Admin
Hey look! Anyone at all can comment on this post without registering!
Perhaps I should set up a cURL script to post a 'frist' commen... ah drat. Captcha: erat. "I don't erat this security configuration"
Admin
TRWTF is calling adding a htaccess file "hardening"
Admin
It DOES make me hard.
Admin
Could be worse, they could have used the system's user database to store users. Anyone who had created an account on the website was able to ssh into the web server and get a shell.
Admin
error 401; access to comments denied
Admin
If the accounts were stored in a shared database, yes, but these were stored in /etc/passwd and that file was in turn rsync'd to the other web servers. Accounts were eventually moved to an LDAP server specifically set up for the web servers and implemented some kerberos-like features to implement SSO.
Admin
Apart from that - what's wrong with htaccess? It's working, I do not recall any news that the system has been compromised, and if you use it your chances to accidentally implement a broken authorization system yourself are greatly reduced :-)
Ok, it's ugly, but hey. Beauty lies in the eye of the beholder.
Admin
As a who-dunnit the story is a bit weak. I suspected the moved htaccess file as soon as I read "no one could register for events through the Drupal calendar".
Admin
I frist read it as "talented legacy". Then I realised my mistake...
CAPTCHA: duis: duis not reading correctly tonight.
Admin
Is it the original CMS team doing a hack to allow their code to work?
Or is it Eddie making a "fix" without understanding the consequences of what he was doing?
Addendum (2014-04-30 08:22): Is it the original CMS team doing a hack to allow their code to work?
Or is it Eddie making a "fix" without understanding the consequences of what he was doing (yet still feeling smug about his technical prowess)?
Admin
This is.
...Although granted, it wouldn't surprise me if this story involved shared hosting.
Admin
TRWTF is Drupal.
Admin
That's what I like about the comments section of TDWTF - chances are high that if you put something up for discussion you get some meaningful replies.
Admin
I'm not sure why people are having trouble spotting TRWTF here. The original developers intentionally left the administration section unprotected to work around the fact that their curl call was failing authentication. They left themselves fully exposed because they couldn't figure out how to make their home-made Drupal module work. If I was on Slashdot a car analogy would be expected, so here goes:
This is like finding that the radio you added to your car doesn't work with the ignition key removed, so to make it work you leave your car unlocked and running at all times.
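The fix the comment above implies, as an added example that is not from the story or any commenter: keep the .htaccess that protects the admin directory and make the CMS's curl call authenticate instead of removing the protection. The directory path, host name, account name and netrc location are assumptions.

```apache
# .htaccess kept in the password-protected admin directory
# (assumed to be a real directory such as /var/www/site/admin).
# This is the corrected state: the directory stays protected.
AuthType Basic
AuthName "Site administration"
# The password file lives outside the document root; entries are
# created with bcrypt hashes, e.g.:
#   htpasswd -B -c /etc/httpd/admin.htpasswd cms-cron
AuthUserFile /etc/httpd/admin.htpasswd
Require valid-user

# The "fix" from the story amounts to moving this file away, which
# leaves the directory with no Require directive at all, so every
# visitor can reach it. The client side is what needed changing:
# the CMS's curl call has to present credentials for the same realm.
# Store them in a netrc file readable only by the CMS user
# (assumed path /etc/cms/.netrc), with a line such as:
#   machine www.example.com login cms-cron password <PASSWORD-PLACEHOLDER>
# and call the endpoint with:
#   curl --netrc-file /etc/cms/.netrc https://www.example.com/admin/cron.php
# (curl -u cms-cron:... also works, but puts the secret in the process list)
```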
Admin
As a Drupal developer I find it annoying how sometimes Drupal gives administrators the tools to shoot themselves in the foot. The example in this article being the ability for anyone to create an account without admin approval.
We have come across clients who INSIST that they be able to use something called a "Full HTML filter". This essentially allows the user to publish a page with any html structure they desire... including un-tokenized forms allowing for CSRF, malicious javascript, broken HTML structures that break the page, etc...
Now we just disable that particular filter and tell them it doesn't exist.
Admin
The real WTF is that the admin thanked him, but that may just have been wishful anonymisation.
Admin
I am failing to understand the motive behind this comment. What is wrong with Drupal? So many sites, including Telugu newspaper sites, are also using it.
Admin
In very cold places like Siberia, you have to do that.
Admin
Curl! The nightmares!
That diabolical tool designed to do everything from HTTP downloads to encrypted FTP uploads over firewalls with SOCKS5 authentication to transferring rings into Mount Doom in Mordor via the RFC1149 carrier pigeon protocol.
The endless list of options - sorted alphabetically by their shortest commandline option, making it impossible to find the option at the place where you expect it:
Looking for options related to FTP-transfers? Of course don't forget looking in the P-section!
Admin
That Siberia as a region is so cold is a common myth (you can check Wikipedia for a monthly temperature chart.) My mom spent most of February in Siberia about five years ago. She said it's no different than Iqaluit or the Northwest Territories here in Canada, and was only a little colder than Ottawa (where we're from.) Typical Ottawa winters have overnight lows around -30C to -35C, with the windchill reaching -45C to -50C. Any car parked outside has a block heater that you plug in, which keeps the engine block warm enough to start. Gas has antifreeze added to keep it fluid to -65C, and you can do the same with the oil if necessary (I just use a thinner grade.) We also use remote car starters - that starts the car's engine without unlocking it or requiring a key in the ignition. So while it's true the engine is running, the doors, steering wheel and gear shift are all still locked.
To be honest, TRWTF is living in a climate like this...
Admin
Or look for the "/" key and then type "ftp". If that doesn't jump immediately to the section you want, press "n" until it does.
If you are reading man pages through a web browser then locating the "find" command is left as an exercise for the reader.
Admin
you're
Admin
So what exactly is stopping you people from moving to warmer climes?
Admin
TDWTF succinctly put.
The site was not configured correctly so the cms could work correctly using the method of securing the site. So they changed which portion of the site was secured to avoid the cms error. This opened up the vulnerable portion of the site to anyone and their grandma. Enabling the public to use the site as their own content host. (As well as opening up the server to anything you could imagine).
All to avoid correctly implementing the security of the site.
Admin
I prefer to call that decade the "Two Kays".
After all, it seemed like every maker of annual sports games (except the Madden series) used "2Kn" (where n is the last digit of the year) in the name of their games. It's easy to pronounce and sounds a lot less stupid than "noughties", which sounds like something out of a Monty Python sketch.
I'll leave the problem of what to call the decade of 2100-2109 to a future generation.
Admin
Good advice. I doubt that any of us yakking it up now will be concerned about this 'trivia'. Then again, you might want to write suggestions down on a piece of paper and hide it away for a grandkid to see.
It was kinda like calculating leap years. I noted (last century) that it could be simplified to (Y % 4 == 0) for my lifetime and I wasn't going to worry about the extraneous permutations that Pope Gregory established back in the day.
We now return you to the normal discussion of Frist and friends.
Admin
why hasn't anyone realized that TRWTF is PHP?
Admin
Just take a look at the database structure sometime. It will make you barf.
Clearly, whoever designed the database barfed all over their design worksheet and then implemented what they saw, complete with the barf.
My god, it's filled with barf!
Plus, it allows people who think "web design" means picking the right color to appear slightly competent to those who are even more ignorant.
Admin
But it's sooooo much easier without all that authentication nonsense.
Sigh.
I had this coworker who set up servers for various purposes. I swear I heard him, at least once a week, explain to some luser that, "No. The server must have a password. I realize it's harder to access, but it must be password protected." Etc.
Admin
Somebody alluded to this already, but TRWTF is Eddie making a significant change, and then not bothering to test any of the common use cases.
Captcha: genitus. Eddie must consider himself quite the genitus.
Admin
"You told me that you wanted to block all of the spam bots, but you didn't say that you wanted to keep access for everyone else!"
Admin
hard titty access
Admin
Oh and then there was the Drupal "developer" I overheard saying "We'll create a user table for each new user who comes to the site, and copy over their default settings from the generic user table." Yeah. Too bad that never took off. I was soooo looking forward to setting my browser not to take his cookies, putting reload-every on 5 seconds, and overflowing his disk the same day he went live.
Admin
If you find a business-critical system that is not properly secured
Definitely do not just lock it down on the spot. Someone could get hurt.
Admin
Well, I give you my reason... quality of life, security. Just that.
Admin
Exactly, if the company wanted to press charges against whoever hacked the system, you just tampered with evidence. Plus you might have overlooked something and now you'll get blamed for any future compromises on the systems. It is best to just disconnect the machine from the network and await orders from your supervisor.
Admin