[geeklog-devel] Hmm ...

Tony Bibbs tony at tonybibbs.com
Mon Dec 30 10:24:35 EST 2002


Yeah, I'd contact initsoft. If they are offering this as a service, they
should install it properly (i.e. lock the installation script). If they
don't fix it they could lose a customer, right?

--Tony

On Sun, 29 Dec 2002, Dirk Haun wrote:

> Does anyone remember this post:
> <http://www.geeklog.net/article.php?story=20020409133616936>
>
> To quote: "INITSOFT offers pre-configured hosting of Open Source
> projects: Geeklog (1.2.5 & 1.3.x), phpBB, Gallery, Nuke, Post Nuke,
> osCommerce, and more."
>
> When I visited their website, <http://www.BusinessLifeEthics.com/> was
> listed as an example for a "dynamic website" (don't know if it rotates).
> That site is obviously running Geeklog, although it doesn't say so.
>
> I was curious and wanted to know which version was running there. The
> calendar shows an empty last week for November, so it's not 1.3.7.
>
> Guess what - whoever installed that site left the install directory
> intact and unprotected. So I can call up the install script which tells
> me it's Geeklog 1.3.5. There's also the info.php script which was added
> in 1.3.5sr2, so it's at least a secure version. However, configinfo.php
> is also there, displaying the contents of config.php as a nicely
> formatted table (fortunately, Jeff left out the database information when
> he wrote that script) ...
>
> I have to admit that I wouldn't know off-hand how to make use of all that
> information to do any harm to the site (other than running the install
> script in upgrade mode and possibly damaging the database), but it's
> certainly not a good thing to make this information available to everyone
> on the WWW.
>
> What would you do? Contact the site owner? She probably doesn't have much
> technical knowledge anyway. Contact Initsoft? I guess I'll do that but
> would like to see some comments first ...
>
> bye, Dirk
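As an added example (not part of the thread and not Geeklog project code), the following POSIX shell script shows what "lock the installation script" looks like from the server side: it reports whether a leftover install directory is still reachable over HTTP, lists the scripts left in it, and writes an Apache `.htaccess` that refuses all web requests. The install subdirectory `admin/install` and the Apache `Order deny,allow` / `Deny from all` directive syntax are assumptions; adjust both for the Geeklog release and web server actually in use.

```shell
#!/bin/sh
# Added example (not from the list post or the Geeklog project): find a leftover
# Geeklog install directory on the server and deny web access to it.
# ASSUMPTIONS: the install directory lives at admin/install under the web root
# (override with the second argument), and the web server is Apache, which
# honours the classic "Order deny,allow" / "Deny from all" .htaccess directives.

INSTALL_SUBDIR_DEFAULT="admin/install"

# Print the PHP scripts still sitting in the install directory (the thread
# names configinfo.php and info.php; any *.php file is reported here).
leftover_scripts() {
    dir="$1/${2:-$INSTALL_SUBDIR_DEFAULT}"
    [ -d "$dir" ] || return 0
    for f in "$dir"/*.php; do
        if [ -f "$f" ]; then
            basename "$f"
        fi
    done
    return 0
}

# Return 0 (true) if the install directory exists and no .htaccess
# "Deny from all" rule blocks it, i.e. anyone on the WWW can still call the
# install script; return 1 (false) otherwise.
install_dir_exposed() {
    dir="$1/${2:-$INSTALL_SUBDIR_DEFAULT}"
    [ -d "$dir" ] || return 1
    if [ -f "$dir/.htaccess" ] && grep -qi '^Deny from all' "$dir/.htaccess"; then
        return 1
    fi
    return 0
}

# Lock the directory by writing an .htaccess that refuses every HTTP request.
# Deleting the directory after a finished installation is the cleaner fix;
# this keeps the files for an administrator who still needs the upgrade script.
lock_install_dir() {
    dir="$1/${2:-$INSTALL_SUBDIR_DEFAULT}"
    [ -d "$dir" ] || return 0
    printf 'Order deny,allow\nDeny from all\n' > "$dir/.htaccess"
}

# Usage: sh lock_install.sh /path/to/webroot [install/subdir]
if [ "$#" -ge 1 ]; then
    if install_dir_exposed "$1" "$2"; then
        echo "install directory is exposed; leftover scripts:"
        leftover_scripts "$1" "$2"
        lock_install_dir "$1" "$2"
        echo "web access to the install directory is now denied"
    else
        echo "install directory absent or already locked"
    fi
fi
```

Run it as the account that owns the web root; if `AllowOverride` is disabled for that directory, the same `Deny from all` rule has to go into the main Apache configuration instead, and the exposure check above will then report a false positive because it only looks at `.htaccess`.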
