[wlug_org] New website/website host required
Jethro Carr
wlug_org@lists.wellylug.org.nz
Fri, 17 Jun 2005 16:57:52 +1200
ohh s**t....
First off, really sorry to Ewen for this.
The problem is the /admin folder which was written a long time ago and
should have been deleted. I can really make no excuses for not doing
this. A change in the website structure caused this to break and I never
checked it.
The first problem Ewen mentions was a problem with my
include_once($variable) statement. When I first started programming with
PHP, I didn't realise that I needed to check for other webpages being
inserted into the $variable value. This caused Ewen's server to be
compromised. :-(
> A brief look at the database, and the rest of the code leaves me feeling
> that a considerable amount of work would be required before I felt it
> was "safe" to run on my webservers.
Ewen, if you would be kind enough to mention (to me) a couple of things
to look at, I would be grateful. I'm not aware of any major flaws, so I
would like to know if there are.
> Hence the options are either
> (a) converting it to a static-only website,
I, or someone else, can do this.
> or (b) moving it somewhere else.
Anyone who wants to, please inform the list.
> PS: "Fixing it up" and then running it on my webservers is no longer an
> option. We tried that after the first exploit.
I understand your stand completely Ewen, and I'm real sorry for this.
I'm also happy to opensource the code to anyone to take a look at.
--
-- Jethro Carr
jethro.carr@jedolinux.com
http://jethrocarr.jedolinux.com
http://jethrocarr.jedolinux.com/index.php?page=cv/cv.php
http://www.jedolinux.com
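
The include_once($variable) problem described in the message above, shown next to a hardened form. This is an added example, not part of the original e-mail and not the website's code; the `page` request key follows the URL style in the signature, while the `pages` directory, the `PAGES` map and `resolve_page()` are hypothetical names.

```php
<?php
// Added example. The vulnerable pattern the message describes is, in effect:
//     include_once($_GET['page']);   // the request decides which file (or URL) PHP executes
// The hardened form below never passes request data to include_once.

// Assumption: page templates live under ./pages (hypothetical layout).
const PAGES_DIR = __DIR__ . '/pages';

// Allowlist: request key => file relative to PAGES_DIR (constructed sample entries).
const PAGES = [
    'home' => 'home.php',
    'cv'   => 'cv/cv.php',
];

/**
 * Map a request-supplied page key to an absolute path, or null if it is not allowed.
 */
function resolve_page($key): ?string
{
    // Unknown keys, array input, URLs and "../" strings are all rejected here,
    // because only exact keys of the allowlist are accepted.
    if (!is_string($key) || !array_key_exists($key, PAGES)) {
        return null;
    }
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . PAGES[$key]);
    // realpath() resolves symlinks and "..": confirm the file really sits under PAGES_DIR,
    // so a bad allowlist entry or a planted symlink cannot escape the directory.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$target = resolve_page($_GET['page'] ?? 'home');
if ($target === null) {
    http_response_code(404);
    exit('Page not found');
}
include_once $target;   // only ever a vetted local file
```

Setting `allow_url_include = Off` in php.ini is a second layer that stops include statements from fetching remote URLs, but it does not replace the allowlist, since local files could still be selected by the request.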