The one that does not learn

There is a web site of an open source project that keeps on getting defaced (I’m not going to write its name, btw). The site itself is hosted by a content provider that, as far as I know, does so in the spirit of open source.

The site itself is hosted together with other web sites on the same server (it uses Virtual Hosts); therefore all that is required to deface every web site on the server is a security bug in one of the virtual hosts.
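The weak point described above is that all the virtual hosts share one web-server account, so whatever that account can write, a hole in any one site can overwrite. The following is an added example (not code from the original post or from the project in question) that audits a set of document roots and reports what the shared web account could write to, comparing the "one www-data for the whole box" model with per-site accounts. Hostnames, paths and uids are constructed sample values.

```python
"""Added example (not from the original post): audit what a shared web-server
account can write to across several virtual hosts.

When every vhost's scripts run as the same account (one www-data for the box),
a code-execution bug in one site lets the attacker write to every file that
account can write to, which is exactly how one hole defaces every site on the
server. This script walks each docroot and reports what the web account could
write. Hostnames, paths and uids are constructed sample values.
"""
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vhost: str
    path: str    # relative to the vhost's docroot ("." is the docroot itself)
    kind: str    # "directory" or "file"


def writable_by(st: os.stat_result, uid: int, gids: frozenset = frozenset()) -> bool:
    """POSIX mode-bit check: could a process running as uid (member of gids)
    write this inode? Owner class wins if it matches, then group, then other.
    Models mode bits only; root, POSIX ACLs and SELinux/AppArmor are out of scope."""
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def audit_docroots(docroots: dict, web_uid: int, web_gids: frozenset = frozenset()) -> list:
    """Report every file or directory under each docroot that the web account
    could write. A writable directory lets an attacker drop new files; a
    writable file (index.html, say) lets them replace its content."""
    findings = []
    for vhost, root in docroots.items():
        for dirpath, _dirnames, filenames in os.walk(root):
            entries = [(dirpath, "directory")]
            entries += [(os.path.join(dirpath, f), "file") for f in filenames]
            for path, kind in entries:
                st = os.lstat(path)            # never follow symlinks
                if stat.S_ISLNK(st.st_mode):
                    continue
                if writable_by(st, web_uid, web_gids):
                    findings.append(Finding(vhost, os.path.relpath(path, root), kind))
    return findings


def build_sample_tree(base: str) -> dict:
    """Constructed layout: two vhosts under one server. site-b's index.html has
    been left world-writable, the kind of slip that survives a 'fix the index
    page again' cleanup."""
    roots = {}
    for vhost, index_mode in (("site-a.example", 0o644), ("site-b.example", 0o666)):
        root = os.path.join(base, vhost, "htdocs")
        os.makedirs(root)
        os.chmod(os.path.join(base, vhost), 0o755)
        os.chmod(root, 0o755)
        index = os.path.join(root, "index.html")
        with open(index, "w", encoding="utf-8") as fh:
            fh.write("<h1>hello</h1>\n")
        os.chmod(index, index_mode)
        roots[vhost] = root
    return roots


def run_demo():
    """Compare the two hosting models on the same tree.
    Returns (findings_shared_account, findings_separate_accounts)."""
    with tempfile.TemporaryDirectory() as base:
        roots = build_sample_tree(base)
        # Model 1: site files are owned by the very account the scripts run as.
        # Everything is writable, so one bug anywhere defaces all sites.
        shared = audit_docroots(roots, web_uid=os.getuid())
        # Model 2: each site owned by its own account (suexec / php-fpm pools);
        # the web account is someone else. Only the world-writable file is left.
        other_uid = os.getuid() + 1   # constructed: any uid that is not the owner
        separate = audit_docroots(roots, web_uid=other_uid)
    return shared, separate


if __name__ == "__main__":
    for label, found in zip(("shared account", "separate accounts"), run_demo()):
        print(f"{label}: {len(found)} writable path(s)")
        for f in found:
            print(f"  {f.vhost}: {f.path} ({f.kind})")
```

Run it against real docroots by passing the web account's uid (and its group ids) instead of the constructed values; an empty report for every vhost other than the one a script actually belongs to is what per-site isolation looks like.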

The defacement has happened at least 3 times now, and each time I have offered my help, and each time it was declined.

When I gave them a suggestion on how to make the system less vulnerable, I was given excuses for not using the suggestion and for going on with PostNuke and other flawed services.

One of their main excuses is time. They claim that it is a waste of time to find a better replacement for PostNuke. Another one is that even sites with static HTML are vulnerable, so they can’t be sure that PostNuke was responsible for the defacement.

A few other excuses were provided as well; one in particular made me angry: “OK, you found the vulnerability on my server, and the attackers used it to deface the web sites again before I solved the issue, what should I do then ?” (I’m quoting from memory).

When will content suppliers learn that it’s easier to close known vulnerabilities than to avoid being hit by a car when you cross the road?

When will they stop giving excuses such as “I don’t have the time to make it better, but I do have time to fix the damaged pages over and over and over and over and over and over and over again and over again and over again and over again and over again and over again and over again and over again and over again and over again?”

IMHO the time you would spend on finding a better content management system is far better spent than the time you would waste on fixing the same problems over and over again and again.

Burying your head in the ground is useful only to “Big Birds” that forgot how to fly and lost their wings, not to people who manage data and content.

The problem can be solved easily; all it takes is a few steps. Those steps are currently being pushed aside with excuses.

Since I started writing this blog entry, I have also started getting some SPAM with viruses on the mailing list of the project in question. After a short research, I found out that I’m not the only one on the list. The list email addresses were harvested, and after some further research (thanks to other users on the list), I found out that many zombies are located within the ISP, and these zombies are sending the emails in question. And to think that the administrator of the web site (and mailing list) told me that only the “index” page had been vulnerable to defacement…
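Working out where list spam really comes from, as described in the paragraph above, means reading the Received header that the list server itself wrote and ignoring the ones the sending machine claims. The following is an added example (not code from the original post or from the project’s list server) that extracts the client IP from the trusted hop of each message and counts how many fall inside an ISP’s address range. The hostnames, the ISP prefix and the three raw messages are constructed samples using the documentation ranges 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24.

```python
"""Added example (not from the original post): find where list spam really
comes from by reading the Received header written by the list server itself.

Each MTA prepends its own Received header, so the topmost headers are the
trustworthy ones and anything below the hop our own server recorded may be
forged by the sender. We take the client IP from the hop 'by' our list host,
then count how many of those IPs fall inside a given ISP's address range.
Hostnames, addresses and the three raw messages are constructed samples.
"""
import email
import ipaddress
import re
from collections import Counter

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed: three messages as received by the list server lists.example.org.
# The second Received line in each is what the sending machine claimed about
# itself and is deliberately ignored by the analysis.
SAMPLE_MESSAGES = [
    """\
Received: from dsl-45.isp.example (dsl-45.isp.example [203.0.113.45])
        by lists.example.org with ESMTP; Mon, 01 Sep 2003 10:00:00 +0000
Received: from mail.bigcorp.example (mail.bigcorp.example [192.0.2.9])
        by dsl-45.isp.example with SMTP; Mon, 01 Sep 2003 09:59:00 +0000
From: "Support" <support@bigcorp.example>
To: dev@lists.example.org
Subject: Your document

See attachment.
""",
    """\
Received: from dsl-77.isp.example (dsl-77.isp.example [203.0.113.77])
        by lists.example.org with ESMTP; Mon, 01 Sep 2003 11:30:00 +0000
Received: from mail.bigcorp.example (mail.bigcorp.example [192.0.2.9])
        by dsl-77.isp.example with SMTP; Mon, 01 Sep 2003 11:29:00 +0000
From: "Support" <support@bigcorp.example>
To: dev@lists.example.org
Subject: Re: Your document

See attachment.
""",
    """\
Received: from host77.elsewhere.example (host77.elsewhere.example [198.51.100.77])
        by lists.example.org with ESMTP; Mon, 01 Sep 2003 12:00:00 +0000
Received: from mail.bigcorp.example (mail.bigcorp.example [192.0.2.9])
        by host77.elsewhere.example with SMTP; Mon, 01 Sep 2003 11:58:00 +0000
From: "Support" <support@bigcorp.example>
To: dev@lists.example.org
Subject: Re: Re: Your document

See attachment.
""",
]

ISP_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]   # constructed ISP range


def originating_ip(raw_message: str, trusted_host: str):
    """Return the client IP recorded by trusted_host's own Received header,
    or None if no such hop exists. Only the 'from ...' text that precedes
    'by trusted_host' is inspected, so forged inner hops cannot influence it."""
    msg = email.message_from_string(raw_message)
    for hop in msg.get_all("Received", []):
        hop = " ".join(hop.split())        # unfold continuation lines
        by = re.search(r"\bby\s+" + re.escape(trusted_host) + r"\b", hop)
        if not by:
            continue
        m = IP_IN_BRACKETS.search(hop[: by.start()])
        if m:
            return ipaddress.ip_address(m.group(1))
    return None


def tally_by_prefix(ips, prefixes):
    """Count IPs per matching network; anything outside all prefixes is 'other'."""
    counts = Counter()
    for ip in ips:
        label = next((str(net) for net in prefixes if ip in net), "other")
        counts[label] += 1
    return counts


def analyze(messages, trusted_host, prefixes):
    """Trusted-hop IPs of all messages plus a per-prefix tally."""
    ips = [ip for ip in (originating_ip(m, trusted_host) for m in messages) if ip is not None]
    return ips, tally_by_prefix(ips, prefixes)


if __name__ == "__main__":
    ips, counts = analyze(SAMPLE_MESSAGES, "lists.example.org", ISP_PREFIXES)
    for ip in ips:
        print("trusted-hop client:", ip)
    print(dict(counts))
```

On a real list, feed it the raw messages from the archive (or the MTA’s log, which records the same client address) and the prefixes the ISP announces; a tally concentrated in one ISP’s range is the signal that infected customer machines, not a single spammer, are doing the sending.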

  • c0d3r (http://www.c0d3r.org)

    there are 4 kinds of people:
    1) one who knows
    2) one who doesn’t
    3) one who can’t
    4) one who doesn’t want to