[wlug_org] New website/website host required
Ewen McNeill
wlug_org@lists.wellylug.org.nz
Fri, 17 Jun 2005 11:38:28 +1200
In message <20050616221847.0467582819@smtp-1.paradise.net.nz>, "Michael Dittmer
(An Inside Job)" writes:
>Ewen: Can you provide more details as to what the security flaws were?
At this stage, I'd rather not reveal too many details publicly (I'm
not certain everything is closed off).
In very brief summary the first flaw, with a little assistance from
PHP, allowed arbitrary PHP to be downloaded from anywhere on the 'net
and executed by the webserver. Suffice to say this is bad. The second
flaw allowed, as you have seen, arbitrary persons to send out arbitrary
emails from the webserver, with no authentication. (There was an attempt
at authentication, but it didn't work, and didn't keep anyone out.)
A brief look at the database, and the rest of the code leaves me feeling
that a considerable amount of work would be required before I felt it
was "safe" to run on my webservers.
Hence the options are either (a) converting it to a static-only website,
or (b) moving it somewhere else.
Ewen
PS: "Fixing it up" and then running it on my webservers is no longer an
option. We tried that after the first exploit.
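An added illustration, not code from the WLUG site or from Ewen's message, of how the two flaw classes described above are usually closed: page loading that can only include names from a fixed allowlist (so the webserver never fetches and executes remote code), and a mail endpoint that denies by default. It assumes the typical shapes of these bugs (a caller-supplied include path, and a mail form whose check never rejected anyone); the page names, session keys, mail addresses and paths are placeholders.

```php
<?php
// Added example (not from the original message or the WLUG site code).
// Assumed failure modes: a page parameter passed straight to include(), and a
// mail form whose authentication check never actually rejected anyone.
declare(strict_types=1);

// 1. Page loading: resolve only names from a fixed allowlist, never a
//    caller-supplied path or URL. Remote code fetching is additionally blocked
//    in php.ini with allow_url_include=Off (and allow_url_fopen=Off if unused).
const PAGES = [
    'home'  => __DIR__ . '/pages/home.php',   // placeholder paths
    'about' => __DIR__ . '/pages/about.php',
];

function resolvePage(string $name): ?string
{
    // Lookup by key, so '../', 'http://...' and 'php://' input never reach include().
    return PAGES[$name] ?? null;
}

// 2. Mail sending: deny unless a real session exists and the form carries the
//    session's CSRF token. $_SESSION['user'] is assumed to be set only by a
//    separate login handler, not by anything the visitor controls.
function canSendMail(array $session, array $post): bool
{
    if (empty($session['user']) || empty($session['csrf'])) {
        return false;                       // not logged in: deny by default
    }
    $token = $post['csrf'] ?? '';
    return is_string($token) && hash_equals($session['csrf'], $token);
}

session_start();
$page = resolvePage((string)($_GET['page'] ?? 'home'));
if ($page === null) {
    http_response_code(404);
    exit('No such page');
}
require $page;

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['send'])) {
    if (!canSendMail($_SESSION, $_POST)) {
        http_response_code(403);
        exit('Forbidden');
    }
    // Recipient and sender are fixed server-side; only the body comes from the form.
    mail('committee@example.org', 'Site contact form',
         (string)($_POST['body'] ?? ''), 'From: webform@example.org');
}
```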