[thelist] webmasters acting as sysadmins

Ron ronr at linuxdude.com
Mon Feb 19 10:06:52 CST 2007


While you 2 guys are lecturing everyone, maybe you'll find a few minutes to lecture the people that set the budgets for IT departments. You DO realize that's where the problems start, right??? I know you must, since both of you seem to be incredibly intelligent and all.

Cheers


Mark Groen wrote:
> On Monday 19 February 2007 03:06, der wert wrote:
>> I've found it true that nowadays the person that creates a website
>> handles the system administration on the server. I don't mean in larger
>> companies but the smaller ones. It seems that a lot of the webmasters
>> aren't fully up to the task, they use crutches such as packages like
>> cpanel, plesk, or webmin. It also seems true that many scripts that are put
>> on sites aren't understood by the webmasters. This has become a big
>> weakness, these users are able to get a website online but the problem is
>> with keeping it online. They don't fully understand all of the workings or
>> all of the options for the config files that the whm scripts never show the
>> user. There are so many points of a server that needs to be secured and
>> monitored and I fear that the further we get into the technology age the
>> more and more common these crutches are becoming and more widely available.
>> They've started to take over and now have become a sort of standard for
>> hosting companies. These crutches are becoming a weakness, less and less
>> knowledge is required in order to bring a site online. So many of these
>> sites have security flaws that are just waiting for a malicious user to find.
>> I would like to urge anyone that may be reading this that doesn't have an
>> understanding of how their server works that they "manage". I urge them to
>> start to learn the workings of all the services. Try to learn the languages
>> of the scripts you have running, try to understand the security aspects of
>> these languages. These types of issues are a downfall and are the cause of
>> servers being hacked/defaced. I've had my little rant, feel free to
>> comment.
> 
> Nice rant, and pretty much agree with it. I'm one of those people that troll 
> web sites that you can't actually read unless you look at the source and 
> follow some links in it to the real content, and have a chuckle along with 
> everyone else when a site like Nokia Canada gets goatsed.
> 
> Look that word up if you must, but trust me, it isn't a pretty sight unless 
> you are into gross things.
> 
> The Nokia case was a _very_basic_ SQL injection that should not have happened
> with a bit of forethought. It was typical of what I see all the time, the
> input for an admin log-in was totally unfiltered, and the SQL itself used 
> wildcards no less. Dumb and dumber yet.
> 
> Any odd mark would break it and show you the actual SQL error on the web 
> page - which means a bad server set up too, getting dumber yet...
> 
> From that day:
> SQL : Select * From adminwebusers Where Username = ''' And Password = ''
> just add ' OR 1='1 to the data you are sending and you're in, it's just that 
> easy.
> 
> Even if you aren't sure which application they are using, many times you only 
> need to make it error out, and in many cases the table names are available 
> right there on your screen. A Google shows you what the application is if you 
> don't know already (in Nokia it didn't matter, no need to go any further to 
> bork it), download, a quick grep through the code and the rest is history.
> 
> But it isn't funny of course when it's your own web site that is borked.
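The admin log-in query quoted in the thread, reproduced as an added example that is not part of the original posts: the concatenated form accepts the `' OR ...` payload and breaks on a stray quote, while the parameterized form does neither. The table, its single row and the module are constructed here; SQLite treats the literal `1` and `'1'` as different types, so the quoted comparison `'1'='1'` is used in place of the thread's `1='1'` for the same effect.

```python
import sqlite3

# Payload pattern from the thread; SQLite compares the literal 1 and '1' as
# different types, so the quoted form '1'='1' is used here for the same effect.
PAYLOAD = "' OR '1'='1"


def make_db():
    """Constructed sample table shaped like the one in the quoted query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE adminwebusers (Username TEXT, Password TEXT)")
    conn.execute("INSERT INTO adminwebusers VALUES ('admin', 'correct-horse')")
    return conn


def build_vulnerable_query(username, password):
    """String concatenation: whatever the form submits becomes SQL syntax."""
    return ("SELECT * FROM adminwebusers WHERE Username = '" + username
            + "' AND Password = '" + password + "'")


def login_vulnerable(conn, username, password):
    """True when some row matches; a stray quote breaks the statement.

    The error is swallowed here; the thread's point is that echoing it to
    the page was a second misconfiguration on top of the injection.
    """
    try:
        row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    except sqlite3.Error:
        return False
    return row is not None


def login_parameterized(conn, username, password):
    """Placeholders: the driver binds values, so input can never close a quote."""
    row = conn.execute(
        "SELECT * FROM adminwebusers WHERE Username = ? AND Password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    for label, fn in (("concatenated", login_vulnerable),
                      ("parameterized", login_parameterized)):
        print(label, "valid:", fn(db, "admin", "correct-horse"),
              "injected:", fn(db, PAYLOAD, PAYLOAD),
              "stray quote:", fn(db, "'", ""))
```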