[geeklog-devel] Hmm ...

Dirk Haun dirk at haun-online.de
Sun Dec 29 17:51:09 EST 2002

Does anyone remember this post:

To quote: "INITSOFT offers pre-configured hosting of Open Source
projects: Geeklog (1.2.5 & 1.3.x), phpBB, Gallery, Nuke, Post Nuke,
osCommerce, and more."

When I visited their website, <http://www.BusinessLifeEthics.com/> was
listed as an example for a "dynamic website" (don't know if it rotates).
That site is obviously running Geeklog, although it doesn't say so.

I was curious and wanted to know which version was running there. The
calendar shows an empty last week for November, so it's not 1.3.7.

Guess what - whoever installed that site left the install directory
intact and unprotected. So I can call up the install script which tells
me it's Geeklog 1.3.5. There's also the info.php script which was added
in 1.3.5sr2, so it's at least a secure version. However, configinfo.php
is also there, displaying the contents of config.php as a nicely
formatted table (fortunately, Jeff left out the database information when
he wrote that script) ...

I have to admit that I wouldn't know off-hand how to make use of all that
information to do any harm to the site (other than running the install
script in upgrade mode and possibly damaging the database), but it's
certainly not a good thing to make this information available to everyone
on the WWW.

What would you do? Contact the site owner? She probably doesn't have much
technical knowledge anyway. Contact Initsoft? I guess I'll do that but
would like to see some comments first ...

bye, Dirk
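The problem Dirk describes above, an installer directory left in the web root after setup, is something a host or site owner can catch with a post-install check. The following is an added example and not code from the post or from Geeklog itself: it walks a web root, flags the files the post names as still reachable (the install script, info.php, configinfo.php) and anything under an "install" directory, and emits an Apache deny rule for that directory. The file name install.php and the path admin/install are assumptions about where the installer lives; adjust them to the real layout of your deployment.

```python
import os
import tempfile
from pathlib import Path

# File names the post mentions as left behind after installation.
# "install.php" is an assumed name for "the install script"; the other two
# are named in the post. Any file under a directory called "install" is
# also treated as installer residue.
LEFTOVER_FILES = {"install.php", "info.php", "configinfo.php"}
INSTALL_DIR_NAME = "install"


def classify_leftovers(rel_paths):
    """Return, sorted and in POSIX form, the relative paths that look like
    installer residue: a known leftover file name, or anything inside an
    'install' directory."""
    findings = []
    for rel in rel_paths:
        parts = Path(rel).parts
        if parts[-1] in LEFTOVER_FILES or INSTALL_DIR_NAME in parts[:-1]:
            findings.append(Path(rel).as_posix())
    return sorted(findings)


def scan_webroot(webroot):
    """Walk a real web root and report installer residue relative to it."""
    rel_paths = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            rel_paths.append(os.path.relpath(os.path.join(dirpath, name), webroot))
    return classify_leftovers(rel_paths)


def deny_rule(install_dir="admin/install"):
    """Apache 2.4 .htaccess content that refuses every request into the
    installer directory; the directory path is an assumption."""
    return (
        "# place in %s/.htaccess (or better: delete the directory entirely)\n"
        "Require all denied\n" % install_dir
    )


def build_sample_webroot():
    """Create a constructed sample web root in a temp directory: a normal
    site plus the leftover installer files the post describes."""
    root = tempfile.mkdtemp(prefix="webroot_")
    sample_files = [
        "index.php",
        "config.php",  # must exist, but must never be displayed to visitors
        "admin/install/install.php",
        "admin/install/configinfo.php",
        "admin/install/info.php",
    ]
    for rel in sample_files:
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("<?php // constructed placeholder ?>\n")
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    for rel in scan_webroot(root):
        print("installer residue still in web root:", rel)
    print(deny_rule())
```

Run it against the real document root rather than the sample, and treat any hit as a finding: the right fix is to delete the installer directory once setup is done, with the deny rule as a stopgap for hosts that keep it around.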


