[thelist] webmasters acting as sysadmins

Mark Groen evolt at markgroen.com
Mon Feb 19 09:04:00 CST 2007


On Monday 19 February 2007 03:06, der wert wrote:
> I've found it true that nowadays the person that creates a website
> handles the system administration on the server. I don't mean in larger
> companies but the smaller ones. It seems that a lot of the webmasters
> aren't fully up to the task; they use crutches such as packages like
> cpanel, plesk, or webmin. It also seems true that many scripts that are put
> on sites aren't understood by the webmasters. This has become a big
> weakness: these users are able to get a website online but the problem is
> with keeping it online. They don't fully understand all of the workings or
> all of the options for the config files that the whm scripts never show the
> user. There are so many points of a server that need to be secured and
> monitored, and I fear that the further we get into the technology age the
> more and more common these crutches are becoming and more widely available.
> They've started to take over and now have become a sort of standard for
> hosting companies. These crutches are becoming a weakness; less and less
> knowledge is required in order to bring a site online. So many of these
> sites have security flaws that are just waiting for a malicious user to find.
> I would like to urge anyone that may be reading this that doesn't have an
> understanding of how the server they "manage" works: I urge them to
> start to learn the workings of all the services. Try to learn the languages
> of the scripts you have running, try to understand the security aspects of
> these languages. These types of issues are a downfall and are the cause of
> servers being hacked/defaced. I've had my little rant, feel free to
> comment.

Nice rant, and I pretty much agree with it. I'm one of those people that troll 
web sites that you can't actually read unless you look at the source and 
follow some links in it to the real content, and have a chuckle along with 
everyone else when a site like Nokia Canada gets goatsed.

Look that word up if you must, but trust me, it isn't a pretty sight unless 
you are into gross things.

The Nokia case was a _very_basic_ SQL injection that should not have happened 
with a bit of forethought. It was typical of what I see all the time: the 
input for an admin log-in was totally unfiltered, and the SQL itself used 
wildcards no less. Dumb and dumber yet.

Any odd mark would break it and show you the actual SQL error on the web 
page - which means a bad server setup too, getting dumber yet...

From that day:

    SQL : Select * From adminwebusers Where Username = ''' And Password = ''

Just add ' OR 1='1 to the data you are sending and you're in, it's just that 
easy.

Even if you aren't sure which application they are using, many times you only 
need to make it error out, and in many cases the table names are available 
right there on your screen. A Google shows you what the application is if you 
don't know already (in Nokia it didn't matter, no need to go any further to 
bork it), download, a quick grep through the code and the rest is history.

But it isn't funny of course when it's your own web site that is borked. 
-- 
cheers,

        mark
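As an added example (not from the thread or from Nokia's code), the concatenated login query Mark quotes beside a parameterized version, run against a constructed in-memory SQLite table named adminwebusers; the 'admin' row, the password value and the function names are constructed for the demonstration. One caveat: SQLite compares the integer 1 and the text '1' as unequal, so the post's tautology is written here with both sides as text (' OR '1'='1).

```python
import sqlite3


def make_db():
    """Constructed sample: an in-memory table with the name and columns from
    the quoted query. The password is stored plaintext only so the comparison
    with the quoted SQL stays one-to-one; hashing is a separate fix."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE adminwebusers (Username TEXT, Password TEXT)")
    conn.execute("INSERT INTO adminwebusers VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The quoted pattern: user input pasted straight into the SQL string.
    A quote in the input changes the statement instead of the data, so a
    password of ' OR '1'='1 turns the WHERE clause into a tautology."""
    sql = ("SELECT * FROM adminwebusers WHERE Username = '" + username
           + "' AND Password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    """Hardened form: placeholders keep the input as data. The same payload
    is now just a password string that matches no row."""
    sql = "SELECT * FROM adminwebusers WHERE Username = ? AND Password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def raw_error_message(conn, username, password):
    """Return the driver's error text that a misconfigured page would echo to
    the browser (the 'odd mark' remark), or None if the statement ran.
    A production page should log this server-side and show a fixed message."""
    try:
        login_vulnerable(conn, username, password)
        return None
    except sqlite3.Error as exc:
        return str(exc)


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"  # SQLite-dialect form of the post's ' OR 1='1
    print("vulnerable:   ", login_vulnerable(db, "admin", payload))     # True
    print("parameterized:", login_parameterized(db, "admin", payload))  # False
    print("raw error:    ", raw_error_message(db, "'", ""))
```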


