[geeklog-devel] Hmm ...

Tony Bibbs tony at tonybibbs.com
Mon Dec 30 10:24:35 EST 2002

Yeah, I'd contact initsoft.  If they are offering this as a service, they 
should install it properly (i.e. lock the installation script).  If they 
don't fix it they could lose a customer, right?  


 On Sun, 29 Dec 2002, 
Dirk Haun wrote:

> Does anyone remember this post:
> <http://www.geeklog.net/article.php?story=20020409133616936>
> To quote: "INITSOFT offers pre-configured hosting of Open Source
> projects: Geeklog (1.2.5 & 1.3.x), phpBB, Gallery, Nuke, Post Nuke,
> osCommerce, and more."
> When I visited their website, <http://www.BusinessLifeEthics.com/> was
> listed as an example for a "dynamic website" (don't know if it rotates).
> That site is obviously running Geeklog, although it doesn't say so.
> I was curious and wanted to know which version was running there. The
> calendar shows an empty last week for November, so it's not 1.3.7.
> Guess what - whoever installed that site left the install directory
> intact and unprotected. So I can call up the install script which tells
> me it's Geeklog 1.3.5. There's also the info.php script which was added
> in 1.3.5sr2, so it's at least a secure version. However, configinfo.php
> is also there, displaying the contents of config.php as a nicely
> formatted table (fortunately, Jeff left out the database information when
> he wrote that script) ...
> I have to admit that I wouldn't know off-hand how to make use of all that
> information to do any harm to the site (other than running the install
> script in upgrade mode and possibly damaging the database), but it's
> certainly not a good thing to make this information available to everyone
> on the WWW.
> What would you do? Contact the site owner? She probably doesn't have much
> technical knowledge anyway. Contact Initsoft? I guess I'll do that but
> would like to see some comments first ...
> bye, Dirk

More information about the geeklog-devel mailing list