the time
> consumed investigating/cleaning up after them, have used up my
> generosity.
>
> I'm currently happy to continue hosting the email lists, or not, as
> Wellylug may decide.
>
> Ewen
>
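For anyone taking up the audit suggested above, the shape of the fix for a "send mail to anyone" page is worth spelling out. The following is an added example (not code from the thread or from the Wellylug site): a contact-form handler where the recipient and sender are fixed server-side and every visitor-supplied field is screened before it reaches a header, so the page cannot be used as a relay. The addresses and field names are constructed for the example.

```python
import re
from email.message import EmailMessage

# Server-side constants: the visitor never chooses recipient or sender.
# These addresses are constructed placeholders for the example.
CONTACT_RECIPIENT = "committee@example.org"
ENVELOPE_SENDER = "webform@example.org"
MAX_BODY_LEN = 2000

# A CR or LF inside a header value lets a submitter append headers of
# their own (extra recipients, a different From); refuse it outright.
HEADER_BREAK = re.compile(r"[\r\n]")
SIMPLE_ADDRESS = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class RejectedSubmission(ValueError):
    pass


def screen_submission(form: dict) -> str:
    """Return a rejection reason, or "" if the form may be turned into mail."""
    if any(key in form for key in ("to", "cc", "bcc")):
        return "recipient fields are not accepted"
    for field in ("name", "email", "subject"):
        if HEADER_BREAK.search(form.get(field, "")):
            return f"line break in {field}: header injection attempt"
    if not SIMPLE_ADDRESS.match(form.get("email", "").strip()):
        return "malformed reply address"
    body = form.get("message", "")
    if not body.strip() or len(body) > MAX_BODY_LEN:
        return "empty or oversized message body"
    return ""


def build_contact_message(form: dict) -> EmailMessage:
    """Build the one message this form is allowed to send, or raise."""
    reason = screen_submission(form)
    if reason:
        raise RejectedSubmission(reason)
    msg = EmailMessage()
    msg["From"] = ENVELOPE_SENDER          # fixed, not the visitor's address
    msg["To"] = CONTACT_RECIPIENT          # fixed, never taken from the form
    msg["Reply-To"] = form["email"].strip()
    msg["Subject"] = "[website contact] " + form.get("subject", "").strip()[:100]
    msg.set_content(f"Submitted by {form.get('name', '').strip()}\n\n{form['message']}")
    return msg
```

Logging each rejection reason alongside the source address gives the host the same visibility Ewen had to reconstruct by hand after the fact.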