[geeklog-devel] Hmm ...

Tony Bibbs tony at tonybibbs.com
Mon Dec 30 10:24:35 EST 2002


Yeah, I'd contact initsoft.  If they are offering this as a service, they 
should install it properly (i.e. lock the installation script).  If they 
don't fix it they could lose a customer, right?  

--Tony

On Sun, 29 Dec 2002, Dirk Haun wrote:

> Does anyone remember this post:
> <http://www.geeklog.net/article.php?story=20020409133616936>
> 
> To quote: "INITSOFT offers pre-configured hosting of Open Source
> projects: Geeklog (1.2.5 & 1.3.x), phpBB, Gallery, Nuke, Post Nuke,
> osCommerce, and more."
> 
> When I visited their website, <http://www.BusinessLifeEthics.com/> was
> listed as an example for a "dynamic website" (don't know if it rotates).
> That site is obviously running Geeklog, although it doesn't say so.
> 
> I was curious and wanted to know which version was running there. The
> calendar shows an empty last week for November, so it's not 1.3.7.
> 
> Guess what - whoever installed that site left the install directory
> intact and unprotected. So I can call up the install script which tells
> me it's Geeklog 1.3.5. There's also the info.php script which was added
> in 1.3.5sr2, so it's at least a secure version. However, configinfo.php
> is also there, displaying the contents of config.php as a nicely
> formatted table (fortunately, Jeff left out the database information when
> he wrote that script) ...
> 
> I have to admit that I wouldn't know off-hand how to make use of all that
> information to do any harm to the site (other than running the install
> script in upgrade mode and possibly damaging the database), but it's
> certainly not a good thing to make this information available to everyone
> on the WWW.
> 
> What would you do? Contact the site owner? She probably doesn't have much
> technical knowledge anyway. Contact Initsoft? I guess I'll do that but
> would like to see some comments first ...
> 
> bye, Dirk
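Tony's advice to "lock the installation script" in practice, as an added example that is not code from Geeklog or from either poster: a small POSIX shell audit that an admin can run on the server to find leftover installer scripts under a web root and then shut off web access to the install directory. The script names come from the thread (the install script, info.php, configinfo.php); the `admin/install/` path used in the comments and the Apache `.htaccess` syntax are assumptions, so adjust them to the actual layout and web server.

```shell
#!/bin/sh
# Added example, not Geeklog's own code: locate leftover installer scripts
# under a web root and lock the install directory so it is no longer reachable.
# Script names are the ones mentioned in the thread; the directory layout
# (e.g. admin/install/) and the Apache .htaccess syntax are assumptions.

INSTALL_SCRIPTS="install.php info.php configinfo.php"

# find_install_leftovers WEBROOT
# Prints every leftover installer script found below WEBROOT, one per line.
# Returns 0 if at least one was found (i.e. the site is exposed), 1 if clean.
find_install_leftovers() {
    webroot=$1
    found=1
    for name in $INSTALL_SCRIPTS; do
        for f in $(find "$webroot" -type f -name "$name" 2>/dev/null); do
            echo "$f"
            found=0
        done
    done
    return $found
}

# lock_install_dir DIR
# Denies web access to DIR with a deny-all .htaccess (Apache 1.3/2.0 syntax,
# assumed to be honoured by the host's AllowOverride setting) and strips the
# world read/execute bits so the scripts are not served even if .htaccess is
# ignored. Once the install/upgrade is confirmed complete, removing the
# directory outright is the simpler option.
lock_install_dir() {
    dir=$1
    [ -d "$dir" ] || return 1
    printf 'Order deny,allow\nDeny from all\n' > "$dir/.htaccess"
    chmod -R o-rwx "$dir"
    return 0
}

# Usage: sh lock-install.sh /var/www/html
# (web root path is a placeholder; run as the user that owns the web tree)
if [ -n "$1" ]; then
    if find_install_leftovers "$1"; then
        echo "Installer scripts are reachable; locking install directory."
        lock_install_dir "$1/admin/install"   # assumed Geeklog layout
    else
        echo "No installer scripts found under $1."
    fi
fi
```

Run it after every install or upgrade; the audit returns success only when something is left behind, so it can double as a cron check that alerts when an installer directory reappears.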